Siggles Posted August 4, 2008

Hi, I have made a script that takes user input entered into a form, changes that information into variables, and those variables are used in MySQL statements that update the database. From what I have read so far about SQL injection, am I at risk of having something bad happen to my database because I am not using mysql_real_escape_string? Here is an example of my code with the important stuff marked (I think)...

```php
$result3 = mysql_query("SELECT dateplayed, opponent, homeaway, id FROM fixtures
    WHERE id NOT IN (SELECT id FROM predictions WHERE username = '$session->username')
    AND NOW() < dateplayed ORDER BY dateplayed ASC");
if (mysql_num_rows($result3) == 0) {
    echo "No predictions left to make at this time.";
} else {
    $counter = 1;
    if ($counter == 1) {   // was if($counter=1): an assignment, which is always true
        echo "column headers etc blah blah";
    }
    while ($row = mysql_fetch_array($result3)) {
        echo "<tr><td>".date('d/m/y', strtotime($row['dateplayed']))."</td>";
        echo "<td>".date('G:ia', strtotime($row['dateplayed']))."</td>";
        echo "<td align=\"center\">(".$row['homeaway'].")</td>";
        echo "<td>".$row['opponent']."</td>";
        $cid = $row['id'];
?>
<!-- [b] important part starts -->
<form action="processdata1.php" method="post">
<td><input type="text" name="resultafc" size="1"></td>
<td><input type="text" name="resultother" size="1"></td>
<td><input type="submit" name="submit" value="Add!"></td>
<!-- [b] important part ends -->
<input type="hidden" name="opt" value="addprediction">
<input type="hidden" name="id" value="<? echo $cid; ?>">
<input type="hidden" name="dropdown" value="0">
</form>
</tr>
<?php
    }
}
```

and then the page that processes the data, processdata1.php....

```php
switch ($_POST['opt']) {
    case "addprediction":
        $datecreated = date("Y-m-d H:i:s");
        $pid = $_POST['id'];                   // goes into the query below unquoted
        $pusername = $session->username;
        $presultafc = $_POST['resultmfc'];     // the form field above is named "resultafc"
        $presultother = $_POST['resultother'];
        $timecheck = mysql_query("SELECT dateplayed FROM fixtures WHERE `id` = $pid");
        while ($row = mysql_fetch_array($timecheck)) {
            $dateplayed = $row['dateplayed'];
            $tUnixTime = time();
            $timestamp2 = date("Y-m-d H:i:s", $tUnixTime);
        }
        // checks whether the game has started
        if ($dateplayed < $timestamp2) {
            $_SESSION['formsubtext'] = 5;
        } else {
            // Checks for 0-9 in form fields or errors
            // [b] important part starts
            if (eregi('^[0-9]$', $presultafc) && eregi('^[0-9]$', $presultother)) {
                mysql_query("INSERT INTO predictions (datecreated, username, id, resultafc, resultother)
                    VALUES ('$datecreated', '$pusername', '$pid', '$presultafc', '$presultother')");
                // [b] important part ends
                $_SESSION['formsubtext'] = 1;
            } else {
                $_SESSION['formsubtext'] = 2;
            }
        }
        break;
}
```
rawb Posted August 5, 2008

Change this

```php
$presultafc=$_POST['resultmfc'];
$presultother=$_POST['resultother'];
```

to this

```php
$presultafc=mysql_real_escape_string($_POST['resultmfc']);
$presultother=mysql_real_escape_string($_POST['resultother']);
```

ANY string input that you use in a MySQL query should be escaped with this function (this function also takes a second argument, the database resource variable, and ideally that would be included as well). If the user input is not intended to be a string (an integer, for example), be sure to cast it (i.e. $var = (int)$var) to ensure that it is the correct datatype. Also be sure to continue to use those single quotes around your values to prevent certain types of injection.
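As an added example (not the poster's code, nor rawb's), here is the processdata1.php input handling reworked along rawb's advice: the id and scores are validated as digits and cast to int before they reach the query, and the only string value stays escaped and single-quoted. The escape function is passed in as a callable so the file runs without a database; `addslashes` stands in for it here only, and in production you would bind the connection-aware escaper (for example `mysqli_real_escape_string` with the link) instead.

```php
<?php
// Added example, not the poster's code: processdata1.php input handling
// reworked along rawb's advice. Every field is validated and typed before it
// touches a query string: id and scores are cast to int, strings are escaped
// and stay single-quoted. $escape is injected so this runs offline; in
// production bind the real one, e.g.
//   $escape = function ($s) use ($link) { return mysqli_real_escape_string($link, $s); };

// Returns ['ok' => true, ...typed fields] or ['ok' => false, 'code' => 2],
// reusing the poster's formsubtext code 2 for rejected input.
function validate_prediction(array $post, $username)
{
    // Scores must be exactly one digit, as the original eregi('^[0-9]$') meant;
    // \A...\z also rejects a trailing newline, which a bare $ would let through.
    foreach (['resultafc', 'resultother'] as $field) {
        if (!isset($post[$field]) || !preg_match('/\A[0-9]\z/', $post[$field])) {
            return ['ok' => false, 'code' => 2];
        }
    }
    // id is interpolated unquoted in `WHERE id = $pid`, so require a pure digit
    // string before the (int) cast rather than accepting anything that casts to 0.
    if (!isset($post['id']) || !ctype_digit((string)$post['id'])) {
        return ['ok' => false, 'code' => 2];
    }
    return [
        'ok'          => true,
        'id'          => (int)$post['id'],
        'username'    => (string)$username,   // session-sourced, but still a string
        'resultafc'   => (int)$post['resultafc'],
        'resultother' => (int)$post['resultother'],
    ];
}

// Integers go in after casting; the string values are escaped AND quoted.
function build_insert(array $clean, callable $escape, $datecreated)
{
    return sprintf(
        "INSERT INTO predictions (datecreated, username, id, resultafc, resultother) "
        . "VALUES ('%s', '%s', %d, %d, %d)",
        $datecreated,                 // server-generated, never user input
        $escape($clean['username']),
        $clean['id'], $clean['resultafc'], $clean['resultother']
    );
}

// Offline demo on constructed input; addslashes only stands in for the
// connection-bound escape function so the file runs without a database.
$good = validate_prediction(['id' => '42', 'resultafc' => '2', 'resultother' => '1'], "o'brien");
echo $good['ok'] ? build_insert($good, 'addslashes', date('Y-m-d H:i:s')) : 'rejected', "\n";
$bad = validate_prediction(['id' => '42', 'resultafc' => '10', 'resultother' => '1'], 'siggles');
echo $bad['ok'] ? 'unexpected' : "rejected, formsubtext code {$bad['code']}", "\n";
```

The second call shows the validation rejecting a two-digit score the same way the original eregi check did, before any query string is built.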
fenway Posted August 6, 2008

Be careful about magic_quotes, too... there was a nice clean() function floating around somewhere.