Siggles Posted August 4, 2008

Hi, I have made a script that takes user input entered into a form, changes that information into variables, and those variables are used in MySQL statements that update the database. From what I have read so far about SQL injection, am I at risk of having something bad happen to my database because I am not using mysql_real_escape_string? Here is an example of my code with the important stuff in bold (I think)...

    $result3 = mysql_query("SELECT dateplayed, opponent, homeaway, id FROM fixtures WHERE id NOT IN (SELECT id FROM predictions WHERE username = '$session->username') AND NOW() < dateplayed ORDER BY dateplayed ASC");
    if(mysql_num_rows($result3)==0){
        echo "No predictions left to make at this time.";
    }else{
        $counter=1;
        if($counter==1) {
            echo "column headers etc blah blah";
        }
        while($row = mysql_fetch_array($result3)) {
            echo "<tr><td>".date('d/m/y',strtotime($row['dateplayed']))."</td>";
            echo "<td>".date('G:ia',strtotime($row['dateplayed']))."</td>";
            echo "<td align=\"center\">(".$row['homeaway'].")</td>";
            echo "<td>".$row['opponent']."</td>";
            $cid=$row['id'];
    ?>
    [b]<form action="processdata1.php" method="post">
    <td><input type="text" name="resultafc" size="1"></td>
    <td><input type="text" name="resultother" size="1"></td>
    <td><input type="submit" name="submit" value="Add!"></td>[/b]
    <input type="hidden" name="opt" value="addprediction" >
    <input type="hidden" name="id" value="<? echo $cid; ?>">
    <input type="hidden" name="dropdown" value="0" >
    </form>

and then the page that processes the data, processdata1.php....

    switch($_POST['opt']) {
    case "addprediction":
        $datecreated=date("Y-m-d H:i:s");
        $pid=$_POST['id'];
        $pusername=$session->username;
        $presultafc=$_POST['resultmfc'];
        $presultother=$_POST['resultother'];
        $timecheck = mysql_query("SELECT dateplayed FROM fixtures WHERE `id` = $pid");
        while($row = mysql_fetch_array($timecheck)) {
            $dateplayed=$row['dateplayed'];
            $tUnixTime = time();
            $timestamp2 = date("Y-m-d H:i:s", $tUnixTime);
        }
        //checks whether the game has started
        if ($dateplayed < $timestamp2){
            $_SESSION['formsubtext']=5;
        } else {
            //Checks for 0-9 in form fields or errors
            [b]if (eregi('^[0-9]$', $presultafc) && eregi('^[0-9]$', $presultother)) {
                mysql_query("INSERT INTO predictions (datecreated, username, id, resultafc, resultother) VALUES ('$datecreated', '$pusername', '$pid', '$presultafc', '$presultother') ");[/b]
                $_SESSION['formsubtext']=1;
            } else {
                $_SESSION['formsubtext']=2;
            }
        }
        break;
rawb Posted August 5, 2008

change this

    $presultafc=$_POST['resultmfc'];
    $presultother=$_POST['resultother'];

to this

    $presultafc=mysql_real_escape_string($_POST['resultmfc']);
    $presultother=mysql_real_escape_string($_POST['resultother']);

ANY string input that you use in a mysql query should be escaped with this function (this function also takes a second argument, the database resource variable, and ideally that would be included as well). If the user input is not intended to be a string (an integer, for example), be sure to cast it (i.e. $var = (int)$var) to ensure that it is the correct datatype. Also be sure to continue to use those single quotes around your values to prevent certain types of injection.
fenway Posted August 6, 2008

Be careful about magic_quotes, too... there was a nice clean() function floating around somewhere.
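Putting rawb's and fenway's replies together in the thread's own addprediction handler, as an added example (not code from the original post): the hidden id is cast to int because it is used unquoted in the query, the scores are validated and then escaped against the connection, and magic_quotes escaping is undone first so nothing is escaped twice. It assumes an open ext/mysql connection in $link and the thread's table and column names; ext/mysql and magic_quotes no longer exist in PHP 7, where mysqli/PDO prepared statements are the replacement.

```php
<?php
// Added example (not from the thread): rawb's and fenway's advice applied to
// the addprediction handler. Assumes an open ext/mysql connection in $link and
// the thread's table/column names. ext/mysql and magic_quotes were removed in
// PHP 7; there, mysqli/PDO prepared statements replace manual escaping.

// fenway's point: with magic_quotes_gpc on, PHP has already backslash-escaped
// $_POST, and escaping again doubles the backslashes. Undo it so every value
// goes through exactly one escaping step.
function clean_input($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Returns the same formsubtext codes the original handler stores in $_SESSION.
function add_prediction($link, $username, array $post) {
    // rawb's point: id is used unquoted, so cast it; non-numeric input becomes 0.
    $pid = (int) clean_input($post['id']);

    $timecheck = mysql_query("SELECT dateplayed FROM fixtures WHERE id = $pid", $link);
    $row = $timecheck ? mysql_fetch_assoc($timecheck) : false;
    if (!$row) {
        return 2; // unknown fixture: treat as invalid input
    }
    if ($row['dateplayed'] < date("Y-m-d H:i:s")) {
        return 5; // game already started
    }

    // Validate the scores before they go anywhere near SQL (the original used
    // eregi('^[0-9]$'); preg_match is the non-deprecated equivalent).
    $afc   = clean_input($post['resultafc']);
    $other = clean_input($post['resultother']);
    if (!preg_match('/^[0-9]$/', $afc) || !preg_match('/^[0-9]$/', $other)) {
        return 2;
    }

    // Every string placed in the query is escaped against the live connection
    // (rawb's second argument) and stays inside single quotes.
    $afc      = mysql_real_escape_string($afc, $link);
    $other    = mysql_real_escape_string($other, $link);
    $username = mysql_real_escape_string($username, $link);
    $created  = date("Y-m-d H:i:s");

    $sql = "INSERT INTO predictions (datecreated, username, id, resultafc, resultother) "
         . "VALUES ('$created', '$username', $pid, '$afc', '$other')";
    return mysql_query($sql, $link) ? 1 : 2;
}
```

Called from the switch as `$_SESSION['formsubtext'] = add_prediction($link, $session->username, $_POST);`, it replaces the whole addprediction case.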