
SQL Injections - beginner


Siggles


Hi, I have made a script that takes user input entered into a form, changes that information into variables, and those variables are used in MySQL statements that update the database. From what I have read so far about SQL injection, am I at risk of having something bad happen to my database because I am not using mysql_real_escape_string? Here is an example of my code with the important stuff in bold (I think)...

 

<?php
// Lists the fixtures the logged-in user has not predicted yet.
// $session->username comes from the site's own session class (not shown in the post).
$result3 = mysql_query("SELECT dateplayed, opponent, homeaway, id FROM fixtures WHERE id NOT IN (SELECT id FROM predictions WHERE username = '$session->username') AND NOW() < dateplayed ORDER BY dateplayed ASC");
if (mysql_num_rows($result3) == 0) {
    echo "No predictions left to make at this time.";
} else {
    $counter = 1;
    if ($counter == 1) {   // the original had "if($counter=1)", an assignment that is always true
        echo "column headers etc blah blah";   // the original was missing the semicolon
    }
    while ($row = mysql_fetch_array($result3)) {
        echo "<tr><td>" . date('d/m/y', strtotime($row['dateplayed'])) . "</td>";
        echo "<td>" . date('G:ia', strtotime($row['dateplayed'])) . "</td>";
        echo "<td align=\"center\">(" . $row['homeaway'] . ")</td>";
        echo "<td>" . $row['opponent'] . "</td>";
        $cid = $row['id'];
?>
<!-- the part marked in bold in the original post -->
<form action="processdata1.php" method="post">
<td><input type="text" name="resultafc" size="1"></td>
<td><input type="text" name="resultother" size="1"></td>
<td><input type="submit" name="submit" value="Add!"></td>
<input type="hidden" name="opt" value="addprediction">
<input type="hidden" name="id" value="<?php echo $cid; ?>">
<input type="hidden" name="dropdown" value="0">
</form>
</tr>
<?php
    }   // end while
}       // end else
?>

and then the page that processes the data, processdata1.php...

 

<?php
switch ($_POST['opt']) {
case "addprediction":

    $datecreated  = date("Y-m-d H:i:s");
    $pid          = $_POST['id'];
    $pusername    = $session->username;
    $presultafc   = $_POST['resultafc'];    // must match the form field name; the original read 'resultmfc'
    $presultother = $_POST['resultother'];

    // Look up when the fixture is played. The variables are initialised so the
    // comparison below is defined even when no row matches $pid.
    $dateplayed = null;
    $timestamp2 = date("Y-m-d H:i:s", time());
    $timecheck  = mysql_query("SELECT dateplayed FROM fixtures WHERE `id` = $pid");
    while ($row = mysql_fetch_array($timecheck)) {
        $dateplayed = $row['dateplayed'];
    }

    // checks whether the game has started
    if ($dateplayed < $timestamp2) {
        $_SESSION['formsubtext'] = 5;
    } else {
        // Checks for 0-9 in form fields or errors
        // (the part marked in bold in the original post; eregi() is deprecated,
        // preg_match() performs the same single-digit test)
        if (preg_match('/^[0-9]$/', $presultafc) && preg_match('/^[0-9]$/', $presultother)) {
            // the original inserted $presultmfc, a variable that was never set
            mysql_query("INSERT INTO predictions (datecreated, username, id, resultafc, resultother) VALUES ('$datecreated', '$pusername', '$pid', '$presultafc', '$presultother')");
            $_SESSION['formsubtext'] = 1;
        } else {
            $_SESSION['formsubtext'] = 2;
        }
    }
    break;
}
?>

https://forums.phpfreaks.com/topic/118096-sql-injections-beginner/

change this

$presultafc=$_POST['resultafc'];    // key must match the form field name="resultafc"
$presultother=$_POST['resultother'];

 

to this

$presultafc=mysql_real_escape_string($_POST['resultafc']);    // key must match the form field name="resultafc"
$presultother=mysql_real_escape_string($_POST['resultother']);

 

ANY string input that you use in a MySQL query should be escaped with this function (this function also takes a second argument, the database resource variable, and ideally that would be included as well). If the user input is not intended to be a string (an integer, for example), be sure to cast it (e.g. $var = (int)$var) to ensure that it is the correct datatype. Also be sure to continue to use those single quotes around your values to prevent certain types of injection. :)
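As an added example (not code from the post or the reply), here is the processing page's input handling with the reply's advice applied: the hidden fixture id is cast to an integer, the two scores are validated as single digits, and the free-form username is escaped through the connection. It assumes the thread's $_POST fields and $session object plus a $link resource from mysql_connect(); the helper name is mine.

```php
<?php
// Added example, not code from the post or the reply: the processing page's
// input handling with the reply's advice applied. Assumes the thread's
// $_POST fields, the $session object and a $link resource from
// mysql_connect(); the helper name is hypothetical.
function prepare_prediction_values(array $post, $username, $link)
{
    // The fixture id arrives from a hidden field, which is just as
    // user-controlled as the visible boxes. It is an integer, so cast it;
    // anything non-numeric becomes 0, which is rejected here.
    $pid = isset($post['id']) ? (int) $post['id'] : 0;
    if ($pid <= 0) {
        return null;
    }
    // The two scores must be a single digit (this also excludes quotes).
    $afc   = isset($post['resultafc'])   ? $post['resultafc']   : '';
    $other = isset($post['resultother']) ? $post['resultother'] : '';
    if (!preg_match('/^[0-9]$/', $afc) || !preg_match('/^[0-9]$/', $other)) {
        return null;
    }
    // The username is free-form text that the original never checked:
    // escape it with the connection as the second argument.
    return array(
        'datecreated' => date('Y-m-d H:i:s'),
        'username'    => mysql_real_escape_string($username, $link),
        'id'          => $pid,
        'resultafc'   => (int) $afc,
        'resultother' => (int) $other,
    );
}

$values = prepare_prediction_values($_POST, $session->username, $link);
if ($values === null) {
    $_SESSION['formsubtext'] = 2;            // same "bad input" code as the thread
} else {
    // Integers can go into the SQL bare now; strings stay quoted and escaped.
    $sql = sprintf(
        "INSERT INTO predictions (datecreated, username, id, resultafc, resultother)"
        . " VALUES ('%s', '%s', %d, %d, %d)",
        $values['datecreated'], $values['username'],
        $values['id'], $values['resultafc'], $values['resultother']
    );
    mysql_query($sql, $link);
    $_SESSION['formsubtext'] = 1;
}
?>
```

The mysql_* functions no longer exist on PHP 7 and later; the same split (escape and quote strings, cast integers) carries over unchanged to mysqli_real_escape_string().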
