is this code safe form sql injection?

[runnerjp]

im using bbcode and wonderd how to make the code safe from injection...

 

here is my code

 

<?php	$thedate = date("U"); //get unix timestamp
							$displaytime = time();
						//This is where the bbcode come in.
							$message = new BBCode;
							$message->selection = $yourpost;
							$message->parseCode(); // set to 1 if you want to disable bbcode
							$message->parseEmoticons();
							$yourpost = $message->parsed;
							$insertpost = "INSERT INTO `forumtutorial_posts` (`author`,`forum`,`title`,`post`,`showtime`,`realtime`,`lastposter`,`parentid`) values('$name','$forum','$subject','$yourpost','$thedate','$thedate','$name','$forumpostid')";
							mysql_query($insertpost) or die("Could not insert post"); //insert post

							$updatepost = "UPDATE `forumtutorial_posts` SET `numreplies`=`numreplies`+'1', `lastposter`='$name', `lastrepliedto`='$thedate' WHERE `postid`='$forumpostid'";
							mysql_query($updatepost) or die("Could not update post");


							$updatep = "UPDATE `users` SET `post_count`=`post_count`+'1', last_post=$thedate WHERE `Username`='$name'";
							mysql_query($updatep) or die("Could not update post");

							header("Location: http://www.runningprofilfes.com/members/index.php?page=message&forum=$forum&id=$forumpostid");?>

[.josh]

maybe, maybe not.  You're inserting/updating with a bunch of vars but you do not show where they are coming from.

[premiso]

You should really check the variables you are going to be running SQL on for the SQL injection. I do not see anywhere in this code where that is done. On top of that you should use www.php.net/mysql_real_escape on variables before you use them in the SQL. This will parse the code and take care of anything that could be SQL injected.

 

I am sure searching the forums will bring up alot on SQL injection and the best practices to make sure your code is safe.

 

From what is shown here, you are not safe.

[runnerjp]

alot of the vars are coming from the db so im saying they will be ok...

 

but $yourpost = $_POST['yourpost'];

$subject = $_POST['title'];

 

 

come from a poist but would adding real_escape stop the bbcode beeing used?

[premiso]

No adding real escape will not stop the BBCode from being used. All it does is escape characters that mysql uses and takes them literally. Sort of like in PHP you would use a / to escape a quote so it will display properly on the page and not throw an error in the code.

 

 

[Andy-H]

$yourpost = mysql_real_escape_string($_POST['yourpost']);
$subject   = mysql_real_escape_string($_POST['title']);

 

Use post data for queries like that..

[runnerjp]

ahh right well that has helped alot.. iv miss understood what i had learnt lol ty guys!