Downwindz Posted May 7, 2009

It needs to be said that I am still fairly green with PHP and MySQL, so if there are any noticeable mistakes please give useful comments. I have a registration script, and I would like to know if I have protected it correctly against SQL injection. If I have understood correctly, mysql_real_escape_string should be used with any POST and GET values.

```php
<?php
include('connect.php');

if ($loggedin == '1')
    die("You can't register another account while you're logged in.");

if (isset($_POST['submit'])) {
    // Check the fields exist before reading them, so no undefined-index notices
    if (!isset($_POST['username']) || !isset($_POST['pass']) || trim($_POST['username']) == '' || $_POST['pass'] == '')
        die("Please fill out the form completely. <br><br> <a href=register.php>Continue</a>");

    // The raw trimmed value must never reach a query; only the escaped copy may be interpolated
    $uname = trim($_POST['username']);
    $username = mysql_real_escape_string($uname);
    $pass = mysql_real_escape_string(trim($_POST['pass']));

    // Use the escaped $username here, not the raw $uname
    $check = @mysql_query("SELECT id FROM players WHERE username = '$username'");
    $check = @mysql_num_rows($check);
    if ($check > 0)
        die("Sorry, that username has already been taken. Please try again. <br><br> <a href=register.php>Continue</a>");

    // md5() returns only hexadecimal characters, so this value is safe to interpolate
    $pass = md5($_POST['pass']);
    $date = date("m/d/y");

    $newPlayer = @mysql_query("INSERT INTO players (username, password, registered) VALUES ('$username', '$pass', '$date')")
        or die("Error: " . mysql_error());
    echo 'You have been registered! You may now <a href=index.php>Log in</a>.';
} else {
    echo '<form action=registryz.php method=post>
    Username: <input type=text name=username><br>
    Password: <input type=password name=pass><br>
    <input type=submit name=submit value=Submit>
    </form>';
}
?>
```
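For comparison, here is the same registration flow written with prepared statements, which is the approach that removes the whole class of mistake the script above is exposed to (escaping one copy of a value and interpolating another). This is an added example, not the poster's code. It assumes PDO with the pdo_sqlite extension so it runs offline against an in-memory database; for MySQL only the DSN passed to `new PDO(...)` would change. The `players` table and its columns are taken from the script above; `openDb` and `registerPlayer` are names chosen for this example.

```php
<?php
// Added example (not the original poster's code). Assumption: PDO and
// pdo_sqlite are available; a MySQL DSN such as "mysql:host=...;dbname=..."
// works the same way with the rest of the code unchanged.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the players table used in the posted script
    $db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, registered TEXT)');
    return $db;
}

// Registers a player and returns a status message. Every user-supplied
// value is bound as a parameter, so a quote inside it is data, never SQL.
function registerPlayer(PDO $db, string $usernameRaw, string $passRaw): string {
    $username = trim($usernameRaw);
    if ($username === '' || $passRaw === '') {
        return 'Please fill out the form completely.';
    }

    $check = $db->prepare('SELECT id FROM players WHERE username = :u');
    $check->execute([':u' => $username]);
    if ($check->fetchColumn() !== false) {
        return 'Sorry, that username has already been taken.';
    }

    // password_hash() gives a salted, slow hash; replaces the unsalted md5() in the posted script
    $hash = password_hash($passRaw, PASSWORD_DEFAULT);
    $ins = $db->prepare('INSERT INTO players (username, password, registered) VALUES (:u, :p, :d)');
    $ins->execute([':u' => $username, ':p' => $hash, ':d' => date('Y-m-d')]);
    return 'You have been registered!';
}

// Checks a login attempt against the stored hash; returns true on a match.
function checkLogin(PDO $db, string $username, string $passRaw): bool {
    $q = $db->prepare('SELECT password FROM players WHERE username = :u');
    $q->execute([':u' => trim($username)]);
    $hash = $q->fetchColumn();
    return $hash !== false && password_verify($passRaw, $hash);
}

$db = openDb();
// Constructed sample inputs: a username containing an apostrophe is exactly
// the kind of value that breaks string-spliced SQL; with bound parameters it
// is stored verbatim and the duplicate check still works.
echo registerPlayer($db, "O'Brien", 'correct horse') . "\n";
echo registerPlayer($db, "O'Brien", 'another pass') . "\n";
echo (checkLogin($db, "O'Brien", 'correct horse') ? 'login ok' : 'login failed') . "\n";
echo (checkLogin($db, "O'Brien", 'wrong') ? 'login ok' : 'login failed') . "\n";
```

Two caveats worth knowing when reading the posted script today: the legacy `mysql_*` functions it relies on were removed in PHP 7, so `mysqli` or PDO is required anyway, and both offer prepared statements. Escaping with `mysql_real_escape_string` only works when the escaped copy is the one that reaches the query and the value is enclosed in quotes in the SQL string; binding parameters makes both conditions unnecessary.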
Ken2k7 Posted May 7, 2009

If the input is not a number, look at mysql_real_escape_string. Although, the data type doesn't matter.
Downwindz Posted May 7, 2009 (Author)

I'm sorry, I'm not quite sure I understand what you mean. I hoped to get a concrete response on whether I set up mysql_real_escape_string correctly in my script and whether it would work against SQL injection.
Ken2k7 Posted May 7, 2009

You're fine with mysql_real_escape_string().
Downwindz Posted May 7, 2009 (Author)

Thank you very much.