justAnoob Posted June 12, 2009 Share Posted June 12, 2009 this doesn't work,,, but my registration script works like this. <?php $username = $_POST['username']; $password = $_POST['password']; $sql=sprintf("SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1", mysql_real_escape_string($username), md5($pasword)); ?> and this works <?php $username = mysql_real_escape_string($_POST['username']); $password = md5($_POST['password']); $sql="SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1"; ?> Quote Link to comment Share on other sites More sharing options...
Ken2k7 Posted June 12, 2009 Share Posted June 12, 2009 If you want to use sprintf, change $username and $password to %s. Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 12, 2009 Author Share Posted June 12, 2009 what exactly does sprintf do? and how come in my register script I did not have to make that change? do I need to use sprintf? Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 12, 2009 Author Share Posted June 12, 2009 this works fine for my reg script <?php $username = $_POST["username"]; $sql = sprintf("SELECT * FROM $tbl_name WHERE username = '$username'", mysql_real_escape_string($username)); $result=mysql_query($sql); ?> Quote Link to comment Share on other sites More sharing options...
Ken2k7 Posted June 12, 2009 Share Posted June 12, 2009 No, you don't have to use sprintf. It's actually better if you don't apply functions blindly if you don't know what they do and then come here and ask why it doesn't work and if you need to use it. If you don't know something, it's better to ask a more straight forward question. Anyways, php.net is a great resource site for all things PHP. sprintf. Edit - that's because you're not applying sprintf correctly. In you first post, $password is not hashed. So when you run the SQL, $password is still the original string the user typed in, not the hashed one in the DB. Read up on sprintf. I have the link above. Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 12, 2009 Author Share Posted June 12, 2009 Now i get an error with the comma $sql = "SELECT * FROM $tbl_name WHERE username = '$username'", mysql_real_escape_string($username); Quote Link to comment Share on other sites More sharing options...
Ken2k7 Posted June 12, 2009 Share Posted June 12, 2009 Just out of curiosity, where in the link that I posted did it tell you to do that? Quote Link to comment Share on other sites More sharing options...
Andy-H Posted June 12, 2009 Share Posted June 12, 2009 http://php.net/sprintf The function takes a string with variables to be replaced formatted like so: %s = A string %d = an integer For now these are probably all you will need, theres a full list at the link on php.net It then takes variables which are used to replace the % formatted data within the string, the first %? will be replaced by the first passed paramater, the 2nd %? by the second param etc... SO for your query to work, it needs to be in the following format... $sql = sprintf("SELECT * FROM %s WHERE username = '%s' AND password = '%s' LIMIT 1", $tbl_name, mysql_real_escape_string($username), md5($password) ); Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 12, 2009 Author Share Posted June 12, 2009 still having probs with it that way,,, I need to look into some more... I though sprintf did something else,,, sorry guys.. Quote Link to comment Share on other sites More sharing options...
haku Posted June 12, 2009 Share Posted June 12, 2009 You also need to stop using these triple commas. Annoying as hell. I even have the answer to your question/problem, but I'm not going to bother telling you. Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 12, 2009 Author Share Posted June 12, 2009 why would you say something like that? Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 12, 2009 Author Share Posted June 12, 2009 if you have some input, it would be great to hear it. I'm not just going to copy and paste. I like to learn PHP. Sometimes it is hard to find exactly what I'm looking for. Quote Link to comment Share on other sites More sharing options...
Andy-H Posted June 12, 2009 Share Posted June 12, 2009 What do you mean by problems? You need to be more specific if you want help with the problem. haku, I think they were supposed to be full stops as the comma key is right next to the full stop key? This touchtypo stuff is harder then it looks. =P Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 12, 2009 Author Share Posted June 12, 2009 andy, what I'm working on doing is trying to secure some scripts. some people on here say I should do all this stuff, and then i read elsewhere saying I should do other things. i'm confused. Quote Link to comment Share on other sites More sharing options...
Andy-H Posted June 12, 2009 Share Posted June 12, 2009 sprintf isn't all too effective for protecting your script. Just make sure that you cast user input thats expected to be integer type with (int) and use mysql_real_escape_string on your user inputted strings used for mysql. Then when the data has been fetched by mysql just use stripslashes and htmlEntities on the data before echoing it to the screen. Quote Link to comment Share on other sites More sharing options...
Ken2k7 Posted June 12, 2009 Share Posted June 12, 2009 sprintf doesn't protect or secure anything. Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 13, 2009 Author Share Posted June 13, 2009 Okay, so back to the post I posted earlier where I took out 'sprintf' and then still had a problem with the ',' I've looked everywhere, and everyone is saying to use mysql_real_escape_string like this... $var = mysql_real_escape_string($_POST['whatever']) and not at the end of the SQL statement. here is a simple register script that i have. this is what i've seen on examples that people are doing to protect against hackers.(i know if someone wanted to mess stuff up they will. just looking for some basic protection.) <?php session_start(); require_once 'connection.php'; // check if username or email is already registered, if so, give error message $username = mysql_real_escape_string($_POST["username"]); $sql = "SELECT * FROM members WHERE username = '$username'"; $result=mysql_query($sql); $count=mysql_num_rows($result); // if username exists, display error if($count > 0) { $_SESSION['dup'] = "This username is already registered. Please try again."; header("location: http://www.--------.com/registration.php"); exit(); } // if data is good, register the new member else { $username = mysql_real_escape_string($_POST["username"]); $password = md5($_POST["password"]); $email = mysql_real_escape_string($_POST["email"]); $sql = "INSERT INTO %s (username, password, email)VALUES('$username','$password','$email')"; mysql_query($sql) or die(mysql_error()); unset($_SESSION['dup']); $_SESSION['goodreg'] = "Thank you for registering. Please log in above."; sleep(2); header("location: http://www.------.com/registration.php"); mysql_close(); exit(); } ?> Quote Link to comment Share on other sites More sharing options...
Ken2k7 Posted June 13, 2009 Share Posted June 13, 2009 <?php $sql = "INSERT INTO %s (username, password, email)VALUES('$username','$password','$email')"; mysql_query($sql) or die(mysql_error()); You left a %s there. Change it to your table name. Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 13, 2009 Author Share Posted June 13, 2009 oopss, sorry, don't mind that, i forgot to change that back to my table name. but taking a look at the script, if it was yours, what would you do to beef up the security. I'm not looking for anything crazy. just your basic. also, why is my strLen not working correctly. it brings the error if the name is less then 6 or more than 12, but not something with, lets say 8. <?php session_start(); require_once 'connection.php'; // check if username or email is already registered, if so, give error message $username = mysql_real_escape_string($_POST["username"]); $sql = "SELECT * FROM members WHERE username = '$username'"; $result=mysql_query($sql); $count=mysql_num_rows($result); // if username exists, display error if($count > 0) { $_SESSION['dup'] = "This username is already registered. Please try again."; header("location: http://www.-----.com/registration.php"); exit(); } if(strLen($username) < 6 || strLen($username) > 12 ) { $_SESSION['length'] = 'Username can only be 6-12 characters in length.'; header("location: http://www.------.com/registration.php"); exit(); } // if data is good, register the new member else { $username = mysql_real_escape_string($_POST["username"]); $password = md5($_POST["password"]); $email = mysql_real_escape_string($_POST["email"]); $sql = "INSERT INTO members (username, password, email)VALUES('$username','$password','$email')"; mysql_query($sql) or die(mysql_error()); unset($_SESSION['dup']); $_SESSION['goodreg'] = "Thank you for registering. Please log in above."; sleep(2); header("location: http://www.-------.com/registration.php"); mysql_close(); exit(); } ?> Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 13, 2009 Author Share Posted June 13, 2009 i'm sorry,,, the error comes up no matter what length of username they input. Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 13, 2009 Author Share Posted June 13, 2009 i looke on google and it shows examples of something like this. but i still get the same prob. even if i enter a username that is 6 characters long, i get the error that the username is not the correct length. <?php if($count > 0) { $_SESSION['dup'] = "This username is already registered. Please try again."; header("location: http://www.--------.com/registration.php"); exit(); } elseif( strLen($_POST["$username"]) < 6 || strLen($_POST["$username"]) > 12 ) { $_SESSION['length'] = 'Username can only be 6-12 characters in length.'; header("location: http://www.---------.com/registration.php"); exit(); } // if data is good, register the new member else { ?> Quote Link to comment Share on other sites More sharing options...
Ken2k7 Posted June 13, 2009 Share Posted June 13, 2009 Well, I would not use or die() statement. I would use trigger_error and set_error_handler instead. Quote Link to comment Share on other sites More sharing options...
Andy-H Posted June 13, 2009 Share Posted June 13, 2009 And change $_POST['$username'] // to $_POST['username'] =p Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 13, 2009 Author Share Posted June 13, 2009 ooppss, i knew that, thanks andy Quote Link to comment Share on other sites More sharing options...
justAnoob Posted June 13, 2009 Author Share Posted June 13, 2009 Okay, a couple times it worked. Now it does not. I can enter a username that is 6 or more characters and it still gives me the error that the username is not the correct length. <?php session_start(); require_once 'connection.php'; $username = mysql_real_escape_string($_POST["username"]); $email = mysql_real_escape_string($_POST['email']); $sql = "SELECT * FROM members WHERE username = '$username' and email = '$email'"; $result=mysql_query($sql); $count=mysql_num_rows($result); // if username is currently being used, display error if($count > 0) { unset($_SESSION['length']); $_SESSION['dup'] = "This username or email is already registered. Please try again."; header("location: http://www.-------.com/registration.php"); exit(); } // if username is not correct length, display error elseif ( strLen($_POST["username"]) < 6 ) { unset($_SESSION['dup']); $_SESSION['length'] = 'Username must be a minimum of 6 characters in length.'; header("location: http://www.------.com/registration.php"); exit(); } // if data is good, register the new member else { $username = mysql_real_escape_string($_POST["username"]); $password = md5($_POST["password"]); $email = mysql_real_escape_string($_POST["email"]); $sql = "INSERT INTO members (username, password, email)VALUES('$username','$password','$email')"; mysql_query($sql) or trigger_error(); unset($_SESSION['dup']); $_SESSION['goodreg'] = "Thank you for registering. Please log in above."; sleep(2); header("location: http://www.------.com/registration.php"); mysql_close(); exit(); } ?> Is there something wrong with the if,elseif,else? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.