Xtremer360, posted June 18, 2011

Is it necessary to do a mysqli_real_escape_string on a GET variable from the URL? I ask because it's for an account validation, and I'm going to get it from the URL and match it up against the registrations in the db.
Pikachu2000, posted June 18, 2011

It's necessary to validate and/or sanitize and/or escape all such data.
Xtremer360 (author), posted June 18, 2011

I should probably check to make sure my generated registrationKey isn't already inside of the db for another user before a user registers, huh? And also, is this how it should be performed correctly?

`$registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);`
redixx, posted June 18, 2011

> I should probably check to make sure my generated registrationKey isn't already inside of the db for another user before a user registers, huh? And also, is this how it should be performed correctly?
>
> `$registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);`

Yes, that's right. However, you are using mysqli, and so you should take advantage of that fact and use prepared statements. In doing so, you don't have to escape data and you don't have to worry about SQL injection.
Xtremer360 (author), posted June 18, 2011

Thank you.
PFMaBiSmAd, posted June 18, 2011

If your $registrationKey value is a number only and you are putting it into a query statement as a number, without any quoting around it, using mysqli_real_escape_string won't stop SQL injection, because mysqli_real_escape_string is only for escaping string data being put into a query.
Xtremer360 (author), posted June 18, 2011

It's actually a generated string of 32 numbers and letters, but I only use the first 5 characters.
Xtremer360 (author), posted June 18, 2011

I just wanted to attach one more question to this board topic. I'm not sure why, but I'm getting this:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given.

```php
<?php
$errors = "no";
if ((!isset($_GET['registrationKey'])) || (empty($_GET['registrationKey']))) {
    $errors = "yes";
}

// Helper used in the success message
function my_domain_name() {
    $my_domain = $_SERVER['HTTP_HOST'];
    $my_domain = str_replace('www.', '', $my_domain);
    return $my_domain;
}

// Error checking, make sure all form fields have input
if ($errors == "yes") {
    // No registration key present
    echo "The registration key can not be found!";
} else {
    // Get query string from URL
    $registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);

    // Query database for all users
    $query = "SELECT * FROM manager_users_registrations INNER JOIN manager_users ON manager_users.userID = manager_users_registrations.userID WHERE registrationKey = '" . $registrationKey . "'";
    $result = mysqli_query($dbc, $query);

    if (mysqli_num_rows($result) == 1) {
        while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
            $userID = $row['userID'];
            if ($registrationKey == $row['registrationKey']) {
                // Both tables have a userID column, so the WHERE clause must qualify it
                // and join the two tables; an unqualified "WHERE userID = ..." is ambiguous.
                $query = "UPDATE manager_users_registrations, manager_users SET manager_users_registrations.registrationKey = '', manager_users.statusID = 2 WHERE manager_users.userID = manager_users_registrations.userID AND manager_users_registrations.userID = '" . $userID . "'";
                // The original assigned this to $result, replacing the SELECT result set
                // with the UPDATE's boolean return value; the next loop iteration then handed
                // that boolean to mysqli_fetch_array(), which is the warning quoted above.
                $updateResult = mysqli_query($dbc, $query);
                // Registration key found
                echo "Congratulations " . $row['firstName'] . " " . $row['lastName'] . " you are now a registered and verified member of a " . my_domain_name() . " account. You will be redirected to the login form!";
            }
        }
    }
}
?>
```
Xtremer360 (author), posted June 18, 2011

> > I should probably check to make sure my generated registrationKey isn't already inside of the db for another user before a user registers, huh? And also, is this how it should be performed correctly?
> >
> > `$registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);`
>
> Yes, that's right. However, you are using mysqli, and so you should take advantage of that fact and use prepared statements. In doing so, you don't have to escape data and you don't have to worry about SQL injection.

So by that, I should verify that a registration key doesn't already exist with that same string.
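Taking redixx's prepared-statement suggestion, PFMaBiSmAd's point about numeric values in unquoted positions, and the uniqueness check asked about just above, here is an added example (not code from the thread) that rewrites the posted lookup and update with mysqli prepared statements. It assumes $dbc is an open mysqli object (object interface rather than the procedural calls used above), mysqlnd for get_result(), the posted table and column names, and that a key is 5 alphanumeric characters as described in the thread.

```php
<?php
// Added example (not from the thread): the lookup/update from the posted code
// rewritten with mysqli prepared statements. Assumes $dbc is an open mysqli
// connection with mysqlnd (for get_result) and the posted table/column names.

// Is this freshly generated key already assigned to someone? (uniqueness check)
function keyIsUnused(mysqli $dbc, string $key): bool
{
    $stmt = $dbc->prepare('SELECT 1 FROM manager_users_registrations WHERE registrationKey = ? LIMIT 1');
    $stmt->bind_param('s', $key);
    $stmt->execute();
    $stmt->store_result();
    $unused = ($stmt->num_rows === 0);
    $stmt->close();
    return $unused;
}

// Verify a key from the URL and activate the account; returns the user row or null.
function verifyRegistrationKey(mysqli $dbc, string $key): ?array
{
    // Validate the shape first (assumed here: 5 alphanumeric characters, as described
    // in the thread). Escaping is unnecessary with bound parameters; validation still is not.
    if (!preg_match('/^[A-Za-z0-9]{5}$/', $key)) {
        return null;
    }
    $stmt = $dbc->prepare('SELECT u.userID, u.firstName, u.lastName
                             FROM manager_users_registrations r
                             INNER JOIN manager_users u ON u.userID = r.userID
                            WHERE r.registrationKey = ?');
    $stmt->bind_param('s', $key);        // sent as data, never spliced into the SQL text
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($user === null) {
        return null;
    }
    // A separate statement for the UPDATE, so the SELECT result is never clobbered.
    // 'i' binds userID as an integer: the point made above about numbers in unquoted
    // positions, where escaping a string would not help.
    $upd = $dbc->prepare('UPDATE manager_users_registrations r
                           INNER JOIN manager_users u ON u.userID = r.userID
                              SET r.registrationKey = \'\', u.statusID = 2
                            WHERE r.userID = ?');
    $upd->bind_param('i', $user['userID']);
    $upd->execute();
    $upd->close();
    return $user;
}
```

Call keyIsUnused() in a loop when generating a key, regenerating until it returns true, and verifyRegistrationKey() in place of the SELECT/UPDATE pair in the posted page.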