Xtremer360 Posted June 18, 2011

Is it necessary to do a mysqli_real_escape_string on a GET variable from the URL? I ask because it's for an account validation and I'm going to get it from the URL and match it up against the registrations in the db.
Pikachu2000 Posted June 18, 2011

It's necessary to validate and/or sanitize and/or escape all such data.
Xtremer360 (Author) Posted June 18, 2011

I should probably check to make sure my generated registrationKey isn't already inside of the db for another user before a user registers, huh? And also, is this how it should be performed correctly?

$registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);
redixx Posted June 18, 2011

> I should probably check to make sure my generated registrationKey isn't already inside of the db for another user before a user registers, huh? And also, is this how it should be performed correctly?
>
> $registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);

Yes, that's right. However, you are using mysqli, so you should take advantage of that fact and use prepared statements. In doing so, you don't have to escape data and you don't have to worry about SQL injection.
Xtremer360 (Author) Posted June 18, 2011

Thank you.
PFMaBiSmAd Posted June 18, 2011

If your $registrationKey value is a number only and you are putting it into a query statement as a number, without any quoting around it, using mysqli_real_escape_string won't stop SQL injection, because mysqli_real_escape_string is only for escaping string data being put into a query.
Xtremer360 (Author) Posted June 18, 2011

It's actually a generated string of 32 numbers and letters, but I only use the first 5 characters.
Xtremer360 (Author) Posted June 18, 2011

I just wanted to attach one more question to this board topic. I'm not sure why, but I'm getting this:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given.

<?php
if ((!isset($_GET['registrationKey'])) || (empty($_GET['registrationKey']))) {
    $errors = "yes";
}

// Error checking, make sure all form fields have input
if ($errors == "yes") {
    // No registration key present
    echo "The registration key can not be found!";
} else {
    // Get query string from URL
    $registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);

    // Query database for all users
    $query = "SELECT * FROM manager_users_registrations
              INNER JOIN manager_users ON manager_users.userID = manager_users_registrations.userID
              WHERE registrationKey = '" . $registrationKey . "'";
    $result = mysqli_query($dbc, $query);

    if (mysqli_num_rows($result) == 1) {
        function my_domain_name() {
            $my_domain = $_SERVER['HTTP_HOST'];
            $my_domain = str_replace('www.', '', $my_domain);
            return $my_domain;
        }

        while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
            $userID = $row['userID'];

            if ($registrationKey == $row['registrationKey']) {
                $query = "UPDATE manager_users_registrations, manager_users
                          SET manager_users_registrations.registrationKey = '', manager_users.statusID = 2
                          WHERE userID = '" . $userID . "'";
                $result = mysqli_query($dbc, $query);

                // Registration key found
                echo "Congratulations " . $row['firstName'] . " " . $row['lastName']
                   . " you are now a registered and verified member of a " . my_domain_name()
                   . " account. You will be redirected to the login form!";
            }
        }
    }
}
?>
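The warning comes from the inner `$result = mysqli_query($dbc, $query)` for the UPDATE: mysqli_query returns a boolean for an UPDATE, so it overwrites the SELECT result and the next loop iteration hands that boolean to mysqli_fetch_array. The following is an added example, not code from the thread, showing the same lookup rewritten with the prepared statements redixx recommends and with separate variables for the two statements; it assumes `$dbc` is an open mysqli connection, that `get_result()` is available (mysqlnd), and that `userID` is an integer column.

```php
<?php
// Added example (not the original poster's code): registration-key lookup
// with mysqli prepared statements. Table and column names are the ones used
// in the thread; $dbc is assumed to be an open mysqli connection.

function activateAccount(mysqli $dbc, string $registrationKey): ?array
{
    // The key is bound as a parameter: no manual escaping, and the value can
    // never alter the structure of the query, whether it is a string or a
    // number (the case PFMaBiSmAd raised about unquoted numeric values).
    $select = $dbc->prepare(
        "SELECT u.userID, u.firstName, u.lastName
           FROM manager_users_registrations r
           INNER JOIN manager_users u ON u.userID = r.userID
          WHERE r.registrationKey = ?"
    );
    $select->bind_param('s', $registrationKey);
    $select->execute();
    $rows = $select->get_result();          // assumes mysqlnd is available

    // Exactly one match is expected; zero or several means the key is invalid.
    $user = ($rows->num_rows === 1) ? $rows->fetch_assoc() : null;
    $select->close();
    if ($user === null) {
        return null;
    }

    // A separate statement and variable, so the SELECT result above is never
    // overwritten by the boolean that an UPDATE returns.
    $userId = (int) $user['userID'];         // assumed integer column
    $update = $dbc->prepare(
        "UPDATE manager_users_registrations r
           INNER JOIN manager_users u ON u.userID = r.userID
            SET r.registrationKey = '', u.statusID = 2
          WHERE r.userID = ?"
    );
    $update->bind_param('i', $userId);
    $update->execute();
    $update->close();

    return $user;
}

$key = $_GET['registrationKey'] ?? '';
$user = ($key === '') ? null : activateAccount($dbc, $key);
if ($user === null) {
    echo "The registration key can not be found!";
} else {
    // Escape database values before echoing them into HTML.
    echo "Congratulations " . htmlspecialchars($user['firstName'] . " " . $user['lastName'])
       . ", your account is now verified.";
}
```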
Xtremer360 (Author) Posted June 18, 2011

> I should probably check to make sure my generated registrationKey isn't already inside of the db for another user before a user registers, huh? And also, is this how it should be performed correctly?
>
> $registrationKey = mysqli_real_escape_string($dbc, $_GET['registrationKey']);

> Yes, that's right. However, you are using mysqli, so you should take advantage of that fact and use prepared statements. In doing so, you don't have to escape data and you don't have to worry about SQL injection.

So by that I should verify that a registration key doesn't already exist with that same string.