Inquisitor_Ehrenstein Posted January 20, 2013 Share Posted January 20, 2013 When I try to setup a contact form application I'm working on, it doesn't work. I'm using "root" as the username and password. This is what I get for the username and password entires in the database: PHP is 5.4.4 and MySQL is 5.5.25 Username: {mysql_real_escape_string(root Password: {mysql_real_escape_string(root This is the code I'm using: Install.php <html> <head> <title> Install contact form </title> </head> <body> <form action="install-script.php" method="post"> <fieldset> <label for="new_admin_username">Username of administrator account:</label> <input type="text" name="new_admin_username" size="40" class="required"/> <br> <label for="new_admin_password">Password:</label> <input type="text" name="new_admin_password" size="40" class="required"/> <br><!-- <label for="new_admin_confirm_password">Confirm password:</label> <input type="password" name="new_admin_confirm_password" size="40" class="required"/> <br> --> </fieldset> <fieldset align="center"> <input type="submit" value="Install"/> </fieldset> </form> </body> </html> install-script.php <?php require 'dbconnect.php'; // Get user account information from installation form $new_admin_username = trim($_REQUEST['new_admin_username']); $new_admin_password = trim($_REQUEST['new_admin_password']); // Create the user table $create_user_table = " CREATE TABLE /*$dbprefix*/users ( user_id int AUTO_INCREMENT PRIMARY KEY, username varchar(30) NOT NULL, password varchar(30) NOT NULL ); "; mysql_query($create_user_table) or die(mysql_error()); // Create table for storing messages $create_message_table = " CREATE TABLE /*$dbprefix*/messages ( message_id int AUTO_INCREMENT PRIMARY KEY, sender_name varchar(50) NOT NULL, sender_email varchar(50) NOT NULL, sender_message varchar(2000) NOT NULL ); "; mysql_query($create_message_table) or die(mysql_error()); // Create user account $new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)". "VALUES ('{mysql_real_escape_string($new_admin_username)}',". "'{mysql_real_escape_string($new_admin_password)}');"; mysql_query($new_admin_create_account) or die(mysql_error()); ?> Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/ Share on other sites More sharing options...
Jessica Posted January 20, 2013 Share Posted January 20, 2013 You can't put a function within a string like that. As you should be able to deduce from your bad data. Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/#findComment-1407140 Share on other sites More sharing options...
Inquisitor_Ehrenstein Posted January 20, 2013 Author Share Posted January 20, 2013 You can't put a function within a string like that. As you should be able to deduce from your bad data. Ok, thanks. The book I have showed an example like that. How do I make user input secure, since it needs to have an escape like that? EDIT I just tried this: // Create user account $new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)". "VALUES ({mysql_real_escape_string('$new_admin_username')},". "{mysql_real_escape_string('$new_admin_password')});"; mysql_query($new_admin_create_account) or die(mysql_error()); The username and password are "root" as they should be. Will this code escape the SQL code that's being input? Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/#findComment-1407150 Share on other sites More sharing options...
Jessica Posted January 20, 2013 Share Posted January 20, 2013 You can't use functions inside a string. So where CAN you use them? Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/#findComment-1407152 Share on other sites More sharing options...
Inquisitor_Ehrenstein Posted January 20, 2013 Author Share Posted January 20, 2013 You can't use functions inside a string. So where CAN you use them? It looks like the string is coming after the function. EDIT It looks like now the string is inside the function. Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/#findComment-1407156 Share on other sites More sharing options...
DavidAM Posted January 20, 2013 Share Posted January 20, 2013 She's talking about the PHP string (not the mySQL string value) This statement: $new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)". "VALUES ('{mysql_real_escape_string($new_admin_username)}',". "'{mysql_real_escape_string($new_admin_password)}');"; is building a string. This part "VALUES ('{mysql_real_escape_string($new_admin_username)}'," is a string (literal). While you can use variables inside a (double-quoted) string, you can not use a function inside a string. You have to break the string assignment up and concatenate the function's return value. $new_admin_create_account = "INSERT INTO users (username, password)" . "VALUES ('" . mysql_real_escape_string($new_admin_username) . "'," . "'" . mysql_real_escape_string($new_admin_password) . "');"; Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/#findComment-1407162 Share on other sites More sharing options...
Jessica Posted January 20, 2013 Share Posted January 20, 2013 You cannot put mysql_real_escape_string INSIDE OF ANOTHER STRING. If you do echo "strlen($str)"; you will not get the strlen of $str. Move your function OUT OF THE STRING. Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/#findComment-1407163 Share on other sites More sharing options...
Inquisitor_Ehrenstein Posted January 21, 2013 Author Share Posted January 21, 2013 Ok, I see how it works. In " . mysql_real_escape_string($new_admin_username) . " , ". and ." are separating mysql_real_escape_string($new_admin_username) out of the string. Link to comment https://forums.phpfreaks.com/topic/273405-i-cant-get-the-new-username-and-password-to-enter-correctly-for-an-application-im-creating/#findComment-1407194 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.