Inquisitor_Ehrenstein Posted January 20, 2013 (edited)

When I try to set up a contact form application I'm working on, it doesn't work. I'm using "root" as the username and password. This is what I get for the username and password entries in the database (PHP is 5.4.4 and MySQL is 5.5.25):

Username: {mysql_real_escape_string(root
Password: {mysql_real_escape_string(root

This is the code I'm using:

Install.php

<html>
<head>
    <title> Install contact form </title>
</head>
<body>
    <form action="install-script.php" method="post">
        <fieldset>
            <label for="new_admin_username">Username of administrator account:</label>
            <input type="text" name="new_admin_username" size="40" class="required"/>
            <br>
            <label for="new_admin_password">Password:</label>
            <input type="text" name="new_admin_password" size="40" class="required"/>
            <br><!--
            <label for="new_admin_confirm_password">Confirm password:</label>
            <input type="password" name="new_admin_confirm_password" size="40" class="required"/>
            <br> -->
        </fieldset>
        <fieldset align="center">
            <input type="submit" value="Install"/>
        </fieldset>
    </form>
</body>
</html>

install-script.php

<?php
require 'dbconnect.php';

// Get user account information from installation form
$new_admin_username = trim($_REQUEST['new_admin_username']);
$new_admin_password = trim($_REQUEST['new_admin_password']);

// Create the user table
$create_user_table = "
CREATE TABLE /*$dbprefix*/users (
    user_id int AUTO_INCREMENT PRIMARY KEY,
    username varchar(30) NOT NULL,
    password varchar(30) NOT NULL
);
";
mysql_query($create_user_table) or die(mysql_error());

// Create table for storing messages
$create_message_table = "
CREATE TABLE /*$dbprefix*/messages (
    message_id int AUTO_INCREMENT PRIMARY KEY,
    sender_name varchar(50) NOT NULL,
    sender_email varchar(50) NOT NULL,
    sender_message varchar(2000) NOT NULL
);
";
mysql_query($create_message_table) or die(mysql_error());

// Create user account
$new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)".
    "VALUES ('{mysql_real_escape_string($new_admin_username)}',".
    "'{mysql_real_escape_string($new_admin_password)}');";
mysql_query($new_admin_create_account) or die(mysql_error());
?>

Edited January 20, 2013 by Inquisitor_Ehrenstein
Jessica Posted January 20, 2013

You can't put a function within a string like that. As you should be able to deduce from your bad data.
Inquisitor_Ehrenstein Posted January 20, 2013 (Author, edited)

Quoting Jessica: You can't put a function within a string like that. As you should be able to deduce from your bad data.

Ok, thanks. The book I have showed an example like that. How do I make user input secure, since it needs to have an escape like that?

EDIT: I just tried this:

// Create user account
$new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)".
    "VALUES ({mysql_real_escape_string('$new_admin_username')},".
    "{mysql_real_escape_string('$new_admin_password')});";
mysql_query($new_admin_create_account) or die(mysql_error());

The username and password are "root" as they should be. Will this code escape the SQL code that's being input?

Edited January 20, 2013 by Inquisitor_Ehrenstein
Jessica Posted January 20, 2013

You can't use functions inside a string. So where CAN you use them?
Inquisitor_Ehrenstein Posted January 20, 2013 (Author, edited)

Quoting Jessica: You can't use functions inside a string. So where CAN you use them?

It looks like the string is coming after the function.

EDIT: It looks like now the string is inside the function.

Edited January 20, 2013 by Inquisitor_Ehrenstein
DavidAM Posted January 20, 2013

She's talking about the PHP string (not the MySQL string value). This statement:

$new_admin_create_account = "INSERT INTO /*$dbprefix*/users (username, password)".
    "VALUES ('{mysql_real_escape_string($new_admin_username)}',".
    "'{mysql_real_escape_string($new_admin_password)}');";

is building a string. This part

"VALUES ('{mysql_real_escape_string($new_admin_username)}',"

is a string (literal). While you can use variables inside a (double-quoted) string, you cannot use a function inside a string. You have to break the string assignment up and concatenate the function's return value.

$new_admin_create_account = "INSERT INTO users (username, password)" .
    "VALUES ('" . mysql_real_escape_string($new_admin_username) . "'," .
    "'" . mysql_real_escape_string($new_admin_password) . "');";
Jessica Posted January 20, 2013

You cannot put mysql_real_escape_string INSIDE OF ANOTHER STRING. If you do

echo "strlen($str)";

you will not get the strlen of $str. Move your function OUT OF THE STRING.
Inquisitor_Ehrenstein Posted January 21, 2013 (Author, edited)

Ok, I see how it works. In " . mysql_real_escape_string($new_admin_username) . ", the " . and . " are separating mysql_real_escape_string($new_admin_username) out of the string.

Edited January 21, 2013 by Inquisitor_Ehrenstein
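The string-interpolation point Jessica and DavidAM make, as an added example that is not code from the thread: it reproduces the stored value the original poster saw, shows why the second attempt only appeared to work, and then builds the INSERT with a mysqli prepared statement so no manual escaping is needed (connection details are placeholders).

```php
<?php
// Added example, not code from the thread. Reproduces the bug the original
// poster saw and shows the fix with a mysqli prepared statement.

// Constructed sample input, standing in for the form fields.
$new_admin_username = "root";
$new_admin_password = "root";

// 1. Inside a double-quoted string PHP expands variables, not function calls.
//    "{mysql_real_escape_string(" and ")}" stay literal text; only
//    $new_admin_username is substituted.
$bad_values = "VALUES ('{mysql_real_escape_string($new_admin_username)}')";
echo $bad_values, "\n";
// Prints: VALUES ('{mysql_real_escape_string(root)}')
// That 32-character literal is what went into the table; the varchar(30)
// column cut it to "{mysql_real_escape_string(root", exactly as reported.

// 2. Moving the quotes inside the braces (the poster's second attempt) looks
//    fixed only because MySQL reads {identifier expr} as ODBC escape syntax,
//    ignores the identifier and evaluates ('root') on its own. Nothing is
//    escaped, so the statement is still built from raw form input.
$still_bad = "VALUES ({mysql_real_escape_string('$new_admin_username')})";
echo $still_bad, "\n";
// Prints: VALUES ({mysql_real_escape_string('root')})

// 3. Let the driver separate SQL from data: a prepared statement needs no
//    escaping at all. ext/mysql is deprecated in PHP 5.5 and removed in 7.0;
//    mysqli replaces it. The password is stored as a hash, never in clear,
//    so the column must be wider than the thread's varchar(30)
//    (PASSWORD_DEFAULT hashes are 60 characters or more).
function create_admin(mysqli $db, $username, $password)
{
    $stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT); // needs PHP >= 5.5
    $stmt->bind_param("ss", $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Connection values are placeholders; take the real ones from dbconnect.php.
// $db = new mysqli("DB_HOST", "DB_USER", "DB_PASS", "DB_NAME");
// var_dump(create_admin($db, $new_admin_username, $new_admin_password));
```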