
SanitizeForSQL function to pdo


brown2005


$username = SanitizeForSQL($username);
$pwdmd5 = md5($password);

$stmt = $db->query("SELECT * FROM people
INNER JOIN people_emails ON people_id=people_emails_person
INNER JOIN members ON people_id=members_person
WHERE members_username='$username'
AND members_password='$pwdmd5'
AND people_emails_primary='1'
AND people_emails_valid='y'");

$row_count = $stmt->rowCount();

if($row_count <= 0){
$this->HandleError("Error logging in. The username or password does not match");
return false;
}


function SanitizeForSQL($str)
{
if( function_exists( "mysql_real_escape_string" ) )
{
$ret_str = mysql_real_escape_string( $str );
}
else
{
$ret_str = addslashes( $str );
}
return $ret_str;
}


Hi, above is the code I used whilst using the old mysql_ functions, which I have converted to PDO:


    global $db;

    $username = $username;
    $password = md5($password);

    $stmt = $db->prepare("SELECT * FROM people
        INNER JOIN people_emails ON people_id=people_emails_person
        INNER JOIN members ON people_id=members_person
        WHERE members_username= :username
        AND members_password= :password
        AND people_emails_primary='1'
        AND people_emails_valid='y'");

    $stmt->execute(array(':username' => $username, ':password' => $password));

    $row_count = $stmt->rowCount();

    if($row_count <= 0){
        $this->HandleError("Error logging in. The username or password does not match");
        return false;
    }

    while($row = $stmt->fetch(PDO::FETCH_ASSOC)){
        $_SESSION['name_of_user']  = $row['people_first'];
        $_SESSION['email_of_user'] = $row['people_emails_email'];
    }

    return true;


Is this the correct way to prevent SQL injections instead of using the function SanitizeForSQL($str)?

https://forums.phpfreaks.com/topic/274150-sanitizeforsql-function-to-pdo/

Yes, prepared statements automatically safeguard the data against SQL injections.


However, your password handling is not adequate. Plain MD5 is pretty much the same as saving the password in plain text, as far as security goes. I recommend using bcrypt (PHP 5.3+) or PHPass instead.

For a short introduction to the whys, and links to the above, please see this video:


PS: You're not checking for SQL errors after executing the query, which you should be doing.
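The three points in the reply above (bind the user input, replace MD5 with bcrypt, and check for SQL errors) put together in one runnable script. This is an added example, not the poster's code or the replier's; it uses the table and column names from the thread's query but assumes an in-memory SQLite database, a constructed sample user, PHP 7.1+ (password_hash()/password_verify() exist since 5.5, nullable return types since 7.1), and the helper names connect(), addMember() and login() are made up here.

```php
<?php
// Added example, not the original poster's code: a PDO login that
// (1) binds the username as a parameter, (2) stores and checks bcrypt hashes
// with password_hash()/password_verify() instead of MD5, and (3) surfaces SQL
// errors as PDOException. Table and column names follow the query in the
// thread; the in-memory SQLite database and the sample user are constructed
// here so the script runs stand-alone.

declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on any SQL error instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE people (people_id INTEGER PRIMARY KEY, people_first TEXT)');
    $db->exec('CREATE TABLE people_emails (people_emails_person INTEGER,
               people_emails_email TEXT, people_emails_primary TEXT, people_emails_valid TEXT)');
    $db->exec('CREATE TABLE members (members_person INTEGER,
               members_username TEXT UNIQUE, members_password TEXT)');
    return $db;
}

function addMember(PDO $db, int $id, string $first, string $email,
                   string $username, string $password): void
{
    // bcrypt with a random per-user salt; the cost factor defaults to 10.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $db->prepare('INSERT INTO people VALUES (:id, :first)')
       ->execute([':id' => $id, ':first' => $first]);
    $db->prepare("INSERT INTO people_emails VALUES (:id, :email, '1', 'y')")
       ->execute([':id' => $id, ':email' => $email]);
    $db->prepare('INSERT INTO members VALUES (:id, :username, :hash)')
       ->execute([':id' => $id, ':username' => $username, ':hash' => $hash]);
}

/** Returns the user's first name and e-mail on success, null on failure. */
function login(PDO $db, string $username, string $password): ?array
{
    // Only the username goes into the query. The password is never compared
    // in SQL: the stored hash is fetched and checked with password_verify().
    $stmt = $db->prepare("SELECT people_first, people_emails_email, members_password
        FROM people
        INNER JOIN people_emails ON people_id = people_emails_person
        INNER JOIN members ON people_id = members_person
        WHERE members_username = :username
          AND people_emails_primary = '1'
          AND people_emails_valid = 'y'");
    $stmt->execute([':username' => $username]);

    // fetch() rather than rowCount(): PDO does not guarantee rowCount() for SELECT.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a throwaway hash so the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT);
    }
    $hash = $row ? $row['members_password'] : $dummyHash;

    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    unset($row['members_password']);
    return $row;  // caller puts these in $_SESSION after session_regenerate_id(true)
}

$db = connect();
addMember($db, 1, 'Alice', 'alice@example.com', 'alice', 'correct horse battery staple');

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
// The classic payload is bound as a literal string, so it matches no username.
var_dump(login($db, "' OR '1'='1", 'anything'));

// Point (3): with ERRMODE_EXCEPTION a failed query cannot go unnoticed.
try {
    $db->query('SELECT * FROM no_such_table');
} catch (PDOException $e) {
    echo 'SQL error caught: ', $e->getMessage(), PHP_EOL;
}
```

Two notes for the MySQL case the thread is actually about: set `PDO::ATTR_EMULATE_PREPARES` to false as well, so the binding is done by the server rather than by the driver's client-side emulation; and existing rows holding MD5 digests cannot be checked by password_verify(), so a migration has to rehash each user's password on their next successful login (or force a reset).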
