SanitizeForSQL function to pdo


brown2005

// Old mysql_ version: the username is escaped, then interpolated into the query string
$username = SanitizeForSQL($username);
$pwdmd5 = md5($password);

$stmt = $db->query("SELECT * FROM people
    INNER JOIN people_emails ON people_id=people_emails_person
    INNER JOIN members ON people_id=members_person
    WHERE members_username='$username'
    AND members_password='$pwdmd5'
    AND people_emails_primary='1'
    AND people_emails_valid='y'");

$row_count = $stmt->rowCount();

if($row_count <= 0){
    $this->HandleError("Error logging in. The username or password does not match");
    return false;
}


// Escapes quotes so a value can be placed inside a quoted SQL literal
function SanitizeForSQL($str)
{
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $ret_str = mysql_real_escape_string( $str );
    }
    else
    {
        $ret_str = addslashes( $str );
    }
    return $ret_str;
}

Hi, above is the code I used while I was on the old mysql_ extension, which I have converted to PDO:

global $db;

// No escaping needed: the raw username is bound to a named placeholder below
$password = md5($password);

$stmt = $db->prepare("SELECT * FROM people
    INNER JOIN people_emails ON people_id=people_emails_person
    INNER JOIN members ON people_id=members_person
    WHERE members_username= :username
    AND members_password= :password
    AND people_emails_primary='1'
    AND people_emails_valid='y'");

$stmt->execute(array(':username' => $username, ':password' => $password));

$row_count = $stmt->rowCount();

if($row_count <= 0){
    $this->HandleError("Error logging in. The username or password does not match");
    return false;
}

while($row = $stmt->fetch(PDO::FETCH_ASSOC)){
    $_SESSION['name_of_user']  = $row['people_first'];
    $_SESSION['email_of_user'] = $row['people_emails_email'];
}

return true;

Is this the correct way to prevent SQL injections, instead of using the function SanitizeForSQL($str)?


Yes, prepared statements automatically safeguard the data against SQL injections.

However, your password handling is not adequate. Plain MD5 is pretty much the same as saving the password in plain text, as far as security goes. I recommend using bcrypt (PHP 5.3+) or PHPass instead.

For a short introduction to the whys, and links to the above, please see this video:

PS: You're not checking for SQL errors after executing the query, which you should be doing.
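To tie the three points of the reply together, here is an added example (not the original poster's code) of the same login lookup with a prepared statement, bcrypt verification via password_hash()/password_verify() (PHP 5.5+; on 5.3/5.4 the same result needs crypt() or PHPass as the reply suggests), and PDO set to throw on SQL errors. It assumes $db is a PDO instance and that the members_password column has been migrated to hold a bcrypt hash rather than an MD5 digest.

```php
<?php
// Added example: login with a prepared statement, bcrypt and PDO error reporting.
// Assumes $db is a PDO instance and members_password stores a password_hash() result.

function pdoLogin(PDO $db, $username, $password)
{
    // Make PDO throw on SQL errors, so a failed query can never be mistaken
    // for "no matching user" (rowCount() would also be 0 after a failure).
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Look the user up by username only; the password never enters the query.
    $stmt = $db->prepare(
        "SELECT people_first, people_emails_email, members_password
           FROM people
           INNER JOIN people_emails ON people_id = people_emails_person
           INNER JOIN members ON people_id = members_person
           WHERE members_username = :username
             AND people_emails_primary = '1'
             AND people_emails_valid = 'y'
           LIMIT 1"
    );
    $stmt->execute(array(':username' => $username));

    // fetch() instead of rowCount(): PDO does not guarantee rowCount() for SELECT.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored bcrypt hash (constant-time inside password_verify).
    if ($row === false || !password_verify($password, $row['members_password'])) {
        return null; // same generic failure for unknown user and wrong password
    }

    // Transparently upgrade hashes created with an older/lower cost factor.
    if (password_needs_rehash($row['members_password'], PASSWORD_BCRYPT)) {
        $upd = $db->prepare("UPDATE members SET members_password = :hash WHERE members_username = :username");
        $upd->execute(array(':hash' => password_hash($password, PASSWORD_BCRYPT), ':username' => $username));
    }

    return array('name' => $row['people_first'], 'email' => $row['people_emails_email']);
}

// Registration / password-change side: store a bcrypt hash, never md5($password).
function hashPasswordForStorage($password)
{
    return password_hash($password, PASSWORD_BCRYPT);
}
```

A PDOException thrown inside pdoLogin() should be caught by the caller and logged server-side, with only a generic message shown to the user.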
