rofl90 Posted March 6, 2008

$user = mysql_real_escape_string(stripslashes(htmlentities(ucwords(strtolower($_POST["userid"])))));
$pass = md5(mysql_real_escape_string(stripslashes(htmlentities($_POST["password"]))));

That's my SQL injection protection. It all works, except for when I add mysql_real_escape_string into the mix. What exactly does it change/do?
cooldude832 Posted March 6, 2008

The escape function does what it says: it escapes the string for safe entry into your version of MySQL.
uniflare Posted March 6, 2008

Basically, it adds backslashes to anything in the given string that could/would compromise the SQL syntax. E.g.:

this "string" here

would become:

this \"string\" here

php.net/mysql_real_escape_string
php.net/mysql_escape_string
rofl90 (Author) Posted March 6, 2008

In my context, what would it change it to?
cooldude832 Posted March 6, 2008

Nothing to everything; it is dependent on the POST data and your version of MySQL.
http://us3.php.net/manual/en/function.mysql-real-escape-string.php
uniflare Posted March 6, 2008

Well, it depends what $_POST["userid"] and $_POST["password"] are. Say username = "testuser" and password = "testpassword"; it would change nothing.
roopurt18 Posted March 6, 2008

There is a very high chance your use of htmlentities() is incorrect. Take a look at this thread for the explanations why:
http://www.phpfreaks.com/forums/index.php/topic,185847.0.html
rofl90 (Author) Posted March 6, 2008

My posts are text and text000.
rofl90 (Author) Posted March 6, 2008

Also, removing mysql_real_escape_string() makes it work, so it's obviously that. Is there any other way?
kenrbnsn Posted March 6, 2008

What do you mean by "also removing mysql_real_escape_string() makes it work"? Please explain what is happening when you use mysql_real_escape_string() vs. when you don't.

Ken
uniflare Posted March 6, 2008

If username = "text" and password = "text000":

mysql_real_escape_string($username) = "text"
mysql_real_escape_string($password) = "text000"

Just use mysql_escape_string(), unless you're echoing the password/username; then just use htmlentities($username).

NOTE: mysql_escape_string MUST be used AFTER a connection to MySQL has been established, i.e.:

<?php
mysql_connect();
mysql_select_db();

// escape the user-supplied name; the password is hashed, so it is only hex characters
$query = "SELECT * FROM `table` WHERE `username`='" . mysql_escape_string($_POST['userid']) . "' AND `password`='" . md5($_POST['password']) . "'";
$Result = mysql_query($query);
print_r(mysql_fetch_array($Result));

mysql_close();
?>

Hope this helps,
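To make the escaping discussion above concrete, here is an added example that is not from any poster in this thread. It shows, on constructed input, the character-level transformation that mysql_real_escape_string() performs on an injection payload, what happens when that payload is spliced into a WHERE clause the way the thread's login query does, and the prepared-statement form that needs no escaping at all. The database is an in-memory SQLite table via PDO so the script runs offline; the function names (mysqlStyleEscape, makeDb, loginConcat, loginPrepared), the Alice account and the payload are all made up for the demo. The escape helper only mirrors the documented MySQL transformation for illustration; it is not used against the SQLite table and is not a substitute for the real function, which has to run on an open connection because it escapes according to the connection's character set.

```php
<?php
// Added example, not code from the original thread.
// Uses PDO + SQLite in memory so it runs offline; with MySQL the DSN would be
// 'mysql:host=...;dbname=...;charset=utf8mb4' and the rest is unchanged.

declare(strict_types=1);

/**
 * Mirrors the transformation documented for mysql_real_escape_string():
 * a backslash is put before NUL, \n, \r, \, ', " and Control-Z.
 * Illustration only: the real function needs an open connection because
 * the escaping depends on the connection's character set (multibyte
 * charsets are exactly where a connection-unaware escape goes wrong).
 */
function mysqlStyleEscape(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

/** Builds a constructed users table with one account (Alice / s3cret). */
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (User TEXT, Password TEXT)');
    $db->exec("INSERT INTO users VALUES ('Alice', '" . md5('s3cret') . "')");
    return $db;
}

/** The thread's pattern: the user name is spliced straight into the SQL. */
function loginConcat(PDO $db, string $user, string $pass): bool
{
    // md5() output is 32 hex characters, so it contains nothing to escape;
    // the raw $user is the problem.
    $sql = "SELECT * FROM users WHERE User = '$user' AND Password = '" . md5($pass) . "'";
    return (bool) $db->query($sql)->fetch();
}

/** Same check with bound parameters: the driver keeps data out of the SQL text. */
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT * FROM users WHERE User = ? AND Password = ?');
    $stmt->execute([$user, md5($pass)]);
    return (bool) $stmt->fetch();
}

$db = makeDb();
// Constructed payload: closes the quoted literal, adds a tautology, and
// comments out the password check that follows.
$payload = "' OR 1=1 -- ";

echo "raw payload:     " . $payload . "\n";
echo "escaped payload: " . mysqlStyleEscape($payload) . "\n";

echo "concatenated login with payload and wrong password: ";
var_dump(loginConcat($db, $payload, 'wrong'));

echo "prepared login with payload and wrong password:     ";
var_dump(loginPrepared($db, $payload, 'wrong'));

echo "prepared login with real credentials:               ";
var_dump(loginPrepared($db, 'Alice', 's3cret'));
```

Run with `php`, the concatenated query accepts the payload with no valid password because the quote terminates the literal and `-- ` comments out the rest of the WHERE clause, while the prepared statement compares the payload as a plain string and rejects it. The escaped form of the payload begins with `\'`, which is why the original poster's query works once the escape function can reach an open connection: the quote no longer ends the literal. Prepared statements (PDO or mysqli) remove the need to reason about escaping at all and are the form to use in new code; the md5() column is kept only to match the thread's schema, since password_hash()/password_verify() are the appropriate tools for storing passwords today.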
roopurt18 Posted March 6, 2008

$user = mysql_real_escape_string(stripslashes(htmlentities(ucwords(strtolower($_POST["userid"])))));
$pass = md5(mysql_real_escape_string(stripslashes(htmlentities($_POST["password"]))));

How are you using these after the assignments? Have you tried echoing the query you're generating and checking that it is correct?
rofl90 (Author) Posted March 6, 2008

Ahh, after a MySQL connection. One second, lemme try that.

Yay, it works now. Takes ages, but it works. Is it possible to have something saying "this might take a while" after you hit login?
roopurt18 Posted March 6, 2008

Takes ages? It shouldn't. What is the query you're running?
rofl90 (Author) Posted March 6, 2008

Validating your credentials... Please wait a moment...

<?php
/* get the incoming ID and password hash */

/* establish a connection with the database */
$server = mysql_connect("x", "x", "x");
if (!$server) die(mysql_error());
mysql_select_db("x");

/* normalise and escape the submitted user ID; hash the submitted password */
$user = mysql_real_escape_string(strip_tags(htmlentities(ucwords(strtolower($_POST["userid"])))));
$pass = md5(mysql_real_escape_string(strip_tags(htmlentities($_POST["password"]))));

/* SQL statement to query the database */
$query = "SELECT * FROM users WHERE User = '$user' AND Password = '$pass'";

/* query the database */
$result = mysql_query($query);
if ($result && mysql_fetch_row($result)) {
    /* access granted: flag the user as online and start the session */
    $sql = "update users set online='<img src=\"/images/online.png\" border=\"0\" />' WHERE User = '$user'";
    mysql_query($sql) or die(mysql_error());
    session_start();
    header("Cache-control: private");
    $_SESSION["access"] = "granted";
    $_SESSION["user"] = $user;
    header("Location: index2.php");
} else {
    /* access denied: redirect back to login */
    header("Location: index.php?a=Login has failed, please try again.");
}
?>
roopurt18 Posted March 6, 2008

SELECT * FROM users WHERE User = '$user' AND Password = '$pass'

If you have a lot of users in your DB, create an index on `User` and maybe the first 5 or 6 characters of `Password`. That should help the select query run quickly.

update users set online='<img src=\"/images/online.png\" border=\"0\" />' WHERE User = '$user'

The index above will also help with the speed of this query. But why on Earth are you storing an image path in the database? Change your `online` field to a TINYINT and set it to 1 if the user is online and 0 if they are not. Alternatively you can use an ENUM field. Then you use your program logic to display the online.png graphic for that user if the DB says they are online.

If you have relatively few users in your database, then it might be taking ages due to numerous factors: a heavy server load, slow internet connection, something else inefficient in your program, or a million and one other possibilities.
Naez Posted March 6, 2008

Just throwing this out there: since you are MD5-hashing the password anyway, there is no reason to format it further. If you hash something, there's no way it can be a SQL injection.
rofl90 (Author) Posted March 6, 2008

Thanks, both of you. There are only 2 users; the server is based in the UK, and I'm getting 103ms on cmd *boo*. I don't need indexing, but thanks for the tip with the online/offline, I'll try that. Ty!
Psycho Posted March 6, 2008

A couple of things. I wouldn't suggest using htmlentities when inserting data into the database. I would use it when displaying the data. The problem is that htmlentities converts characters to their HTML character code, so the ampersand character '&' becomes '&amp;'. Now you will have problems with character lengths. If a DB field only takes 10 characters and the input field accepts 10 characters, an input by the user of 'some&else' will result in a string that is 13 characters long.

Also, there is no need to do any character escaping with the password. Just use MD5($_POST["password"]). The result will always be safe for insertion.
rofl90 (Author) Posted March 6, 2008

I have changed the md5 stuff, and now I just have strip_tags. Anyway, there's no registration; I have a personal option in my personal admin panel to add an account, so I add clients'/staff's accounts.

Anyone recommend some good American-server-based hosting?