Jump to content

Real Escape string question

PRodgers4284

By PRodgers4284
in PHP Coding Help

 Share

Recommended Posts

PRodgers4284 Regular Member

PRodgers4284

Posted
Posted

I am trying to make my code my secure and prevent sql injection attacks, i have the following code that add records to a sql database and im wondering if am going about this in the correct way:

 

<?php 


if (isset($_POST['submit'])) {   

$error_stat = 0;   
$jobtitle_message = '';  
$jobcatergory_message = '';  
$joblocation_message = '';  
$employmenttype_message = '';  
$salary_message = '';  
$date_message = '';  
$educationallevel_message = '';  
$description_message = '';  
$filesize_message = ''; 
$filetype_message = ''; 



$jobtitle = $_POST['jobtitle'];   
$jobcatergory = $_POST['jobcatergory'];   
$joblocation = $_POST['joblocation'];   
$employmenttype= ($_POST['employmenttype']);   
$salary = $_POST['salary'];   
$date = $_POST['date'];   
$educationallevel = $_POST['educationallevel'];   
$description = $_POST['description'];   
$name = $_POST['name'];  
$type = $_POST['type'];  
$size = $_POST['size'];  
$path = $_POST['path'];  


//Error checking   



// Job Title check)   
if (!$jobtitle) {  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  

//Set the message to tell the user to enter a username  
    $jobtitle_message = '*Please enter a job title*';  
}  

else if (ctype_digit($jobtitle)) {   
   $error_stat = 1;   
   $jobtitle_message .= '*Invalid Job Title*';   
}   

else if ( preg_match( '/\W/', $jobtitle)){  
     $error_stat = 1;   
    $jobtitle_message = '*Invalid jobtitle, letters only, no spaces*';   

}   

$jobtitle = $_POST['jobtitle'];   
$jobtitle = trim($jobtitle);   

   if (strlen($jobtitle) > 30){   
   $error_stat = 1;   
   $jobtitle_message = '*Job Title must be 20 characters or less*';   
}   






//  Job Catergory Check)    
if ($jobcatergory == 'Please Select'){  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  
    $jobcatergory_message = '*Please select a Job Catergory*';  
}  





//    Job Location Check)    
if ($joblocation == 'Please Select'){  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  
    $joblocation_message = '*Please select a Job location*';  
}  


// Employment Type Check)    
if ($employmenttype == 'Please Select'){  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  
    $employmenttype_message = '*Please select Employment type*';  
}  





// Salary check)   
if (!$salary) {  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  

//Set the message to tell the user to enter a username  
$salary_message = '*Please enter job salary*';  
}  

else if (!ctype_digit($salary)) {   
   $error_stat = 1;   
   $salary_message .= '*Invalid salary*';   
}  




//Date check)   
if (empty($date)) {  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  

//Set the message to tell the user to enter a dob  
$date_message = '*Please enter job closing date*';  
}  

//Check the format and explode into $parts  
  elseif (!ereg("^([0-9]{2})/([0-9]{2})/([0-9]{4})$",   
          $date, $parts)){  
     $error_stat = 1;       

//Set the message to tell the user the date is invalid  
$date_message = '*Invalid date, must be DD/MM/YYYY format*';  
}  
      
  elseif (!checkdate($parts[2],$parts[1],$parts[3]))  
  {  
  $error_stat = 1;   
    
  //Set the message to tell the date is invalid for the month entered  
    $date_message = '*Invalid date, month must be between 1-12*';  
}  
    

// Job Description check)   
if (!$description) {  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  

//Set the message to tell the user to enter a username  
    $description_message = '*Please enter a job description*';  
}  
    
    
    
//    Educational Level Check)    
if ($educationallevel == 'Please Select'){  
//Set the error_stat to 1, which means that an error has occurred  
    $error_stat = 1;  
    $educationallevel_message = '*Please select Educational level required*';  
}  


if( $_FILES['userfile']['size'] > 2000000 ){ 
    //Set the error_stat to 1, which means that an error has occurred 
    $error_stat = 1; 
    $filesize_message = '*Filesize too large *'; 

    } 
     
    $fileTypes = array("application/pdf", "application/msword"); 

    if( !in_array("{$_FILES['userfile']['type']}", $fileTypes) ){ 
    $error_stat = 1; 
    $filetype_message = '*Filetype not allowed *'; 

    } 




$uploadDir = 'applicationforms/';   

if (isset($_POST['submit']) && $error_stat == 0) {  


    $fileName = $_FILES['userfile']['name'];  
    $tmpName  = $_FILES['userfile']['tmp_name'];  
    $fileSize = $_FILES['userfile']['size'];  
    $fileType = $_FILES['userfile']['type'];  

    // the files will be saved in filePath   
    $filePath = $uploadDir . $fileName;  

    // move the files to the specified directory  
    // if the upload directory is not writable or  
    // something else went wrong $result will be false  
    $result    = move_uploaded_file($tmpName, $filePath);  
      
      
    include("database.php");  

    if(!get_magic_quotes_gpc())  
    {  
        $fileName  = addslashes($fileName);  
        $filePath  = addslashes($filePath);  
    }    
} 
  

      
$account = mysql_fetch_array(mysql_query("SELECT * FROM employers WHERE username='" . $_SESSION["username"] . "'"));   

$username = $account["username"];  

} 
$count_sql = "select * FROM job WHERE username='" . $_SESSION["username"] . "'"; 
$count_result = mysql_query($count_sql); 
$count = mysql_num_rows($count_result); 


if ($count >= 4) { 
echo "<h4>Error, You cannot add .</h4>"; 
echo "<h4>There are already 4 existing jobs in the database, to add another job please deleting an existing one.</h4>"; 
} 



//Then, only run the query if there were no errors (if $error_stat still equals 0)   
else if (isset($_POST['submit']) && $error_stat == 0) {   
   mysql_query("INSERT INTO job (username, jobtitle, jobcatergory, joblocation, employmenttype, salary, date, educationallevel, description, name, type, size, path) VALUES ('$username', '$jobtitle', '$jobcatergory', '$joblocation', '$employmenttype', '$salary', '$date', '$educationallevel', '$description', '$fileName', '$fileType', '$fileSize', '$filePath')");   
      
echo "<h3>Job has been successfully added to the database!</h3>";   
   echo "<p>Thankyou, <b>$username</b></p>";   
   echo "<p>Back to main page.</p>";  
      echo "<a href=\"index2.php\">Login</a>"; 
       
        
}  




//Then, for the form, only show it if 1) the form hasn't been submitted yet OR 2) there is an error   
elseif (!isset($_POST['submit']) || $error_stat == 1) {   



?>

 

Would it be sufficient to use: "$jobtitle = (mysql_real_escape_string($_POST['jobtitle']));" at the begining of the code for the values being added to the database?

     

 

Link to comment
Share on other sites
conker87 Member

conker87

Posted
Posted

On second thoughts, you could just look at the phpinfo() function, if magic_quotes are on, then use:

<?php
$jobtitle = mysql_real_escape_string(stripslashes($_POST['jobtitle']));
?>

That way you don't need to set up an if statement for all $_POST data.

 

Unless you can do

<?php
mysql_real_escape_string(stripslashes($_POST));
?>

To catch all $_POST'd data?

Link to comment
Share on other sites
PRodgers4284 Regular Member

PRodgers4284

Posted
  • Author
Posted

Hey thanks for the reply

 

I have updated the code, just wondering would this be sufficient method to use to stop sql injection:

 

Heres a snippet of the code:

 

$jobtitle = mysql_real_escape_string(stripslashes($_POST['jobtitle']));
$jobcatergory = mysql_real_escape_string(stripslashes($_POST['jobcatergory'])); 
$joblocation = mysql_real_escape_string(stripslashes($_POST['joblocation']));
$employmenttype = mysql_real_escape_string(stripslashes($_POST['employmenttype']));
$salary = mysql_real_escape_string(stripslashes($_POST['salary'])); 
$date = mysql_real_escape_string(stripslashes($_POST['date']));  
$educationallevel = mysql_real_escape_string(stripslashes($_POST['educationallevel']));
$description = mysql_real_escape_string(stripslashes($_POST['description']));
$name = mysql_real_escape_string(stripslashes($_POST['name']));  
$type = mysql_real_escape_string(stripslashes($_POST['type']));
$size = mysql_real_escape_string(stripslashes($_POST['size']));
$path = mysql_real_escape_string(stripslashes($_POST['path']));

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.