PRodgers4284 Posted March 14, 2008 Share Posted March 14, 2008 I am trying to make my code my secure and prevent sql injection attacks, i have the following code that add records to a sql database and im wondering if am going about this in the correct way: <?php if (isset($_POST['submit'])) { $error_stat = 0; $jobtitle_message = ''; $jobcatergory_message = ''; $joblocation_message = ''; $employmenttype_message = ''; $salary_message = ''; $date_message = ''; $educationallevel_message = ''; $description_message = ''; $filesize_message = ''; $filetype_message = ''; $jobtitle = $_POST['jobtitle']; $jobcatergory = $_POST['jobcatergory']; $joblocation = $_POST['joblocation']; $employmenttype= ($_POST['employmenttype']); $salary = $_POST['salary']; $date = $_POST['date']; $educationallevel = $_POST['educationallevel']; $description = $_POST['description']; $name = $_POST['name']; $type = $_POST['type']; $size = $_POST['size']; $path = $_POST['path']; //Error checking // Job Title check) if (!$jobtitle) { //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; //Set the message to tell the user to enter a username $jobtitle_message = '*Please enter a job title*'; } else if (ctype_digit($jobtitle)) { $error_stat = 1; $jobtitle_message .= '*Invalid Job Title*'; } else if ( preg_match( '/\W/', $jobtitle)){ $error_stat = 1; $jobtitle_message = '*Invalid jobtitle, letters only, no spaces*'; } $jobtitle = $_POST['jobtitle']; $jobtitle = trim($jobtitle); if (strlen($jobtitle) > 30){ $error_stat = 1; $jobtitle_message = '*Job Title must be 20 characters or less*'; } // Job Catergory Check) if ($jobcatergory == 'Please Select'){ //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; $jobcatergory_message = '*Please select a Job Catergory*'; } // Job Location Check) if ($joblocation == 'Please Select'){ //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; $joblocation_message = '*Please select a Job location*'; } // Employment Type Check) if ($employmenttype == 'Please Select'){ //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; $employmenttype_message = '*Please select Employment type*'; } // Salary check) if (!$salary) { //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; //Set the message to tell the user to enter a username $salary_message = '*Please enter job salary*'; } else if (!ctype_digit($salary)) { $error_stat = 1; $salary_message .= '*Invalid salary*'; } //Date check) if (empty($date)) { //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; //Set the message to tell the user to enter a dob $date_message = '*Please enter job closing date*'; } //Check the format and explode into $parts elseif (!ereg("^([0-9]{2})/([0-9]{2})/([0-9]{4})$", $date, $parts)){ $error_stat = 1; //Set the message to tell the user the date is invalid $date_message = '*Invalid date, must be DD/MM/YYYY format*'; } elseif (!checkdate($parts[2],$parts[1],$parts[3])) { $error_stat = 1; //Set the message to tell the date is invalid for the month entered $date_message = '*Invalid date, month must be between 1-12*'; } // Job Description check) if (!$description) { //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; //Set the message to tell the user to enter a username $description_message = '*Please enter a job description*'; } // Educational Level Check) if ($educationallevel == 'Please Select'){ //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; $educationallevel_message = '*Please select Educational level required*'; } if( $_FILES['userfile']['size'] > 2000000 ){ //Set the error_stat to 1, which means that an error has occurred $error_stat = 1; $filesize_message = '*Filesize too large *'; } $fileTypes = array("application/pdf", "application/msword"); if( !in_array("{$_FILES['userfile']['type']}", $fileTypes) ){ $error_stat = 1; $filetype_message = '*Filetype not allowed *'; } $uploadDir = 'applicationforms/'; if (isset($_POST['submit']) && $error_stat == 0) { $fileName = $_FILES['userfile']['name']; $tmpName = $_FILES['userfile']['tmp_name']; $fileSize = $_FILES['userfile']['size']; $fileType = $_FILES['userfile']['type']; // the files will be saved in filePath $filePath = $uploadDir . $fileName; // move the files to the specified directory // if the upload directory is not writable or // something else went wrong $result will be false $result = move_uploaded_file($tmpName, $filePath); include("database.php"); if(!get_magic_quotes_gpc()) { $fileName = addslashes($fileName); $filePath = addslashes($filePath); } } $account = mysql_fetch_array(mysql_query("SELECT * FROM employers WHERE username='" . $_SESSION["username"] . "'")); $username = $account["username"]; } $count_sql = "select * FROM job WHERE username='" . $_SESSION["username"] . "'"; $count_result = mysql_query($count_sql); $count = mysql_num_rows($count_result); if ($count >= 4) { echo "<h4>Error, You cannot add .</h4>"; echo "<h4>There are already 4 existing jobs in the database, to add another job please deleting an existing one.</h4>"; } //Then, only run the query if there were no errors (if $error_stat still equals 0) else if (isset($_POST['submit']) && $error_stat == 0) { mysql_query("INSERT INTO job (username, jobtitle, jobcatergory, joblocation, employmenttype, salary, date, educationallevel, description, name, type, size, path) VALUES ('$username', '$jobtitle', '$jobcatergory', '$joblocation', '$employmenttype', '$salary', '$date', '$educationallevel', '$description', '$fileName', '$fileType', '$fileSize', '$filePath')"); echo "<h3>Job has been successfully added to the database!</h3>"; echo "<p>Thankyou, <b>$username</b></p>"; echo "<p>Back to main page.</p>"; echo "<a href=\"index2.php\">Login</a>"; } //Then, for the form, only show it if 1) the form hasn't been submitted yet OR 2) there is an error elseif (!isset($_POST['submit']) || $error_stat == 1) { ?> Would it be sufficient to use: "$jobtitle = (mysql_real_escape_string($_POST['jobtitle']));" at the begining of the code for the values being added to the database? Link to comment https://forums.phpfreaks.com/topic/96152-real-escape-string-question/ Share on other sites More sharing options...
conker87 Posted March 14, 2008 Share Posted March 14, 2008 <?php if (get_magic_quotes_gpc()) { $jobtitle = stripslashes($_POST['jobtitle']); } ?> Then do the: <?php $jobtitle = mysql_real_escape_string($_POST['jobtitle']); ?> Link to comment https://forums.phpfreaks.com/topic/96152-real-escape-string-question/#findComment-492216 Share on other sites More sharing options...
conker87 Posted March 14, 2008 Share Posted March 14, 2008 On second thoughts, you could just look at the phpinfo() function, if magic_quotes are on, then use: <?php $jobtitle = mysql_real_escape_string(stripslashes($_POST['jobtitle'])); ?> That way you don't need to set up an if statement for all $_POST data. Unless you can do <?php mysql_real_escape_string(stripslashes($_POST)); ?> To catch all $_POST'd data? Link to comment https://forums.phpfreaks.com/topic/96152-real-escape-string-question/#findComment-492219 Share on other sites More sharing options...
PRodgers4284 Posted March 14, 2008 Author Share Posted March 14, 2008 Hey thanks for the reply I have updated the code, just wondering would this be sufficient method to use to stop sql injection: Heres a snippet of the code: $jobtitle = mysql_real_escape_string(stripslashes($_POST['jobtitle'])); $jobcatergory = mysql_real_escape_string(stripslashes($_POST['jobcatergory'])); $joblocation = mysql_real_escape_string(stripslashes($_POST['joblocation'])); $employmenttype = mysql_real_escape_string(stripslashes($_POST['employmenttype'])); $salary = mysql_real_escape_string(stripslashes($_POST['salary'])); $date = mysql_real_escape_string(stripslashes($_POST['date'])); $educationallevel = mysql_real_escape_string(stripslashes($_POST['educationallevel'])); $description = mysql_real_escape_string(stripslashes($_POST['description'])); $name = mysql_real_escape_string(stripslashes($_POST['name'])); $type = mysql_real_escape_string(stripslashes($_POST['type'])); $size = mysql_real_escape_string(stripslashes($_POST['size'])); $path = mysql_real_escape_string(stripslashes($_POST['path'])); Link to comment https://forums.phpfreaks.com/topic/96152-real-escape-string-question/#findComment-492243 Share on other sites More sharing options...
conker87 Posted March 14, 2008 Share Posted March 14, 2008 Aye that should work pretty fine. Link to comment https://forums.phpfreaks.com/topic/96152-real-escape-string-question/#findComment-492262 Share on other sites More sharing options...
PRodgers4284 Posted March 14, 2008 Author Share Posted March 14, 2008 Thanks for help, appreciate it Link to comment https://forums.phpfreaks.com/topic/96152-real-escape-string-question/#findComment-492273 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.