PHP script help

Barron · 2005-02-24, 01:04 PM

He wasnt trying to log anyone in. I changed the code to fetch the info for the user.

Ramster, there isnt any error checking, you must put that in. Malformed input from a webpage can really screw things up : )

codemonkey · 2005-02-24, 01:50 PM

Yup anytime you have a database query that can be changed by the user - when using $_GET $_POST $_REQUEST $_COOKIE etc always check the input..

Use the mysql_real_escape_string function in php to clean the input before you put it into the database. This will help to prevent SQL injection attacks by quoting out special characters.

so when inserting selecting etc always do this..

PHP Code:


			
$query = "SELECT * FROM table WHERE user='". mysql_real_escape_string($user) ."'";

i got fed up of typing that so i made a little function to make less typing - what can i say i'm a lazy coder

PHP Code:


			
//Escape the string for the database and add single quotes



function quote($value){

    $value = "'" .mysql_real_escape_string($value) ."'";

    return $value

}

So your code is now...

PHP Code:


			
$query = "SELECT * FROM table WHERE user=". quote($user);

Hope this helps someone out

2005-02-24, 01:50 PM	#2
codemonkey WHO IS FONZY!?! Don't they teach you anything at school? Join Date: Oct 2004 Posts: 44	Yup anytime you have a database query that can be changed by the user - when using $_GET $_POST $_REQUEST $_COOKIE etc always check the input.. Use the mysql_real_escape_string function in php to clean the input before you put it into the database. This will help to prevent SQL injection attacks by quoting out special characters. so when inserting selecting etc always do this.. PHP Code: `$query = "SELECT * FROM table WHERE user='". mysql_real_escape_string($user) ."'";` i got fed up of typing that so i made a little function to make less typing - what can i say i'm a lazy coder PHP Code: `//Escape the string for the database and add single quotes function quote($value){ $value = "'" .mysql_real_escape_string($value) ."'"; return $value }` So your code is now... PHP Code: `$query = "SELECT * FROM table WHERE user=". quote($user);` Hope this helps someone out __________________ BBW modelling competitions

2005-02-24, 01:04 PM	#1
Barron You tried your best and you failed miserably. The lesson is 'never try' Join Date: Oct 2004 Posts: 166	He wasnt trying to log anyone in. I changed the code to fetch the info for the user. Ramster, there isnt any error checking, you must put that in. Malformed input from a webpage can really screw things up : )