PHP - Mysql Injection Clean Strings
I currently use the following function to clean form inputs to prevent MySQL injection. Does this function do enough to prevent MySQL injection? Is there anything I have missed?

Code:
<?php
// Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
?>

Similar Tutorials

'[$username]' is using a variable from a cookie verifying that you are logged in. This code works, except I need to put real escape strings and protection from MySQL injection and don't really know where to put them.

Code:
if (isset($_POST['submit'])) {
    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
}

How can you protect against MySQL injection? (from inserting different statements into the input field) Thanks

Hello People, been reading up on these and trying to understand them more. Say I have a file called page.php?id=12345 and when users hit the page I run this code in the background:

Code:
$id = $_GET['id'];
$query = "UPDATE tbl SET live = '1' WHERE id = '".$id."'";

That page is not open to any attack, right? Even though I'm using $_GET. Am I right in thinking that attacks only happen on online forms? So for example there is no way an attacker could somehow output all the data in my table tbl. Thank you

Code:
$_POST['user_name'] = "CLUEL3SS";
$_POST['user_pass'] = "test123";
$_POST['confirm_pass'] = "test123";
$_POST['user_email'] = "user@email.com";
$_POST['confirm_pass'] = 'user@email.com';

function testFunc($inputVars) {
    $escapeData = array();
    foreach ($inputVars as $key => $value) {
        $escapeData[$key] = mysql_real_escape_string($value);
    }
    return $escapeData;
}

var_dump(testFunc($_POST));

I'm trying to make a user system for my site and I want to make sure it's secure enough to ward off injection attackers. Any useful advice and suggestions would be greatly appreciated! Thanks!

Does this code have a MySQL injection vulnerability?

Code:
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

Using PHP 5, would this make the code more safe?

Code:
foreach ($array as $key => $a) {
    $array[$key] = mysql_real_escape_string($a);
}
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

Or is there another way to make the code safe?

I am using an Anti MySQL Injection my friend made for me.

config.php
Code:
//Anti MySQL Injection
function anti_injection($sql) {
    // removes words that contain sql syntax
    $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $sql);
    $sql = trim($sql);        // strip whitespace
    $sql = strip_tags($sql);  // strip HTML and PHP tags
    $sql = addslashes($sql);  // quote string with slashes
    return $sql;
}

Code:
<?php
include "./config.php";
$title = $_POST[title];
$type = $_POST[type];
$episode = $_POST[episode];
$year = $_POST[year];
$genre = $_POST[genre];
$status = $_POST[status];
$summary = $_POST[summary];
$pictures = $_POST[pictures];
$title = anti_injection($title);
$type = anti_injection($type);
$episode = anti_injection($episode);
$year = anti_injection($year);
$genre = anti_injection($genre);
$status = anti_injection($status);
$summary = anti_injection($summary);
$pictures = anti_injection($pictures);
?>

When I enter the data from the text box and click submit it still puts the data into the database, but it shows:

Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\studying\take 2\addin11.php on line 41
Notice: Use of undefined constant type - assumed 'type' in C:\wamp\www\studying\take 2\addin11.php on line 42
Notice: Use of undefined constant episode - assumed 'episode' in C:\wamp\www\studying\take 2\addin11.php on line 43
Notice: Use of undefined constant year - assumed 'year' in C:\wamp\www\studying\take 2\addin11.php on line 44
Notice: Use of undefined constant genre - assumed 'genre' in C:\wamp\www\studying\take 2\addin11.php on line 45
Notice: Use of undefined constant status - assumed 'status' in C:\wamp\www\studying\take 2\addin11.php on line 46
Notice: Use of undefined constant summary - assumed 'summary' in C:\wamp\www\studying\take 2\addin11.php on line 47
Notice: Use of undefined constant pictures - assumed 'pictures' in C:\wamp\www\studying\take 2\addin11.php on line 48
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30
Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

And thanks to the Anti MySQL Injection my primary key in my database doesn't work :s Can you help? Thank you

Been wondering about this for a while. Do I need to put the escape on each WHERE? Or do I really only need to put it on the $_POST? I can probably understand why I need it on $_GET also after WHERE. So wondering about the session id.

Code:
<?php
mysql_query("UPDATE systems SET homes= $homes + '".mysql_real_escape_string($_POST['homes'])."' WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'");
?>

Is this select query code safe from injection?

Code:
try {
    $stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");
    $stmt->execute();
    $row = $stmt->fetch();
} catch (PDOException $e) {
    echo $e->getMessage();
}

Notice there is no bind.

Code:
$stmt->bindParam(':key', $key);

The reason I am asking is that I have many $key variables in the query and I do not know how to use bind in a query such as this...

Code:
SELECT count(*) FROM posts WHERE MATCH (file) AGAINST ('$key' IN BOOLEAN MODE) OR MATCH (user) AGAINST ('$key' IN BOOLEAN MODE)

The $key is not an array and the $key does not change its value.

Edited by kalster, 04 January 2015 - 05:52 PM.

Hey guys, I have used this code before on a Linux server and know that it works; however, after porting my site over to a Windows server running Apache, PHP and MySQL, the following code seems to make one of my scripts crash.

Code:
$queryfam1 = "SELECT * FROM wp_users WHERE user_login='$username'";
$resultfam1 = mysql_query($queryfam1) or die(mysql_error());
$row21 = mysql_fetch_array($resultfam1) or die(mysql_error());

I have no idea of a result as there is no error reported; it simply dies and does not tell me what is happening with it. Any ideas?

I am building a project that requires I store query strings in a table (stage_reqs) which are called to determine permissions. These strings will look something like this:

Code:
select salesman from jobs where salesman is not NULL and job_id='".$this->job_id."' limit 1

The variable value needs to be determined from within the function it is being accessed in. Can I use eval to do this? Thanks, Chris

Hello friends, if I have this $text = "i love adult sites" then I want to clean it by eliminating words like adult - bad - kill - die so it becomes $clean = "i love sites". As you can see it eliminated the word adult. How could it be done, which code can I use? Thanks in advance

What is the cleanest way to write this if?

Code:
<div <?php if (!empty($otherfans)) { echo "class=\"newstext\""; } else { echo "class=\"newstext pts\""; } ?>>

Hey guys, I have a lot of inputs from my form. Is there a way I can do like a foreach or something instead of having to write

Code:
$myusername = stripslashes($_POST['name']);
$mypassword = stripslashes($_POST['pass']);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
....

for all 16 fields? Thanks

Hi, here is a tiny bit of my code:

Code:
$r = mysql_query($query);
while ($row = mysql_fetch_array($r, MYSQL_ASSOC)) {
    echo "<tr> <td align=\"center\">";
    echo date("M-d-Y", mktime(0, 0, 0, $row['month'], $row['day'], $row['year']));
    echo "</td> ";
    if ($row['presenter1status'] == '0') {
        echo "<td align=\"center\"><font color=\"#FF9900\">{$row['presenter1']}</font></td>";
    } elseif ($row['presenter1status'] == '1') {
        echo "<td align=\"center\"><font color=\"green\">{$row['presenter1']}</font></td>";
    } elseif ($row['presenter1status'] == '2') {
        echo "<td align=\"center\"><font color=\"red\">{$row['presenter1']}</font></td>";
    }
    if ($row['presenter2status'] == '0') {
        echo "<td align=\"center\"><font color=\"#FF9900\">{$row['presenter2']}</font></td>";
    } elseif ($row['presenter2status'] == '1') {
        echo "<td align=\"center\"><font color=\"green\">{$row['presenter2']}</font></td>";
    } elseif ($row['presenter2status'] == '2') {
        echo "<td align=\"center\"><font color=\"red\">{$row['presenter2']}</font></td>";
    }
    if ($row['engineerstatus'] == '0') {
        echo "<td align=\"center\"><font color=\"#FF9900\">{$row['engineer']}</font></td>";
    } elseif ($row['engineerstatus'] == '1') {
        echo "<td align=\"center\"><font color=\"green\">{$row['engineer']}</font></td>";
    } elseif ($row['engineerstatus'] == '2') {
        echo "<td align=\"center\"><font color=\"red\">{$row['engineer']}</font></td>";
    }
    echo "</tr>";
}

I was wondering if there is a better way of doing this, as I think including this many if/else statements in a while loop that could go round about 40 times might be very heavy on the resources. Thanks

My code here:

Code:
setcookie('hide_div', $_COOKIE['hide_div'].','.$_GET['hide'], time()+32000000);

When I set it, it works wonderfully, but then when I view it in my cookie it shows this code between my $_GET['hide'] values:

Code:
%2C

How do I clean it up and just make it show my ","? Thank you

Hi, I am creating a website but am having trouble with the following. I have an include file (db.inc) which contains the following:

Code:
function clean($input, $maxlength) {
    $input = substr($input, 0, $maxlength);
    $input = EscapeShellCmd($input);
    return ($input);
}

The file I am having the problem with is my view.php file. I get the following error:

Notice: Undefined variable: file in C:\wamp\www\fermpix\view.php on line 4

Line 4 contains the following:

Code:
$file = clean($file, 4);

My view.php does have the line:

Code:
include 'db.inc';

Does anybody have any idea what the issue might be? Cheers, Paul

Hey all, I would like to somehow clean up an if statement to be a little cleaner.

Code:
if(condition && condition && (condition && condition) || (condition && condition) || (condition && condition))

How can I do that?

I've been messing around with clean URLs in PHP and I've been having some trouble. I'm working on a private messaging system and when I go to "sitename.com/mail/view.php?page=inbox" it correctly displays the user's inbox messages, but when I put "sitename.com/mail/view/inbox/" it just displays the page like the GET value isn't set. Why is that? This is the HTACCESS file for clean URLs:

Code:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^view/([a-z]) view.php?page=$1 [NC,L]
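The injection questions in the posts above (the clean() escaping function, the gamecomments INSERT, the DELETE ... IN list built with implode(), and kalster's MATCH ... AGAINST query that uses $key twice) all build SQL by concatenating request data into the statement text. The following is an added example, not code from any of these posts, showing the same queries written with PDO prepared statements, where the values travel separately from the SQL and no escaping function is involved. The DSN, credentials, table definitions and the DELETABLE allow-list are constructed for this example; it assumes a MySQL or MariaDB server and PHP with the pdo_mysql extension.

```php
<?php
// Added example: the posts' queries as PDO prepared statements.
// Assumed: MySQL/MariaDB reachable via the placeholder DSN below, PHP >= 7.4, pdo_mysql.
declare(strict_types=1);

$db = new PDO(
    'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4', // placeholder DSN
    'example_user',                                          // placeholder credentials
    'example_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let the server parse the statement, not PHP
    ]
);

// Tables used by the demo (constructed for this example).
$db->exec('CREATE TABLE IF NOT EXISTS gamecomments (
    id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64), comment TEXT)');
$db->exec('CREATE TABLE IF NOT EXISTS posts (
    id INT AUTO_INCREMENT PRIMARY KEY, file VARCHAR(255), user VARCHAR(64),
    FULLTEXT KEY ft_file (file), FULLTEXT KEY ft_user (user)) ENGINE=InnoDB');

// 1. The comment INSERT. Both values are bound parameters, so a quote, a
//    comment marker or a second statement inside $comment is stored as text
//    and never becomes part of the SQL.
function addComment(PDO $db, string $username, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO gamecomments (username, comment) VALUES (:username, :comment)');
    $stmt->execute([':username' => $username, ':comment' => $comment]);
    return (int) $db->lastInsertId();
}

// 2. The full-text search with the same $key used twice. With native prepares
//    a named placeholder may not be reused, so each occurrence gets its own
//    name and the same PHP value is bound to both.
function countMatches(PDO $db, string $key): int
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM posts
          WHERE MATCH (file) AGAINST (:key1 IN BOOLEAN MODE)
             OR MATCH (user) AGAINST (:key2 IN BOOLEAN MODE)');
    $stmt->execute([':key1' => $key, ':key2' => $key]);
    return (int) $stmt->fetchColumn();
}

// 3. DELETE ... IN (...) with a variable-length list: one positional
//    placeholder per value. Table and column names cannot be bound at all,
//    so they are checked against an allow-list of known identifiers
//    (constructed here) instead of being interpolated from the request.
const DELETABLE = [
    'gamecomments' => ['id', 'username'],
    'posts'        => ['id', 'user'],
];

function deleteWhereIn(PDO $db, string $table, string $column, array $values): int
{
    if (!isset(DELETABLE[$table]) || !in_array($column, DELETABLE[$table], true)) {
        throw new InvalidArgumentException('table/column not in allow-list');
    }
    if ($values === []) {
        return 0; // IN () is a syntax error; nothing to delete
    }
    $placeholders = implode(',', array_fill(0, count($values), '?'));
    $stmt = $db->prepare("DELETE FROM `$table` WHERE `$column` IN ($placeholders)");
    $stmt->execute(array_values($values));
    return $stmt->rowCount();
}

// Usage with constructed inputs; the apostrophe in the comment is stored as-is.
$id = addComment($db, 'alice', "it's a great game");
printf("inserted comment %d\n", $id);
printf("full-text matches for 'game': %d\n", countMatches($db, 'game'));
printf("deleted rows: %d\n", deleteWhereIn($db, 'gamecomments', 'id', [$id]));
```

Because the parameters are sent separately from the statement text, the magic_quotes and stripslashes() dance in the original clean() function becomes unnecessary, and the "16 fields" question reduces to binding each field once. The one thing prepared statements cannot do is bind identifiers, which is why deleteWhereIn() validates `$table` and `$column` against a fixed list before they are placed in the query.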
Hi, I'm trying to write a script to clean up my image directory which has quite a lot of unused images that have built up over time. In order to do this I am doing the following. First create a database table called 'image_clean'. Then I'm searching through 3 tables and collecting all the image file names and dumping the names in the table 'image_clean'. Can do that no problem. So now I have all the images I need in this one table 'image_clean'. I now want to go through my directory 'image_uploads' and delete anything that's not in the 'image_clean' table. I know how to delete the files using unlink; I'm just unsure how to search through the directory file by file and check the file against the database. I'm assuming I need to put them in an array. Could anyone give me a clue or two to get me started? I have no problem checking a database against a directory, but when it's the other way round, checking a directory against a database, I'm lost. What I might do is pop the files to delete in a new database called 'image_delete' so that I can then check the images to delete before I write the unlink script. But I'm just not sure how to pick up each file and compare it to the table. Thanks in advance.

I created a new homepage for my network of sites I run. I tried to go for a simple and clean look. The pages themselves function how I'd like, but I'm unsure if the menu system is easy to understand or not.
I even added a time-limited message on the front page of the site indicating that the logo was clickable, but purposely left it off of other sub-pages to try and keep the design as clean as possible.
Check it out, let me know what you think.
http://ctenetwork.com