|
PHP - Mysql Real Escape String
I have never used real escape string so want to make sure I did it correctly. Also, if I can place it anywhere else to make it even more secure please let me know. This is just the action of a just a simple POST html form.
Here it is. Code: [Select] <?php require ('staffarea/sql.php'); $showform="false"; $mcid = mysql_real_escape_string($_POST['mcid']); $age = mysql_real_escape_string($_POST['age']); $description = mysql_real_escape_string($_POST['description']); if(!mysql_query("INSERT INTO `somedatabase`.`appsubmissions` (`id`, `username`, `age`, `description`, `status`) VALUES (NULL, '$mcid', '$age', '$description', 'Pending');")) { echo '<div class=blockrow><b><font size=4>Submission Error</font><br /><br />Something went wrong. Contact Staff in the Support Forums and give them this information:<br /><br /></b><font color=red>'; echo mysql_error(); echo "</font>"; echo '<br /><br /><a href="/forumdisplay.php?f=14">Support Forums</a></div>'; } else { $lastID=mysql_insert_id(); echo "<div class=blockrow><font size=3><b>$mcid, Thank You for your Building Application!</b></font><br /><br />"; echo "Your Unique Application ID: <b>", $lastID; echo "</b> (save this so you can check the application status later)<br /><br /> Your application was submitted successfully. Please allow Staff 24 hours to accept or deny your application. If after 48 hours you still do not have building rights, assume the application was denied and re-submit with different information. DO NOT submit an application more than every 48 hours, doing so will get your account banned for spamming.<br /><br /> While waiting, you might check out the <a href=/index.php?pageid=mcguide>Ultimate Guide</a>.</div>"; } mysql_close($con); ?> Similar Tutorialsi have made function of prepare or check the mysql real escapte string but when i run this code it gives two warnings msg Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO) in C:\wamp\www\cart\include\db.php on line 42 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\cart\include\db.php on line 42 kindly tell me what is this msg about how to solve it my code is 37 public function mysql_prep($value){ 38 $magic_quotes_active=get_magic_quotes_gpc(); 39v$new_enough_php=function_exists("mysql_real_escape_string"); 40 if($new_enough_php){ 41if($magic_quotes_active){ $value=stripslashes($value);} 42 $value= mysql_real_escape_string($value);} 43 else { 44 if($magic_quotes_active){$value=addslashes($value);} 45} 46 return $value; 48 } on the first column do I need to escape that? "pm_id" if so how do i do that with the right syntax is it like this? pm_id = '.mysql_real_escape_string.' Code: [Select] <?php $mail2 = "INSERT INTO pm SET pm_id = '', sendto = '".mysql_real_escape_string($to)."', sentfrom = '".mysql_real_escape_string($from)."' ?> Also when you create a new row with a id having auto increment. do i have to do id ="" so there isnt ever two rows matching the same id? Hello I am having a problem trying to write to a database using mysql real escape so there wont be any injection attacks. I trying using myrealescape and it returns errors: Code: [Select] Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 I add in the single quotes and it doesn't write either. Dreamweaver says that either single quotes or not there is no syntax errors. What going on? I have used it like this befo ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems.. ~AJ <?php require_once('connect.php'); if(isset($_COOKIE['user'])){}else{ header( 'Location: members.php'); } if (isset($_POST['sendBtn'])){ $messageFrom = $_COOKIE['user']; $messageTo = $_POST['messageTo']; $hash = $messageTo.$messageFrom.time(); $hash = md5($hash); mysql_select_db("majik"); $sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')"; echo '<center>Your message was sent to: '.$messageTo.'</center>'; } ?> I am having problems with these slashes. They keep showing up when I echo data.... The code is to update a field in a mysql database table. Here is my code: Code: [Select] $query = mysql_query("SELECT * FROM `bus` WHERE username='$username'"); $row = mysql_fetch_array($query); $bio = $row['about']; $bio = str_replace("<br />","\r\n",$bio); if(isset($_POST['submit'])){ if(empty($errors)){ if($password == $pass){ $about1 = mysql_real_escape_string($_POST["about"]); $about1 = str_replace("\r\n","<br />",$about1); mysql_query("UPDATE bus SET about='$about1' WHERE username='$username'"); }else{$errors[] = 'Incorrect Password';} } } When I run this and put: About: I'm very tired today It's been very hard I get the about1 string as: I\\\'m very tired today\r\nIt\\\'s been very hard Why??? '[$username]' is using a variable from a cookie varifying that you are logged in, this code works except i need to put real escape strings and protection from mysql injection and dont really know where to put them. Code: [Select] if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } [CODE] Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems Code: [Select] <? if(isset($_POST['upload'])) { include 'dbconnection.php'; $ttitle = mysql_real_escape_string($_POST['ttitle']); $ttitle2 = mysql_real_escape_string($_POST['ttitle2']); $query = "INSERT INTO test ( ttitle, ttitle2) ". "VALUES ('$ttitle', '$ttitle2' )"; mysql_query($query) or die('Error, query failed : ' . mysql_error()); echo "<br>File uploaded<br>"; } ?> The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded. From the server: PHP.ini file: (ver 5.2.17) magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site. As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great.... thanks in advance I think ive finished the piece of code below, after using escape string for the first time. Ive also put my connection details in a different folder on my hosting account root (worried that this would of been displayed in the event of a parsing eror), is there anything else I can do to make my site secure? Code: [Select] <?php include('func.php'); include($_SERVER['DOCUMENT_ROOT'].'/include/db.php'); ?> <!--$INC_DIR = $_SERVER["DOCUMENT_ROOT"]. "/include/";--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Chained Select Boxes using PHP, MySQL and jQuery</title> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script> <script type="text/javascript"> $(document).ready(function() { $('#wait_1').hide(); $('#drop_1').change(function(){ $('#wait_1').show(); $('#result_1').hide(); $.get("func.php", { func: "drop_1", drop_var: $('#drop_1').val() }, function(response){ $('#result_1').fadeOut(); setTimeout("finishAjax('result_1', '"+escape(response)+"')", 400); }); return false; }); }); function finishAjax(id, response) { $('#wait_1').hide(); $('#'+id).html(unescape(response)); $('#'+id).fadeIn(); } </script> </head> <body> <p> <form action="" method="post"> Name: <input type="text" name="Name" /><br /> Phone: <input type="text" name="Phone" /><br /> Email: <input type="text" name="Email" /><br /> Postcode: <input type="text" name="Postcode" /><br /> Web Address: <input type="text" name="Website" /><br /><br /> <select name="drop_1" id="drop_1"> <option value="" selected="selected" disabled="disabled">Select a Category</option> <?php getTierOne(); ?> </select> <span id="wait_1" style="display: none;"> <img alt="Please Wait" src="ajax-loader.gif"/> </span> <span id="result_1" style="display: none;"></span> <br /> </form> </p> <p> <?php if(isset($_POST['submit'])){ $drop = mysql_real_escape_string($_POST['drop_1']); $tier_two = mysql_real_escape_string($_POST['Subtype']); echo "You selected "; echo $drop." & ".$tier_two; } $Name = mysql_real_escape_string($_POST["Name"]); $Phone = mysql_real_escape_string($_POST["Phone"]); $Email = mysql_real_escape_string($_POST["Email"]); $Postcode = mysql_real_escape_string($_POST["Postcode"]); $Website = mysql_real_escape_string($_POST["Website"]); echo "<br>"; echo $Name; echo "<br>"; echo $Website; $query = ("INSERT INTO business (`id`, `Name`, `Type`, `Subtype`, `Phone`, `Email`, `Postcode`, `Web Address`) VALUES ('NULL', '$Name', '$drop', '$tier_two' , '$Phone', '$Email', '$Postcode', '$Website')"); mysql_query($query) or die ( "<br>Query: $query<br>Error: " .mysql_error()); ?> </body> </html> My hosts version of php just seems to automatically add the backslashes. Adding the escape string just seems to add like 3 of them rather than 1 Is this command out-of-date? Hello, I am building an online game(users make a character and move on a map and so on...)
All user data is stored in a mySQL database and I want the users to interact in real-time, but there can be a 1-3 second delay between the communication, but not exceed 3 seconds even if 500 players are playing at the same time.
But for the purpose of the question let's say the users can only chat between one another, if I'll have a solution for that then I can use the same method for more parts of the game.
I can't use websockets because my webhost doesn't support it( I don't want to use pusher.com).
I know I can make real-time apps with ajax long polling, but I think that with 500 players playing at the same time it's not the best solution.
So, finally:
How can I make user interaction as close as possible to a real-time game?
(Without too much load on the hosting server)
(I am sorry if some of my terms are not correct - I am just getting back to coding after a long time...)
Edited by Mythion, 17 August 2014 - 02:34 AM. here i am again... so i have this algorithm that computes the current academic year for our school.. it outputs the correct academic year on a browser.. but when i try to insert it into my database, the data inserted goes wrong.. it just keeps on inserting -1 instead of the string 2011-2012 here's my code: Code: [Select] <?php $year = date('Y'); $currentyear = $year; $lastyear = $year - 1; $nextyear = $year + 1; if (date('m') < 6) { $current_ay = $lastyear."-".$currentyear; } else if (date('m') >= 6) { $current_ay = $currentyear."-".$nextyear; } echo $current_ay; $insertSQL = "INSERT INTO tbl_elections (election_id) values ($current_ay)"; mysql_select_db($database_organizazone_db, $organizazone_db); $Result1 = mysql_query($insertSQL, $organizazone_db) or die(mysql_error()); ?> *the database column to be inserted into is of varchar data type I am trying to add a value, input into a form, to a MySQL database. However, something must be wrong with the casting, because if there is a space in the form value, then I get an error, as in: //$_POST['string'] == '1blah 2blah'; sql = "INSERT INTO table (some_string) VALUES ($_POST[string])"; $sql_result = mysql_query($sql) or die ('The error is as follows: ' . mysql_error() . '<br /><br />Value could not be added.'); Then I get the following error: The error is as follows: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2blah' at line 1 I've entered paragraphs into a database before, so this error is now to me. The column 'some_value' is a type: varchar(50). Hi, i have a syntax error on my query string but can't figure out what's wrong : $qry = "UPDATE members SET firstname = '".$fname"', lastname = '".$lname"', passwd = '".md5($password)."' WHERE member_id = '".$_SESSION['SESS_MEMBER_ID']"'"; Any help would be appreciated. Eddy. Hi, how do I store as a string (in a variable) a mysql query b/c what I'm doing below outputs Resource id in client browser: Code: [Select] <?php //database connection set up etc $show=mysql_query("SELECT file_Name FROM xdocument WHERE doc_id=95"); print $show; ?> Any help much appreciated, thanks. Hi All, I was hoping to recive some help. I need a DB quiery for a sales DB we have, i have the code (below) and it works as intended. Code: [Select] <?php $db_host = ''; $db_user = ''; $db_pwd = ''; $database = ''; $table = 'nexus_purchases'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die("Can't connect to database"); if (!mysql_select_db($database)) die("Can't select database"); // sending query $result = mysql_query("Select ps_name,ps_member,ps_custom_fields from nexus_purchases where ps_name like 'Varified Owner'"); if (!$result) { die("Query to show fields from table failed"); } $fields_num = mysql_num_fields($result); echo "<h1>Table: {$table}</h1>"; echo "<table border='1'><tr>"; // printing table headers for($i=0; $i<$fields_num; $i++) { $field = mysql_fetch_field($result); echo "<td>{$field->name}</td>"; } echo "</tr>\n"; // printing table rows while($row = mysql_fetch_row($result)) { echo "<tr>"; // $row is array... foreach( .. ) puts every element // of $row to $cell variable foreach($row as $cell) echo "<td>$cell</td>"; echo "</tr>\n"; } mysql_free_result($result); ?> The part i need help with is, this quirey returns, Now the app that deals with our club shop, (nexus) adds bits to the DB I.e ( a:2:{i:3;s:8: ) So in the two feilds when buying club membership someone enters x hae and ST24 And nexus adds a:2:{i:3;s:8:"X HAE";i:4;s:4:"ST24";} to the table in ps_custom_fields What i would like to do is strip out everything not in quotes and get left with "X HAE" "ST24" I hope someone could help me out, Thanks in Advance. Can someone please explain to me why I cant seem to get my mysql update line to work. I have been trying for a while an still nothing. I am new in php and need some help getting this to work. Please be gentle. a good explaination in newbie talk would be appreciated. The session variable I echoed out does work so I know I am reading the variable in from the other page. thanks <?php session_start(); /* Server side scripting with php CISS 225 Lab # Final Project */ //This section will create variables collected from information sent //by the post method on the createUserProcess. /* $_SESSION['city'] = $_POST['city']; $_SESSION['state'] = $_POST['state']; $_SESSION['zipCode'] = $_POST['zipCode']; $_SESSION['profession'] = $_POST['profession']; $_SESSION['activities'] = $_POST['activities']; $_SESSION['hobbies'] = $_POST['hobbies']; */ $city = $_POST['city']; $state = $_POST['state']; $zipCode = $_POST['zipCode']; $profession = $_POST['profession']; $activities = $_POST['activities']; $hobbies = $_POST['hobbies']; $db = mysql_connect("localhost", "root", ""); mysql_select_db("accountprofile",$db); echo $_SESSION['Email']; //$query = "UPDATE accountprofile SET city = '$city', state = '$state', zipcode = '$zipCode', profession = '$profession', " . " //activities = '$activities', hobbies = '$hobbies' WHERE lastName = 'Hildebrand'"; $query = "UPDATE accountprofile SET city = '$city', state = '$state', zipcode = '$zipCode', profession = '$profession', activities = '$activities', hobbies = '$hobbies' WHERE userName = " .$_SESSION['Email'].""; mysql_query($query,$db); if (mysql_error()) { echo "$query<br />"; echo mysql_error(); } echo "THANK YOU!<br />"; echo "Your profile has been completed!<br />"; ?> Hi guys, I have a very simple add.php to add data to a mySQL db. I have a menu/list drop down as one of my fields on my form and this shows an array of results from another table (ranks of the RAF) within my db. When I click the save button I have it process a INSERT INTO command but all i get inputted into my staff table is the first word... eg if I chose "Pilot Officer" from the list menu and then click save all that would appear in my db is "Pilot". Any clues? I will paste the php below... Code: [Select] <?php include('config.php'); ?> <form action='' method='POST' enctype='multipart/form-data'> <p><b>Rank:</b><br /> <select name="rank" id="rank"> <option selected>Please Select</option> <?php $query = "SELECT * FROM ranks ORDER BY rank ASC"; $result = mysql_query($query); while($row = mysql_fetch_array($result)) { echo "<option value=". $row["rank"] .">". $row["rank"] ."</option>"; } ?> </select> <p><b>Forename:</b><br /> <input name="forename" type="text" id="forename" value="" size="40"> <p><b>Surname:</b><br /><input name='surname' type='text' id="surname" value='' size="40" /> <p><b>Category:</b><br /> <select name="category" id="category"> <option selected>Please Select</option> <?php $query = "SELECT * FROM categories"; $result = mysql_query($query); while($row = mysql_fetch_array($result)) { echo "<option value=". $row["category"] .">". $row["category"] ."</option>"; } ?> </select> <p><b>Email:</b><br /><input name='email' type='text' id="email" value='' size="50" /> <p><b>Mobile:</b><br /> <input name='mobile' type='text' id="mobile" value='' size="40" /> </p> <input type='submit' value='Save' /> <input type='hidden' value='1' name='submitted' /> </form> <?php if (isset($_POST['submitted'])) { $rank = mysql_real_escape_string($_POST['rank']); $forename = mysql_real_escape_string($_POST['forename']); $surname = mysql_real_escape_string($_POST['surname']); $category = mysql_real_escape_string($_POST['category']); $email = mysql_real_escape_string($_POST['email']); $mobile = mysql_real_escape_string($_POST['mobile']); $sql = "INSERT INTO `staff` (`rank` , `forename` , `surname` , `category` , `email` , `mobile` ) VALUES ( '$rank' , '$forename' , '$surname' , '$category' , '$email' , '$mobile')"; mysql_query($sql) or die(mysql_error()); echo (mysql_affected_rows()) ? "Staff Added":"Nothing Added"; } ?> I want to perform a query which returns a subset of the fields in a table. One particular mySQL field is VARCHAR I have a query like this: $query = mysql_query("SELECT * FROM table WHERE code LIKE '3%') ; It's my understanding this should return all values which begin with "3", but it only returns about a dozen of the values 3, 30-39, 300-399, etc. (It works with string fields, but this field contains numerals.) Any help appreciated. thanks, Tom Hi to everybody I need ur help because I’m trying to make a script in php to write the same data but with different date in MySQL depending on the splitting ($data06).... like a schedule...
For example if $data06 = annual and $data03 = “2019/01/01” programm must create in MySQL : 2019/01/01 2020/01/01 2021/01/01 2022/01/01 2023/01/01
if $data06=“half year” will create 10 date , increasing 6 moths ...
But I have a problem at finish of code switch ($data06) { case 'annual': $numrate = 5; $aumdata = "+12 months"; break; case 'half year': $numrate = 10; $aumdata = "+6 month"; break;
default: echo "error"; $sql = "INSERT into $nometb ( name, scadenza ) values ( '$data01', '$data03' )"; if ($conna->query($sql) === TRUE) {} else {die('ERROR'. $conna->error); }
//IMPORT NEXT AND NEW DATE $newDate = date_create($data03); for ($mul = 2; $mul <= $numrate; ++$mul) {
$datanuova = date_create($data03); $datanuova->modify($aumdata); $datanuova->format('yy/m/d'); $newDate = $datanuova->format('yy/m/d');
$sql = "INSERT into $nometb ( name, scadenza ) values ( '$data01', '$newDate' )"; if ($conna->query($sql) === TRUE) {} else {die('ERROR'. $conna->error); }
//HERE THERE IS ERROR $data03 = $newDate;
if ($conna->query($sql) === TRUE) {} else {die('ERRORE NELL\'IMPORTAZIONE'. $conna->error); } }
} }
}
How I can resolve ?
many thanks Francesco Hi there, is it possible to join a variable and a string inside a $_POST variable inside a mysql query (UPDATE in this case) Here is what i am trying to accomplish: $update = "UPDATE mona SET STKFF='$_POST[$counter."NAME"]' WHERE id='$userid'"; if (!mysql_query($update)) { die('Error: ' . mysql_error()); } else echo " <br> Update Complete"; Its the '$_POST[$counter."NAME"]' bit that im worried about, is this possible without having to do: $foo=$counter."NAME" '$_POST[$foo]' Thanks Chris Hi All, I'm working on PHP scripts to interact with a web hosted MySQL DB for an Android Application. Simply what I am trying to do is in the PHP script is run a SELECT statement which will return the value of a column, UserType, and compare the result of this to a string, which will then execute code depending on it's value. This user type can only be either 'student' or 'lecturer'. Any help with this would be much appreciated.
<?php
require "init.php";
$user = $_GET["userID"];
#Selects column account type where the idNum equals $user which is passed from my app.
$sql1 = "select accountType from user_info where idNum = '$user'";
$result1 = mysqli_query($con,$sql1);
$row1 = mysqli_fetch_assoc($result1);
#This is where I am stuck. Simply, I am trying to run the code in the loop where the result of $sql1 equals 'Student'. The else will run if it is not #student and therefore is 'Lecturer'. I'm also not sure if my code inside the IF is fully correct either as it's not running that far.
if($row1['accountType'] == 'Student')
{
$sql2 = "select courseCode from user_info where idNum = '$user'";
$result2 = mysqli_query($con,$sql2);
$row2 = mysqli_fetch_assoc($result2);
$sql3 = "select * from module_details where classListCourseCode = '".$row2['courseCode']."'";
$result3 = mysqli_query($con,$sql3);
$response = array();
while($row = mysqli_fetch_array($result3))
{
array_push($response,array("moduleID"=>$row[0],"lecturerID"=>$row[1],"moduleName"=>$row[2],"classListCourseCode"=>$row[3]));
}
echo json_encode(array("server_response"=>$response));
}
Thanks in advance. |
|||||||