|
PHP - Mysqli Safe Insert
Hi guys, I've been around here for a few years, but for some reason my other account doesn't seem to 'exist' anymore which was real annoying. I also noticed the captcha here was kind of buggy has anyone else been getting that? I'd enter it in case sensative 9-10 times before it would finally work.
Anyways, I've been looking through a lot of research in upgrading my server from Mysql to Mysqli funtions. What I am curious about though is other peoples opinions and thoughts on how to make user input safer. For the time being I've just been using mysql_real_escape_string and htmlspecialchars. I've done quite a bit of research on this and there really isn't much for any guides on how to keep your data clean and safe. I've seen a lot of posts that anymore these two functions are not enough to secure your data. So I'm curious what people in this community are doing (annonomysly) to keep your user input safe. I'm also looking into prepared statements as well with Mysqli. Anyways any responses are much appreciated, would love to chat with you guys about this!
Does anyone know if there was some deal with why I can't access my origional account? I entered in all of the only 5 email addresses I use. It said it sent an email to the one, but it never appeared in junk/inbox.
Similar TutorialsHaving issue insertinginto database. The code are below followed by result. thanks for any advice Form code:
<html> <script type="text/javascript">document.write(mmddyy);</script> <form action="crud-insert.php" method="post">
<p><label for="id">id:</label>
<?php
$sql = "INSERT INTO infotbl (id, target, purpose, user, password, email, visits, lastused)
if ($conn->query($sql) === TRUE) {
$conn->close(); how i can make a insert using this fuctions I m learning php, as using this functions (mysqli abstract) but after update wont work any more.
/** insert data array */
public function insert(array $arr)
{
if ($arr)
{
$q = $this->make_insert_query($arr);
$return = $this->modifying_query($q);
$this->autoreset();
return $return;
}
else
{
$this->autoreset();
return false;
}
}
complement
/** insert query constructor */
protected function make_insert_query($data)
{
$this->get_table_info();
$this->set_field_types();
if (!is_array(reset($data)))
{
$data = array($data);
}
$keys = array();
$values = array();
$keys_set = false;
foreach ($data as $data_key => $data_item)
{
$values[$data_key] = array();
$fdata = $this->parse_field_names($data);
foreach ($fdata as $key => $val)
{
if (!$keys_set)
{
if (isset($this->field_type[$key]))
{
$keys[] = '`' . $val['table'] . '`.`' . $val['field'] . '`';
}
else
{
$keys[] = '`' . $val['field'] . '`';
}
}
$values[$data_key][] = $this->escape($val['value'], $this->is_noquotes($key), $this->field_type($key), $this->is_null($key),
$this->is_bit($key));
}
$keys_set = true;
$values[$data_key] = '(' . implode(',', $values[$data_key]) . ')';
}
$ignore = $this->ignore ? ' IGNORE' : '';
$delayed = $this->delayed ? ' DELAYED' : '';
$query = 'INSERT' . $ignore . $delayed . ' INTO `' . $this->table . '` (' . implode(',', $keys) . ') VALUES ' . implode(',',
$values);
return $query;
}
before update this class i used to insert data like this
$db = Sdba::table('users');
$data = array('name'=>'adam');
$db->insert($data);
this method of insert dont works on new class. if i try like this i got empty columns and empty values.
thanks for any help complete class download http://goo.gl/GK3s4E
I am trying to make a login which works perfectly until I try and add remember me functionality into the User class.
Hi, I have an app that access a MySQL database via a php script. For some reason when it is an SQL INSERT it returns -11 but as I said the INSERTS executes successfully. The app requesting the service sends in sequence:
char* txtSQL[]={"INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)",
"INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)",
"INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)",
"INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)",
"UPDATE activity set value=333 where value=130",
"SELECT sum(value) from activity where mac='a9c4952de6b4'",
"DELETE from activity WHERE value=333"};
I set a monitor to check what was being returned and got:
query=INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)
HttpResponse: - httpResponseCode: -11
query=INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)
HttpResponse: - httpResponseCode: -11
query=INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)
HttpResponse: - httpResponseCode: -11
query=INSERT INTO activity (mac,jd,date,time,area,type,value) VALUES ('a9c4952de6b4',2458454,'2018-12-01','10:22','Area0002','h',130)
HttpResponse: - httpResponseCode: -11
query=UPDATE activity set value=333 where value=130
HttpResponse: 4 * httpResponseCode: 201 -------------------------------------->As can be seem the INSERTS above returned error but worked OK
query=SELECT sum(value) from activity where mac='a9c4952de6b4'
HttpResponse: 1379 * httpResponseCode: 200
query=DELETE from activity WHERE value=333
HttpResponse: 4 * httpResponseCode: 201
The PHP script do ing the job i s as be low :
<?php
include('connection.php');
//these are just in case setting headers forcing it to always expire
header('Cache-Control: no-cache, must-revalidate');
error_log(print_r($_POST,TRUE));
if( isset($_POST['query']) && isset($_POST['key']) ){ //checks if the tag post is there and if its been a proper form post
header('Content-type: application/x-www-form-urlencoded');
if($_POST['key']==$SQLKEY){ //validates the SQL key
$query=urldecode($_POST['query']);
if(get_magic_quotes_gpc()){ //check if the worthless pile of crap magic quotes is enabled and if it is, strip the slashes from the query
$query=stripslashes($query);
}
$conn = new mysqli($DB_ADDRESS,$DB_USER,$DB_PASS,$DB_NAME); //connect
if($conn->connect_error){ //checks connection
header("HTTP/1.0 400 Bad Request");
echo "ERROR Database Connection Failed: " . $conn->connect_error, E_USER_ERROR; //reports a DB connection failure
} else {
$result=$conn->query($query); //runs the posted query
if($result === false){
header("HTTP/1.0 400 Bad Request"); //sends back a bad request error
echo "Wrong SQL: " . $query . " Error: " . $conn->error, E_USER_ERROR; //errors if the query is bad and spits the error back to the client
} else {
if (strlen(stristr($query,"SELECT"))>0) { //tests if it's a SELECT statement
$csv = ''; // bug fix Undefined variable: csv
while ($fieldinfo = $result->fetch_field()) {
$csv .= $fieldinfo->name.",";
}
$csv = rtrim($csv, ",")."\n";
//******************************** echo $csv; //prints header row
$csv = '';
$result->data_seek(0);
while($row = $result->fetch_assoc()){
foreach ($row as $key => $value) {
$csv .= $value.",";
}
$csv = rtrim($csv, ","); //."\n";
}
echo $csv; //prints all data rows
} else {
header("HTTP/1.0 201 Rows");
echo $conn->affected_rows; //if the query is anything but a SELECT, it will return the number of affected rows (INSERT IS RETURNING -11)
}
}
$conn->close(); //closes the DB
}
} else {
header("HTTP/1.0 400 Bad Request");
echo "-Bad Request"; //reports if the secret key was bad
}
} else {
header("HTTP/1.0 400 Bad Request");
echo "*Bad Request";
}
?>
Any help will be much appreciated. Paulo Borges Code: [Select] $stick_topic = isset($_POST['stick_topic']) ? '1' : '0'; does this need to be escaped while entering the database or no because the values could only be 1 or 0 ? srry it's just i got hacked so i am trying to do my security #1 using this below is it safe against hackers? Code: [Select] $post_id = intval($_GET['report']); if ($post_id < 1) message($lang_common['Bad request']); query: Code: [Select] $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); should i escape my $topic_id ? Advice please. I am setting up a new machine here and I can't remember which to download. What information do you need to be aware of to know whether to install 'non thread safe' or 'thread safe'. I did some googling but didn't find anything that was clear. And is 5.3 good to go or should I stick with 5.2. Thanks in advance for your input! Hello all. Just wanted to run this past you guys to see if I am missing anything important. I am making a script that I plan to allow a lot of other people around the web to use, so I want to make sure it's as bullet proof as possible. I am passing two values and grabbing them with a _GET, one is a big number, and the other is only letters and 8 characters long. her's my code so far. Code: [Select] <?php $clan = $_GET['clanid']; // make sure its an INT //if(isint($clan)){ if(ereg("[^0-9]", $clan)){ //im an int. echo ("ERROR Invalid CLANID"); die; } // make sure its a 8 letter only word. $style=$_GET['style']; // cut style down to 8 characters long. $style=substr($style, 0, 8); if(ereg("[^a-zA-Z]+", $style)) { // Contains only letters. echo("ERROR Invalid STYLE NAME"); die; } ?> to my noob php eye's it looks pretty solid, I cant think of any way a malicious user could get past it, but like I said, thought I would run it past you guys first , you can never be to careful. I have a button that uses $_POST to send information to another page. The data is in a hidden input so it's not possible for users to change information. I have nothing to check if the data is correct on the other page. Is it still possible for people to change the $_POST data though? Or somehow send false $_POST data to the other page? Hi guys, I have been using the same code for years now to include my default page and pull content into my layouts.
I found the code online and its a bit confusing so was just wondering if its still safe to use, and is it all needed nowadays?
or is there a simpler way i could be doing this?
Thanks for any help
<?php
if (isset($_GET['nav']))
{
if (strpos($_GET['nav'], "/"))
{
$direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
$file = substr(strrchr($_GET['nav'], "/"), 1);
if (file_exists($direc.$file.".php"))
{
require($direc.$file.".php");
} else {
require("error.php");
}
} else {
if (file_exists(basename($_GET['nav']).".php"))
{
require(basename($_GET['nav']).".php");
} else {
require("error.php");
}
}
} else {
require("links.php");
}
?>
I am using seo friendly urls so when someone makes a post named "this is a post" the url will point to www.example.com/topic/this_is_a_post But when the user enters a character in their post name that means something in a url(? /) it obviously breaks. How can i make the urls safe from this without str_replace as i want to keep the characters. Hello,
I've noticed that there are services that I can pay to have my code
checked for possibly unsafe / insecure code.
But I'd rather audit the code myself, as my code is not meant to make money.
Is there a list of safe ways to use PHP?
Also is there any automatic way to do this that is free?
For instance is there a code checker?
I've noticed there are a number of ways to do PHP wrongly
that can be easy to overlook. Is there a list of common PHP pitfalls?
Thanks.
Like 6 years ago I had made a forum software for me and my buddies to post on. It had worked all great until my friend had posted a character that skewed my whole database, unintentionly, he knew nothing about computers. But I really haven't dabbed in PHP since 2008, I'm just now getting back into it again. I need to know how I can make data from an input to be put into an MySQL database and not screw up my code. So something along the lines that make the code safe and not exploitable. Also any third party scripts on captcha would be great! Hey guys! I have a doubt and this is a question that relates Flash and PHP... I have a flash (swf) file that grabs/sends variables from/to php. That swf file is FULLY encrypted and the paths to the PHP urls are also encrypted. Is there any other way a hacker could find out where and which my PHP files are located/named? Any ideas, suggestions? Thanks in advance! Cheers, I am trying to implement what I call private uploads. Basically, users can check a box to indicate they want their file "private" If so, the upload location is then (exampled as): _domain_/private-folder/$randomfolder Upon uploading their file, the random folder is created, their file moved to the directory, the upload information stored to the database, .htaccess file is created like so: info to add to new .htaccess: Code: [Select] <files "*.*"> Deny from All </files> <files "*.*"> Allow from $domains </files> the string $domains is the domains they enter each seperated by a new line in a form textarea. The problem - how can I make sure this is safe. i.e. I want the string to be obviously proofed with php so that no matter what they input, only domains will be outputted. I don't need code written for me (maybe), I'm just unsure of the necessary methods I should use. I have created this login class (In all honesty this is the most commented and well structured class I have ever written, I usualy just use random functions in a functions.php file, which works but this felt good when I finished it ) I just wanted some advice to how safe and whether the way I have done this is 'good practise', or if there is anything I should add to future proof it. This is the class: Code: [Select] <?php /* Author: Craig Dennis File: user_session.class.php Purpose: Flexible user login class that handles logging in, checking a user is logged in, and logging out. NOTE TO USE THIS CLASS YOU MUST ALREADY HAVE ALREADY CONNECTED TO THE DATABASE Include this file at the top of each page you wish to protect include("inc/user_session.class.php"); //(This could be put at the top of a global include file) Use the following code to check the user is logged in: $user_session = new user_session; //(This could be put at the top of a global include file) $user_session->validate_user(); //(This should only be left on the pages you wish to check for user validation) You will want to use the public redirect_if_logged_in() function instead of validate_user() on the login page like this: $user_session->redirect_if_logged_in(); //(This will redirect a user from the current page to the specified landing page) */ class user_session{ // Change these variables below if the table and fields in your database do not match public $t_name = "admins"; public $t_user = "username"; public $t_pass = "password"; public $t_lastlogin = "last_login"; //set $t_lastlogin = NULL if you do not have this field in your database //Change $login_page and $landing_page if your page names are different to this one public $login_page = "login.php"; public $landing_page = "logged_in.php"; //Change $log_in_error_msg if you wish to change the general error message when the user is unable to log in public $log_in_error_msg = "The username or password you have entered is incorrect or does not exist"; //Do not touch anything below unless you know what your doing /* * logged_in_user() * Returns value of the current logged in username */ public function logged_in_user(){ return $_SESSION['user_username']; } /* * log_in() * Takes 2 parameters ($username, $password) * Attempts to log in with the provided credentials, on success, the username and password are saved in the session for future testing */ public function log_in($username, $password){ $username = stripslashes(mysql_real_escape_string($username)); $password = stripslashes(mysql_real_escape_string($password)); $query_login = mysql_query("SELECT * FROM ".$this->t_name." WHERE ".$this->t_user."='$username' AND ".$this->t_pass."='$password'");; $login_accepted = mysql_num_rows($query_login); if($login_accepted == 1){ if($t_lastlogin != NULL){ $query_update_last_login = mysql_query("UPDATE ".$this->t_name." SET ".$this->t_lastlogin."='".time()."' WHERE ".$this->t_user."='$username'"); } $_SESSION['user_username'] = $username; $_SESSION['user_password'] = $password; return true; }else{ return false; } } /* * check_user() * Returns true if the current session credentials can be found in the database, otherwise returns false */ public function check_user(){ $query_login = mysql_query("SELECT * FROM ".$this->t_name." WHERE ".$this->t_user."='".$_SESSION['user_username']."' AND ".$this->t_pass."='".$_SESSION['user_password']."'"); $login_accepted = mysql_num_rows($query_login); if($login_accepted == 1){ return true; }else{ return false; } } /* * validate_user() * Returns true if the current session credentials can be found in the database, otherwise logs user out and returns false */ public function validate_user(){ $login_accepted = $this->check_user(); if($login_accepted == 1){ return true; }else{ $this->log_out(); return false; } } /* * redirect_if_logged_in() * Redirects the user to the specified landing page if the user is logged in */ public function redirect_if_logged_in(){ if($this->check_user()){ header("Location: ".$this->landing_page); } } /* * log_out() * Logs the user out by setting the session credentials to an empty string and redirecting them to the specified login page */ public function log_out(){ $_SESSION['user_username'] = ""; $_SESSION['user_password'] = ""; header("Location: ".$this->login_page); } } ?> Any comments or advice are appreciated. Hi, I am using parameterized queries on my code, here's the relevant part Code: [Select] $params=$_POST['ITGtable']; $tsql2 = "SELECT COLUMN_NAME, DATA_TYPE, ORDINAL_POSITION, COLUMN_DEFAULT, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=?"; /* Execute the statement with the specified parameter value. Display the returned data if no errors occur. */ $stmt2 = sqlsrv_query( $conn, $tsql2, $params); if( $stmt2 === false ) { echo "Statement 2 could not be executed.\n"; die( print_r(sqlsrv_errors(), true)); } else { $qty = sqlsrv_fetch_array( $stmt2); } Do I really have to sanitize $_POST['ITGtable'] for apostrophe, semicolon, etc, to avoid SQL injection problems? Or just with above code I should be safer (I did not say safe) against SQL injection? And if the answer is "No", what could be the sanitize code of function? I am using sqlsrv and MS-SQL database engine; most of the functions we have for sanitize inputs on MySQL are not available for MS-SQL. Thanks in advance, I built a address book for customers and i realize now im not sure the best way to allow the customer to edit/delete their addresses, but stopping them from pulling/editing other customers info. Even if i use post data only they could still view the page source and see the address ID being posted to the next page and change it, to see or edit someone elses data... Should i encrypt the ID? Is that even good enough? Im using PHP/MYSQL Hi,
Recently I've been trying writing a safe password hash and I wanted to know that if I use an MD5 hash at the end, just so it will be like some short of "packed",so instead of saving a 128 string, I'll use md5 to "pack" it into 32 characters and save up to 96 characters.
I know MD5 isn't safe and all, but the question is, does it lower the security ?
Also, would be happy for feedbacks about my password hash
function hash_($input,$key) {
$op=hash("whirlpool",hash("sha512",$key) . "$" . $input . "$" . hash("sha512",$key));I am using this script for "remember me" option: if (isset($_POST['rememberme'])) { /* Set cookie to last 1 year */ setcookie('username', $_POST['user_name'], time() + 60 * 60 * 24 * 365); setcookie('password', sha1($_POST['user_pass']), time() + 60 * 60 * 24 * 365); } Is it safe to save user data in cookie or there is better way? Can somebody steal password if there is more than one user at same computer? What do you suggest? |
|||||||