tags:

views:

85

answers:

6
Q: 

PHP Protect query from mysqyl Injection.

How can I add mysql_real_escape_string() to this:::

$result = mysql_send("INSERT customers SET user='$username', pword='$pass1', 
                      firstname='$firstname', lastname='$lastname', email='$email', 
                      active='No', activecode='$activecode', dateofbirth='$dateofbirth', 
                      gender='$gender', title='$title', occupation='$occupation', 
                      address='$address', city='$city', country='$country', zip='$zip',
                      mobile='$mobile', telephone='$telephone', fax='$fax', 
                      website='$website'
                     ");
+2  A:  
$result = mysql_send("  INSERT  customers
                        SET     user='".mysql_real_escape_string($username)."', 
                                pword='".mysql_real_escape_string($pass1)."', 
                                firstname='".mysql_real_escape_string($firstname)."', 
                                lastname='".mysql_real_escape_string($lastname)."', 
                                email='".mysql_real_escape_string($email)."', 
                                active='No', 
                                activecode='".mysql_real_escape_string($activecode)."', 
                                dateofbirth='".mysql_real_escape_string($dateofbirth)."', 
                                gender='".mysql_real_escape_string($gender)."', 
                                title='".mysql_real_escape_string($title)."', 
                                occupation='".mysql_real_escape_string($occupation)."', 
                                address='".mysql_real_escape_string($address)."', 
                                city='".mysql_real_escape_string($city)."', 
                                country='".mysql_real_escape_string($country)."', 
                                zip='".mysql_real_escape_string($zip)."', 
                                mobile='".mysql_real_escape_string($mobile)."', 
                                telephone='".mysql_real_escape_string($telephone)."', 
                                fax='".mysql_real_escape_string($fax)."', 
                                website='".mysql_real_escape_string($website)."'
                    ");
Kau-Boy  2010-08-30 10:14:43
lol. that's really ridiculous. "how to add" meant literally. it was just a syntax question.
Col. Shrapnel  2010-08-30 10:28:40
A:  
$result = mysql_send("INSERT customers SET user='$username', pword='$pass1', firstname='".mysql_real_escape_string($firstname)."', lastname='".mysql_real_escape_string($lastname)."', email='".mysql_real_escape_string($email)."', active='No', activecode='".mysql_real_escape_string($activecode)."', dateofbirth='".mysql_real_escape_string($dateofbirth)."', gender='".mysql_real_escape_string($gender)."', title='".mysql_real_escape_string($title)."', occupation='".mysql_real_escape_string($occupation)."', address='".mysql_real_escape_string($address)."', city='".mysql_real_escape_string($city)."', country='".mysql_real_escape_string($country)."', zip='".mysql_real_escape_string($zip)."', mobile='".mysql_real_escape_string($mobile)."', telephone='".mysql_real_escape_string($telephone)."', fax='".mysql_real_escape_string($fax)."', website='".mysql_real_escape_string($website)."'");
Maulik Vora  2010-08-30 10:15:24
+2  A: 

I make it this way (assuming HTML form's field names exactly match a database field name):

$fields = explode(" ","user pword firstname lastname email ative activecode dateofbirth gender title occupation address city country zip mobile telephone fax website");

$_POST['active'] = "Mo"; // I know it's kinda dirty but it works. 
$sql = "INSERT INTO customers SET ".makeDdbSet($fields);

function makeDdbSet($fields) {
  $q='';
  foreach ($fields as $v) $q.="`$v` = '".mysql_real_escape_string($_POST[$v])."', ";
  return trim($q,", ");
}

looks neat to me.

Col. Shrapnel  2010-08-30 10:22:16
A really nice and handy function! But I would have added all lines in the foreach to an ARRAY $q and than used the implode() function and not trimming the last comma.
Kau-Boy  2010-08-30 11:24:11
@Kau that's perfectionism that spoils you. there is not a single reason to use array here. Same amount of code and other differences are negligible
Col. Shrapnel  2010-08-30 11:45:38
+1  A: 

dont, just call a stored proc :P

f00  2010-08-30 12:42:29
+2  A: 

Escaping is quite old-school. Instead, use prepared statements to separate queries and data.

This saves you lots of headaches.

$sql = "INSERT customers SET user=:user, pword = :pword .....";
$sth = $dbh->prepare($sql);
$sth->execute(array('user => $username, 'pword' => $password));

Depending on where you get the data from, you might also directly have it in an array.

For example, in case you get a lot of data from a form, with the variable names pword, user and so on you can directly use that array 

$sth->execute($_POST);
Alex  2010-08-30 12:47:13
it's twice more code than current approach. Any way to make it shorter?
Col. Shrapnel  2010-08-30 13:03:49
You could create a function which would generate SQL and prepared data array for you.(eg: function insert_into($table, $data) )
knagode  2010-08-30 14:47:00
+2  A: 

Maybe you can take some time and check out Doctrine ORM.

Saving to database would then look like:

$customer = new Customer();
$customer->fromArray($data); // $data = array("firstname"=>"John", ...)
$customer->save();

Everything will be escaped, your program will also be more readable ...

knagode  2010-08-30 12:56:31
from where do you get that "John"?
Col. Shrapnel  2010-08-30 13:02:45
The simpliest example would probably be: $customer->fromArray($_POST); --> every field from POST which matches column in "customer table" will be saved into database.
knagode  2010-08-30 13:50:15
well with actual data it will be way more code than now. what's the benefit?
Col. Shrapnel  2010-08-30 14:41:10
Less code doesn't mean better program. Doctrine simply makes your program more readable, it fasten your development and give you much more power than SQL. You can check it out here: http://www.doctrine-project.org (ORM section).
knagode  2010-08-30 23:03:47
Why should I check out somewhere? Why can't you show that more readable code right here? Is it too hard to do it using your ORM?
Col. Shrapnel  2010-09-02 07:07:29
Example: you have news and news_comment table.Get news by id: $news = Doctrine::getTable("News")->find(1);Get news comments: foreach($news->Comments as $comment){ echo $comment->content; }// insert new comment for current news: $comment = new NewsComment(); $comment->content="blah"; $news->Comments[] = $comment; $news->save(); I hope you see the some difference :)
knagode  2010-09-03 18:08:11
You can also write escaped queries like $news = Doctrine_Query::create()->from("News")->where("hidden", false)->execute();
knagode  2010-09-03 18:10:10

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases