views: 1117
answers: 7
I have this code:

$query = "select id from votes where username = '$user' and article_id  = $this->id";

I tried this code to sanitize it:

$query = sprintf("select id from votes where username = '$user' and article_id = $this->id", 
    mysql_real_escape_string($user), 
    mysql_real_escape_string($password));

but I get this error for the mysql_real_escape lines:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 146
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 146

I get the user name here; I don't know if it's safe enough:

function getUsername(){ return $this->username; }

Thx

+7  A: 

You need a mysql connection before you can use mysql_real_escape_string.

whichdan
I do have a connection; I mean the site works and connects to the DB before inserting those lines. Thx.
Slzr
That's not what the error is saying! Try using your link identifier as the second argument for your mysql_real_escape_strings and see if that helps.
whichdan
+3  A: 

Not sure if this is what's causing your problem, but I believe the variables in your sprintf statement shouldn't be '$user' and '$this->id'; they should be '%s'.

http://us2.php.net/sprintf

JasonV
Not to mention that he is trying to replace an article_id with a variable called $password.
Abinadi
Why use sprintf() at all - PHP has variable interpolation in strings. OTOH, a SQL statement built with sprintf() is just as unsafe as an interpolated one... Both methods should be avoided.
Tomalak
@Tomalak - I know, but was merely highlighting a bug in his code, not proposing a better method.
JasonV
+1  A: 

I'd recommend using a mature DB abstraction layer like Zend_Db (there are tons of them out there). Implementing your own homebrew solution is not something I'd recommend for a production system.

n3rd
+2  A: 

You need a connection to use mysql_real_escape_string() because it uses the server's encoding type to help sanitize.

Also, the sprintf() should look something like this:

// %s receives the escaped username (quoted in the format string);
// %d forces article_id to an integer, so it needs no escaping.
$query = sprintf("SELECT id FROM votes WHERE username = '%s' AND article_id = %d", 
    mysql_real_escape_string($user), 
    (int) $this->id);
Ólafur Waage
In mine, I wasn't sure if the id was necessarily an integer, so I just went with a string format.
JasonV
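The two fixes above (open the link first, and let sprintf() substitute with %s / %d rather than interpolating the variables inside the format string) put together, as an added example that is not code from any of the answers. It assumes the legacy ext/mysql functions this thread is about (removed in PHP 7.0), a live MySQL server, and PHP 5.2.3 or later for mysql_set_charset(); the host, credentials and schema name are placeholders, and the two inputs at the bottom are constructed.

```php
<?php
// Added example, not from the original answers. Assumes the legacy
// ext/mysql extension (removed in PHP 7.0) and a reachable MySQL server;
// 'localhost', 'mexautos', 'secret' and 'kiubbo' are placeholders.

$link = mysql_connect('localhost', 'mexautos', 'secret');
if ($link === false) {
    die('connect failed: ' . mysql_error());
}
if (!mysql_select_db('kiubbo', $link)) {
    die('select_db failed: ' . mysql_error($link));
}
// Escaping is charset-dependent: set the connection charset through the
// driver (not with a "SET NAMES" query) so mysql_real_escape_string()
// uses the same charset the server applies to this connection.
mysql_set_charset('utf8', $link);

/**
 * Build the votes lookup. The link is passed explicitly to
 * mysql_real_escape_string() so it never falls back to a default
 * connection (which is what produced the "Access denied" warnings).
 */
function build_vote_query($link, $user, $articleId)
{
    // %s gets the escaped string, quoted in the format; %d forces the id
    // to an integer, so no escaping is needed for it.
    return sprintf(
        "SELECT id FROM votes WHERE username = '%s' AND article_id = %d",
        mysql_real_escape_string($user, $link),
        (int) $articleId
    );
}

// Constructed inputs: a normal name, then a classic injection attempt
// in both the username and the id.
$queries = array(
    build_vote_query($link, 'alice', 42),
    build_vote_query($link, "x' OR '1'='1", '42; DROP TABLE votes'),
);
foreach ($queries as $sql) {
    echo $sql, "\n";
}

mysql_close($link);
```

In the second query the single quotes inside the username come back backslash-escaped, so they stay inside the string literal, and the (int) cast reduces the id to 42 before it reaches the format string. This is the most the old mysql extension can do; it still builds SQL by string concatenation, which is why the prepared-statement answers below are the better fix.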
+7  A: 

I would suggest using prepared statements for this instead of sprintf.

John Rasch
Great idea if the mysql interface supported them. He would need to switch to mysqli or PDO to use prepared statements.
jmucchiello
If he's using PHP 5 or greater, mysqli is included.
John Rasch
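The same lookup as a server-side prepared statement, as an added example and not code from this answer. It assumes PDO with the pdo_mysql driver (PHP 5.3.6 or later for the charset in the DSN) and, for the second function, the mysqli extension; the DSN, credentials and schema are placeholders, and the calls at the bottom use constructed inputs. Unlike escaping, the query text is sent to the server once and the values travel separately, so a value containing quotes or comment markers can never be parsed as SQL.

```php
<?php
// Added example, not from the original answer. Assumes PDO + pdo_mysql
// (and mysqli for the second function); host, dbname and credentials
// are placeholders.

$dsn = 'mysql:host=localhost;dbname=kiubbo;charset=utf8';
$pdo = new PDO($dsn, 'mexautos', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Disable client-side emulation so MySQL itself parses the statement
    // and receives the parameters out of band, rather than PDO quoting
    // them into the SQL text on the client.
    PDO::ATTR_EMULATE_PREPARES => false,
));

/**
 * Return the vote id for ($user, $articleId), or null if there is none.
 * Named placeholders; the id is bound as an integer explicitly.
 */
function find_vote_id(PDO $pdo, $user, $articleId)
{
    $stmt = $pdo->prepare(
        'SELECT id FROM votes WHERE username = :user AND article_id = :article'
    );
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':article', (int) $articleId, PDO::PARAM_INT);
    $stmt->execute();
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

/**
 * mysqli equivalent of find_vote_id(), for installs without PDO.
 * bind_param() takes its arguments by reference, hence the local copy.
 */
function find_vote_id_mysqli(mysqli $db, $user, $articleId)
{
    $stmt = $db->prepare(
        'SELECT id FROM votes WHERE username = ? AND article_id = ?'
    );
    $articleId = (int) $articleId;
    $stmt->bind_param('si', $user, $articleId);   // s = string, i = integer
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// Constructed inputs. The second username is an injection attempt; with
// a prepared statement it is compared literally and simply matches no row.
var_dump(find_vote_id($pdo, 'alice', 42));
var_dump(find_vote_id($pdo, "x' OR '1'='1", 42));
```

The original mysql_* extension has no prepared-statement API at all, which is the point of the comment above: moving to PDO or mysqli is what makes this possible.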
+3  A: 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO)

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established

Did you check the link? Is it active? You need to be connected before you use mysql_real_escape_string(). Did you forget to set the password?

Try:

mysql -u mexautos -p

(press Enter if there is no password)

Also, check your sprintf() call; you need to use %s to bind your variables:

$a = 'Foo';
$b = 'Bar';
$foo = sprintf('Foo Bar %s %s', $a, $b);
Boris Guéry
The error does seem access related.
Ted Johnson
Trying to connect through the console is a way to check the privileges in a raw way!
Boris Guéry
A: 

Like the others said, not '$user' but '%s', and you need an open connection.

@Tomalak sprintf is faster - that's the reason why to use it - it is a native C function.

shazarre
sprintf is faster than what? When interacting with the database, that's not an especially good reason...
Paul Fisher
sprintf is faster than built-in PHP string interpolation, and it wasn't related to the database subject, but to Tomalak's comment.
shazarre