mysql_real_escape_string

ashley98860615

I am setting up an update details section on my site and i was wondering if using mysql_real_escape_string in the format below is enough to prevent injection attacks? if not what would be better?

$firstname = mysql_real_escape_string($_POST['first_name']);

UPDATE users SET first_name='$firstname' WHERE username='$_SESSION[username]'"

also would i need to do this on any other functions (registering, logging in etc)?

thanks

Rodney_H_

I was wondering if you have any limits posted on the site? Something saying:

"First names should only have letters"

If so, you can use regex to detect anything OTHER than letters and stop the script with a customized error message to the user BEFORE you insert the new first name.

Or, you can also do a combination of using the htmlentities() function and then escape that:

<?php
$firstname = htmlentities($_POST['first_name'], ENT_QUOTES, 'UTF-8');

$query = "UPDATE users 
      SET first_name = '" . mysql_real_escape_string($firstname) . "' 
      WHERE username = '" . $_SESSION[username] . "' 
      LIMIT 1";
// etc...
?>

ashley98860615

i tried using htmlentities but i can't get it to work, i've tried two ways - one before my sql outside an if statement and oneinside the if statement, both let me put numbers in.

i am also having troubles checking whether form feilds are filled out.. here's my code - be great if you could have a look at it and see whats wrong. thanks

function updatedetails () {


$result = mysql_query("SELECT * FROM users WHERE username='".$_SESSION[username]."'")  or die('<center><strong><font color=red>Select query failed. ' . mysql_error() . '</font></strong></center>'); 
$myrow = mysql_fetch_array($result);

$firstname = htmlentities($_POST['first_name'], ENT_QUOTES, 'UTF-8');
$lastname = htmlentities($_POST['last_name'], ENT_QUOTES, 'UTF-8');
$email = $_POST['email'];
$info = $_POST['info'];
$react = $_POST['react'];

if(!isset($firstname) || !isset($lastname) || !isset($email)) {
if($react == 'update') {
	mysql_query("UPDATE users SET first_name='".mysql_real_escape_string($firstname)."', last_name='".mysql_real_escape_string($lastname)."', email='".mysql_real_escape_string($email)."', info='".mysql_real_escape_string($info)."' WHERE username='".$_SESSION[username]."' LIMIT 1") or die('<center><strong><font color=red>Query failed. ' . mysql_error() . '</font></strong></center>');
	print "<center><strong><font color=green>Update successfull<br /><br /></font><strong><center>";
} 
}
else {
	echo "<center>NOTE:Required form elements are indicated by a *</center><br /><form id='update' name='update' method='post' action=''>
  <table align='center' width='503' border='1' cellpadding='10'>
      <tr width='300'>
      <td width='130' align='left' valign='top'><strong>Username:</strong></td>
      <td width='321' align='left' valign='top'><em>$_SESSION[username]</em></td>
    </tr>

<tr>
  <td width='130' align='left' valign='top'><strong>First name:*</strong></td>
  <td width='321' align='left' valign='top'>
  <input name='first_name' type='text' id='last_name'value='$myrow[first_name]' class='textarea'/>Letters only!</td>
</tr>
<tr>
  <td width='130' align='left' valign='top'><strong>Surname:*</strong></td>
  <td width='321' align='left' valign='top'>
  <input type='text' name='last_name' id='last_name' value='$myrow[last_name]' class='textarea'/>Letters only!</td>
</tr>
<tr>
  <td width='130' align='left' valign='top'><strong>Email address:*</strong></td>
  <td width='321' align='left' valign='top'>
  <input name='email' type='text' size='40' id='email' value='$myrow[email]' class='textarea'></td>
</tr>
<tr>
  <td align='left' valign='top'><strong>Bio:</strong></td>
  <td align='left' valign='top'><textarea name='info' cols='50' id='info' rows='5' class='textarea'>$myrow[info]</textarea></td>
</tr>
<tr>
  <td colspan='2' align='center' valign='top'><input type='hidden' name='react' value='update'><input type='submit' name='Submit' value='Submit'></td>
</tr>
  </table></form>";
  }
}

it's on a page that using a switch statement to switch between operations

Rodney_H_

ashley98860615 wrote:
i tried using htmlentities but i can't get it to work, i've tried two ways - one before my sql outside an if statement and oneinside the if statement, both let me put numbers in.

Ashley,

Why don't you read what the htmlentities() function does and doesn't do here: http://www.php.net/htmlentities

In a nutshell, if you want to stop users from entering numbers, you will typically do this using regular expressions. You will need to look at the ereg() functions: http://www.php.net/ereg

ashley98860615 wrote:
i am also having troubles checking whether form feilds are filled out..

You are checking to see if they are set, which is good, but you are not checking to see if they have a value. The problem is, if the form fields are on the form, but the user doesn't fill out a value in them and submits the form, they will be set. They won't, however, have any values associated with them: Their values will be empty. You can check for this a couple of different ways, using the strlen() function, the empty() function, etc. Another way is to change this line of code:

if(!isset($firstname) || !isset($lastname) || !isset($email)) {

to this:

if(trim($firstname) == ''  || trim($lastname) == '' || trim($email) == '') {