help me out with code excecution??

srikanth

A source of potential problems is considered a dynamic web application is the "polution" of input with bad, if not downright malicious data.

/ assumed $name is user data culled from a POSTed HTML form... /
$query = "SELECT * FROM members WHERE firstname = '" . $name ."';"
$result = mysql_query($query);
Can any one help me out??
How will i catch malformed (malicious?) POST/GET data in $name.

tomhath

Maybe http://us2.php.net/mysql_real_escape_string

srikanth

i had tries with link can you please code in php if possible

tomhath

Their example for using mysql_real_escape_string:

    if(get_magic_quotes_gpc()) {
        $product_name        = stripslashes($_POST['product_name']);
        $product_description = stripslashes($_POST['product_description']);
    } else {
        $product_name        = $_POST['product_name'];
        $product_description = $_POST['product_description'];
    }

    // Make a safe query
    $query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
                mysql_real_escape_string($product_name, $link),
                mysql_real_escape_string($product_description, $link),
                $_POST['user_id']);

    mysql_query($query, $link);

srikanth

will this catch malformed (malicious?) POST/GET data in $name?
if(get_magic_quotes_gpc()) {
$firstname = stripslashes($POST['first_name']);
} else {
$firstname = $POST['first_name'];
}

// Make a safe query
$query = sprintf("SELECT * FROM custimers where lastname = '" . $name ."';"
mysql_real_escape_string($firstname, $link),
$_POST['user_id']);

mysql_query($query, $link);

will this work out for my code????

srikanth

in my first posted question it is
assume $name is user data called from a POSTed HTML form...

tomhath

It should escape any attempt at SQL injection. Test it to be sure, just echo teh SQL instead of running it to see what you have.

What problem were you having with the link I posted? Can you get to the php manual somewhere else? You really need to have the manual available.

srikanth

is this the one that works out correctly??
<?php

if (isset($_POST['first_name'])) {
// Connect

$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

if(!is_resource($link)) {

    echo "Failed to connect to the server\n";
    // ... log the error properly

} else {

    // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.

    if(get_magic_quotes_gpc()) {
        $last_name = stripslashes($_POST['last_name']);
       } else {
        $last_name = $_POST['last_name'];
       }

    // Make a safe query
    $query = sprintf("SELECT * FROM `customers` WHERE `last_name` = '%s'",
                     mysql_real_escape_string($last_name, $link);

    mysql_query($query, $link);

    if (mysql_affected_rows($link) > 0) {
        echo "Product inserted\n";
    }
}

} else {
echo "Fill the form properly\n";
}
?>

tomhath

Looks like it should work.

Roger_Ramjet

I would suggest that you just start using php5 so that you can use PDO Prepared Statements

" * The parameters to prepared statements don't need to be quoted; the driver handles it for you. If your application exclusively uses prepared statements, you can be sure that no SQL injection will occur. (However, if you're still building up other parts of the query based on untrusted input, you're still at risk).

Prepared statements are so useful that they are the only feature that PDO will emulate for drivers that don't support them. This ensures that you will be able to use the same data access paradigm regardless of the capabilities of the database. "