[RESOLVED] mysql_real_escape string help

mhodge87

In an effort to secure the db, i'm trying to understand this function. This is what I got after reading about it for an hour lol...🙂

//variables

$cid = $_POST[cid];
$fname = $_POST[fname];
$lname = $_POST[lname];
$email = $_POST[email];
$psswd = $_POST[password];
$rating = $_POST[rating];

//insert info
$sql= sprintf("INSERT INTO userinfo('cid', 'firstn', 'lastn', 'email', 'psswd', 'rating) 
		Values('%s', '%s', '%s', '%s', '%s', '%s')"
		mysql_real_escape_string($cid, $con), 
		mysql_real_escape_string($fname, $con), 
		mysql_real_escape_string($lname, $con), 
		mysql_real_escape_string($email, $con), 
		mysql_real_escape_string($psswd, $con), 
		mysql_real_escape_string($rating,$con));

Is this correct? Keep in mind it passes this info in a mysql_query($sql, $con) below that. It isn't going through. I think my brain is fried lmao

laserlight

Your idea is correct, and that's what is most important. You do have some typo errors though ("('cid', 'firstn', 'lastn', 'email', 'psswd', 'rating)" should be "(cid, firstn, lastn, email, psswd, rating)" or since this is MySQL "(cid, firstn, lastn, email, psswd, rating)"), and you should quote the string indices for $POST (e.g., $POST['cid'] instead of $_POST[cid]) and also check that such incoming variables exist (by using [man]isset[/man] or [man]empty[/man]) before using them.

mhodge87

Thanks for the help. Below is my code in its entirety and i'll put the error that i recieve.

<?php 
//make connection to database

If (isset($_POST['fname']) && isset($_POST['lname']) && isset($_POST['email']) && isset($_POST['password']) && isset($_POST['rating']));
{


$con = mysql_connect("localhost","root","******");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("zid", $con);

//variables

$cid = $_POST['cid'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$psswd = $_POST['password'];
$rating = $_POST['rating'];


	$sql= sprintf("INSERT INTO userinfo(cid, firstn, lastn, email, psswd,rating) 
	Values('%s', '%s', '%s', '%s', '%s', '%s')"
	mysql_real_escape_string($cid, $con), 
	mysql_real_escape_string($fname, $con), 
	mysql_real_escape_string($lname, $con), 
	mysql_real_escape_string($email, $con), 
	mysql_real_escape_string($psswd, $con), 
	mysql_real_escape_string($rating,$con));



if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "Registration Sent!";

mysql_close($con)

}
	echo("You need to completly fill out the form before submitting");


 ?>

The error is: Parse error: syntax error, unexpected T_STRING in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\newatc.php on line 28

laserlight

You have an extra semi-colon after the isset checks, then have a missing semi-colon after the mysql_close() call. By way on advice concerning code formatting, I would suggest:

<?php

if (isset($_POST['fname'], $_POST['lname'], $_POST['email'], $_POST['password'], $_POST['rating']))
{
    //make connection to database
    $con = mysql_connect("localhost","root","******");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

mysql_select_db("zid", $con);

//variables
$cid = $_POST['cid'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$psswd = $_POST['password'];
$rating = $_POST['rating'];

$sql = sprintf("INSERT INTO userinfo(cid, firstn, lastn, email, psswd, rating)
                VALUES ('%s', '%s', '%s', '%s', '%s', '%s')"
               mysql_real_escape_string($cid, $con),
               mysql_real_escape_string($fname, $con),
               mysql_real_escape_string($lname, $con),
               mysql_real_escape_string($email, $con),
               mysql_real_escape_string($psswd, $con),
               mysql_real_escape_string($rating,$con));

if (!mysql_query($sql, $con))
{
    die('Error: ' . mysql_error());
}

echo "Registration Sent!";

mysql_close($con);
}
else
{
    echo "You need to completly fill out the form before submitting";
}

?>

Note that you do not actually need to assign $POST['cid'] to $cid (and the others) if you never actually change $cid or further validate the incoming data. You could use $POST['cid'] directly.

mhodge87

laserlight wrote:

You have an extra semi-colon after the isset checks, then have a missing semi-colon after the mysql_close() call. By way on advice concerning code formatting, I would suggest:

<?php

if (isset($_POST['fname'], $_POST['lname'], $_POST['email'], $_POST['password'], $_POST['rating']))
{
    //make connection to database
    $con = mysql_connect("localhost","root","******");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

mysql_select_db("zid", $con);

//variables
$cid = $_POST['cid'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$psswd = $_POST['password'];
$rating = $_POST['rating'];

$sql = sprintf("INSERT INTO userinfo(cid, firstn, lastn, email, psswd, rating)
                VALUES ('%s', '%s', '%s', '%s', '%s', '%s')"
               mysql_real_escape_string($cid, $con),
               mysql_real_escape_string($fname, $con),
               mysql_real_escape_string($lname, $con),
               mysql_real_escape_string($email, $con),
               mysql_real_escape_string($psswd, $con),
               mysql_real_escape_string($rating,$con));

if (!mysql_query($sql, $con))
{
    die('Error: ' . mysql_error());
}

echo "Registration Sent!";

mysql_close($con);
}
else
{
    echo "You need to completly fill out the form before submitting";
}

?>

Note that you do not actually need to assign $POST['cid'] to $cid (and the others) if you never actually change $cid or further validate the incoming data. You could use $POST['cid'] directly.

I've done all that (even copied and pasted your recommended code into it, but i still get unexpected T_STRing error on line 24 which is the first line of the MYSQL_REAL_ESCAPE_STRING functions. and btw, thanks for the help, its greatly appreciated.

laserlight

Oh, you are missing a comma:

$sql = sprintf("INSERT INTO userinfo(cid, firstn, lastn, email, psswd, rating)
                    VALUES ('%s', '%s', '%s', '%s', '%s', '%s')"

should be:

$sql = sprintf("INSERT INTO userinfo(cid, firstn, lastn, email, psswd, rating)
                    VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",

mhodge87

thanks so much! I sincerely appreciate it