westman

mysql_real_escape_string

Recommended Posts

westman    10

Hi all,
I used to use
$name = mysql_real_escape_string($name);
to clean information to store in my database on php 5.4

Now I am using php 5.6 and it seems to be a problem.

I was given this code to replace mysql_real_escape_string...
 

// Returns true when $str contains a line break or tab, either as the raw
// character or URL-encoded (%0A, %0D, %08, %09). It only detects those
// characters; it does not escape or quote anything.
function IsInjected($str)
{
  $injections = array('(\n+)',   // raw newline
              '(\r+)',           // raw carriage return
              '(\t+)',           // raw tab
              '(%0A+)',          // URL-encoded newline
              '(%0D+)',          // URL-encoded carriage return
              '(%08+)',          // URL-encoded backspace
              '(%09+)'           // URL-encoded tab
              );
  // Join the alternatives into one case-insensitive pattern: /(\n+)|(\r+)|.../i
  $inject = join('|', $injections);
  $inject = "/$inject/i";
  return preg_match($inject, $str) === 1;
}

 

The only problem is that I do not understand the code or how to use it.

Is there an easier way to clean information and stop SQL injection?  

Ingolme    794

The mysql library is deprecated for security reasons, use PDO or MySQLi.

To stop injection, escaping is no longer the correct solution, the proper solution is to use prepared statements. W3Schools has a tutorial page about prepared statements.

westman    10

Prepared statements look fun but I have thousands of lines of code in different files all using
$conn1 = mysql_connect("$servername","$username","$password") or die ("could not connect to mysql");
mysql_select_db("$dbname") or die ("no database"); 
not
$conn1 = new mysqli($servername, $username, $password, $dbname);

Do I need to change all my code if I start using mysqli and how will it affect everything else?

Ingolme    794

You will need to change your code. As of PHP 5.5, the server will show warning messages if you're using the mysql library and in PHP 7 the mysql library will no longer be supported. If you're interested in keeping your code working on newer platforms you will have to update it to use a newer library.

westman    10

I see that $name = mysql_real_escape_string($name); is not needed to protect against SQL injections when mysqli is used in a prepared statement on data INSERT.

How do we protect our database with SELECT, UPDATE, and DELETE?

Ingolme    794

When using prepared statements you don't have to worry about SQL injection, MySQL escapes the data for you. It doesn't matter whether it's INSERT, SELECT, UPDATE, DELETE or anything else. Just put placeholders anywhere where variables would have been used.

Here are examples of different queries with placeholders in them:

INSERT INTO table (field1, field2) VALUES (?, ?)
SELECT * FROM table WHERE id = ?
UPDATE table SET field1 = ? WHERE id = ?
DELETE FROM table WHERE id = ?

 

westman    10

Is this code safe, up to date, and useful?

$stmt = $conn->prepare("SELECT * FROM database WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
    while($row = $result->fetch_assoc()) {
        $id[] = $row['id'];
        $name[] = $row['name'];
        $age[] = $row['age'];
    }
}
$stmt->close();

The following code instead of the above.
$id = $row["id"];
$name = $row["name"];
$age = $row["age"];

Edited by westman

Gabrielphp    6
On 26.04.2017 at 3:04 AM, westman said:

Is this code safe, up to date, and useful?


$stmt = $conn->prepare("SELECT * FROM database WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
    while($row = $result->fetch_assoc()) {
        $id[] = $row['id'];
        $name[] = $row['name'];
        $age[] = $row['age'];
    }
}
$stmt->close();

The following code instead of the above.
$id = $row["id"];
$name = $row["name"];
$age = $row["age"];

Lemme edit it a bit.

try {
	$sql = "SELECT * FROM database WHERE email = :email";
	$stmt = $conn->prepare($sql);
	$stmt->bindParam(":email", $email);
	$stmt->execute();
	$numRows = $stmt->rowCount();

	if($numRows > 0)
	{
		while($row = $stmt->fetch())
		{
			$id = $row['id'];
			$name = $row['name'];
			$age = $row['age'];
		}
	}
} catch (PDOException $e) {
	echo "Error: " . $e->getMessage();
}

I have corrected a bit of mistyped methods that you used there. This should be secure enough.

Ingolme    794

Yes, that's secure. I don't believe rowCount() works like that in PDO, though. Just remove the rowcount part and check that you were able to fetch a row instead:

if($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
  $id = $row['id'];
  $name = $row['name'];
  $age = $row['age'];
} else {
  echo 'No data available';
}

 

westman    10

But I am not using PDO, I am using MySQLi.
So is...

 

$stmt = $conn->prepare("SELECT * FROM database WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
    while($row = $result->fetch_assoc()) {
        $id = $row["id"];
        $name = $row["name"];
        $age = $row["age"];
    }
}
$stmt->close();


ok for MySQLi?

Gabrielphp    6
13 hours ago, Ingolme said:

Yes, that's secure. I don't believe rowCount() works like that in PDO, though. Just remove the rowcount part and check that you were able to fetch a row instead:


if($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
  $id = $row['id'];
  $name = $row['name'];
  $age = $row['age'];
} else {
  echo 'No data available';
}

 

Have you tried it? It works just like that, it counts the rows.

http://php.net/manual/en/pdostatement.rowcount.php

Edited by Gabrielphp

Ingolme    794

This is from the page you just linked to:

Quote

PDOStatement::rowCount() returns the number of rows affected by the last DELETE, INSERT, or UPDATE statement executed by the corresponding PDOStatement object.

The query here is a SELECT statement.

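As an added example, not code from any poster in this thread, here is the PDO version of the pattern the two replies above argue about: the SELECT branch checks what fetch() returned, and rowCount() is used only where the manual defines it, after an UPDATE. The `users` table (id, name, age, email columns), the DSN and the credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with
// id, name, age and email columns; DSN and credentials are placeholders.
function connect(string $dsn, string $user, string $pass): PDO
{
    // ERRMODE_EXCEPTION makes a failed prepare()/execute() throw, so the
    // catch block actually fires; with emulation off the MySQL server
    // itself binds the parameters.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// SELECT: rowCount() is not guaranteed for SELECT; ask fetch() instead.
function findUserByEmail(PDO $conn, string $email): ?array
{
    $stmt = $conn->prepare('SELECT id, name, age FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();          // false when no row matched
    return $row === false ? null : $row;
}

// UPDATE: here rowCount() is documented to return the affected rows.
function updateAge(PDO $conn, int $id, int $age): int
{
    $stmt = $conn->prepare('UPDATE users SET age = :age WHERE id = :id');
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

try {
    $conn = connect('mysql:host=localhost;dbname=test;charset=utf8mb4', 'user', 'secret');
    // The quote in this constructed address is sent as data, never as SQL.
    $user = findUserByEmail($conn, "o'hara@example.com");
    if ($user === null) {
        echo "No data available\n";
    } else {
        printf("%d row(s) updated\n", updateAge($conn, (int) $user['id'], 31));
    }
} catch (PDOException $e) {
    error_log($e->getMessage());   // log the detail; do not echo it to visitors
    echo "Database error\n";
}
```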
Ingolme    794
On 2017-04-25 at 9:04 PM, westman said:

Is this code safe, up to date, and useful?


$stmt = $conn->prepare("SELECT * FROM database WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
    while($row = $result->fetch_assoc()) {
        $id[] = $row['id'];
        $name[] = $row['name'];
        $age[] = $row['age'];
    }
}
$stmt->close();

The following code instead of the above.
$id = $row["id"];
$name = $row["name"];
$age = $row["age"];

The problem is that in MySQLi, fetch_assoc() doesn't work with prepared statements. To get results in MySQLi you have to use bind_result() and then fetch(). I've found that store_result() is necessary too. This is why I prefer PDO to MySQLi.

westman    10

I may have about 20-30 different connections with different queries on a page.
Should I use
$conn->close();
after each query or at the bottom of the page?

Ingolme    794

You should only need one connection for each database host. If you are continually opening and closing connections then your code is going to run very slowly. You should open one connection, perform all the queries, then close the connection when the script is finished.

westman    10

What about having 20-30 different connections with different queries on a page,
starting each connection/query with
$stmt = $conn->prepare("something");
Should I use
$stmt->close();
after each connection/query or at the bottom of the page?

Ingolme    794

You only need one connection, only close the connection after all of your database work is done. You can close a prepared statement once you're done using it.

justsomeguy    939

To be clear, a connection and a query aren't the same.  You can run all of your queries on one connection.  For mysqli, you create a new connection when you create a new mysqli object:

http://php.net/manual/en/mysqli.quickstart.connections.php

You should only need 1 mysqli object (and therefore 1 connection) for the page, if you're creating 30 mysqli objects then that's a design problem.

Any connections that are still open when PHP finishes will be closed automatically, you don't have to close them yourself.

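As an added example, not code from any poster in this thread, here is one MySQLi connection serving two prepared queries, using the bind_result()/store_result()/fetch() path Ingolme describes above and closing each statement after use but the connection only once, as the last three replies recommend. The `users` table (id, name, age, email columns), the host and the credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with
// id, name, age and email columns; host and credentials are placeholders.
// Throw mysqli_sql_exception on errors instead of returning false,
// so a failed prepare() cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// bind_result()/store_result()/fetch() works without the mysqlnd driver;
// the ? placeholder means $email is sent as data, never spliced into SQL.
function findUserByEmail(mysqli $conn, string $email): ?array
{
    $stmt = $conn->prepare('SELECT id, name, age FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);      // 's' = string parameter
    $stmt->execute();
    $stmt->store_result();               // buffer the rows client-side
    $stmt->bind_result($id, $name, $age);
    $row = $stmt->fetch() ? ['id' => $id, 'name' => $name, 'age' => $age] : null;
    $stmt->close();                      // close the statement, keep the connection
    return $row;
}

function updateAge(mysqli $conn, int $id, int $age): int
{
    $stmt = $conn->prepare('UPDATE users SET age = ? WHERE id = ?');
    $stmt->bind_param('ii', $age, $id);  // 'i' = integer parameter
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

try {
    // One connection for the whole page; every query below reuses it.
    $conn = new mysqli('localhost', 'user', 'secret', 'test');
    $conn->set_charset('utf8mb4');

    // A quote in this constructed address cannot break out of the query.
    $user = findUserByEmail($conn, "o'hara@example.com");
    if ($user === null) {
        echo "No data available\n";
    } else {
        printf("%d row(s) updated\n", updateAge($conn, $user['id'], 31));
    }
    $conn->close();                      // once, after all queries are done
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());         // log the detail; do not echo it to visitors
    echo "Database error\n";
}
```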
