www.webdeveloper.com

Thread: Search Function with multiple variables in SQL

  1. #46 (Join Date: Sep 2008, Posts: 408)
    As for using variables that aren't ints:

    Using what I posted, instead of intval() you can use mysql_real_escape_string(). Personally, I use intval() when the input should be a number; otherwise I mysql_real_escape_string() it. Also, when I know it should be a number, I don't use quotes either. Here is an example with both:

    PHP Code:
    $sql="SELECT * FROM $tbl_name WHERE technology='".mysql_real_escape_string($_GET['technology'])."' AND `range`=".intval($_GET['range'])." AND output='".mysql_real_escape_string($_GET['output'])."' AND configuration=".floatval($_GET['configuration']); 
    In that string I'm creating the SQL knowing that technology can be a string/number, range is an int, output is a string/number, and configuration is a float.

  2. #47 (Join Date: Nov 2008, Posts: 2,477)
    You might need to be a bit careful with just injecting intval though depending on the data in question since it will return 0 on failure. Injecting a 0 may or may not give undesirable results. Personally I like to do some more robust validation rather than relying on intval alone. Depends on what you are doing of course.

  3. #48 (Join Date: Sep 2008, Posts: 408)
    Indeed, personally I use a function inside my Database object:

    PHP Code:
    // clean the value before it goes anywhere near SQL; the second argument controls whether HTML is kept
    $variable = $Database->anti_hack($variable, $is_html_allowed);
    However, I like using intval as a quick and easy test. As for inserts/updates, those are more controlled, but for pumping out data with a select, intval does more than enough. Inserts/updates usually have a lot more validation going on beforehand, though, and are only executed when everything is a-okay.

    monkey, for personal reference and examples, here are two pages on SQL Injection:
    http://www.tizag.com/mysqlTutorial/m...-injection.php
    http://us3.php.net/manual/en/securit...-injection.php

    Another note: SQL Injection can happen on ANY user input, even things like ORDER BY, LIMIT, etc. So anything that has user input must be cleaned/validated (as for ORDER BY, usually I'll set up an array of approved sorts and, if the input is not in that list, use a default value, or use a switch to create an ORDER BY using a different name than the column). Alright, starting to rant a bit. Bottom line: good luck, monkey.

  4. #49 (Join Date: Apr 2009, Posts: 107)
    OK, I am just having a bad coding day. I am trying to create an insert page that will insert new products into the database. Here is the code:
    PHP Code:
    <?php
    include "db.php";
    include "error.php";

    $tbl_name = "product";

    // mysql_connect() takes host, user, password (and an optional new_link flag), not a table name
    $connect = mysql_connect($hostname, $username, $password, $tbl_name);
    if (!$connect)
      {
      die('Could not connect:' . mysql_error());
      }

    mysql_select_db($database, $connect);

    // $_POST values go into the query as-is (see the replies about `range` and SQL Injection)
    $sql = "INSERT INTO $tbl_name (product, technology, `range`, output, configuration) VALUES ('$_POST[product]','$_POST[technology]','$_POST[`range`]','$_POST[output]','$_POST[configuration]')";
    if (!mysql_query($sql, $connect))
      {
      die('Error: ' . mysql_error());
      }
    echo "1 record added";

    mysql_close($connect);
    ?>
    When run, this page just displays blank, with no errors. Any thoughts?

  5. #50 (Join Date: Sep 2008, Posts: 408)
    Change $_POST[`range`] to $_POST['range'] and add single quotes to all the $_POST's. Also, those are perfect areas to worry about SQL Injection.

    Lastly, after adding the single quotes to the posts, break them out of the string:

    PHP Code:
    // each $_POST value is concatenated into the string with the . operator
    $sql = "INSERT INTO $tbl_name (product, technology, `range`, output, configuration) VALUES ('".$_POST['product']."','".$_POST['technology']."','".$_POST['range']."','".$_POST['output']."','".$_POST['configuration']."')";
    Or as:

    PHP Code:
    // same query using PHP's {$...} complex syntax inside the double-quoted string
    $sql = "INSERT INTO $tbl_name (product, technology, `range`, output, configuration) VALUES ('{$_POST['product']}','{$_POST['technology']}','{$_POST['range']}','{$_POST['output']}','{$_POST['configuration']}')";
    Personally, I prefer the first method as it's easier to see and work with in color-coded text editors. You were right with the first backticks on the range; however, the second one is a PHP variable, so single quotes.

    Once you get that working, try adding some anti hacking (SQL Injection) functionality.
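One way to add that anti-injection functionality, as an added example that is not code from the thread or from any of its posters: it rebuilds the search from post #46 with PDO prepared statements (rather than the mysql_* functions the thread uses), rejects non-numeric range/configuration instead of letting intval() turn them into 0 (post #47's caveat), and whitelists ORDER BY (post #48). The in-memory SQLite table, its rows and the APPROVED_SORTS map are constructed for the example.

```php
<?php
// Added example, not code from the thread: the post #46 search with PDO prepared statements,
// strict number validation (post #47's intval() caveat) and an ORDER BY whitelist (post #48).
// Approved sort keys mapped to real column expressions; anything else falls back to a default.
const APPROVED_SORTS = ['product' => 'product', 'range' => '`range`', 'output' => 'output'];

// Return the integer, or null when the input is not a clean integer ("abc", "12abc", "").
function strictInt($value): ?int {
    $i = filter_var($value, FILTER_VALIDATE_INT);
    return $i === false ? null : $i;
}
function strictFloat($value): ?float {
    $f = filter_var($value, FILTER_VALIDATE_FLOAT);
    return $f === false ? null : $f;
}
function searchProducts(PDO $db, array $get): array {
    $range = strictInt($get['range'] ?? '');
    $configuration = strictFloat($get['configuration'] ?? '');
    if ($range === null || $configuration === null) {
        // Reject instead of silently searching for 0, which is what intval() alone would do.
        throw new InvalidArgumentException('range must be an integer and configuration a number');
    }
    // ORDER BY cannot be a bound parameter, so map the input to an approved column or the default.
    $sort = APPROVED_SORTS[$get['sort'] ?? ''] ?? 'product';
    $sql = "SELECT * FROM product WHERE technology = :technology AND `range` = :range"
         . " AND output = :output AND configuration = :configuration ORDER BY $sort";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':technology', (string)($get['technology'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':range', $range, PDO::PARAM_INT);
    $stmt->bindValue(':output', (string)($get['output'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':configuration', $configuration);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (in-memory SQLite) so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE product (product TEXT, technology TEXT, `range` INTEGER, output TEXT, configuration REAL)");
$ins = $db->prepare("INSERT INTO product VALUES (?, ?, ?, ?, ?)");
$ins->execute(['Widget A', 'LED', 10, '5W', 1.5]);
$ins->execute(['Widget B', 'LED', 10, '5W', 2.0]);

$query = ['technology' => 'LED', 'range' => '10', 'output' => '5W', 'configuration' => '1.5'];
echo count(searchProducts($db, $query)), " row(s)\n";                               // 1
// A stray quote in a bound string is data, not SQL: no error, simply no match.
echo count(searchProducts($db, ['technology' => "LED'"] + $query)), " row(s)\n";   // 0
// An unapproved sort key never reaches the SQL; the default column is used instead.
echo count(searchProducts($db, ['sort' => 'not a column'] + $query)), " row(s)\n"; // 1
```

Passing 'range' => '12abc' makes searchProducts() throw rather than query for range 0, which is the behaviour post #47 wanted over a bare intval().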
