#21
You're just making it difficult for yourself to follow the code. The strtolower() could be needed in some cases (i.e. if you force usernames to be lowercase), but it's certainly not needed to sanitize input. SQL statements don't need to be uppercase, we just write them that way for clarity reasons only.

And then all str_replace() calls are done with one single mysql_real_escape_string(). That function asks the mysql library to escape all "dangerous" characters; you can't do it any better yourself. If the MySQL team decides to add a character somewhere, they'll update the library and your code will be fine without the need for any changes. Added bonus: this function is binary safe, so it can be used to sanitize binary data (i.e. an image) that goes to the database.

NOTE: mysql_real_escape_string() needs an open database connection! If you have multiple connections, you can pass the correct one as an optional second parameter. In turn it will do the escaping correctly for any character set you might be using.

Don't think you're safe now, because this really is just part 1.

Oh, just for the record, there is an alternative where you don't need to escape any data at all. If you work with bound parameters, you are not vulnerable to SQL injections at all. But that's a more advanced topic.

Ok, thank you. I've added mysql_real_escape_string($input) everywhere I've used a $_GET or $_POST just to be safe. Now, I suppose, is the difficult part: how do I get users to come to my site? I've added it to Google and Yahoo but I'm pretty sure the only hits I'm getting are me and users from this forum...
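As an added example (not code from anyone in this thread), here are the three approaches the post contrasts side by side: the raw string build, the escaped version the poster calls "part 1", and the bound-parameter version. It is written against mysqli rather than the old mysql_* functions named above, since those were removed in PHP 7, and it assumes an open mysqli connection in $db, a hypothetical `users` table with `username` and `email` columns, and a `$name` value that came from something like $_GET['user'].

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli connection in
// $db, e.g. $db = new mysqli('localhost', 'user', 'pass', 'app'); $db->set_charset('utf8mb4');
// and a hypothetical table `users` with columns `username` and `email`.

// 1. Unsafe: the request value becomes part of the SQL text, so the database
//    parses whatever the client sent as SQL.
function findUserUnsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT username, email FROM users WHERE username = '$name'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// 2. Escaped ("part 1" in the thread): the connection is passed so the escaping
//    matches the connection's character set. This only protects a value that sits
//    inside a quoted string literal; an unquoted number (WHERE id = $id) or a
//    table/column name is not covered, which is why escaping alone is not the end.
function findUserEscaped(mysqli $db, string $name): ?array
{
    $safe = mysqli_real_escape_string($db, $name);
    $sql  = "SELECT username, email FROM users WHERE username = '$safe'";
    $res  = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// 3. Bound parameters (the alternative the thread mentions): the statement text
//    is sent with a placeholder and the value travels separately, so it can never
//    be parsed as SQL and no escaping is needed for any character set.
function findUserBound(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare("SELECT username, email FROM users WHERE username = ?");
    $stmt->bind_param('s', $name);      // 's' = bind as a string
    $stmt->execute();
    $res = $stmt->get_result();         // requires the mysqlnd driver
    $row = $res ? ($res->fetch_assoc() ?: null) : null;
    $stmt->close();
    return $row;
}
```

Any value that is not a quoted string literal (an integer in a LIMIT clause, a column name for ORDER BY) still has to be validated against an allow-list even in the bound-parameter version, because placeholders can only stand in for values.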