08-14-2009, 09:57 PM   #21
Terinalo (Senior Member, joined Oct 2005, 471 posts)
You're just making it difficult for yourself to follow the code.
PHP Code:
// one escaping call covers every special character the MySQL client library knows about
$username = mysql_real_escape_string( $input );
$result = mysql_query( "SELECT id FROM users WHERE username = '$username'" );
The strip_tags() is useless with regard to sanitizing the input before sending it to the database. HTML, XML, PHP tags, etc. can do no harm there because the query parser won't understand the tags; they're just strings to the parser.

The strtolower() could be needed in some cases (i.e. if you force usernames to be lowercase), but it's certainly not needed to sanitize input. SQL statements don't need to be uppercase; we just write them that way for clarity.

And then all str_replace() calls are replaced with one single mysql_real_escape_string(). That function asks the mysql library to escape all "dangerous" characters; you can't do it any better yourself. If the MySQL team decides to add a character somewhere, they'll update the library and your code will be fine without the need for any changes. Added bonus: this function is binary safe, so it can be used to sanitize binary data (i.e. an image) that goes to the database.
NOTE: mysql_real_escape_string() needs an open database connection! If you have multiple connections, you can pass the correct one as an optional second parameter. In turn it will do the escaping correctly for any character set you might be using.

Don't think you're safe now, because this really is just part 1. Oh, just for the record, there is an alternative where you don't need to escape any data at all. If you work with bound parameters, you are not vulnerable to SQL injection at all. But that's a more advanced topic.

OK, thank you. I've added mysql_real_escape_string($input) everywhere I've used a $_GET or $_POST, just to be safe.

Now I suppose comes the difficult part: how do I get users to come to my site? I've added it to Google and Yahoo, but I'm pretty sure the only hits I'm getting are me and users from this forum...
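The three lookups the post contrasts (raw interpolation, a single mysql_real_escape_string() call tied to the open connection, and the "more advanced" bound parameters), written out as an added example that is not from the thread. It uses the mysqli extension rather than the mysql_* functions, which were removed in PHP 7; the database name, the users(id, username) table and the connection credentials are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a MySQL database "app" with a
// table users(id INT, username VARCHAR) and placeholder credentials.
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// Escaping is charset-aware, so the connection charset must be set first.
$db->set_charset('utf8mb4');

$input = $_GET['username'] ?? '';

// 1) What the post warns against: raw interpolation of user input.
//    A single quote in $input ends the string literal early and the rest of
//    the input is parsed as SQL. Shown only to contrast; never run this form.
// $result = $db->query("SELECT id FROM users WHERE username = '$input'");

// 2) The escaping approach from the post: one call, performed by the client
//    library for the charset of this connection, replaces every str_replace().
//    A name like O'Brien becomes O\'Brien and stays inside the string literal.
$username   = $db->real_escape_string($input);
$result     = $db->query("SELECT id FROM users WHERE username = '$username'");
$escapedRow = $result ? $result->fetch_assoc() : null;
$escapedId  = $escapedRow['id'] ?? null;

// 3) Bound parameters: the SQL text and the data travel separately, so the
//    statement's structure cannot be changed by $input and no escaping is
//    needed at all. This is the form to prefer for new code.
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->bind_param('s', $input);   // 's' binds the value as a string
$stmt->execute();
$stmt->bind_result($id);
$boundId = $stmt->fetch() ? $id : null;
$stmt->close();

// Both safe forms return the same id for any $input, including names with quotes.
var_dump($escapedId, $boundId);
```

Form 2 is only safe while every interpolated value goes through real_escape_string() on the same connection and is wrapped in quotes in the SQL; form 3 has no such bookkeeping, which is why the post calls it the alternative where nothing needs escaping.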


12-08-2009, 08:28 PM   #22
Terinalo (Senior Member, joined Oct 2005, 471 posts)
Thanks for your help guys, especially Rainwind, All2human and nrith. I think I have now added all your recommendations.


12-08-2009, 09:57 PM   #23
art_fan_12 (Senior Member, joined Oct 2005, 465 posts)
Looks nice. Great idea as well. That is my biggest problem with web pages. I have zounds of coding knowledge, but not an idea worth a damn.


12-09-2009, 03:17 AM   #24
Enjknsua (Senior Member, joined Nov 2005, 570 posts)
http://www.speedtile.net/
All times are GMT +1. The time now is 12:07 PM.