Akenatehm Posted November 27, 2008
Hey Guys, I have this script that deletes records from the database and is set to prevent SQL Injection, but I need to edit the insert record script to also prevent SQL Injection. Here is the script:

$insert="INSERT INTO `users` (username,password,email) values('$username','$password','$email')";

Here is the Delete Script with MySQL Injection Prevention Already:

<?php
// column names go in backticks, the escaped values go inside single quotes
$delete="DELETE FROM `users` WHERE `username` = '".mysql_real_escape_string($username)."' OR `email` = '".mysql_real_escape_string($email)."'";
?>
The Little Guy Posted November 27, 2008
This also encrypts the password:

$insert=sprintf("INSERT INTO `users` (username,password,email) values('%s',PASSWORD('%s'),'%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password),
    mysql_real_escape_string($email));
Akenatehm (Author) Posted November 27, 2008
Thanks.
Akenatehm (Author) Posted November 27, 2008
I just realised that I do not want encryption. Could you please redo the script without encryption? Thanks for doing it though.
The Little Guy Posted November 27, 2008
It is exactly the same, just without the PASSWORD() function, so it would look like this:

$insert=sprintf("INSERT INTO `users` (username,password,email) values('%s','%s','%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password),
    mysql_real_escape_string($email));
Akenatehm (Author) Posted November 27, 2008
Ok, what are the %s doing?
The Little Guy Posted November 27, 2008
They are a type specifier that says what type the argument data should be treated as. %s means that it will treat whatever value goes there as a string. Since I used the sprintf function, those are REQUIRED and if removed it will not work properly. As you can see, there are 3 %s and that means you need 3 additional parameters passed to sprintf, which I did with the three mysql_real_escape_string functions. Here is the list of other values other than %s:

* % - a literal percent character. No argument is required.
* b - the argument is treated as an integer, and presented as a binary number.
* c - the argument is treated as an integer, and presented as the character with that ASCII value.
* d - the argument is treated as an integer, and presented as a (signed) decimal number.
* e - the argument is treated as scientific notation (e.g. 1.2e+2). The precision specifier stands for the number of digits after the decimal point since PHP 5.2.1. In earlier versions, it was taken as the number of significant digits (one less).
* u - the argument is treated as an integer, and presented as an unsigned decimal number.
* f - the argument is treated as a float, and presented as a floating-point number (locale aware).
* F - the argument is treated as a float, and presented as a floating-point number (non-locale aware). Available since PHP 4.3.10 and PHP 5.0.3.
* o - the argument is treated as an integer, and presented as an octal number.
* s - the argument is treated as and presented as a string.
* x - the argument is treated as an integer and presented as a hexadecimal number (with lowercase letters).
* X - the argument is treated as an integer and presented as a hexadecimal number (with uppercase letters).
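The mysql_* functions used in this thread were removed in PHP 7, so as an added example (not code from the thread or its posters) here are the same insert and delete written with mysqli prepared statements, where the values are sent to the server separately from the SQL text and never need escaping. The connection details are placeholders; the `users` table and its columns are the ones from the thread.

```php
<?php
// Added example: prepared-statement versions of the thread's INSERT and DELETE.
// Host, user, password and database name are placeholders (assumption).
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}

function insertUser(mysqli $db, string $username, string $password, string $email): bool
{
    // The ? markers are placeholders; the data is bound afterwards, so a value
    // containing a quote (e.g. O'Brien) is stored literally and cannot alter the query.
    $stmt = $db->prepare('INSERT INTO `users` (username, password, email) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    // "sss" = three string parameters, the counterpart of the three %s in sprintf
    $stmt->bind_param('sss', $username, $password, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function deleteUser(mysqli $db, string $username, string $email): bool
{
    // Column names are identifiers (backticks), not string literals (single quotes)
    $stmt = $db->prepare('DELETE FROM `users` WHERE `username` = ? OR `email` = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $username, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Sample values, constructed for the example
insertUser($db, "O'Brien", 'secret', 'obrien@example.com');
deleteUser($db, "O'Brien", 'obrien@example.com');
$db->close();
```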
Akenatehm (Author) Posted November 27, 2008
Wow, that's some pretty advanced stuff. I understand a bit of it though. Thanks!