[SOLVED] Reversing Script to Preventing SQL Injection

Hey Guys, I have this script that deletes records from the database and is set to prevent SQL Injection but I need to edit the insert record script to also prevent SQL Injection.

Here is the script:

$insert="INSERT INTO `users` (username,password,email) values('$username','$password','$email')";

Here is the Delete Script with MySQL Injection Prevention Already:

<?php
$delete="DELETE FROM `users` WHERE 'username' = ".mysql_real_escape_string($username)." OR 'email' = ".mysql_real_escape_string($email)."";
?>

This also encrypts the password:

$insert=sprintf("INSERT INTO `users` (username,password,email) values('%s',PASSWORD('%s'),'%s')",
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($email));

Thanks.

I just realised that I do not want encyption. Could you please re do the script without encryption please. Thanks for doing it though.

it is exactly the same, just with out the PASSWORD() function, so it would look like this:

$insert=sprintf("INSERT INTO `users` (username,password,email) values('%s','%s','%s')",
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($email));

Ok, what are the %s doing?

They are a type specifier that says what type the argument data should be treated as.

%s means that it will treat what ever value that goes that as a string. Since I used the sprintf function, those are REQUIRED and if removed will not work properly.

As you can see, there are 3 %s and that means you need 3 additional parameters passed to sprintf, which I did with the three mysql_real_escape_string functions.

Here is the list of other values other than %s:

    *  % - a literal percent character. No argument is required.

    * b - the argument is treated as an integer, and presented as a binary number.

    * c - the argument is treated as an integer, and presented as the character with that ASCII value.

    * d - the argument is treated as an integer, and presented as a (signed) decimal number.

    * e - the argument is treated as scientific notation (e.g. 1.2e+2). The precision specifier stands for the number of digits after the decimal point since PHP 5.2.1. In earlier versions, it was taken as number of significant digits (one less).

    * u - the argument is treated as an integer, and presented as an unsigned decimal number.

    * f - the argument is treated as a float, and presented as a floating-point number (locale aware).

    * F - the argument is treated as a float, and presented as a floating-point number (non-locale aware). Available since PHP 4.3.10 and PHP 5.0.3.

    * o - the argument is treated as an integer, and presented as an octal number.

    * s - the argument is treated as and presented as a string.

    * x - the argument is treated as an integer and presented as a hexadecimal number (with lowercase letters).

    * X - the argument is treated as an integer and presented as a hexadecimal number (with uppercase letters).

Wow thats some pretty advanced stuff. I understand a bit of it though. Thanks!