Jump to content

Warning: mysql_real_escape_string()


pahunrepublic

Recommended Posts

I tried to put some protection to this code:

<?php 
include_once 'dbinfo.php';
if(isset($_POST['kuldes']))
{
$name = trim($_POST['nev']);
$username = $_POST['felh_nev'];
$password = $_POST['jelszo'];
$email = $_POST['email'];
$phone = $_POST['telefon'];
$gender = $_POST['sex'];
$hobby = $_POST['hobby'];
$regfelt = $_POST['regfelt'];
//*for($i = 0; $i < count($hobby); $i++) {
//$h = $hobby[$i];
//This is replacing the hobby value in $h each time you go through the loop. So you only get the last value in the array.
//MySQL Injection protection
$name = strip_tags($name);
$name = mysql_real_escape_string($name);
$name = stripslashes($name);
$username = strip_tags($username);
$email = strip_tags($email);
$phone = strip_tags($phone);
//$memip = $_SERVER['REMOTE_ADDR'];
$date = date("d-m-Y");
if($name == NULL || $username == NULL || $password == NULL || $email == NULL || $phone == NULL || $gender == NULL)
{
echo "Please complete the form below or one of the boxes is empty.";
}
else
{
if(strlen($username) <= 3 || strlen($username) >= 30){
$final_report.="Your username must be between 3 and 30 characters..";
}
else
{
$select_dbase="SELECT * FROM users WHERE username='$username'";
$result=mysqli_query($connect, $select_dbase);
if(mysqli_num_rows($result) != 0){
	$final_report.="The username is already in use!";  
	}
else
{ 
if(strlen($password) <= 6 || strlen($password) >= 12){
$final_report.="Your password must be between 6 and 12 digits and characters..";
}
else
{
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){ 
$final_report.="Your email address was not valid..";
}
else
{
if(!eregi("^[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,10}$",$phone)){
$final_report.="Phone number is invalid. Only numbers with hyphen. Allowed format: countrycode-areacode-phonenumber";
}
else
{
if(!isset($hobby)){
$final_report.="Youd didn't select any hobbies";
}
else
{
if(!isset($regfelt)){
$final_report.="You didn't accept the terms";
}
else
{
//The implode() function returns a string from the elements of an array.
$h = implode(",", $hobby);
$insert_dbase = 'INSERT INTO users(name,sex,email,phone_number,username,password,hobby) VALUES("' . $name . '","' . $gender . '","' . $email . '",
"' . $phone . '","' . $username . '","' . md5($_POST['jelszo']) . '","'. $h .'")';
mysqli_query($connect,$insert_dbase); 
header("Location: login_form.php");
exit;
}}}}}}}}}
/*You are using the $_POST values without any validation or protection. This can leave you open to sql injection attacks as well as possible xss attacks.  For SQL protection, look at mysql_real_escape(). For the xss, you need to validate the contents of the fields. Just because you put a SELECT list on the form with the name 'hobby' does not mean that the user submitted something from that list. It is very easy to send something completely unexpected. This applies to ALL input from the browser. Use PDO.*/
/*$v1 = 'unchecked';
$v2 = 'unchecked';
$selected_radio = $gender;
if ($selected_radio = 'no') {
$v1 = 'checked';}
else if ($selected_radio = 'ferfi') {
$v2 = 'checked';}*/
?>
<h1>Registration Form</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" name="registration_form" method="POST">
<p>Name: <input type="text" name="nev" value="<?php echo (isset($name) ? $name : ''); //ha $name változó meg lett adva akkor írja ki amit beírt ha nem akkor ''?>" size=25></p>
<p>Username: <input type="text"  name="felh_nev" value="<?php echo (isset($username) ? $username : ''); ?>" size=10></p>
  <p>Password: <input type="password" name="jelszo" size=10></p>
  <!--<p>Password again:<input type="password" name="password_confirmation"></p>-->
    <p>E-mail: <input type="text" name="email" value="<?php echo (isset($email) ? $email : ''); ?>"/></p>
    <p>Phone number: <input type="text" name="telefon" value="<?php echo (isset($phone) ? $phone : ''); ?>"/></p>
<p>Sex: 
       <label><input type="radio" name="sex" value="no" >Female</label>
       <label><input type="radio" name="sex" value="ferfi" >Male</label></p>

<p>Favorite hobbies (Using CTRL you can select more than one):</p>
	<select name="hobby[]" size="4" multiple>
	  <option value="sport">Sport</option>
	  <option value="mozi">Movies</option>
	  <option value="kirandulas">Hiking</option>
	  <option value="olvasas">Reading</option>
  </select>

<!--	<p>Other message:</p>
<textarea name="megjegyzes" cols="40"></textarea>-->

  <p><input name="regfelt" type="checkbox" value="elfogad">I accept the terms!</p>
<p><input name="kuldes" type="submit" value="Submit form">
  <input name="reset" type="reset" value="delete"></p>
<table width="501" border="1">
      <tr>
        <td><?php echo $final_report; ?></td>
      </tr>
    </table>
<p> </p>
</form>

I had no problem with the code until I put this part:

$name = mysql_real_escape_string($name);

It gave me the following error:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in

Anyone can help me why I get this error?

the dbinfo.php's content:

<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'blabla';
$dbname = 'hehehe';
$connect = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
if(!$connect) 
{
die('Connection failed: ' . $mysqli->error());
}
?>

Link to comment
Share on other sites

The problem is with mysqli_real_escape_string() you have to specify which are the strings that must be escaped. I don't know exactly which are the dangerous strings.

OK, the main idea here is to prevent MySQL injection. The better solution would be PDO statements but I tried to rewrite the above code in PDO but without success. Anyone qho can help me with this?

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.