highlight_string() and preg issues


The Little Guy


I am very confused....

In my database I have lots of comments, but when displayed on the page, a few catch my eye...

 

Here is one, it displays wrong

1. addslashes() is not sufficient enough to prevent SQL injection. Use mysql_real_escape_string().

 

2. You are not enclosing your values in quotes, this just means they need to have a space in their submission to inject SQL.

 

3. You should not ever echo out mysql_error() to an end user. Log it for your own purposes, but show the user a generic error message.

 

Your query would be better off like this:

 

<?php
$sql = mysql_query("SELECT * FROM users_table
    WHERE username='".mysql_real_escape_string($_POST['username'])."' AND
    password='".mysql_real_escape_string($_POST['password'])."' LIMIT 1") or die('Sorry, there has been a database error. The webmaster has been notified of the error. Please try again later.');
?>

 

but this one displays correctly:

(That was me, the latest Anonymous poster)

 

One *last* thing. You're saving the passwords as plain text. BAD idea, especially with the SQL injection problems you have. Someone with the right knowledge can easily steal all your users' passwords.

 

I'd recommend using md5() to hash the passwords (at the very least md5, though sha1 would be nicer).

 

Try this:

<?php
$sql = mysql_query("SELECT * FROM users_table
    WHERE username='".mysql_real_escape_string($_POST['username'])."' AND
    password=md5('".mysql_real_escape_string($_POST['password'])."') LIMIT 1") or die('Sorry, there has been a database error. The webmaster has been notified of the error. Please try again later.');
?>

 

 

And make sure you md5() the passwords when you insert them into the database initially.

 

Do you see where the php tags are? When my script sees them, it formats the php, but some comments format not only the php but the text as well, and I am not sure why.

if you take a look at this page http://beta.phpsnips.com/snippet.php?id=4 and scroll down to the date: 08/20/2008

 

The first comment displays nice

The second displays okay, but "Would be better off as: " is formatted as php and shouldn't be

The third one formats the entire post as php

 

Here is my php to check each comment (it is in a while loop):

// Inside the while loop; $cow is the current row fetched from the comments table.
$comment = preg_split("/^(<\?php.*?[^\'\"]\?>[^\'\"])/ms", $cow['comment'], -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
foreach ($comment as $line) {
    // Pieces containing a <?php ... ?> block are highlighted; everything else is escaped text.
    if (preg_match('/<\?php.*?\?>/s', $line)) {
        echo '<div class="phpComment">';
        highlight_string($line);
        echo '</div>';
    } else {
        echo nl2br(htmlentities(str_replace('<br />', '', $line)));
    }
}

 

Anyone see what is wrong, and why it is formatting funky?

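As an added example (not code from this thread or from phpsnips.com), here is one way to render a comment so that each `<?php ... ?>` block is highlighted and every other segment is HTML-escaped. It assumes PHP 7 or later, a single comment string in `$comment`, and non-nested code blocks; the function names and the sample comment are constructed for this illustration. The split pattern deliberately has no `^` anchor and no "character after `?>`" requirement, so a block that opens mid-line or whose `?>` is the last thing in the comment is still treated as code rather than falling through to the text branch.

```php
<?php
// Added example: split a comment into PHP code blocks and plain text, then
// emit highlighted code and escaped text. Not the original poster's code.

/**
 * Split $text into segments of the form ['code' => bool, 'text' => string].
 * Assumes <?php ... ?> blocks are not nested.
 */
function splitPhpBlocks(string $text): array
{
    // Capture the delimiter so the code block itself is kept as a segment.
    $parts = preg_split(
        '/(<\?php.*?\?>)/s',
        $text,
        -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY
    );

    $segments = [];
    foreach ($parts as $part) {
        // A captured delimiter always starts with <?php and ends with ?>;
        // a text part can never contain both, because the split would have
        // consumed it.
        $isCode = (bool) preg_match('/^<\?php.*\?>$/s', $part);
        $segments[] = ['code' => $isCode, 'text' => $part];
    }
    return $segments;
}

/**
 * Render the comment as HTML. Code segments go through highlight_string(),
 * which escapes HTML metacharacters itself; text segments are escaped here.
 */
function renderComment(string $text): string
{
    $html = '';
    foreach (splitPhpBlocks($text) as $seg) {
        if ($seg['code']) {
            $html .= '<div class="phpComment">'
                   . highlight_string($seg['text'], true)
                   . '</div>';
        } else {
            // Never trust comment text: escape first, then convert newlines.
            $html .= nl2br(htmlspecialchars($seg['text'], ENT_QUOTES, 'UTF-8'));
        }
    }
    return $html;
}

// Constructed sample in the shape of the third comment above: the closing ?>
// is the very last thing in the text, and the code is preceded by plain prose.
$comment = "Try this:\n<?php\necho 'hi';\n?>";
echo renderComment($comment);
```

The check in the loop is done on the segments produced by the split rather than by re-running `preg_match` on every piece; if the split fails to find a block, the whole comment stays one text segment and is escaped, which is the safe failure mode.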

Not really anything helpful but a note on this:

 

3. You should not ever echo out mysql_error() to an end user. Log it for your own purposes, but show the user a generic error message.

 

That is correct, which is why you should use trigger_error, then on your production system make sure display_errors is set to off. So just replace the or die with or trigger_error; then it is an easy switch between testing and production.

 

Oh and I failed to get the question out of that TLDR;

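An added example of the pattern this reply recommends (not code from the thread): the `or die(mysql_error())` form that leaks database error text to the browser, beside a version that sends the detail to the error log through `trigger_error()` and shows the user only a generic message. The `ini_set` values are the production settings; the function name, the log path and the sample error text are constructed for this illustration, and the `mysqli` usage shown in the comment assumes an existing connection in `$db`.

```php
<?php
// Added example: handle database errors without showing their text to users.

// Production settings: log errors, never render them in the response.
// In development, set display_errors to '1' to see them on screen.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// ini_set('error_log', '/var/log/php/app.log'); // placeholder path for production

// Weak form (from the quoted comments): the raw error, which can include
// table names and query fragments, goes straight to the end user.
// $result = mysql_query($sql) or die(mysql_error());

/**
 * Log the database error detail and return the generic message for the user.
 * E_USER_WARNING is written to the error log (log_errors=1) and, with
 * display_errors=0, is not rendered in the page.
 */
function reportDatabaseError(string $detail): string
{
    trigger_error('Database error: ' . $detail, E_USER_WARNING);
    return 'Sorry, there has been a database error. Please try again later.';
}

// Intended use with mysqli (placeholder connection and query):
// $result = mysqli_query($db, $sql);
// if ($result === false) {
//     echo reportDatabaseError(mysqli_error($db));
//     exit;
// }

// Stand-alone demonstration with a constructed error string, no database needed.
echo reportDatabaseError("Table 'users_table' doesn't exist (constructed detail)"), "\n";
```

Using `E_USER_ERROR` instead of `E_USER_WARNING` would also halt the script, which matches the `die()` behaviour; with `E_USER_WARNING` the caller decides whether to stop.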
