  1. #1
    SitePoint Guru (uk, joined Oct 2004)

    preventing sql injections

    Hi guys

    I am told that this is not safe against MySQL injection. I want to use mysql_real_escape_string, but I'm not exactly sure how to implement it in my code.

    Can anyone help?


    PHP Code:
    <?php

    // Get the search variables from the URL
    $location   = $_GET['location'];
    $category   = $_GET['category'];
    $salarytype = $_GET['salarytype'];
    $salary     = $_GET['salary'];
    $jobtype    = $_GET['jobtype'];
    $order      = $_GET['order'];

    $var  = @$_GET['category'];
    $var2 = @$_GET['location'];
    $var3 = @$_GET['salary'];
    $var4 = @$_GET['jobtype'];

    // Build SQL query
    $query = "SELECT *, date_format(startdate,'%d/%m/%Y') startdate FROM jobs WHERE 1=1  ";

    if (!empty($category)) {
        // The function name sits inside a double-quoted string, so PHP does not
        // call it: only $category is interpolated and the text
        // mysql_escape_string(...) ends up literally in the query
        $query .= "AND category='mysql_escape_string($category)' ";
    }

    if (!empty($location)) {
        // Raw user input interpolated straight into the SQL string
        $query .= "AND location='$location' ";
    }

    if (!empty($salarytype)) {
        $query .= "AND salarytype='$salarytype' ";
    }

    if (!empty($salary)) {
        $query .= "AND salary >= $salary ";
    }

    if (!empty($jobstatus)) {
        // Note: $jobstatus is never read from $_GET above ($jobtype is)
        $query .= "AND jobstatus='$jobstatus' ";
    }

    // $order is also unescaped; quoting it makes ORDER BY sort by a constant
    // string rather than by a column
    $query .= "ORDER BY '$order' ASC";

  2. #2
    kyberfabrikken, SitePoint Wizard (Copenhagen, Denmark, joined Jun 2004)
    PHP Code:
    if (!empty($category)) {
        $query .= "AND category='mysql_escape_string($category)' ";
    }

    mysql_escape_string is a PHP function. You should use it like this:
    PHP Code:
    if (!empty($category)) {
        $query .= "AND category='".mysql_escape_string($category)."' ";
    }


  3. #3
    SitePoint Guru (uk, joined Oct 2004)

    Is this correct?

    It hasn't changed anything in the URL?

    What should I be looking for to be changed?

    PHP Code:
    $query = "SELECT *, date_format(startdate,'%d/%m/%Y') startdate FROM jobs WHERE 1=1  ";

    if (!empty($category)) {
        $query .= "AND category='".mysql_escape_string($category)."' ";
    }

    if (!empty($location)) {
        $query .= "AND location='".mysql_escape_string($location)."' ";
    }

    if (!empty($salarytype)) {
        $query .= "AND salarytype='".mysql_escape_string($salarytype)."' ";
    }

    if (!empty($salary)) {
        $query .= "AND salary='".mysql_escape_string($salary)."' ";
    }

    if (!empty($jobstatus)) {
        $query .= "AND jobstatus='".mysql_escape_string($jobstatus)."' ";
    }

    // $order is still interpolated without escaping, and the quotes make
    // ORDER BY sort by a constant string instead of a column
    $query .= "ORDER BY '$order' ASC";

  4. #4
    SitePoint Evangelist (Halifax, Canada, joined Apr 2006)
    That is correct, but you may want to use mysql_real_escape_string instead of mysql_escape_string. You will need to open a database connection for mysql_real_escape_string to work though.

    You should be looking for the actual SQL query to be changed. The URL should stay the same.
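As an added example (not code from the thread or from anyone in it), here is the same job search written with PDO prepared statements, which bind each user value as data instead of escaping it into the SQL text; the jobs table and its rows are constructed, SQLite stands in for MySQL, and the allowed sort columns are an assumption.

```php
<?php
// Added example, not the thread's code: the job search from the thread built
// with PDO prepared statements. Values are bound as parameters, so they are
// never spliced into the SQL. ORDER BY cannot take a bound parameter, so the
// sort column is checked against a fixed list (an assumed set of columns).
// Builds the SQL text with placeholders plus the matching parameter array.
function buildJobQuery(array $filters): array
{
    $sql    = "SELECT * FROM jobs WHERE 1=1";
    $params = [];

    // Equality filters: one named placeholder each; the value travels separately.
    foreach (['category', 'location', 'salarytype', 'jobstatus'] as $col) {
        if (!empty($filters[$col])) {
            $sql .= " AND $col = :$col";
            $params[":$col"] = $filters[$col];
        }
    }
    if (!empty($filters['salary'])) {
        $sql .= " AND salary >= :salary";
        $params[':salary'] = (int) $filters['salary'];
    }

    // ORDER BY: only a column name from this list is ever placed in the SQL.
    $allowedOrder = ['startdate', 'salary', 'category', 'location'];
    $order = $filters['order'] ?? '';
    if (!in_array($order, $allowedOrder, true)) {
        $order = 'startdate';
    }
    $sql .= " ORDER BY $order ASC";

    return [$sql, $params];
}

function searchJobs(PDO $db, array $filters): array
{
    [$sql, $params] = buildJobQuery($filters);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows in an in-memory SQLite table standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jobs (category TEXT, location TEXT, salarytype TEXT, salary INTEGER, jobstatus TEXT, startdate TEXT)");
$db->exec("INSERT INTO jobs VALUES ('IT', 'O''Neill Street', 'annual', 30000, 'open', '2006-05-01'), ('IT', 'Leeds', 'annual', 25000, 'open', '2006-04-15')");
// A location containing an apostrophe is matched literally, not parsed as SQL.
$rows = searchJobs($db, ['category' => 'IT', 'location' => "O'Neill Street", 'salary' => '20000', 'order' => 'salary']);
echo count($rows), " matching row(s)\n";
```

The thing to compare, as post #4 says, is the SQL text: with placeholders it stays the same whatever the user types, and the apostrophe in the location never reaches the query string.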