jcslzr

Reputation: 435

Sanitize user input destined for database in PHP

I have this code:

$query = "select id from votes where username = '$user' and article_id  = $this->id";

I tried this code to sanitize it:

$query = sprintf("select id from votes where username = '$user' and article_id = $this->id", 
    mysql_real_escape_string($user), 
    mysql_real_escape_string($password));

but I get this error for the mysql_real_escape lines:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 146
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 146

I get the user name here; I don't know if it's safe enough:

function getUsername(){ return $this->username; }

Thx

Upvotes: 0

Views: 2877

Answers (7)

shazarre

Reputation: 225

Like the others said, not '$user' but '%s', and you need an open connection.

@Tomalak sprintf is faster - that's the reason why to use it - it is a native C function.

Upvotes: 0

Boris Guéry

Reputation: 47614

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO)

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established

Did you check the link? Is it active? You need to be connected before using mysql_real_escape_string(). Did you forget to set the password?

Try:

mysql -u mexautos -p

(type Enter if no password)

Also, check your sprintf() call: you need to use %s to bind your variable.

$a = 'Foo';
$b = 'Bar';
$foo = sprintf('Foo Bar %s %s', $a, $b);

Upvotes: 3

John Rasch

Reputation: 63485

I would suggest using prepared statements for this instead of sprintf.

Upvotes: 7
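What the question's lookup looks like as a prepared statement, as an added example that is not code from the question or any answer here. It uses PDO (the mysql_* extension the question uses was removed in PHP 7), and assumes a reachable MySQL database whose name and credentials come from the placeholder environment variables below; the function name findVoteId is an assumption.

```php
<?php
// Added example (not from the question or answers): the same lookup written with a
// PDO prepared statement. The username and article id travel as bound parameters,
// so they are never spliced into the SQL text and no escaping function is needed.

function findVoteId(PDO $pdo, string $user, int $articleId): ?int
{
    // Named placeholders replace '$user' and $this->id from the original query.
    $stmt = $pdo->prepare(
        'SELECT id FROM votes WHERE username = :username AND article_id = :article_id'
    );
    $stmt->bindValue(':username', $user, PDO::PARAM_STR);
    $stmt->bindValue(':article_id', $articleId, PDO::PARAM_INT);
    $stmt->execute();

    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Connection setup (placeholder env vars; not values from the page). Exceptions on
// error so a failed connection is not silently ignored, and emulated prepares off so
// the server, not the client, handles parameterisation.
$pdo = new PDO(
    sprintf('mysql:host=localhost;dbname=%s;charset=utf8mb4', getenv('DB_NAME') ?: 'DB_NAME_PLACEHOLDER'),
    getenv('DB_USER') ?: 'DB_USER_PLACEHOLDER',
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// A username containing a quote is plain data here; it cannot alter the query.
var_dump(findVoteId($pdo, "o'brien", 42));
```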

Ólafur Waage

Reputation: 70011

You need a connection to use mysql_real_escape_string() because it uses the server's encoding type to help sanitize.

Also, the sprintf() should look something like this:

$query = sprintf("SELECT id FROM votes WHERE username = '%s' and article_id = %d", 
    mysql_real_escape_string($user), 
    (int) $this->id); // %d expects the integer article id, not the password

Upvotes: 2

n3rd

Reputation: 6089

I'd recommend using a mature DB abstraction layer like Zend_Db (there are tons of them out there). Implementing your own homebrew solution is not something I'd recommend for a production system.

Upvotes: 1

JasonV

Reputation: 596

Not sure if this is what's causing your problem, but I believe the variables in your sprintf statement shouldn't be '$user' and '$this->id'; they should be '%s'.

https://www.php.net/sprintf

Upvotes: 3

whichdan

Reputation: 1897

You need a mysql connection before you can use mysql_real_escape_string.

Upvotes: 8
