Sanitize user input destined for database in PHP
https://stackoverflow.com/questions/956993
-
12-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have this code:
$query = "select id from votes where username = '$user' and article_id = $this->id";
I tried this code to sanitize it:
$query = sprintf("select id from votes where username = '$user' and article_id = $this->id",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
but I get this error for the mysql_real_escape lines:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 145 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 145 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 146 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 146
I get the user name here, I dont know if its safe enough:
function getUsername(){ return $this->username; }
Thx
Solution
I would suggest using prepared statements for this instead of sprintf
OTHER TIPS
You need a mysql connection before you can use mysql_real_escape_string.
Not sure if this is what's causing your problem, but I believe the variables in your sprintf statement shouldn't be '$user' and '$this->id', but they should be '%s'
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO)
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established
Did you check the link ? Is it active ? You need to be connected before to use mysql_real_escape_string() Don't you forget to set the password ?
Try:
mysql -u mexautos -p
(type Enter if no password)
Also, check out your sprintf() function, you need to use the %s to bind your variable
$a = 'Foo';
$b = 'Bar';
$foo = sprintf('Foo Bar %s %s', $a, $b);
You need a connection to use mysql_real_escape_string() because it uses the server's encoding type to help santitize.
Also the sprintf() should look something like this
$query = sprintf("SELECT id FROM votes WHERE username = '%s' and article_id = %d",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
I'd recommend using a mature DB abstraction layer like Zend_Db (there are tons of them out there). Implementing your own homebrew solution is not something I'd recommend for a production system.
Like the other said, not '$user' but '%s' and you need an open connection.
@Tomalak sprintf is faster - that's the reason why to use it - it is a native C function.
