until i started using the techniques for avoiding sql injection, i
have been using a normal insert and select sql query which worked
fine.
i have a registration page where a user enters their username and if
this already exists i display a message by executing a select query
and if the username does not exist then i run an insert query.
after adopting the technique to avoid sql injection
if(get_magic_quotes_gpc())
{
$username = stripslashes($_POST["username"]);
$email = stripslashes($_POST["email"]);
}
else
{
$username = $_POST["username"];
$email = $_POST["email"];
}
previously my select and insert query were
INSERT INTO individuals(username, email) values('$username', '$email')
Select username from individuals where username = '$username'
presently the insert query is
$insertquery = sprintf("INSERT INTO individuals (username, email)
VALUES ('%s', '%s')",
mysql_real_escape_string($username),
mysql_real_escape_string($email));
This insert query is working however the select query is not doing its
task as before of checking if the username already exists or not, even
if i register with the same username again it does not alert that the
username exists.
the select query is
$selectqueryusername = sprintf("Select username from individuals where
username='%s'", mysql_real_escape_string($username));
should i change the syntax of the above select query or is there
something else i need to do to fix the select query.
also for insert query if i have a numeric value i should be writing
%d correct, i have a numeric value however before inserting that
numeric value i am appending a character "-" to combine area code and
phone number example 09-123 4567 so i am considering this as %s as
there is a character. is this correct.
please advise.
thanks.
..oO(Sudhakar)
>until i started using the techniques for avoiding sql injection, i have been using a normal insert and select sql query which worked fine.
>i have a registration page where a user enters their username and if this already exists i display a message by executing a select query and if the username does not exist then i run an insert query.
>after adopting the technique to avoid sql injection
>if(get_magic_quotes_gpc()) { $username = stripslashes($_POST["username"]); $email = stripslashes($_POST["email"]); }
>else { $username = $_POST["username"]; $email = $_POST["email"]; }
>previously my select and insert query were
>INSERT INTO individuals(username, email) values('$username', '$email')
>Select username from individuals where username = '$username'
>presently the insert query is
>$insertquery = sprintf("INSERT INTO individuals (username, email) VALUES ('%s', '%s')", mysql_real_escape_string($username), mysql_real_escape_string($email));
>This insert query is working however the select query is not doing its task as before of checking if the username already exists or not, even if i register with the same username again it does not alert that the username exists.
What does "not doing its task" mean? Do you get any error messages? Do
you have any error checking at all? Does MySQL complain about something?
>the select query is
>$selectqueryusername = sprintf("Select username from individuals where username='%s'", mysql_real_escape_string($username));
Looks OK.
>should i change the syntax of the above select query or is there something else in need to do to fix the select query.
The posted code is not enough to say where the problem might be.
>also for insert query if i have a numeric value i should be writting %d correct
Correct, if it's an integer.
>i have a numeric value however before inserting that numeric value i am appending a character "-" to combine area code and phone number example 09-123 4567 so i am considering this as %s as there is a character. is this correct.
Correct. This is not a number anymore, but a string.
Micha
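Added example, not code from the thread: the same username check and insert written with PDO prepared statements, where the value is bound separately from the SQL text, so neither the mysql_real_escape_string()/magic_quotes handling nor the %d-versus-%s choice for the "09-123 4567" phone value arises. It assumes an in-memory SQLite database in place of MySQL and a constructed phone column; the table and column names follow the thread.

```php
<?php
// Added example, not from the thread: registration check + insert with PDO
// prepared statements instead of sprintf() + mysql_real_escape_string().
// Assumption: an in-memory SQLite database stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE lets the database enforce the rule, so two requests that race
// between the SELECT and the INSERT cannot both register the same name.
$pdo->exec('CREATE TABLE individuals (
    username TEXT NOT NULL UNIQUE,
    email    TEXT NOT NULL,
    phone    TEXT NOT NULL)');   // phone column is constructed for this example

function usernameExists(PDO $pdo, string $username): bool
{
    // The value travels separately from the SQL text, so quotes or
    // magic_quotes backslashes in $username cannot alter the query.
    $stmt = $pdo->prepare('SELECT 1 FROM individuals WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

function register(PDO $pdo, string $username, string $email, string $phone): string
{
    if (usernameExists($pdo, $username)) {
        return 'username exists';
    }
    try {
        // "09-123 4567" is bound as a string; no %d vs %s decision is needed,
        // the column type decides what is stored.
        $stmt = $pdo->prepare(
            'INSERT INTO individuals (username, email, phone) VALUES (?, ?, ?)');
        $stmt->execute([$username, $email, $phone]);
        return 'registered';
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation, i.e. the UNIQUE
        // index caught a duplicate that slipped past the SELECT.
        if ((string) $e->getCode() === '23000') {
            return 'username exists';
        }
        throw $e;
    }
}

// Constructed inputs; the second username contains a quote that would have
// broken the unescaped '$username' interpolation from the original queries.
echo register($pdo, 'sudhakar', 'sudhakar@example.invalid', '09-123 4567'), PHP_EOL;
echo register($pdo, "o'brien", 'ob@example.invalid', '09-765 4321'), PHP_EOL;
echo register($pdo, 'sudhakar', 'other@example.invalid', '09-000 0000'), PHP_EOL;
```

The third call reports the duplicate either from the SELECT or, if another request had inserted the name in between, from the constraint error, so the check no longer depends on timing.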
On May 21, 5:24 am, Michael Fesser <neti...@gmx.de> wrote:
Agreed - the posted code should do what is intended - the bug lies
elsewhere.
C.