[rpgmaker]

Hello id thought this would be the best place to come to ask about sql inections. I have been watching http://www.youtube.c...h?v=bORZlmyDw0s

And noticed they just use one function to stop sql would this work ?? The function they use is:

function mres($input){
if (get_magic_quotes_gpc()){
$input = stripslashes($input);
}
return mysql_real_escape_string($input);
}

And then here it is in my login script:

function mres($input){
if (get_magic_quotes_gpc()){
$input = stripslashes($input);
}
return mysql_real_escape_string($input);
}



if(isset($_POST['login']))
{	
ini_set('session.cookie_httponly',true);
if(isset($_SESSION['last_ip']) == false){
	$_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
	}
	
	if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']){
	
	session_unset();
	session_destroy();
	
	}
$user= mres($_POST['username']);
$pass= mysql_real_escape_string($_POST['password']);
$pass2 = strip_tags($pass);
$pass1 = md5($pass2);

$mod = 1 ;

$sql = "SELECT * FROM users WHERE username='".$user."' AND password = '".$pass1."'";
$result = mysql_query($sql) or die(mysql_error());
$battle_get = mysql_fetch_array($result);

if ( $battle_get['mod'] == 1 ) {
				$month = time() + 3600*24*30;
				$hour = time() + 3600*1*1;
				$LastLogin = date('l, M d, Y H:i:s');
				$_SESSION['user'] = $_POST['username'];
				setcookie("save_user", stripslashes(htmlentities($user22)), $hour); 
				setcookie("save_pass", stripslashes(htmlentities($user22)), $month);
				$username = stripslashes(htmlentities($user22));
				$result = mysql_query("UPDATE users SET LastLogin = '$LastLogin' WHERE username='$username'");
				header("location: home.php"); 
}
	
}

Has you can see from my login script i check the ip on every page so that if some one logs in has bob with the ip has 1.2.3 then try's to edit the session and edits the username then it will log the person out and destory the session ( this works great )



But id just like to know does the function make em safe from sql injection ?

You can see ive used the function for the username because the password is md5

$user= mres($_POST['username']);

Also can some 1 explain what the function does ? And wouldn't i have to change $input to every virable i have ?

This post has been edited by rpgmaker: 25 May 2012 - 02:00 PM

[CTphpnwb]

Learn to use prepared statements and you can forget about SQL injection.

[rpgmaker]

So im guessing the function won't protect me ? Im guessing this is what you mean http://php.net/manua...-statements.php ?? I think i can get the hang of that doesn't look that bad. So im guessing if i use prepared statements then ill be safe ? Will i have to escape any of my variables or anything still ?

[Slice]

rpgmaker, on 25 May 2012 - 03:16 PM, said:

Will i have to escape any of my variables or anything still ?

No, that's the beauty of prepared statements. Just make sure you use placeholders in queries and don't try to insert raw data.

Check out this great post for an introduction to PDO, in the tutorials section.

[e_i_pi]

Also, check out Dormilichs Be Prepared For Your Database Tutorial. Reading both tutorials will greatly help you understand how to use PDOs.

[rpgmaker]

Thanks evryone i found a good connect tutorial here Here Which Dormilich has mentioned in the first tutorial link which was given. That tutorial seems easier to understand. I think ill spend the next few days trying to under stand the placeholders in queries and hope that know one can sql inject it. Im guessing this would be safe from sql inections

$statement = $db->prepare("SELECT recipe_name FROM recipes WHERE fish_type = ? AND chef_name = ? LIMIT 20");
$statement->execute(array($_POST['fish'], $_POST['chef']));

while ($result = $statement->fetchObject()) {
    echo $result->recipe_name;
    echo "<br />";
}

And the connect

// Fill in all the info we need to connect to the database.
// This is the same info you need even if you're using the old mysql_ library.
$host = 'localhost';
$port = 3306; // This is the default port for MySQL
$database = 'myDatabase';
$username = 'myDatabaseUser';
$password = 'myDatabaseUserPassword';

// Construct the DSN, or "Data Source Name".  Really, it's just a fancy name
// for a string that says what type of server we're connecting to, and how
// to connect to it.  As long as the above is filled out, this line is all
// you need :)/>
$dsn = "mysql:host=$host;port=$port;dbname=$database";

// Connect!
$db = new PDO($dsn, $username, $password);

This code was given in the tutorial. Just wanted to know if its safe from sql injection so i can base all my coding on it. E.g every time i want to connect use the same code etc...

[Dormilich]

as has been repeatedly said, Prepared Statements are immune to SQL Injections …

[rpgmaker]

Thanks just wanted to confirm it. Thanks to everyone here.

[noname_clark]

Dormilich, on 25 May 2012 - 04:29 PM, said:

as has been repeatedly said, Prepared Statements are immune to SQL Injections …

Wait, with PHP 5 though, you don't need to prepare them anymore, all data sent through forms POST'ing already has the characters escaped out, right? Or am I wrong on that?
Because I remember when my server switched from PHP 4 to 5 I didn't have to worry about escaping quotes out (on at least the forms that only I used)
Is preparing form data really still necessary?

[Dormilich]

the one has nothing to do with the other. what you observed was done through magic_quotes_gpc, which is IIRC removed in PHP 5.4. however escaping is not a guarantee for SQL safety as there are a lot of injections techniques not using ' at all.

and yes, peparing is the only absolutely safe method there is.