MySQL_real escape_string

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sss123
Forum Newbie
Posts: 11
Joined: Thu Sep 30, 2010 8:11 pm

MySQL_real escape_string

Post by sss123 »

Hi there,

Can anyone see what is wrong with this code? I've been fiddling about with it for days now and just can't get it to work. I know it's something small and silly but I just can't find it!

Thanks in advance for any help. It is much appreciated.

<?php
$con = mysql_connect("**********","**********","***********");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("safe", $con);

$number = preg_replace('/[^0-9]/', '', $_POST['number']);
$number = (int) $number;

$realname = mysql_real_escape_string($_POST['realname');

if (substr_count("@", $_POST['email']) == 1){
    $email = mysql_real_escape_string($_POST['email']);
} else {
    die("Your email doesn't appear to be valid, please double check it and resubmit");
}

$comments = mysql_real_escape_string($_POST['comments']);

$sql="INSERT INTO Enquiries (Name, Number, Email, Comments, Date)
VALUES
('$realname','$number','$email','$comments', CURDATE())";

if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "";

mysql_close($con);
?>

Thanks again. Kind regards

Mike
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: MySQL_real escape_string

Post by twinedev »

You are missing the closing square bracket for the $_POST['realname']

-Greg
DigitalMind
Forum Contributor
Posts: 152
Joined: Mon Sep 27, 2010 2:27 am
Location: Ukraine, Kharkov

Re: MySQL_real escape_string

Post by DigitalMind »

sss123, read error messages in future
sss123
Forum Newbie
Posts: 11
Joined: Thu Sep 30, 2010 8:11 pm

Re: MySQL_real escape_string

Post by sss123 »

Hi Greg,

Thank you very much for your useful post. That has solved the problem. However I wonder if you could check one more line of the code:

if (substr_count("@", $_POST['email']) == 1){
    $email = mysql_real_escape_string($_POST['email']);
} else {
    die("Your email doesn't appear to be valid, please double check it and resubmit");
}

For some reason, even if a normal email address (e.g. my own) is entered, it won't accept it. It displays "Your email doesn't appear to be valid..."

Thanks again for your time and help. It is much appreciated.

Kind regards

Mike
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: MySQL_real escape_string

Post by John Cartwright »

Why don't you actually try validating against the email, instead of just checking for the @ symbol.


if (!empty($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
   echo 'valid email';
} else {
   echo 'not valid email';
}
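As an added example (not code posted in the thread), the three checks side by side over constructed inputs: the check as originally posted, the same check with substr_count()'s haystack/needle order corrected, and the filter_var() validation from the reply above.

```php
<?php
// Added example (not code from the thread). Shows why the check as posted
// rejects every real address, what the corrected argument order still lets
// through, and the filter_var() validation from John's reply.

// The check as posted: substr_count(haystack, needle) with the arguments
// swapped, so it counts occurrences of the whole address inside "@".
// Only the literal input "@" ever yields exactly 1.
function checkEmailSwapped(string $email): bool
{
    return substr_count('@', $email) == 1;
}

// Same check with the argument order corrected: counts '@' in the address.
// Still weak on its own: "@" or " a @ b " also contain exactly one '@'.
function checkEmailAtCount(string $email): bool
{
    return substr_count($email, '@') == 1;
}

// FILTER_VALIDATE_EMAIL returns the address on success and false otherwise,
// so keep the return value instead of re-reading the raw POST field.
// The empty-string test mirrors the !empty() guard in John's snippet.
function validateEmail(?string $email)
{
    if ($email === null || $email === '') {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}

// Constructed sample inputs covering the edge cases noted above.
$samples = ['mike@example.com', '@', 'no-at-sign', 'two@@example.com',
            ' a @ b ', 'user@localhost', ''];

foreach ($samples as $s) {
    // substr_count() refuses an empty needle (ValueError on PHP 8), so the
    // swapped check cannot even be evaluated for an empty field.
    $swapped = ($s === '') ? 'n/a' : var_export(checkEmailSwapped($s), true);
    printf("%-20s swapped=%-6s atCount=%-6s filter_var=%s\n",
        var_export($s, true), $swapped,
        var_export(checkEmailAtCount($s), true),
        var_export(validateEmail($s), true));
}
```

Run it from the command line with php; the filter_var column is the value you would store, so a false there is what should trigger the rejection branch.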
sss123
Forum Newbie
Posts: 11
Joined: Thu Sep 30, 2010 8:11 pm

Re: MySQL_real escape_string

Post by sss123 »

Hi John,

Thank you for your post. I will replace my code with yours!

What does validating actually do?

Kind regards,

Mike
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: MySQL_real escape_string

Post by John Cartwright »

–verb (used with object), -dat·ed, -dat·ing.
1. to make valid; substantiate; confirm: Time validated our suspicions.
It ensures your email is of proper format.