
Safety PHP


Determ (Technical User, DE), Jun 19, 2009
Moin Moin dear friends,

I have a question about safety in PHP.

<?php
error_reporting(E_ALL);
//echo "<pre>\n";
//var_dump($_POST);
//echo"</pre>\n";

if (empty($_POST['cen'])){
echo "Keine Eingabe/No Input back to <a href=cen.php> entry</a>";
}else {
echo "Welcome you have\n";

// credentials left blank in the post
$link = mysql_connect("", "", "");
mysql_select_db("Norm");

// NOTE: $cen is only defined here if register_globals is on (it mirrors $_POST['cen']);
// the raw user value is interpolated straight into the LIKE pattern.
$auswa = "select * from cen where Norm like '%$cen%' or KurzEN like '%$cen%' Limit 0,9";
$sar = mysql_db_query("Norm", $auswa);   // mysql_db_query() is deprecated; same query as below
$nam = mysql_num_rows($sar);

$result = mysql_query($auswa) or die("Fehler0 / Error");
$num =mysql_num_rows($result);

$query = "SELECT
cen.Norm,
cen.Year,
cen.KurzEN,
cen.Reference,
cen.Comm,
cen.Code,
cen.ISO,
cen.other,
cen.Files,
iso.Norm as Stand,
iso.Year as Jahr,
iso.KurzISO,
iso.Reference as refer,
iso.Code as cde,
iso.Files,
enstand.Designation,
enstand.Comments
FROM cen
left join enstand on (cen.Norm = enstand.Designation)
LEFT JOIN iso ON (cen.ISO = iso.Norm)
WHERE
cen.Norm LIKE '".$_POST['cen']."' or cen.KurzEn like '".$_POST['cen']."'
ORDER BY cen.Norm ASC LIMIT 0,5";
// $_POST['cen'] is concatenated unescaped into the WHERE clause: this is the injection point


$result1 = mysql_query($query) or die("Fehler1 / Error");

This part works very well. But what can we do to make it safer against injection?

The problem is that people can enter a number (12345) or a word (Bicycle) in the form.
I myself tried mysql_real_escape and took a look at prepared statements, but it's not quite right
for this script.

If you have any ideas or help, let me know your opinion.
Sorry, I haven't written much in English for a long time.

Greetings and a nice weekend
 
Escape all variables used in the SQL queries by using mysql_real_escape_string().
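As an added illustration of this reply (not code from the thread), here is the poster's search query rebuilt with the legacy ext/mysql functions and mysql_real_escape_string(). It assumes PHP 5 with ext/mysql (removed in PHP 7) and a reachable MySQL server; the host, user, password and the column names beyond those in the thread are placeholders. It also shows two things escaping alone does not cover: the escaped value must still be wrapped in quotes even when it is a number, and LIKE wildcards (% and _) have to be escaped separately, before the real_escape call.

```php
<?php
// Added example (not the poster's code): the thread's search query built with
// the legacy ext/mysql functions and mysql_real_escape_string(), as this reply
// suggests. Requires PHP 5 with ext/mysql and a reachable MySQL server; host,
// user, password and database credentials below are placeholders.

// LIKE treats % and _ as wildcards. Escape them (and the backslash that MySQL
// uses as the LIKE escape character) BEFORE calling mysql_real_escape_string,
// which then doubles the backslashes so they survive string-literal parsing.
function escapeLikeTerm($link, $term)
{
    $wild = addcslashes($term, '%_\\');            // 50%   ->  50\%
    return mysql_real_escape_string($wild, $link); // 50\%  ->  50\\%
}

// Build the SELECT. The user value always goes through the escaper and is
// always wrapped in single quotes, whether the user typed "12345" or
// "Bicycle": escaping only neutralises quote characters, so an unquoted value
// would still be injectable.
function buildSearchQuery($link, $input, $limit = 9)
{
    $term  = escapeLikeTerm($link, $input);
    $limit = (int) $limit;                         // integers are cast, not escaped
    return "SELECT Norm, Year, KurzEN FROM cen
            WHERE Norm LIKE '%$term%' OR KurzEN LIKE '%$term%'
            ORDER BY Norm ASC LIMIT 0,$limit";
}

$link = mysql_connect('localhost', 'db_user', 'db_password');  // placeholders
if (!$link) {
    die('Connection failed: ' . mysql_error());
}
mysql_select_db('Norm', $link);
// Escaping is charset-aware: set the charset on the link, not via "SET NAMES".
mysql_set_charset('utf8', $link);

$input = isset($_POST['cen']) ? $_POST['cen'] : '';
if ($input === '') {
    echo "Keine Eingabe/No Input\n";
} else {
    $result = mysql_query(buildSearchQuery($link, $input), $link)
        or die('Query failed: ' . mysql_error($link));
    // Output is escaped for HTML too; the database value is untrusted on the way out.
    while ($row = mysql_fetch_assoc($result)) {
        echo htmlspecialchars($row['Norm'], ENT_QUOTES, 'UTF-8'), ' - ',
             htmlspecialchars($row['KurzEN'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

The order matters: wildcard-escape first, then mysql_real_escape_string(), otherwise the backslashes added for LIKE get doubled in the wrong place. Without the wildcard step a search for "50%" silently becomes "starts with 50", which is a correctness bug rather than an injection, but it is the same class of mistake: user input interpreted as syntax.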

 
Deprecated, yes... 'new'... no.

But I suspect that it won't be dropped for quite a while as (i) in all my tests, for typical website queries, mysql is at least as fast as mysqli, and not as processor intensive; and (ii) doing so would break backwards compatibility for so many thousands of websites that people will stick on earlier versions of PHP; which would in turn not be in the best interests of the wider PHP community and hosts etc.

That said, I'm all for updating code for reasons of portability so I'd recommend using PDO or some other abstraction layer.
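To show what the PDO route this reply recommends looks like for the poster's query, here is an added example (not code from the thread or from either participant): the cen search written with a prepared statement, so the user value is bound as a parameter and can never change the SQL structure. It runs offline against an in-memory SQLite database filled with a few constructed rows; the table and column names follow the thread, the rows and the helper names (escapeLike, searchCen) are invented for the example. Switching the DSN to MySQL leaves the query code unchanged.

```php
<?php
// Added example (not the poster's code): the thread's search with PDO prepared
// statements. Uses an in-memory SQLite database with constructed rows so it
// runs stand-alone; table/column names follow the thread.
declare(strict_types=1);

// Even with parameters bound, LIKE still interprets % and _ as wildcards, so
// they are escaped here. '!' is used as the ESCAPE character because a bare
// backslash inside a string literal means different things in MySQL and SQLite.
function escapeLike(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

/**
 * Substring search over cen.Norm and cen.KurzEN. The term is bound as a
 * parameter (two placeholders, because reusing one name is not portable
 * across PDO drivers), and LIMIT is bound as an integer so it is never quoted.
 */
function searchCen(PDO $pdo, string $term, int $limit = 9): array
{
    $sql = 'SELECT Norm, Year, KurzEN FROM cen
            WHERE Norm LIKE :t1 ESCAPE \'!\' OR KurzEN LIKE :t2 ESCAPE \'!\'
            ORDER BY Norm ASC LIMIT :lim';
    $stmt    = $pdo->prepare($sql);
    $pattern = '%' . escapeLike($term) . '%';
    $stmt->bindValue(':t1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':t2', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo with constructed data (not the poster's real database) ------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cen (Norm TEXT, Year INTEGER, KurzEN TEXT)');
$ins = $pdo->prepare('INSERT INTO cen (Norm, Year, KurzEN) VALUES (?, ?, ?)');
foreach ([
    ['EN 12345', 2004, 'Bicycle frames'],
    ['EN 50%',   1999, 'Percentage test'],  // contains a LIKE wildcard
    ['EN 501',   2010, 'Fifty-one'],        // would match an unescaped "50%" search
    ['EN 999',   2001, 'Unrelated'],
] as $row) {
    $ins->execute($row);
}

// A number, a word, a term containing a wildcard, and a classic injection
// string: each is treated purely as text to search for.
foreach (['12345', 'Bicycle', '50%', "' OR '1'='1"] as $input) {
    $rows = searchCen($pdo, $input);
    printf("%-14s -> %d row(s): %s\n",
        $input, count($rows), implode(', ', array_column($rows, 'Norm')));
}
```

The injection string matches no rows because it is compared as a literal pattern, not parsed as SQL, and the "50%" search returns only the row that literally contains "50%", not every Norm beginning with 50. The second point is why the ESCAPE clause is there: parameter binding stops injection, but it does not stop LIKE from reading wildcards in user input.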

 
Moin Moin dear friends,

thanks for all the answers. For now we will use >> mysql_real_escape <<.
As for what jpadie wrote: some parts (working with a database) have an old XAMPP, moves,
and we need this form.
Maybe the next generation will get the new part.

Nice day and 73 for now
 