Tycoon Talk, PHP Forum (part of Freelancer.com)

Thread: syntax of sprintf

05-20-2008, 05:13 PM, syntax of sprintf
Posted by sudhakararaog (Ultra Talker, Posts: 254)
Until I started using the techniques for avoiding SQL injection, I had been using a normal insert and select SQL query, which worked fine.

I have a registration page where a user enters their username; if this already exists I display a message by executing a select query, and if the username does not exist then I run an insert query.
After adopting the technique to avoid SQL injection:

if(get_magic_quotes_gpc())
{
    // magic quotes already added backslashes to the input; remove them first
    $username = stripslashes($_POST["username"]);
    $email = stripslashes($_POST["email"]);
}
else
{
    // raw input, escaped later when the query is built
    $username = $_POST["username"];
    $email = $_POST["email"];
}

Previously my select and insert queries were:

INSERT INTO individuals(username, email) values('$username', '$email')
Select username from individuals where username = '$username'

Presently the insert query is:
$insertquery = sprintf("INSERT INTO individuals (username, email) VALUES ('%s', '%s')",
mysql_real_escape_string($username), mysql_real_escape_string($email));

This insert query is working; however, the select query is not doing its task as before of checking whether the username already exists or not. Even if I register with the same username again it does not alert that the username exists.
The select query is:

$selectqueryusername = sprintf("Select username from individuals where username='%s'", mysql_real_escape_string($username));

Should I change the syntax of the above select query, or is there something else I need to do to fix the select query?

Also, for the insert query, if I have a numeric value I should be writing %d, correct? I have a numeric value; however, before inserting that numeric value I am appending a character "-" to combine the area code and phone number, for example 09-123 4567, so I am considering this as %s as there is a character. Is this correct?

Please advise.

Thanks.
05-20-2008, 05:37 PM, Re: syntax of sprintf
Posted by tripy (Thierry, Posts: 3,621, Location: I'm the uber Spaminator !)
Rather than using sprintf (which is usually used to format a string), try looking at the PREPARE statement.
It does more or less the same, but is optimized for your database.

If you are using MySQL, you must use the mysqli interface, and it's restricted to PHP 5, sadly.
You have a full example here:
http://www.php.net/manual/en/mysqli.prepare.php
__________________
Only a biker knows why a dog sticks his head out the window.
05-22-2008, 04:35 AM, Re: syntax of sprintf
Posted by sudhakararaog (Ultra Talker, Posts: 254)
I have commented out the sprintf statement to insert values in the table and used a normal insert statement which I used earlier.
Also, the select query is now doing its task of checking whether the username is already in the table, as I have used
$selectqueryusername = "Select username from individuals where username = '$username'";
INSTEAD OF
$selectqueryusername = "Select username from individuals where username='%s'", mysql_real_escape_string($username);
OR
$selectqueryemail = sprintf("Select email from individuals where email='%s'", mysql_real_escape_string($emailID));

The sprintf syntax is:
$conn = mysql_connect($hostname, $user, $passwordidb);
$insertquery = sprintf("INSERT INTO individuals (username, email, ....) VALUES ('%s', '%s',....)", mysql_real_escape_string($username, $conn), mysql_real_escape_string($email, $conn), ....);
The simple insert statement is:
$insertquery = "INSERT INTO individuals(username, email, ...) VALUES ('$username', '$email', ...)";
However, what I need is that the data should be safe before the insert query is executed, and presently the way the sprintf is written is not doing what it is supposed to do. I have taken this idea from the following URL:
http://in2.php.net/mysql_real_escape_string

I have tried different combinations of the sprintf statement; some don't work, and for some not all the values are being inserted into the table.
Following are the combinations I have tried.
1.
$insertquery = sprintf("INSERT INTO individuals (username, password....) VALUES ('%s', '%s', ...)", mysql_real_escape_string($username, $conn), mysql_real_escape_string($password, $conn), ...);
2.
$insertquery = sprintf("INSERT INTO individuals (username, password....) VALUES ('%s', '%s', ...)", mysql_real_escape_string($username), mysql_real_escape_string($password), ...);
3.
$insertquery = sprintf("INSERT INTO individuals (`username`, `password`, ...) VALUES ('%s', '%s', ...)", mysql_real_escape_string($username, $conn), mysql_real_escape_string($password, $conn), ...);
4.
$insertquery = sprintf("INSERT INTO individuals ('username', 'password', ...) VALUES ('%s', '%s', ...)", mysql_real_escape_string($username, $conn), mysql_real_escape_string($password, $conn), ...);
5.
$insertquery = sprintf("INSERT INTO individuals (username, password....) VALUES ('$username', '$password', ...)");
In case of 5, prior to the SQL insert statement I have used
$username = mysql_real_escape_string($_POST["username"]); ...

I am not sure which is the right method, or if there is any other way.
Mainly my approach to avoiding SQL injection is:
========================================================================
if(get_magic_quotes_gpc())
{
    // magic quotes already added backslashes; remove them first
    $username = stripslashes($_POST["username"]); ...
}
else
{
    $username = $_POST["username"]; ...
}
$conn = mysql_connect($hostname, $user, $passwordidb);

if(!$conn)
{
    // connection failed: nothing is done here in the original post
}
else
{
    mysql_select_db($database, $conn);
    $insertqueryresult = mysql_query($insertquery);
    mysql_close($conn);
}
========================================================================
I would really appreciate it if anyone can help me to solve this problem. Please suggest the right syntax for sprintf; I have used different combinations in sprintf (", ', `) and am not sure which is correct.
Any help will be greatly appreciated.
Waiting for a reply.
Thanks.
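An added example, not code from the thread: the registration flow (check whether the username exists, then insert) written with mysqli prepared statements as tripy suggests, which removes the need for sprintf and mysql_real_escape_string altogether. Worth noting about the thread's own code: it calls mysql_real_escape_string before mysql_connect, and without an open connection that function emits a warning and returns false, which sprintf renders as an empty string, so the select never matches and the insert stores empty values. Assumed: a table individuals with username, email and phone columns (phone stored as text, since "09-123 4567" is not a number) and placeholder connection details.

```php
<?php
// Added example (not code from the thread): check-then-insert registration
// using mysqli prepared statements. Assumed table: individuals(username, email, phone).

function register_individual(mysqli $db, string $username, string $email, string $phone): string
{
    // The SQL text and the values travel separately, so quotes or
    // comment markers inside the values can never change the statement.
    $check = $db->prepare('SELECT 1 FROM individuals WHERE username = ?');
    $check->bind_param('s', $username);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->close();
    if ($exists) {
        return 'username already exists';
    }

    // Phone keeps its "-" and space, so it is bound as a string ('s'), not an integer ('i').
    $insert = $db->prepare('INSERT INTO individuals (username, email, phone) VALUES (?, ?, ?)');
    $insert->bind_param('sss', $username, $email, $phone);
    $insert->execute();
    $insert->close();
    return 'registered';
}

// Make MySQL errors throw instead of silently running a broken query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials; connect BEFORE touching any user input.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// No stripslashes/magic_quotes handling: magic quotes were removed in PHP 5.4,
// and prepared statements do not want pre-escaped input anyway.
$username = $_POST['username'] ?? '';
$email    = $_POST['email'] ?? '';
$phone    = $_POST['phone'] ?? '';   // e.g. "09-123 4567"

echo register_individual($db, $username, $email, $phone);
```

Because the values are bound rather than interpolated, the same function handles a username like O'Brien without any escaping, which is where the sprintf/backtick/quote combinations in the thread keep going wrong.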