escaping against mysql attacks

  • buzzby
  • Novice
  • Novice
  • buzzby
  • Posts: 25

Post 3+ Months Ago

i feel that i am nearly there but am not sure why i am getting this error. i borrowed and adapted this code to suit but am falling at the last hurdle. please can someone advise as to whether the code is right and also what am i missing.

Code: [ Select ]
<?php echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?".">"; ?>

<head>
<SCRIPT LANGUAGE="JavaScript">
function redirect () { setTimeout("go_now()",1800000); }
function go_now () { window.location.href = "competition_ferrari.php"; }
</script>
<link rel="STYLESHEET" type="text/css" href="partystylesheet.css">
<title>COMPETITION - WIN A FERRARI</title>
</head>
<?php
require("mail.inc.php");
if(isset($_POST['Submit'])){
    $dbhost = 'localhost';
    $dbuser = '';
    $dbpass = '';
    $dbname = 'formresults';
    $connection = mysql_connect($dbhost, $dbpass, $dbuser) or die(mysql_error());
    if(!is_resource($connection)) {
        echo "Failed to connect to the server\n";
        // ... log the error properly
    } else {     
        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
        if(get_magic_quotes_gpc()) {
            $name              = stripslashes($_POST['name']);
            $address          = stripslashes($_POST['address']);
            $pcode             = stripslashes($_POST['pcode']);
            $email             = stripslashes($_POST['email']);
            $terms             = stripslashes($_POST['terms']);
            $specialoffers     = stripslashes($_POST['specialoffers']);
            $newsletter         = stripslashes($_POST['newsletter']);
        } else {
            $name              = $_POST['name'];
            $address          = $_POST['address'];
            $pcode             = $_POST['pcode'];
            $email             = $_POST['email'];
            $terms             = $_POST['terms'];
            $specialoffers     = $_POST['specialoffers'];
            $newsletter         = $_POST['newsletter'];
        }
    $db_selected = mysql_select_db('formresults', $connection);
    mysql_select_db($dbname) or die(mysql_error());
    $name = $_POST['name'];
    $address = $_POST['address'];
    $pcode = $_POST['pcode'];
    $email = $_POST['email'];
    $terms = $_POST['terms'];
    $specialoffers = $_POST['specialoffers'];
    $newsletter = $_POST['newsletter'];
    $query = sprintf("INSERT INTO competition_ferrari (name, address, pcode, email, terms, specialoffers, newsletter) VALUES ('$name', '$address', '$pcode', '$email', '$terms', '$specialoffers', '$newsletter')", mysql_real_escape_string($name, $connection),mysql_real_escape_string($address, $connection), mysql_real_escape_string($pcode, $connection), mysql_real_escape_string($email, $connection), mysql_real_escape_string($terms, $connection), mysql_real_escape_string($specialoffers, $connection), mysql_real_escape_string($newsletter, $connection), $_POST['Submit']);
mysql_query($query) or die(mysql_error());
if (mysql_affected_rows($connection) > 0) {
echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
echo "<div class='clearfix'></div>";
echo "<table width='100%' cellspacing='0' cellpadding='4' class='textstyle12b'><tr><td>";
echo "<strong>Thank you for entering our 'WIN A FERRARI' competition</strong><br><br>";
echo "<br><br>";
echo "</td></tr></table>";
echo "<body onLoad=redirect() text=#000000 link=#00FFFF vlink=#C0C0C0>";
echo "</body>";
}
}
} else {
    if (empty($_POST['name']) || empty($_POST['address']) || empty($_POST['pcode']) || empty($_POST['email']) || empty($_POST['terms']) || empty($_POST['specialoffers']) || empty($_POST['newsletter']))
{
    echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
    echo "<div class='clearfix'></div>";
    echo "<span class='textstyle'>";
    echo "Please return back to complete the missing fields";
    echo "</span>";
    echo "<form>";
    echo "<input type='button' value='Go Back' onclick='history.back(-1)' class='textstyle'>";
    echo "</form>";
    exit;
}
if(!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $_POST['email']))
{
    echo "<body leftmargin='0' topmargin='0'>";
    echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
    echo "<div class='clearfix'></div>";
    echo "<table width='100%' cellspacing='0' cellpadding='4' class='textstyle'><tr><td>";
    echo "<form>";
    echo "Enter a valid email address<br /><br /><input type='button' value='Go Back' onclick='history.back(-1)'>";
    echo "</form>";
    echo "</td></tr></table>";
    echo "</body>";
    exit;
}
}
}
else
{
?>
<body>
<div class="mainimage" style="text-align:left">
<img src="../images/ferraricompmain_web.jpg">
</div>
<div class="clearfix"></div>
<form id="form1" name="form1" method="post" action="competition_ferrari.php">
<div class="attribute">*Name: </div><div class="txfields"><input name="name" type="text" size="50" maxlength="255" id="name" />
</div>
<div class="clearfix"></div>
<div class="attribute"> *Address: </div>
<div class="txfields">
<textarea name="address" cols="50" rows="4" id="address"></textarea>
</div>
<div class="clearfix"></div>
<div class="attribute">*Post Code: </div>
<div class="txfields"><input name="pcode" type="text" size="20" maxlength="255" id="pcode" />
</div>
<div class="clearfix"></div>
<div class="attribute">*Email Address: </div><div class="txfields"><input name="email" type="text" size="50" maxlength="255" id="email"/></div>
<div class="clearfix"></div>
<div class="attribute" style="height: 220px">&nbsp; </div><div class="txfields">
<p>Terms &amp; Conditions<br/>
1. No purchase necessary - this is a free prize draw. <br/>
2. Closing date for entry into the Ferrari free prize draw is 05/12/08.<br/>
3. Winner will be picked at random from all entries received on 07/12/08. <br/>
4. Winner will be notified within 21 days of closing date by either e/mail or phone that they have won the bike. <br/>
5. If the prize is not claimed within 21 days of notification, another prize winner will be drawn and the original prize winner forfeits the prize. <br/>
6. The prize fund consists of 1 x Ferrari CX 20 Cycle, suitable for children aged 6 - 8 years.<br/>
7. In the event the prize becomes unavailable, it may be replaced by one of equal or greater value. <br/>
8. One entry per household.<br/>
9. The prize is non-transferable and non-refundable. There is no cash alternative.<br/>
10. Offer is open to residents of UK mainland only. <br/>
11. Promoter's decision is final and in the event of a dispute, no correspondence will be entered into. <br/>
12. Prize draw is not open to employees or families of Hamleys.<br/>
13. Promoter: Hamleys of London.<br/>
14. The winner's name will be made available if you write to: Hamleys, 6th Floor 2 Fouberts Place, London, W1F 7PA. <br/></p></div>
<div class="clearfix"></div>
<div class="chkbx"><input name="terms" type="checkbox" value="yes" id="terms"/>
</div>
<div class="chkbxtxt">*I have read and agreed to the terms and conditions</div>
<div class="clearfix"></div>
<div class="chkbx"><input name="specialoffers" type="checkbox" id="specialoffers" value="yes" checked/>
</div>
<div class="chkbxtxt">*YES, I would like to recieve special offers</div>
<div class="clearfix"></div>
<div class="chkbx">
<input name="newsletter" type="checkbox" id="newsletter" value="yes" checked/>
</div>
<div class="chkbxtxt">*YES, I want to recieve the Hamleys.com email newsletter full of orders, exclusive products and competitons.
</div>
<div class="clearfix"></div>
<div class="submitbutton"><input name="Submit" type="submit" value="Enter" />
</div>
<div class="clearfix"></div>
<div class="chkbxtxt">*please fill in all fields.
</div>
</form>

</body><?php
}
?>
  1. <?php echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?".">"; ?>
  2. <head>
  3. <SCRIPT LANGUAGE="JavaScript">
  4. function redirect () { setTimeout("go_now()",1800000); }
  5. function go_now () { window.location.href = "competition_ferrari.php"; }
  6. </script>
  7. <link rel="STYLESHEET" type="text/css" href="partystylesheet.css">
  8. <title>COMPETITION - WIN A FERRARI</title>
  9. </head>
  10. <?php
  11. require("mail.inc.php");
  12. if(isset($_POST['Submit'])){
  13.     $dbhost = 'localhost';
  14.     $dbuser = '';
  15.     $dbpass = '';
  16.     $dbname = 'formresults';
  17.     $connection = mysql_connect($dbhost, $dbpass, $dbuser) or die(mysql_error());
  18.     if(!is_resource($connection)) {
  19.         echo "Failed to connect to the server\n";
  20.         // ... log the error properly
  21.     } else {     
  22.         // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
  23.         if(get_magic_quotes_gpc()) {
  24.             $name              = stripslashes($_POST['name']);
  25.             $address          = stripslashes($_POST['address']);
  26.             $pcode             = stripslashes($_POST['pcode']);
  27.             $email             = stripslashes($_POST['email']);
  28.             $terms             = stripslashes($_POST['terms']);
  29.             $specialoffers     = stripslashes($_POST['specialoffers']);
  30.             $newsletter         = stripslashes($_POST['newsletter']);
  31.         } else {
  32.             $name              = $_POST['name'];
  33.             $address          = $_POST['address'];
  34.             $pcode             = $_POST['pcode'];
  35.             $email             = $_POST['email'];
  36.             $terms             = $_POST['terms'];
  37.             $specialoffers     = $_POST['specialoffers'];
  38.             $newsletter         = $_POST['newsletter'];
  39.         }
  40.     $db_selected = mysql_select_db('formresults', $connection);
  41.     mysql_select_db($dbname) or die(mysql_error());
  42.     $name = $_POST['name'];
  43.     $address = $_POST['address'];
  44.     $pcode = $_POST['pcode'];
  45.     $email = $_POST['email'];
  46.     $terms = $_POST['terms'];
  47.     $specialoffers = $_POST['specialoffers'];
  48.     $newsletter = $_POST['newsletter'];
  49.     $query = sprintf("INSERT INTO competition_ferrari (name, address, pcode, email, terms, specialoffers, newsletter) VALUES ('$name', '$address', '$pcode', '$email', '$terms', '$specialoffers', '$newsletter')", mysql_real_escape_string($name, $connection),mysql_real_escape_string($address, $connection), mysql_real_escape_string($pcode, $connection), mysql_real_escape_string($email, $connection), mysql_real_escape_string($terms, $connection), mysql_real_escape_string($specialoffers, $connection), mysql_real_escape_string($newsletter, $connection), $_POST['Submit']);
  50. mysql_query($query) or die(mysql_error());
  51. if (mysql_affected_rows($connection) > 0) {
  52. echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
  53. echo "<div class='clearfix'></div>";
  54. echo "<table width='100%' cellspacing='0' cellpadding='4' class='textstyle12b'><tr><td>";
  55. echo "<strong>Thank you for entering our 'WIN A FERRARI' competition</strong><br><br>";
  56. echo "<br><br>";
  57. echo "</td></tr></table>";
  58. echo "<body onLoad=redirect() text=#000000 link=#00FFFF vlink=#C0C0C0>";
  59. echo "</body>";
  60. }
  61. }
  62. } else {
  63.     if (empty($_POST['name']) || empty($_POST['address']) || empty($_POST['pcode']) || empty($_POST['email']) || empty($_POST['terms']) || empty($_POST['specialoffers']) || empty($_POST['newsletter']))
  64. {
  65.     echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
  66.     echo "<div class='clearfix'></div>";
  67.     echo "<span class='textstyle'>";
  68.     echo "Please return back to complete the missing fields";
  69.     echo "</span>";
  70.     echo "<form>";
  71.     echo "<input type='button' value='Go Back' onclick='history.back(-1)' class='textstyle'>";
  72.     echo "</form>";
  73.     exit;
  74. }
  75. if(!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $_POST['email']))
  76. {
  77.     echo "<body leftmargin='0' topmargin='0'>";
  78.     echo "<div class='mainimage'><img src='../images/ferraricompmain_web.jpg'/></div>";
  79.     echo "<div class='clearfix'></div>";
  80.     echo "<table width='100%' cellspacing='0' cellpadding='4' class='textstyle'><tr><td>";
  81.     echo "<form>";
  82.     echo "Enter a valid email address<br /><br /><input type='button' value='Go Back' onclick='history.back(-1)'>";
  83.     echo "</form>";
  84.     echo "</td></tr></table>";
  85.     echo "</body>";
  86.     exit;
  87. }
  88. }
  89. }
  90. else
  91. {
  92. ?>
  93. <body>
  94. <div class="mainimage" style="text-align:left">
  95. <img src="../images/ferraricompmain_web.jpg">
  96. </div>
  97. <div class="clearfix"></div>
  98. <form id="form1" name="form1" method="post" action="competition_ferrari.php">
  99. <div class="attribute">*Name: </div><div class="txfields"><input name="name" type="text" size="50" maxlength="255" id="name" />
  100. </div>
  101. <div class="clearfix"></div>
  102. <div class="attribute"> *Address: </div>
  103. <div class="txfields">
  104. <textarea name="address" cols="50" rows="4" id="address"></textarea>
  105. </div>
  106. <div class="clearfix"></div>
  107. <div class="attribute">*Post Code: </div>
  108. <div class="txfields"><input name="pcode" type="text" size="20" maxlength="255" id="pcode" />
  109. </div>
  110. <div class="clearfix"></div>
  111. <div class="attribute">*Email Address: </div><div class="txfields"><input name="email" type="text" size="50" maxlength="255" id="email"/></div>
  112. <div class="clearfix"></div>
  113. <div class="attribute" style="height: 220px">&nbsp; </div><div class="txfields">
  114. <p>Terms &amp; Conditions<br/>
  115. 1. No purchase necessary - this is a free prize draw. <br/>
  116. 2. Closing date for entry into the Ferrari free prize draw is 05/12/08.<br/>
  117. 3. Winner will be picked at random from all entries received on 07/12/08. <br/>
  118. 4. Winner will be notified within 21 days of closing date by either e/mail or phone that they have won the bike. <br/>
  119. 5. If the prize is not claimed within 21 days of notification, another prize winner will be drawn and the original prize winner forfeits the prize. <br/>
  120. 6. The prize fund consists of 1 x Ferrari CX 20 Cycle, suitable for children aged 6 - 8 years.<br/>
  121. 7. In the event the prize becomes unavailable, it may be replaced by one of equal or greater value. <br/>
  122. 8. One entry per household.<br/>
  123. 9. The prize is non-transferable and non-refundable. There is no cash alternative.<br/>
  124. 10. Offer is open to residents of UK mainland only. <br/>
  125. 11. Promoter's decision is final and in the event of a dispute, no correspondence will be entered into. <br/>
  126. 12. Prize draw is not open to employees or families of Hamleys.<br/>
  127. 13. Promoter: Hamleys of London.<br/>
  128. 14. The winner's name will be made available if you write to: Hamleys, 6th Floor 2 Fouberts Place, London, W1F 7PA. <br/></p></div>
  129. <div class="clearfix"></div>
  130. <div class="chkbx"><input name="terms" type="checkbox" value="yes" id="terms"/>
  131. </div>
  132. <div class="chkbxtxt">*I have read and agreed to the terms and conditions</div>
  133. <div class="clearfix"></div>
  134. <div class="chkbx"><input name="specialoffers" type="checkbox" id="specialoffers" value="yes" checked/>
  135. </div>
  136. <div class="chkbxtxt">*YES, I would like to recieve special offers</div>
  137. <div class="clearfix"></div>
  138. <div class="chkbx">
  139. <input name="newsletter" type="checkbox" id="newsletter" value="yes" checked/>
  140. </div>
  141. <div class="chkbxtxt">*YES, I want to recieve the Hamleys.com email newsletter full of orders, exclusive products and competitons.
  142. </div>
  143. <div class="clearfix"></div>
  144. <div class="submitbutton"><input name="Submit" type="submit" value="Enter" />
  145. </div>
  146. <div class="clearfix"></div>
  147. <div class="chkbxtxt">*please fill in all fields.
  148. </div>
  149. </form>
  150. </body><?php
  151. }
  152. ?>
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • buzzby
  • Novice
  • Novice
  • buzzby
  • Posts: 25

Post 3+ Months Ago

do i just need to do this instead?

are you saying that all i need to do is this?
PHP Code: [ Select ]
if(!get_magic_quotes_gpc()) {
   $name=addslashes($_POST['name']);
   $address=addslashes($_POST['address']);
   $pcode=addslashes($_POST['pcode']);
   $email=addslashes($_POST['email']);
   $terms=addslashes($_POST['terms']);
   $specialoffers=addslashes($_POST['specialoffers']);
   $newsletter=addslashes($_POST['newsletter']);
}else {
   $name = $_POST['name'];
   $address = $_POST['address'];
   $pcode = $_POST['pcode'];
   $email = $_POST['email'];
   $terms = $_POST['terms'];
   $specialoffers = $_POST['specialoffers'];
   $newsletter = $_POST['newsletter'];
}
$query = "INSERT INTO competition_ferrari (name, address, pcode, email, terms, specialoffers, newsletter) VALUES ('$name', '$address', '$pcode', '$email', '$terms', '$specialoffers', '$newsletter')";
mysql_query($query) or die(mysql_error());
  1. if(!get_magic_quotes_gpc()) {
  2.    $name=addslashes($_POST['name']);
  3.    $address=addslashes($_POST['address']);
  4.    $pcode=addslashes($_POST['pcode']);
  5.    $email=addslashes($_POST['email']);
  6.    $terms=addslashes($_POST['terms']);
  7.    $specialoffers=addslashes($_POST['specialoffers']);
  8.    $newsletter=addslashes($_POST['newsletter']);
  9. }else {
  10.    $name = $_POST['name'];
  11.    $address = $_POST['address'];
  12.    $pcode = $_POST['pcode'];
  13.    $email = $_POST['email'];
  14.    $terms = $_POST['terms'];
  15.    $specialoffers = $_POST['specialoffers'];
  16.    $newsletter = $_POST['newsletter'];
  17. }
  18. $query = "INSERT INTO competition_ferrari (name, address, pcode, email, terms, specialoffers, newsletter) VALUES ('$name', '$address', '$pcode', '$email', '$terms', '$specialoffers', '$newsletter')";
  19. mysql_query($query) or die(mysql_error());
  • buzzby
  • Novice
  • Novice
  • buzzby
  • Posts: 25

Post 3+ Months Ago

this function seems to do the same as my prev code. which is better to use?

PHP Code: [ Select ]
function clean($str, $encode_ent = false) {
   $str = @trim($str);
   if($encode_ent) {
      $str = htmlentities($str);
   }
   if(version_compare(phpversion(),'4.3.0') >= 0) {
      if(get_magic_quotes_gpc()) {
         $str = stripslashes($str);
      }
      if(@mysql_ping()) {
         $str = mysql_real_escape_string($str);
      }
      else {
         $str = addslashes($str);
      }
   }
   else {
      if(!get_magic_quotes_gpc()) {
         $str = addslashes($str);
      }
   }
   return $str;
}
  1. function clean($str, $encode_ent = false) {
  2.    $str = @trim($str);
  3.    if($encode_ent) {
  4.       $str = htmlentities($str);
  5.    }
  6.    if(version_compare(phpversion(),'4.3.0') >= 0) {
  7.       if(get_magic_quotes_gpc()) {
  8.          $str = stripslashes($str);
  9.       }
  10.       if(@mysql_ping()) {
  11.          $str = mysql_real_escape_string($str);
  12.       }
  13.       else {
  14.          $str = addslashes($str);
  15.       }
  16.    }
  17.    else {
  18.       if(!get_magic_quotes_gpc()) {
  19.          $str = addslashes($str);
  20.       }
  21.    }
  22.    return $str;
  23. }
  • ScienceOfSpock
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1893
  • Loc: Las Vegas

Post 3+ Months Ago

well, the clean() function you listed will use mysql_real_escape_string if a connection to the database is already present, so I would use that one.

Post Information

  • Total Posts in this topic: 4 posts
  • Users browsing this forum: No registered users and 70 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.