This question already has answers here:
Why shouldn't I use mysql_* functions in PHP?
(14 answers)
Closed 5 years ago.
I'm working on a login form and am using some code from a tutorial.
Now I don't remember what the mysql_prep was for and whether it's deprecated, since it's not mysqli... I couldn't really make sense of what I googled.
Is it OK to use this, or should I use something else, or not use it altogether?
It looks like this (variables used to update SQL table):
$username = mysql_prep($_POST["username"]);
$password = mysql_prep($_POST["password"]);
$hashed_password = password_hash($_POST["password"], PASSWORD_DEFAULT);
mysql_prep must be some user-defined function. It does not exist in the PHP docs.
http://php.net/manual-lookup.php?pattern=mysql_prep&scope=quickref
Look inside this function in your own code and if it has any references to mysql_ functions then consider it deprecated. All mysql_ functions are deprecated as of PHP 5.5 and are removed in PHP 7.
Use mysqli_ functions or PDO instead.
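As an added example (not the tutorial's code and not part of the answer above), here are the login variables from the question handled with PDO prepared statements and password_hash()/password_verify(). The users table, the function names and the in-memory SQLite DSN are assumptions chosen so the script runs without a database server; the prepare/execute calls are the same against MySQL.

```php
<?php
// Added example: table layout and function names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username VARCHAR(255) PRIMARY KEY,
    hashed_password VARCHAR(255) NOT NULL
)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // The raw password goes straight into password_hash(); it is never
    // escaped and never placed in SQL. Only the resulting hash is stored.
    $stmt = $pdo->prepare('INSERT INTO users (username, hashed_password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username travels as data, separate from the query
    // text, so no mysql_prep-style escaping is involved.
    $stmt = $pdo->prepare('SELECT hashed_password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false; // same answer for an unknown user and a wrong password
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // PASSWORD_DEFAULT can change between PHP versions; upgrade the hash.
        $upd = $pdo->prepare('UPDATE users SET hashed_password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample values standing in for $_POST["username"] and $_POST["password"].
register_user($pdo, "o'brien", "correct horse's staple");
var_dump(check_login($pdo, "o'brien", "correct horse's staple"));
var_dump(check_login($pdo, "o'brien", 'wrong password'));
```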
Related
This question already has answers here:
PHP 7.2 Function create_function() is deprecated
(6 answers)
Closed 3 years ago.
I just updated my server to the latest version of PHP 7.2 and now I have some deprecation warnings. What should I do?
This function has been DEPRECATED as of PHP 7.2.0. Relying on this function is highly discouraged.
Here is my code:
if(!array_key_exists('callable', $this->translation_plural)) {
    $this->translation_plural['callable'] = create_function('$n', $this->translation_plural['function']);
}
The documentation recommends using anonymous functions. Given that $this->translation_plural['function'] looks like it is a string, you should consider a rewrite.
If you want to get rid of the warning, you can use the following:
$this->translation_plural['callable'] = function($n) { return eval($this->translation_plural['function']); };
This doesn't help your code at all; you are still using eval(), which is bad practice. The documentation warns against using it.
The only difference is, create_function() used it internally, now it is very explicit.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
As the title says. If a user tries to upload a file with ' in the title, it throws an error (it won't connect to the server). Should I replace that sign during upload, or do something else? It is just a simple connection to the database:
$b = "select * from doc";
$rez1 = mysql_query($b) or die("<span>error</span>");
I'd recommend using escaping methods instead of manipulating the input.
This is the safest way to prevent SQL injections. (And never tell the user the technical details of why something doesn't work, unless you want some of them to exploit these exceptions.)
Also, don't ever use the old and deprecated mysql* functions; learn PDO or mysqli instead.
If you were using mysql, then switch to mysqli and use this: mysqli_real_escape_string()
Otherwise, you could use a regex that replaces ' with \' -
preg_quote()
$string = "Something with 'quotes' ";
$res = preg_quote($string, "'");
echo $res;
will return:
Something with \'quotes\'
Which will cause no problem during the insertion.
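An added example, not code from the question or from either answer: a file title containing an apostrophe stored through a bound parameter, with the database error written to the server log and only a generic message returned to the user. The title column, the function name and the in-memory SQLite DSN are assumptions; the doc table name is the one from the question.

```php
<?php
// Added example: column and function names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE doc (id INTEGER PRIMARY KEY, title VARCHAR(255) NOT NULL UNIQUE)');

function save_title(PDO $pdo, string $title): string
{
    try {
        // The title is bound as a value, so the apostrophe never becomes part
        // of the SQL text and nothing has to be replaced or escaped.
        $stmt = $pdo->prepare('INSERT INTO doc (title) VALUES (:title)');
        $stmt->execute([':title' => $title]);
        return 'Upload saved.';
    } catch (PDOException $e) {
        // Technical detail goes to the server log; the user sees a generic message.
        error_log('doc insert failed: ' . $e->getMessage());
        return 'Upload could not be saved.';
    }
}

$title = "Bob's report (final).pdf";   // constructed sample file title
echo save_title($pdo, $title), "\n";
echo save_title($pdo, $title), "\n";   // second insert violates UNIQUE and takes the catch path

// Read the row back and compare it with what went in.
$stored = $pdo->query('SELECT title FROM doc')->fetchColumn();
var_dump($stored === $title);
```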
This question already has answers here:
How do you use bcrypt for hashing passwords in PHP? [duplicate]
(11 answers)
Closed 8 years ago.
Hi, I am trying to use the password_hash() function like so:
echo password_hash("mySecretPassword", PASSWORD_DEFAULT);
But I am getting this error which I can figure out
Fatal error: Call to undefined function password_hash()
My current PHP version is 5.3.19 32 bit
What is the cause of this issue?
From the PHP docs.
password_hash()
(PHP 5 >= 5.5.0)
This means that only versions after 5.5.0 have this method implemented. Running 5.3.0 will not work. There is, however, a fallback option posted in this answer.
You could also use the password_hash() compatibility pack.
This question already has answers here:
How can I convert ereg expressions to preg in PHP?
(4 answers)
Closed 9 years ago.
My id is a5efa5.
Code below replacing deprecated[?] [^a-z0-9] is not working. a5efa5 is an id in my database table.
//Connect to the database through our include
include_once "database.php";
// Get the member id from the URL variable
$id = $_REQUEST['id'];
$id = ereg_replace("[^a-z0-9]", "", $id); // strip everything except lowercase letters and digits, for security
if (!$id) {
    echo "Missing Data to Run";
    exit();
}
Help me friends, where did I make a mistake...
It could be because ereg_replace is deprecated. Below is what is stated on the php.net website
This function has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.
If you are using a version of PHP greater than 5.3.0 then it will not work.
Use preg_replace
$id = preg_replace('#[^a-z0-9]+#', '', $id);
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Why shouldn’t I use mysql_* functions in PHP?
Hi, can I use code in PHP like this:
$s_username = addslashes(strip_tags($_POST['username']));
$s_password = addslashes(strip_tags($_POST['password']));
Before this I used this:
$email = mysql_real_escape_string(strip_tags($_POST['email']));
$username = mysql_real_escape_string(strip_tags($_POST['username']));
...because many said that mysql_real_escape_string is dangerous to use?
It's deprecated, which means it's not being maintained, so if a security flaw is discovered, PHP developers aren't going to fix it. It's not dangerous though, it just escapes all bad characters that could be used for SQL injection.
Use mysqli_* functions or PDO instead. Those actually are being maintained and are way more secure.