Hi, I have the following query:
$sql = "update zzz_users set password = "'".$encrypted."' where username = '".$email."'";
CustomQuery($sql);
And I just cannot get the concat right; could someone please show me how to do it?
The correct query is:
$sql = "update zzz_users set password = '" . $encrypted . "' where username = '" . $email . "'";
There's a lot more wrong here than not getting the concatenation right.
First of all, if you're just trying to put variables into a string in PHP, consider using double quotes and putting the variables directly into the string:
$sql = "UPDATE `zzz_users` SET `password` = '$encrypted' WHERE `username` = '$email'";
There's no need for all the starting and stopping of strings in that case.
However, what you're doing here is extremely dangerous because of SQL Injection attacks. You should DEFINITELY NOT be putting variables directly into your SQL commands.
The best way to do this is to use a library that knows how to accept formatting strings and create safe SQL for you. For example, something like MeekroDB will let you write this SQL statement like this:
DB::query("UPDATE `zzz_users` SET `password`=%s WHERE `username`=%s", $encrypted, $email);
This is actually safe, because it will ensure that the SQL is properly escaped, preventing SQL injection attacks. Of course, you can roll your own escaping, but it's almost always a better idea to use a well-established library (there are many free/open source and commercial/proprietary offerings out there).
There is one " too many after password =. You should escape the strings before writing them to the database, otherwise you may get a possible SQL injection issue.
$sql = "update zzz_users set password = '" .mysql_real_escape_string($encrypted). "' where username = '" .mysql_real_escape_string($email). "'";
CustomQuery($sql);
I'm currently developing a simple php/mysql website as an assignment.
I need to update a char column in a table by passing a php variable. Issue is I don't know how to pass the variable as a string.
$verify = $_POST['verification'];
"UPDATE Users SET account_status=1 WHERE verification_code= . $verify . ";
The above query is not working for me. Running the query manually on MySQL does work:
UPDATE Users SET account_status=1 WHERE verification_code="XYz12"
so I think the problem is passing the variable as a string. I tried a couple of different things but couldn't manage it...
The field verification_code is a string, so it must be between single quotes, like:
$query = "UPDATE Users SET account_status=1 WHERE verification_code='$verify'";
$query = "UPDATE Users SET account_status=1 WHERE verification_code='" . $verify . "'";
But of course this is very poor form. You need to ensure your variable has been properly escaped. I recommend using PDO prepared statements:
$stmt = $db->prepare("UPDATE Users SET account_status=1 WHERE verification_code=?");
$stmt->execute(array($verify));
The correct string for the query is as follows:
$query = "UPDATE Users SET account_status=1 WHERE verification_code=\"" . $verify . "\"";
With the \ char you escape the quote char. Anyway, this can be quite confusing, so you can use single quotes.
$query = "UPDATE Users SET account_status=1 WHERE verification_code='$verify'";
Note that you can make a reference to a php variable within quotes like above.
BTW. Your error is that you are using the concatenation characters inside a string. It should be used like my first example. Anyways you need to quote the value of the SQL if it is a string. You don't have to do it if the field is NOT a string.
If you are worried about SQL-Injection you can use Prepared Statements instead of plain queries. I recommend to you the PDO Class of PHP. You can give a try to MySQLi too.
I am currently working on making my site injection proof and was wondering about the validations I am making. My code goes like this:
if(!empty($_POST['city']) && !empty($_POST['street'])){
$city = htmlentities(mysql_real_escape_string($_POST['city']));
$street = htmlentities(mysql_real_escape_string($_POST['street']));
}
My question is: isn't the empty check itself a vulnerability?
I mean, do I have to escape the string in the !empty validation as well? Or is it safe to keep it that way?
thanks.
SQL injection vulnerabilities work like this:
$username = $_GET["username"];
mysql_query("SELECT 1 FROM `users` WHERE `username` = '" . $username . "'");
Now if the value of $_GET["username"] is something like "foo' OR 1=1--"
The query:
SELECT 1 FROM `users` WHERE `username` = 'foo' OR 1=1
--'
will be run which selects all users
If you escape your input you will get the (intended) query:
SELECT 1 FROM `users` WHERE `username` = 'foo\' OR 1=1--'
PHP functions themselves aren't vulnerable.
Maybe this is a good analogy: when someone says "Say your name" they want you to say "I'm John", not "your name".
For SQL injection you only need to worry when querying the database, so isset is safe.
There should be no need for htmlentities (use it as protection against XSS).
mysql_real_escape_string will protect against SQL injection if done correctly, but should not be used at all, since the mysql_ prefix / DB-handler is outdated, deprecated and should not be used at all.
The safest way is to use either mysqli_ or PDO, and use prepared statements.
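The attack and the fix described in this answer side by side, as an added PHP example that is not part of any post here; it runs against an in-memory SQLite database through PDO (the table and rows are constructed) so the behaviour can be checked without a MySQL server.

```php
<?php
// Added example: string-built SQL versus a PDO prepared statement, using the
// "foo' OR 1=1--" input from the answer above. SQLite in-memory keeps it offline;
// the users table and its rows are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'x'), ('bob', 'y')");

// The payload closes the quoted string, adds a tautology, and comments out the rest.
$username = "foo' OR 1=1--";

// 1. Vulnerable: the variable becomes part of the SQL text, so the tautology
//    is parsed as SQL and every row matches.
$sql = "SELECT username FROM users WHERE username = '" . $username . "'";
$viaConcat = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated query matched " . count($viaConcat) . " rows\n";

// 2. Safe: the value is bound as a parameter and compared literally, so a user
//    whose name is exactly "foo' OR 1=1--" would have to exist for a match.
$stmt = $db->prepare("SELECT username FROM users WHERE username = ?");
$stmt->execute([$username]);
$viaPrepared = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared statement matched " . count($viaPrepared) . " rows\n";

// The same applies to the UPDATE from the first question on this page:
// bind both values, and store a password hash rather than the plain text.
$update = $db->prepare("UPDATE users SET password = ? WHERE username = ?");
$update->execute([password_hash('new-secret', PASSWORD_DEFAULT), 'alice']);
echo "rows updated: " . $update->rowCount() . "\n";
```

Swapping the DSN for a MySQL one (and keeping ERRMODE_EXCEPTION so failed queries are not silently ignored) is the only change needed for the code in the questions above.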
Noticed a small issue in the syntax of a sql query, here's how it goes:
$email = "name_lastname#server.com";
$query = "Select * From Users Where email=".$email;
This does not work. The query itself has been tested and works fine; however, this essentially evolves to:
Select * FROM Users WHERE email=name_lastname#server.com ;
Which yields a null result.
To execute it the right way, I add a twist to the syntax of my $email variable, essentially as:
$email = "\"name_lastname#server.com\"";
Once I specify quotations within the string variable, that is when it executes as expected yielding the desired result.
I am not sure if this is the most aesthetic way to go about approaching my syntax for query execution, and I do think there are alternatives. Grateful to those who shed a light on this.
Try this instead:
$query = "Select * From Users Where email='$email'";
Or:
$query = sprintf("Select * From Users Where email='%s'", $email);
Or:
Many many other ways....
String queries need a single quote around the search criteria. Assuming MySQL: http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html
$email = "name_lastname#server.com";
$email = "'" . mysql_real_escape_string($email) . "'";
$query = "Select * From Users Where email=".$email;
Non-quoted variables like that will be read as int. Always quote all strings. You don't need to escape doubles like that when singles will suffice.
$query = "SELECT * From Users WHERE email= '".mysql_real_escape_string($email)."'";
Why not do:
$email = "name_lastname#server.com";
$query = "Select * From Users Where email = '$email'";
Your solution gets at the right principle: SQL needs the email address to be enclosed in quotes because it's a string. My suggestion for making the code more elegant would simply be to put the quotes in the string containing the query, not the one containing the email address.
$email = "name_lastname#server.com";
$query = "Select * From Users Where email=\"".$email."\"";
The quote marks aren't part of the email address, they're part of the query. If you do it this way, you won't have extraneous quotes if you try to use $email for something else, and you won't have to remember to put quotes around every other email address that you pass into the same query.
Also, you might want to check out mysqli, which handles queries in a slightly different way and as a side effect, eliminates all this fooling around with escaping your strings.
PS - I agree with the folks who suggested using single quotes instead of escaped double quotes. But SQL does accept double quotes (at least on my system) so I stuck with the convention you were using.
The best way to avoid quote problems is to prepare the statement in phpMyAdmin and then generate the PHP source query:
$email = "name_lastname#server.com";
$sql = 'SELECT * FROM `Users` WHERE `email` = \'' . $email . '\'';
More info:
http://www.packtpub.com/article/multi-table-query-generator-using-phpmyadmin-mysql
$result = mysql_query("UPDATE categories
SET cd_title='$docuTitle' , cd_link='$linkTitle'
WHERE c_name='$catID'");
What is wrong with this update query?
There is probably something wrong with the data in your variables — but we can't see what they contain.
You should be using parameterized queries, which would deal with any odd characters in your data that might mess up the statement.
See How can I prevent SQL injection in PHP? and When are the most recommended times to use mysql_real_escape_string()
I would change the query to this, to avoid errors if input contains apostrophes:
$result = mysql_query(
"UPDATE categories SET
cd_title='" . mysql_real_escape_string($docuTitle) . "',
cd_link='" . mysql_real_escape_string($linkTitle) . "'
WHERE
c_name='" . mysql_real_escape_string($catID) . "'");
If your data is sanitized, remove the single quotes from around the php variables.
Okay I have two variables in PHP
$username;
$password;
which are initialized to the data retrieved from $_POST variable :)
I have this SQL query
$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "')";
But this doesn't work and returns me nothing :(
Can you instruct me into the right direction. Please?
The query has a closing parenthesis on the end for no reason, it won't work.
What's wrong with it?
Everything, unfortunately. In particular it's open to SQL injection attacks.
If that's a verbatim cut&paste, then the reason it's not actually working is a trailing closing bracket. Presumably you're not checking for errors when you call this?
Using the base MySQL API it should be:
$sth = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
$sth->execute(array($username, $password)); // PDO binds the values passed as an array
list($count) = $sth->fetch(PDO::FETCH_NUM);
$authorized = ($count > 0);
or similar (code untested, E&OE, etc...)
eeek! sql injection for one!
EDIT: What's your favorite "programmer" cartoon?
Why is there a stray ) at the end of your query? It shouldn't be there.
Oh, and thirded on SQL injection. BAD.
First of all, never, ever do it like this. Please read about SQL injection and don't write any SQL until you have understood what it says. Sorry, but this is really essential.
That said, your query contains a closing bracket. That looks like a syntax error. Do you get an error executing it?
There's an extra parenthesis on the right hand side of the query.
Also, if you do not sanitize your code properly you're going to be vulnerable to SQL injection. You should really be using parameterized queries, but in lieu of that at least use mysql_real_escape_string() on $username and $password.
Also, as a bit of ghost debugging, it's very possible that your passwords are MD5 hashed in the database, since you should never store them in plain text.
Try:
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
You seem to have an excess closing parenthesis at the end of your query string.
[Edit] - for those screaming SQL injection attacks: we don't know what the user has done with their variables before using them in the query. How about benefit of doubt? ;-)
In addition to all the other problems noted. The Password in the Users table is stored encrypted. Unless you've run the Password through the MySQL password encryptor, you will never see any data from this query as the passwords won't match.