syntax of sprintf

  • Sudhakar

    syntax of sprintf


    Until I started using the techniques for avoiding SQL injection, I
    had been using a normal INSERT and SELECT SQL query, which worked
    fine.

    I have a registration page where a user enters their username; if
    this already exists I display a message by executing a SELECT query,
    and if the username does not exist then I run an INSERT query.

    After adopting the technique to avoid SQL injection:

    // undo magic_quotes so the value is escaped exactly once, below
    if(get_magic_quotes_gpc())
    {
    $username = stripslashes($_POST["username"]);
    $email = stripslashes($_POST["email"]);
    }

    else
    {
    $username = $_POST["username"];
    $email = $_POST["email"];
    }
    Previously my SELECT and INSERT queries were:

    INSERT INTO individuals(username, email) values('$username', '$email')
    Select username from individuals where username = '$username'

    Presently the INSERT query is:

    $insertquery = sprintf("INSERT INTO individuals (username, email)
    VALUES ('%s', '%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($email));

    This INSERT query is working; however, the SELECT query is not doing its
    task as before of checking whether the username already exists or not. Even
    if I register with the same username again it does not alert that the
    username exists.

    The SELECT query is:

    $selectqueryusername = sprintf("Select username from individuals where
    username='%s'", mysql_real_escape_string($username));

    Should I change the syntax of the above SELECT query, or is there
    something else I need to do to fix the SELECT query?

    Also, for the INSERT query, if I have a numeric value I should be writing
    %d, correct? I have a numeric value; however, before inserting that
    numeric value I am appending a "-" character to combine area code and
    phone number, example 09-123 4567, so I am considering this as %s as
    there is a character. Is this correct?

    Please advise.

    Thanks.
  • Michael Fesser

    #2
    Re: syntax of sprintf

    ..oO(Sudhakar)
    >Until I started using the techniques for avoiding SQL injection, I
    >had been using a normal INSERT and SELECT SQL query, which worked
    >fine.
    >
    >I have a registration page where a user enters their username; if
    >this already exists I display a message by executing a SELECT query,
    >and if the username does not exist then I run an INSERT query.
    >
    >After adopting the technique to avoid SQL injection:
    >
    >if(get_magic_quotes_gpc())
    >{
    >$username = stripslashes($_POST["username"]);
    >$email = stripslashes($_POST["email"]);
    >}
    >
    >else
    >{
    >$username = $_POST["username"];
    >$email = $_POST["email"];
    >}
    >Previously my SELECT and INSERT queries were:
    >
    >INSERT INTO individuals(username, email) values('$username', '$email')
    >Select username from individuals where username = '$username'
    >
    >Presently the INSERT query is:
    >
    >$insertquery = sprintf("INSERT INTO individuals (username, email)
    >VALUES ('%s', '%s')",
    >mysql_real_escape_string($username),
    >mysql_real_escape_string($email));
    >
    >This INSERT query is working; however, the SELECT query is not doing its
    >task as before of checking whether the username already exists or not. Even
    >if I register with the same username again it does not alert that the
    >username exists.
    What does "not doing its task" mean? Do you get any error messages? Do
    you have any error checking at all? Does MySQL complain about something?
    >The SELECT query is:
    >
    >$selectqueryusername = sprintf("Select username from individuals where
    >username='%s'", mysql_real_escape_string($username));
    Looks OK.
    >Should I change the syntax of the above SELECT query, or is there
    >something else I need to do to fix the SELECT query?
    The posted code is not enough to say where the problem might be.
    >Also, for the INSERT query, if I have a numeric value I should be writing
    >%d, correct?
    Correct, if it's an integer.
    >I have a numeric value; however, before inserting that
    >numeric value I am appending a "-" character to combine area code and
    >phone number, example 09-123 4567, so I am considering this as %s as
    >there is a character. Is this correct?
    Correct. This is not a number anymore, but a string.

    Micha

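    The check-then-insert flow discussed in this thread, as an added example that is not part of the original posts and not Sudhakar's code. It is a translation to Python with an in-memory SQLite database standing in for PHP/MySQL, so the escape() helper doubles quotes (SQLite's rule) where mysql_real_escape_string() would backslash-escape; the table, the seeded user and the injection payload are all constructed here. It shows the raw-interpolated SELECT from the "before" form being fooled by a payload and failing outright on a legitimate apostrophe, the escape-then-sprintf form from the thread behaving correctly, the bound-parameter form, and why the SELECT alone is not a duplicate guard (the UNIQUE constraint catches the race between the check and the INSERT).

    ```python
    import sqlite3

    # Constructed stand-in for the thread's MySQL table. UNIQUE(username), not
    # the SELECT-before-INSERT check, is what really prevents duplicates: two
    # concurrent registrations can both pass the SELECT before either INSERTs.
    SCHEMA = """
    CREATE TABLE individuals (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        email    TEXT NOT NULL,
        phone    TEXT
    );
    """


    def open_db():
        """In-memory database seeded with one constructed user."""
        conn = sqlite3.connect(":memory:")
        conn.executescript(SCHEMA)
        conn.execute(
            "INSERT INTO individuals (username, email, phone) VALUES (?, ?, ?)",
            ("alice", "alice@example.org", "09-123 4567"),
        )
        conn.commit()
        return conn


    def escape(value):
        """Escape a value for pasting between single quotes in SQLite.

        Plays the role of mysql_real_escape_string() in the thread. MySQL escapes
        the quote with a backslash; SQLite doubles it. Either way the delimiter
        can no longer terminate the literal early.
        """
        return value.replace("'", "''")


    def username_exists_unsafe(conn, username):
        """The thread's 'before' form: raw interpolation, injectable."""
        sql = "SELECT username FROM individuals WHERE username = '%s'" % username
        return conn.execute(sql).fetchone() is not None


    def username_exists_escaped(conn, username):
        """The thread's fix: escape first, then sprintf-style formatting."""
        sql = "SELECT username FROM individuals WHERE username = '%s'" % escape(username)
        return conn.execute(sql).fetchone() is not None


    def username_exists_param(conn, username):
        """Preferred form: a bound parameter never becomes part of the SQL text."""
        row = conn.execute(
            "SELECT username FROM individuals WHERE username = ?", (username,)
        ).fetchone()
        return row is not None


    def unsafe_query_errors(conn, username):
        """True when raw interpolation turns a legitimate input into invalid SQL."""
        try:
            username_exists_unsafe(conn, username)
        except sqlite3.OperationalError:
            return True
        return False


    def register(conn, username, email, phone):
        """Insert a user; True on success, False if the username is taken.

        The phone number keeps its '-' and stays a string (the '%s' case in
        the thread); it is not an integer, so '%d' would be the wrong format.
        """
        try:
            conn.execute(
                "INSERT INTO individuals (username, email, phone) VALUES (?, ?, ?)",
                (username, email, phone),
            )
            conn.commit()
            return True
        except sqlite3.IntegrityError:  # UNIQUE(username) violated
            return False


    def run_demo():
        """Exercise each form against a constructed payload and a real apostrophe."""
        conn = open_db()
        payload = "nobody' OR '1'='1"   # constructed injection string
        return {
            "unsafe_fooled": username_exists_unsafe(conn, payload),
            "unsafe_breaks_on_apostrophe": unsafe_query_errors(conn, "o'brien"),
            "escaped_not_fooled": not username_exists_escaped(conn, payload),
            "param_not_fooled": not username_exists_param(conn, payload),
            "escaped_handles_apostrophe": username_exists_escaped(conn, "o'brien") is False,
            "existing_user_found": username_exists_escaped(conn, "alice")
                                   and username_exists_param(conn, "alice"),
            "duplicate_rejected": not register(conn, "alice", "alice2@example.org", None),
            "new_user_added": register(conn, "bob", "bob@example.org", "09-123 4567")
                              and username_exists_param(conn, "bob"),
        }


    if __name__ == "__main__":
        for name, ok in run_demo().items():
            print(f"{name}: {ok}")
    ```

    Two practical notes that follow from Micha's reply. First, escaping is only as good as the query it is pasted into: if the escaped value lands anywhere other than inside a quoted literal, mysql_real_escape_string() does nothing for you, which is why the bound-parameter form is the one to prefer where the driver offers it. Second, on the %d question: PHP's sprintf('%d', '09-123 4567') coerces the string to an integer and silently keeps only the leading digits, so a phone number with a separator in it must be passed as %s, exactly as Micha says.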

    • C. (http://symcbean.blogspot.com/)

      #3
      Re: syntax of sprintf

      On May 21, 5:24 am, Michael Fesser <neti...@gmx.de> wrote:
      > ..oO(Sudhakar)
      > > Until I started using the techniques for avoiding SQL injection, I
      > > had been using a normal INSERT and SELECT SQL query, which worked
      > > fine.
      > >
      > > I have a registration page where a user enters their username; if
      > > this already exists I display a message by executing a SELECT query,
      > > and if the username does not exist then I run an INSERT query.
      > >
      > > After adopting the technique to avoid SQL injection:
      > >
      > > if(get_magic_quotes_gpc())
      > > {
      > > $username = stripslashes($_POST["username"]);
      > > $email = stripslashes($_POST["email"]);
      > > }
      > >
      > > else
      > > {
      > > $username = $_POST["username"];
      > > $email = $_POST["email"];
      > > }
      > > Previously my SELECT and INSERT queries were:
      > >
      > > INSERT INTO individuals(username, email) values('$username', '$email')
      > > Select username from individuals where username = '$username'
      > >
      > > Presently the INSERT query is:
      > >
      > > $insertquery = sprintf("INSERT INTO individuals (username, email)
      > > VALUES ('%s', '%s')",
      > > mysql_real_escape_string($username),
      > > mysql_real_escape_string($email));
      > >
      > > This INSERT query is working; however, the SELECT query is not doing its
      > > task as before of checking whether the username already exists or not. Even
      > > if I register with the same username again it does not alert that the
      > > username exists.
      >
      > What does "not doing its task" mean? Do you get any error messages? Do
      > you have any error checking at all? Does MySQL complain about something?
      >
      > > The SELECT query is:
      > >
      > > $selectqueryusername = sprintf("Select username from individuals where
      > > username='%s'", mysql_real_escape_string($username));
      >
      > Looks OK.
      >
      > > Should I change the syntax of the above SELECT query, or is there
      > > something else I need to do to fix the SELECT query?
      >
      > The posted code is not enough to say where the problem might be.
      >
      > > Also, for the INSERT query, if I have a numeric value I should be writing
      > > %d, correct?
      >
      > Correct, if it's an integer.
      >
      > > I have a numeric value; however, before inserting that
      > > numeric value I am appending a "-" character to combine area code and
      > > phone number, example 09-123 4567, so I am considering this as %s as
      > > there is a character. Is this correct?
      >
      > Correct. This is not a number anymore, but a string.
      >
      > Micha
      Agreed - the posted code should do what is intended - the bug lies
      elsewhere.

      C.
