syntax of sprintf

This is a discussion on syntax of sprintf within the PHP General forums, part of the PHP Programming Forums category; until i started using the techniques for avoiding sql injection, i have been using a normal insert and select sql ...


Go Back   Usenet Forums > PHP Programming Forums > PHP General

Reload this Page syntax of sprintf

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 05-20-2008
Sudhakar
 
Posts: n/a
Default syntax of sprintf
until i started using the techniques for avoiding sql injection, i
have been using a normal insert and select sql query which worked
fine.
i have a registration page where a user enters their username and if
this already exists i display a message by executing a select query
and if the username does not exist then i run an insert query.

after adopting the technique to avoid sql injection
if(get_magic_quotes_gpc())
{
$username = stripslashes($_POST["username"]);
$email = stripslashes($_POST["email"]);
}
else
{
$username = $_POST["username"];
$email = $_POST["email"];
}

previously my select and insert query were

INSERT INTO individuals(username, email) values('$username', '$email')
Select username from individuals where username = '$username'

presently the insert query is

$insertquery = sprintf("INSERT INTO individuals (username, email) VALUES
('%s', '%s')",
mysql_real_escape_string($username), mysql_real_escape_string($email));

This insert query is working however the select query is not doing its task
as before of checking if the username already exists or not, even if i
register with the same username again it does not alert that the username
exists.

the select query is

$selectqueryusername = sprintf("Select username from individuals where
username='%s'", mysql_real_escape_string($username));

should i change the syntax of the above select query or is there something
else in need to do to fix the select query.
also for insert query if i have a numeric value i should be writting %d
correct, i have a numeric value however before inserting that
numeric value i am appending a character "-" to combine area code and phone
number example 09-123 4567 so i am considering this as %s as there is a
character. is this correct.

please advice.

thanks.

Reply With Quote
  #2 (permalink)  
Old 05-21-2008
Chris
 
Posts: n/a
Default Re: [PHP] syntax of sprintf

> the select query is
>
> $selectqueryusername = sprintf("Select username from individuals where
> username='%s'", mysql_real_escape_string($username));

The syntax is fine.

$result = mysql_query($selectqueryusername);
if (!$result) {
echo "Error! *** " . mysql_error();
}


> also for insert query if i have a numeric value i should be writting %d
> correct, i have a numeric value however before inserting that
> numeric value i am appending a character "-" to combine area code and phone
> number example 09-123 4567 so i am considering this as %s as there is a
> character. is this correct.

Yes.

The placeholders are all documented pretty well:

http://www.php.net/sprintf

--
Postgresql & php tutorials
http://www.designmagick.com/
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 09:16 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0