This is a discussion on syntax of sprintf within the PHP Language forums, part of the PHP Programming Forums category.
Until I started using the techniques for avoiding SQL injection, I had been using a normal insert and select SQL query, which worked fine.

I have a registration page where a user enters their username; if this already exists I display a message by executing a select query, and if the username does not exist then I run an insert query.

After adopting the technique to avoid SQL injection:

if(get_magic_quotes_gpc())
{
    $username = stripslashes($_POST["username"]);
    $email = stripslashes($_POST["email"]);
}
else
{
    $username = $_POST["username"];
    $email = $_POST["email"];
}

Previously my select and insert queries were:

INSERT INTO individuals(username, email) values('$username', '$email')
Select username from individuals where username = '$username'

Presently the insert query is:

$insertquery = sprintf("INSERT INTO individuals (username, email) VALUES ('%s', '%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($email));

This insert query is working; however, the select query is not doing its task as before of checking whether the username already exists or not. Even if I register with the same username again, it does not alert that the username exists. The select query is:

$selectqueryusername = sprintf("Select username from individuals where username='%s'",
    mysql_real_escape_string($username));

Should I change the syntax of the above select query, or is there something else I need to do to fix the select query?

Also, for the insert query, if I have a numeric value I should be writing %d, correct? I have a numeric value; however, before inserting that numeric value I am appending a character "-" to combine area code and phone number, for example 09-123 4567, so I am considering this as %s as there is a character. Is this correct?

Please advise. Thanks.
..oO(Sudhakar)

>Until I started using the techniques for avoiding SQL injection, I
>have been using a normal insert and select SQL query which worked
>fine.
>
>I have a registration page where a user enters their username and if
>this already exists I display a message by executing a select query
>and if the username does not exist then I run an insert query.
>
>After adopting the technique to avoid SQL injection
>
>if(get_magic_quotes_gpc())
>{
>$username = stripslashes($_POST["username"]);
>$email = stripslashes($_POST["email"]);
>}
>
>else
>{
>$username = $_POST["username"];
>$email = $_POST["email"];
>}
>
>Previously my select and insert query were
>
>INSERT INTO individuals(username, email) values('$username', '$email')
>Select username from individuals where username = '$username'
>
>Presently the insert query is
>
>$insertquery = sprintf("INSERT INTO individuals (username, email)
>VALUES ('%s', '%s')",
>mysql_real_escape_string($username),
>mysql_real_escape_string($email));
>
>This insert query is working however the select query is not doing its
>task as before of checking if the username already exists or not, even
>if I register with the same username again it does not alert that the
>username exists.

What does "not doing its task" mean? Do you get any error messages? Do
you have any error checking at all? Does MySQL complain about something?

>The select query is
>
>$selectqueryusername = sprintf("Select username from individuals where
>username='%s'", mysql_real_escape_string($username));

Looks OK.

>Should I change the syntax of the above select query or is there
>something else I need to do to fix the select query.

The posted code is not enough to say where the problem might be.

>Also for insert query if I have a numeric value I should be writing
>%d correct

Correct, if it's an integer.

>I have a numeric value however before inserting that
>numeric value I am appending a character "-" to combine area code and
>phone number example 09-123 4567 so I am considering this as %s as
>there is a character. Is this correct.

Correct. This is not a number anymore, but a string.

Micha
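A worked version of the select-then-insert flow with the error checking Micha asks about, added here as an example and not code from the thread. It uses the mysqli extension in place of the removed mysql_* one (same sprintf/escape pattern); the connection details, the "phone" column and the sample values are assumptions.

```php
<?php
// Added example (not code from the thread). Uses the mysqli extension in place
// of the removed mysql_* one; the sprintf/escape pattern is the same as the
// OP's. Connection details and the "phone" column are assumptions.

function escape_or_fail(mysqli $db, $value) {
    // The escape function needs an open connection. A false return would
    // otherwise turn into '' inside sprintf and the SELECT would match no rows.
    $escaped = mysqli_real_escape_string($db, $value);
    if ($escaped === false) {
        throw new RuntimeException('escape failed: ' . mysqli_error($db));
    }
    return $escaped;
}

// True if the username is already taken. Each step that can fail is checked,
// which is the error handling the reply asks about.
function username_exists(mysqli $db, $username) {
    $sql = sprintf("SELECT username FROM individuals WHERE username = '%s'",
                   escape_or_fail($db, $username));
    $result = mysqli_query($db, $sql);
    if ($result === false) {
        throw new RuntimeException('select failed: ' . mysqli_error($db));
    }
    $taken = mysqli_num_rows($result) > 0;
    mysqli_free_result($result);
    return $taken;
}

function register(mysqli $db, $username, $email, $phone) {
    if (username_exists($db, $username)) {
        return false;   // caller shows the "username already exists" message
    }
    // "09-123 4567" contains '-' and a space, so it is a string: format it
    // with %s. With %d PHP would cast it to int and store 9.
    $sql = sprintf("INSERT INTO individuals (username, email, phone) VALUES ('%s', '%s', '%s')",
                   escape_or_fail($db, $username),
                   escape_or_fail($db, $email),
                   escape_or_fail($db, $phone));
    if (mysqli_query($db, $sql) === false) {
        throw new RuntimeException('insert failed: ' . mysqli_error($db));
    }
    return true;
}

var_dump(sprintf('%d', '09-123 4567'));   // string(1) "9": why %d is wrong here

$db = mysqli_connect('localhost', 'user', 'pass', 'dbname') or die(mysqli_connect_error());   // placeholders
var_dump(register($db, 'sudhakar', 'sudhakar@example.com', '09-123 4567'));   // constructed sample
```

The SELECT-then-INSERT check is not atomic, so a UNIQUE index on username should back it up; with one in place a duplicate insert surfaces as an error from mysqli_query rather than a silent second row.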
On May 21, 5:24 am, Michael Fesser <neti...@gmx.de> wrote:
> .oO(Sudhakar)
>
> >Until I started using the techniques for avoiding SQL injection, I
> >have been using a normal insert and select SQL query which worked
> >fine.
> >
> >I have a registration page where a user enters their username and if
> >this already exists I display a message by executing a select query
> >and if the username does not exist then I run an insert query.
> >
> >After adopting the technique to avoid SQL injection
> >
> >if(get_magic_quotes_gpc())
> >{
> >$username = stripslashes($_POST["username"]);
> >$email = stripslashes($_POST["email"]);
> >}
> >
> >else
> >{
> >$username = $_POST["username"];
> >$email = $_POST["email"];
> >}
> >
> >Previously my select and insert query were
> >
> >INSERT INTO individuals(username, email) values('$username', '$email')
> >Select username from individuals where username = '$username'
> >
> >Presently the insert query is
> >
> >$insertquery = sprintf("INSERT INTO individuals (username, email)
> >VALUES ('%s', '%s')",
> >mysql_real_escape_string($username),
> >mysql_real_escape_string($email));
> >
> >This insert query is working however the select query is not doing its
> >task as before of checking if the username already exists or not, even
> >if I register with the same username again it does not alert that the
> >username exists.
>
> What does "not doing its task" mean? Do you get any error messages? Do
> you have any error checking at all? Does MySQL complain about something?
>
> >The select query is
> >
> >$selectqueryusername = sprintf("Select username from individuals where
> >username='%s'", mysql_real_escape_string($username));
>
> Looks OK.
>
> >Should I change the syntax of the above select query or is there
> >something else I need to do to fix the select query.
>
> The posted code is not enough to say where the problem might be.
>
> >Also for insert query if I have a numeric value I should be writing
> >%d correct
>
> Correct, if it's an integer.
>
> >I have a numeric value however before inserting that
> >numeric value I am appending a character "-" to combine area code and
> >phone number example 09-123 4567 so I am considering this as %s as
> >there is a character. Is this correct.
>
> Correct. This is not a number anymore, but a string.
>
> Micha

Agreed - the posted code should do what is intended - the bug lies elsewhere.

C.