web5dev7
asked on
php sql security
I have the below query which limits users from submitting a form more than once per day. How could I write this SQL/SELECT statement in a secure way in my php code (to protect from injection, etc)? Below includes the SQL select statement that phpMyAdmin output as php:
//one-a-day validation
$email = $data["email"];
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct\n"
"FROM myTable\n"
"WHERE email =\'$email\'\n"
"AND submitdate >= curDate() \n"
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
Do I have to include something with "mysql_real_escape_string"
What is the \n for ?
thanks..
//one-a-day validation
$email = $data["email"];
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct\n"
"FROM myTable\n"
"WHERE email =\'$email\'\n"
"AND submitdate >= curDate() \n"
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
Do I have to include something with "mysql_real_escape_string"
What is the \n for ?
thanks..
Dave Baldwin
"mysql_real_escape_string"
Yes, you should use mysql_real_escape_string to prevent security issue.
Just like this
$email = mysql_real_escape_string($
\n is for line break on linux/unix
Just like this
$email = mysql_real_escape_string($
\n is for line break on linux/unix
Damn slow network.
I don't mean to double post, sorry
I don't mean to double post, sorry
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Line 8 is supposed to read :
Note, quoting is no longer required in your query as it is done by the function as necessary.
Note, quoting is no longer required in your query as it is done by the function as necessary.
"WHERE email = $email "ASKER
hmmm... not working (throwing generic error). When I put back my old code it works.
Here is your code as it is on my page:
//check one-a-day input
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($
}
return $value;
}
//one-a-day validation
$email = check_input($data["email"]
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct "
"FROM myTable"
"WHERE email = $email"
"AND submitdate >= curDate() "
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
}
Here is your code as it is on my page:
//check one-a-day input
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($
}
return $value;
}
//one-a-day validation
$email = check_input($data["email"]
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct "
"FROM myTable"
"WHERE email = $email"
"AND submitdate >= curDate() "
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
}
ASKER
pretty close - eventually got it to work.