php sql security

I have the below query which limits users from submitting a form more than once per day. How could I write this SQL/SELECT statement in a secure way in my php code (to protect from injection, etc)?  Below includes the SQL select statement that phpMyAdmin output as php:

//one-a-day validation
$email = $data["email"];
$result = $this->_db->QuickArray(
    "SELECT count(*) AS ct\n"
    "FROM myTable\n"
    "WHERE email =\'$email\'\n"
    "AND submitdate >= curDate() \n"
    "AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
                  return false;

Do I have to include something with "mysql_real_escape_string" for security ?
What is the \n for ?

thanks..
web5dev7Asked:
Who is Participating?
 
maeltarConnect With a Mentor Commented:
I use the following function :

function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

Open in new window


which you would use in your example :

//one-a-day validation

$email = check_input($data["email"]);

$result = $this->_db->QuickArray(
    "SELECT count(*) AS ct "
    "FROM myTable "
    "WHERE email =\'$email\' "
    "AND submitdate >= curDate() "
    "AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";);

$foundSomething = $result[0];
if($foundSomething) {
                  return false;
}

Open in new window

0
 
Dave BaldwinFixer of ProblemsCommented:
"mysql_real_escape_string" is for escaping text on an INSERT or UPDATE.  It is not useful on a SELECT because a SELECT does not change any data.  \n is for the linefeed character.  It should not be there in the SQL statement and the SQL statement should be a single continuous string, not an array.  Unless you have code that puts that back together, you can't use that as a query.  At least not in any way that I know about.
0
 
dsmileCommented:
Yes, you should use mysql_real_escape_string to prevent security issue.

Just like this

$email = mysql_real_escape_string($data["email"]);

\n is for line break on linux/unix
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
dsmileCommented:
Damn slow network.
I don't mean to double post, sorry
0
 
maeltarCommented:
Line 8 is supposed to read :

Note, quoting is no longer required in your query as it is done by the function as necessary.
    "WHERE email = $email "

Open in new window

0
 
web5dev7Author Commented:
hmmm... not working (throwing generic error). When I put back my old code it works.

Here is your code as it is on my page:

//check one-a-day input
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}


//one-a-day validation

$email = check_input($data["email"]);

$result = $this->_db->QuickArray(
    "SELECT count(*) AS ct "
    "FROM myTable"
    "WHERE email = $email"
    "AND submitdate >= curDate() "
    "AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);

$foundSomething = $result[0];
      if($foundSomething) {
                        return false;
}
0
 
web5dev7Author Commented:
pretty close - eventually got it to work.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.