web5dev7
asked on
php sql security
I have the below query which limits users from submitting a form more than once per day. How could I write this SQL/SELECT statement in a secure way in my php code (to protect from injection, etc)? Below includes the SQL select statement that phpMyAdmin output as php:
//one-a-day validation
$email = $data["email"];
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct\n"
"FROM myTable\n"
"WHERE email =\'$email\'\n"
"AND submitdate >= curDate() \n"
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
Do I have to include something with "mysql_real_escape_string" for security ?
What is the \n for ?
thanks..
//one-a-day validation
$email = $data["email"];
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct\n"
"FROM myTable\n"
"WHERE email =\'$email\'\n"
"AND submitdate >= curDate() \n"
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
Do I have to include something with "mysql_real_escape_string"
What is the \n for ?
thanks..
"mysql_real_escape_string" is for escaping text on an INSERT or UPDATE. It is not useful on a SELECT because a SELECT does not change any data. \n is for the linefeed character. It should not be there in the SQL statement and the SQL statement should be a single continuous string, not an array. Unless you have code that puts that back together, you can't use that as a query. At least not in any way that I know about.
Yes, you should use mysql_real_escape_string to prevent security issue.
Just like this
$email = mysql_real_escape_string($ data["emai l"]);
\n is for line break on linux/unix
Just like this
$email = mysql_real_escape_string($
\n is for line break on linux/unix
Damn slow network.
I don't mean to double post, sorry
I don't mean to double post, sorry
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Line 8 is supposed to read :
Note, quoting is no longer required in your query as it is done by the function as necessary.
Note, quoting is no longer required in your query as it is done by the function as necessary.
"WHERE email = $email "
ASKER
hmmm... not working (throwing generic error). When I put back my old code it works.
Here is your code as it is on my page:
//check one-a-day input
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($ value) . "'";
}
return $value;
}
//one-a-day validation
$email = check_input($data["email"] );
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct "
"FROM myTable"
"WHERE email = $email"
"AND submitdate >= curDate() "
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
}
Here is your code as it is on my page:
//check one-a-day input
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($
}
return $value;
}
//one-a-day validation
$email = check_input($data["email"]
$result = $this->_db->QuickArray(
"SELECT count(*) AS ct "
"FROM myTable"
"WHERE email = $email"
"AND submitdate >= curDate() "
"AND submitdate < DATE_ADD(curDate(), INTERVAL 1 DAY)";
);
$foundSomething = $result[0];
if($foundSomething) {
return false;
}
ASKER
pretty close - eventually got it to work.