TalkPHP
Post #21, Morishani (The Contributor), 02-24-2008, 02:16 PM

Kick ass shit :)
I wish it was faster.
__________________
Kitchens (Hebrew: מטבחים)
Post #22, Devels (The Contributor), 02-25-2008, 09:59 AM

What does the letter 'z' mean in this string: $szSQL?
Post #23, Village Idiot (Wizard, Top Contributor), 02-25-2008, 12:34 PM

I honestly find this to be overkill. And I know this is a difference in our coding styles, but I see it as unnecessarily long and harder to read than my method of doing it. The easiest and fastest way to prevent this is to clean your queries and put your values in ''s. That way you cannot inject false values (' is escaped).

SELECT * FROM `table` WHERE `value` = '$value'

This is what the MySQL manual says to do.

Last edited by Village Idiot: 02-25-2008 at 01:53 PM.
Post #24, maZtah (The Acquainted), 03-18-2008, 11:54 AM

Quote (Originally Posted by Devels):
    What does the letter 'z' mean in this string: $szSQL?

It just looks a bit better than $sSQL.
Post #25, maZtah (The Acquainted), 03-18-2008, 11:56 AM

How would you do this with sprintf:

PHP Code:
$szQuery = sprintf("SELECT DATE_FORMAT(postDate, '%d/%m/%Y') AS postDate FROM table WHERE id = %d", $iId);

This gives an error because of the %d from the DATE_FORMAT.
Post #26, Salathe (Moderator, RegEx Guru, PHP Guru, Top Contributor, Advanced Programmer), 03-18-2008, 03:21 PM

To print a literal percent symbol, use two together:

PHP Code:
printf('%d%% sale, today only!', 50); // 50% sale, today only!
__________________
salathe@php.net
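Applying Salathe's answer to the query maZtah asked about in post #25, as an added example that is not code from the thread (the function name buildPostDateQuery is an assumed one): the percent signs that belong to MySQL's DATE_FORMAT pattern are doubled so sprintf passes them through untouched, while the final %d remains a real sprintf conversion that turns whatever arrives in $iId into an integer before it reaches the SQL.

```php
<?php
// Added example, not code from the thread. buildPostDateQuery() is an
// assumed name; the query is the one from post #25 with Salathe's %% fix.
function buildPostDateQuery($iId)
{
    // sprintf turns each '%%' into a single '%', so MySQL receives the
    // DATE_FORMAT pattern as '%d/%m/%Y' exactly as written in post #25.
    // The trailing %d is the only conversion sprintf performs: the
    // argument is converted to an integer, so a value such as "42 OR 1=1"
    // collapses to 42 and no SQL text from the caller lands in the query.
    $szQuery = sprintf(
        "SELECT DATE_FORMAT(postDate, '%%d/%%m/%%Y') AS postDate "
        . "FROM table WHERE id = %d",
        $iId
    );
    return $szQuery;
}

// Constructed inputs: a well-formed id and a tampered one. Both produce a
// query whose id is a plain integer, which is the protection the thread
// relies on for integer columns. This does not carry over to strings: a
// value substituted through %s is inserted verbatim and still needs
// escaping and quoting before it is safe to send to MySQL.
echo buildPostDateQuery(42), "\n";
echo buildPostDateQuery("42 OR 1=1"), "\n";
```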
Post #27, Orc (The Prestige), 03-18-2008, 06:52 PM

Quote (Originally Posted by Village Idiot):
    Either way, using ` is an easier way to secure your queries.

I do it all the time.
__________________
VillageIdiot can have my babbies ;d
LinkBack to this Thread: http://www.talkphp.com/general/1062-securing-your-mysql-queries-sprintf.html