
View Full Version : Real Escape string question



PRodgers4284
03-14-2008, 03:00 PM
I am trying to make my code more secure and prevent SQL injection attacks. I have the following code that adds records to a SQL database, and I'm wondering if I am going about this in the correct way:


<?php


if (isset($_POST['submit'])) {

// Everything in this block runs only when the form was submitted.
// $error_stat is a flag: 0 = no validation error so far, 1 = at least one error.
$error_stat = 0;
// One message per field; each stays '' unless its check below fails.
$jobtitle_message = '';
$jobcatergory_message = '';
$joblocation_message = '';
$employmenttype_message = '';
$salary_message = '';
$date_message = '';
$educationallevel_message = '';
$description_message = '';
$filesize_message = '';
$filetype_message = '';



// Raw form values, copied from $_POST with no escaping. The same variables are
// interpolated into the INSERT query further down, so every one of them must be
// escaped (or bound as a query parameter) before it reaches the query.
$jobtitle = $_POST['jobtitle'];
$jobcatergory = $_POST['jobcatergory'];
$joblocation = $_POST['joblocation'];
$employmenttype= ($_POST['employmenttype']);
$salary = $_POST['salary'];
$date = $_POST['date'];
$educationallevel = $_POST['educationallevel'];
$description = $_POST['description'];
// NOTE(review): $name, $type, $size and $path are read here but never used in
// this listing; the file values written to the database come from $_FILES below.
$name = $_POST['name'];
$type = $_POST['type'];
$size = $_POST['size'];
$path = $_POST['path'];


//Error checking



// Job Title check)
// Truthiness test: an empty string fails, but so does the single character '0'.
if (!$jobtitle) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a job title
$jobtitle_message = '*Please enter a job title*';
}

// Reject a title made up of digits only.
else if (ctype_digit($jobtitle)) {
$error_stat = 1;
$jobtitle_message .= '*Invalid Job Title*';
}

// \W matches any character outside [A-Za-z0-9_], so spaces and punctuation are
// rejected; digits and underscores still pass even though the message says
// "letters only".
else if ( preg_match( '/\W/', $jobtitle)){
$error_stat = 1;
$jobtitle_message = '*Invalid jobtitle, letters only, no spaces*';

}

// The value is re-read and trimmed only after the checks above, so leading or
// trailing whitespace has already failed the \W check. The trimmed value is
// what the length check and the INSERT use.
$jobtitle = $_POST['jobtitle'];
$jobtitle = trim($jobtitle);

// NOTE(review): the limit enforced here is 30 characters, but the message says 20.
if (strlen($jobtitle) > 30){
$error_stat = 1;
$jobtitle_message = '*Job Title must be 20 characters or less*';
}






// Job Catergory Check)
// 'Please Select' is the placeholder option of the drop-down; anything else is accepted as-is.
if ($jobcatergory == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$jobcatergory_message = '*Please select a Job Catergory*';
}





// Job Location Check)
if ($joblocation == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$joblocation_message = '*Please select a Job location*';
}


// Employment Type Check)
if ($employmenttype == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$employmenttype_message = '*Please select Employment type*';
}





// Salary check)
// Truthiness test: a salary of '0' is treated as missing.
if (!$salary) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a salary
$salary_message = '*Please enter job salary*';
}

// Only an unsigned all-digit string passes (no sign, decimal point or separators).
else if (!ctype_digit($salary)) {
$error_stat = 1;
$salary_message .= '*Invalid salary*';
}




//Date check)
if (empty($date)) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a closing date
$date_message = '*Please enter job closing date*';
}

//Check the format and explode into $parts
// $parts[1] = DD, $parts[2] = MM, $parts[3] = YYYY. ereg() was removed in PHP 7;
// preg_match('#^([0-9]{2})/([0-9]{2})/([0-9]{4})$#', $date, $parts) is the
// equivalent call with the same capture groups.
elseif (!ereg("^([0-9]{2})/([0-9]{2})/([0-9]{4})$",
$date, $parts)){
$error_stat = 1;

//Set the message to tell the user the date is invalid
$date_message = '*Invalid date, must be DD/MM/YYYY format*';
}

// checkdate(month, day, year) also rejects a day that does not exist in the
// given month, not only an out-of-range month as the message suggests.
// NOTE(review): the accepted value is later stored as the raw 'DD/MM/YYYY'
// string; if the `date` column is a DATE type this will not parse -- confirm the schema.
elseif (!checkdate($parts[2],$parts[1],$parts[3]))
{
$error_stat = 1;

//Set the message to tell the date is invalid for the month entered
$date_message = '*Invalid date, month must be between 1-12*';
}


// Job Description check)
// Truthiness test, same caveat as the job title: '0' counts as empty.
if (!$description) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a job description
$description_message = '*Please enter a job description*';
}



// Educational Level Check)
if ($educationallevel == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$educationallevel_message = '*Please select Educational level required*';
}


// Upload checks. Only the reported size is tested; $_FILES['userfile']['error']
// is never consulted, so a failed or missing upload is not reported here.
if( $_FILES['userfile']['size'] > 2000000 ){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$filesize_message = '*Filesize too large *';

}

// 'type' is the MIME type reported by the client, not derived from the file's
// contents, so this check limits what a well-behaved browser sends but does not
// verify that the stored file really is a PDF or Word document.
$fileTypes = array("application/pdf", "application/msword");

if( !in_array("{$_FILES['userfile']['type']}", $fileTypes) ){
$error_stat = 1;
$filetype_message = '*Filetype not allowed *';

}




// Relative to the working directory of the script.
$uploadDir = 'applicationforms/';

// The submit test is redundant here (the enclosing if already required it);
// the upload and escaping below happen only when every check above passed.
if (isset($_POST['submit']) && $error_stat == 0) {


// Original client-side filename, used unchanged as the name on disk.
$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];

// the files will be saved in filePath
// NOTE(review): nothing strips directory components from $fileName or
// generates a unique name, so a client-chosen name decides where the file
// lands and can overwrite an existing upload with the same name. basename()
// plus a server-generated name would close both gaps.
$filePath = $uploadDir . $fileName;

// move the files to the specified directory
// if the upload directory is not writable or
// something else went wrong $result will be false
// $result is never checked afterwards: a failed move still leads to the INSERT
// below. Note also that the file is moved before the job-count limit is
// enforced further down.
$result = move_uploaded_file($tmpName, $filePath);


// NOTE(review): presumably opens the mysql connection used below -- not shown here.
include("database.php");

// Escapes only the two file-derived strings, and only when magic quotes are
// off. None of the $_POST values above receive the same treatment.
// get_magic_quotes_gpc() has returned false since PHP 5.4 and was removed in
// PHP 8; escaping at query time (mysql_real_escape_string() on an open
// connection, or a prepared statement) is what covers every value.
if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
$filePath = addslashes($filePath);
}
}



// $_SESSION["username"] is interpolated into the query unescaped, and the query
// result goes straight into mysql_fetch_array() with no error check. No
// session_start() appears in this listing (it may be in database.php).
$account = mysql_fetch_array(mysql_query("SELECT * FROM employers WHERE username='" . $_SESSION["username"] . "'"));

// Username as stored in the employers row; interpolated into the INSERT and
// echoed back to the page later on.
$username = $account["username"];

}
// Runs on every request, submitted or not: counts this user's existing jobs.
// Same unescaped $_SESSION interpolation as the employers lookup above, and
// again no check that the query succeeded before mysql_num_rows() is called.
$count_sql = "select * FROM job WHERE username='" . $_SESSION["username"] . "'";
$count_result = mysql_query($count_sql);
$count = mysql_num_rows($count_result);


// Cap of four jobs per user. By the time this runs, a submitted file has
// already been moved into $uploadDir above, so a rejected job still leaves its
// upload on disk.
if ($count >= 4) {
echo "<h4>Error, You cannot add .</h4>";
echo "<h4>There are already 4 existing jobs in the database, to add another job please deleting an existing one.</h4>";
}



//Then, only run the query if there were no errors (if $error_stat still equals 0)
// Every value is wrapped in single quotes, so escaping each variable with
// mysql_real_escape_string() (after the connection is open) would neutralise
// quote characters here; a prepared statement (mysqli/PDO) removes the need to
// escape by hand. So far only $fileName and $filePath have been escaped, and
// only when magic quotes are off.
else if (isset($_POST['submit']) && $error_stat == 0) {
mysql_query("INSERT INTO job (username, jobtitle, jobcatergory, joblocation, employmenttype, salary, date, educationallevel, description, name, type, size, path) VALUES ('$username', '$jobtitle', '$jobcatergory', '$joblocation', '$employmenttype', '$salary', '$date', '$educationallevel', '$description', '$fileName', '$fileType', '$fileSize', '$filePath')");

// The return value of mysql_query() is ignored, so the success message is
// printed even when the INSERT failed.
echo "<h3>Job has been successfully added to the database!</h3>";
// $username is written into HTML unescaped; htmlspecialchars() is the usual guard.
echo "<p>Thankyou, <b>$username</b></p>";
echo "<p>Back to main page.</p>";
echo "<a href=\"index2.php\">Login</a>";


}




//Then, for the form, only show it if 1) the form hasn't been submitted yet OR 2) there is an error
// When the form was not submitted $error_stat is undefined, but the first
// operand is already true so it is never read. Because this is the last branch
// of the if/else chain, a submission with errors from a user who already has
// four jobs gets the count message and not the form. The body of this branch
// (the form itself) continues after the closing ?> outside this listing.
elseif (!isset($_POST['submit']) || $error_stat == 1) {



?>


Would it be sufficient to use "$jobtitle = (mysql_real_escape_string($_POST['jobtitle']));" at the beginning of the code for the values being added to the database?

Inigoesdr
03-14-2008, 07:36 PM
You don't need those outer parentheses, and you need to have a MySQL connection open before you call it so the function can use the proper character set for the database, but that should work.