...

View Full Version : Real Escape string question



PRodgers4284
03-14-2008, 04:00 PM
I am trying to make my code my secure and prevent sql injection attacks, i have the following code that add records to a sql database and im wondering if am going about this in the correct way:


<?php


if (isset($_POST['submit'])) {

$error_stat = 0;
$jobtitle_message = '';
$jobcatergory_message = '';
$joblocation_message = '';
$employmenttype_message = '';
$salary_message = '';
$date_message = '';
$educationallevel_message = '';
$description_message = '';
$filesize_message = '';
$filetype_message = '';



$jobtitle = $_POST['jobtitle'];
$jobcatergory = $_POST['jobcatergory'];
$joblocation = $_POST['joblocation'];
$employmenttype= ($_POST['employmenttype']);
$salary = $_POST['salary'];
$date = $_POST['date'];
$educationallevel = $_POST['educationallevel'];
$description = $_POST['description'];
$name = $_POST['name'];
$type = $_POST['type'];
$size = $_POST['size'];
$path = $_POST['path'];


//Error checking



// Job Title check)
if (!$jobtitle) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a username
$jobtitle_message = '*Please enter a job title*';
}

else if (ctype_digit($jobtitle)) {
$error_stat = 1;
$jobtitle_message .= '*Invalid Job Title*';
}

else if ( preg_match( '/\W/', $jobtitle)){
$error_stat = 1;
$jobtitle_message = '*Invalid jobtitle, letters only, no spaces*';

}

$jobtitle = $_POST['jobtitle'];
$jobtitle = trim($jobtitle);

if (strlen($jobtitle) > 30){
$error_stat = 1;
$jobtitle_message = '*Job Title must be 20 characters or less*';
}






// Job Catergory Check)
if ($jobcatergory == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$jobcatergory_message = '*Please select a Job Catergory*';
}





// Job Location Check)
if ($joblocation == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$joblocation_message = '*Please select a Job location*';
}


// Employment Type Check)
if ($employmenttype == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$employmenttype_message = '*Please select Employment type*';
}





// Salary check)
if (!$salary) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a username
$salary_message = '*Please enter job salary*';
}

else if (!ctype_digit($salary)) {
$error_stat = 1;
$salary_message .= '*Invalid salary*';
}




//Date check)
if (empty($date)) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a dob
$date_message = '*Please enter job closing date*';
}

//Check the format and explode into $parts
elseif (!ereg("^([0-9]{2})/([0-9]{2})/([0-9]{4})$",
$date, $parts)){
$error_stat = 1;

//Set the message to tell the user the date is invalid
$date_message = '*Invalid date, must be DD/MM/YYYY format*';
}

elseif (!checkdate($parts[2],$parts[1],$parts[3]))
{
$error_stat = 1;

//Set the message to tell the date is invalid for the month entered
$date_message = '*Invalid date, month must be between 1-12*';
}


// Job Description check)
if (!$description) {
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;

//Set the message to tell the user to enter a username
$description_message = '*Please enter a job description*';
}



// Educational Level Check)
if ($educationallevel == 'Please Select'){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$educationallevel_message = '*Please select Educational level required*';
}


if( $_FILES['userfile']['size'] > 2000000 ){
//Set the error_stat to 1, which means that an error has occurred
$error_stat = 1;
$filesize_message = '*Filesize too large *';

}

$fileTypes = array("application/pdf", "application/msword");

if( !in_array("{$_FILES['userfile']['type']}", $fileTypes) ){
$error_stat = 1;
$filetype_message = '*Filetype not allowed *';

}




$uploadDir = 'applicationforms/';

if (isset($_POST['submit']) && $error_stat == 0) {


$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];

// the files will be saved in filePath
$filePath = $uploadDir . $fileName;

// move the files to the specified directory
// if the upload directory is not writable or
// something else went wrong $result will be false
$result = move_uploaded_file($tmpName, $filePath);


include("database.php");

if(!get_magic_quotes_gpc())
{
$fileName = addslashes($fileName);
$filePath = addslashes($filePath);
}
}



$account = mysql_fetch_array(mysql_query("SELECT * FROM employers WHERE username='" . $_SESSION["username"] . "'"));

$username = $account["username"];

}
$count_sql = "select * FROM job WHERE username='" . $_SESSION["username"] . "'";
$count_result = mysql_query($count_sql);
$count = mysql_num_rows($count_result);


if ($count >= 4) {
echo "<h4>Error, You cannot add .</h4>";
echo "<h4>There are already 4 existing jobs in the database, to add another job please deleting an existing one.</h4>";
}



//Then, only run the query if there were no errors (if $error_stat still equals 0)
else if (isset($_POST['submit']) && $error_stat == 0) {
mysql_query("INSERT INTO job (username, jobtitle, jobcatergory, joblocation, employmenttype, salary, date, educationallevel, description, name, type, size, path) VALUES ('$username', '$jobtitle', '$jobcatergory', '$joblocation', '$employmenttype', '$salary', '$date', '$educationallevel', '$description', '$fileName', '$fileType', '$fileSize', '$filePath')");

echo "<h3>Job has been successfully added to the database!</h3>";
echo "<p>Thankyou, <b>$username</b></p>";
echo "<p>Back to main page.</p>";
echo "<a href=\"index2.php\">Login</a>";


}




//Then, for the form, only show it if 1) the form hasn't been submitted yet OR 2) there is an error
elseif (!isset($_POST['submit']) || $error_stat == 1) {



?>


Would it be sufficient to use: "$jobtitle = (mysql_real_escape_string($_POST['jobtitle']));" at the begining of the code for the values being added to the database?

Inigoesdr
03-14-2008, 08:36 PM
You don't need those outer parenthesis, and you need to have a mysql connection before you use it so the function can use the proper charset for the database, but that should work.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum