0

I have a website which takes prices from the Steam Market. It takes the price by the item's name. Then my JavaScript bot gets the information about the item and processes it into MySQL (while a PHP file processes it into another table).

So the problem starts with that. Some items have the string ' in their names, and it causes my JavaScript bot to get bugged and crash. So far I have the code below.

Is there any way to save it to the DB and send the info to the JavaScript bot with those strings? Sorry, maybe I lack the logic.

    <?php
    $item = $_GET['item'];
    // Note: inside a double-quoted PHP string "\'" is a backslash followed by
    // a quote, so the second call only removes the two-character sequence \'
    // and leaves a bare single quote in the name untouched.
    $item = str_replace("\"", "", $item);
    $item = str_replace("\'", "", $item);
    $item = str_replace(" ", "%20", $item);
    $item = str_replace("\\", "", $item);
    @include_once ("set.php");
    // $item is interpolated straight into the SQL; any quote left in the
    // name becomes part of the query text.
    $rs = mysql_query("SELECT * FROM items WHERE name='$item'");
    if(mysql_num_rows($rs) > 0) {
        $row = mysql_fetch_array($rs);
        // Serve the cached price if it is less than 7 days (604800 s) old.
        if(time()-$row["lastupdate"] < 604800) die($row["cost"]);
    }
    $link = "http://steamcommunity.com/market/priceoverview/?currency=1&appid=730&market_hash_name=".$item;
    $string = file_get_contents($link);
    $obj = json_decode($string);
    if($obj->{'success'} == "0") die("notfound");
    $lowest_price = $obj->{'lowest_price'};
    // Shift the string left by 5 characters to drop the currency prefix
    // (presumably the HTML entity "&#36;" for "$"); the leftover tail is
    // ignored by the (float) cast below.
    for($i = 5; $i < strlen($lowest_price); $i++) {
        $lowest_price[$i-5] = $lowest_price[$i];
    }
    $lowest_price[strlen($lowest_price)] = 0;
    $lowest_price = (float)($lowest_price);
    mysql_query("DELETE FROM items WHERE name='$item'");
    mysql_query("INSERT INTO items (`name`,`cost`,`lastupdate`) VALUES ('$item','$lowest_price','".time()."')");
    echo $lowest_price;
    ?>
Le Bleu
  • Yes typecast it to `(string)` – Daan Jul 20 '15 at 14:12
  • 4
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 20 '15 at 14:16
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jul 20 '15 at 14:16
  • @Daan can you explain more? Or is there any guide I could use? My English is not so good after all, unfortunately. – Le Bleu Jul 20 '15 at 14:25
  • @JayBlanchard I don't think I can right now. :( And other solutions? – Le Bleu Jul 20 '15 at 14:25
  • 1
    You have to escape the strings correctly. And at the very least, use `mysql_real_escape_string($item)` before executing the `SELECT` query. Where does what crash? Your PHP script? Some JavaScript not shown here? Perhaps these help: http://stackoverflow.com/questions/8744315/single-quote-escape-in-javascript-function-parameters, http://stackoverflow.com/questions/16134910/how-to-escape-a-single-quote-in-javascript. – stef77 Jul 20 '15 at 14:46

2 Answers

1
    $item = $_GET['item'];
    $item = str_replace("\"", "", $item);
    $item = str_replace("\'", "", $item);
    $item = str_replace(" ", "%20", $item);
    $item = str_replace("\\", "", $item);
    // Percent-encode parentheses as well, so they survive in the URL.
    $item = str_replace("(", "%28", $item);
    $item = str_replace(")", "%29", $item);
donq
-1

So, will it be like this?

    <?php
    $item = $_GET['item'];
    $item = str_replace("\"", "", $item);
    $item = str_replace("\'", "", $item);
    $item = str_replace(" ", "%20", $item);
    $item = str_replace("\\", "", $item);
    $item = (string)$item;
Le Bleu
  • 1
    No, just use prepared statements and you won't need this. Read the comments on your question again. Did you understand it? Will you do it? Why, or why not? – Janus Troelsen Jul 20 '15 at 14:43
  • This is completely, hopelessly inadequate. As stef77 says, at the **absolute least** use `mysql_real_escape_string` but migrate to PDO or something better **as soon as possible**. If this code is a work in progress and isn't complete, that time is now. – tadman Jul 20 '15 at 15:49
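Added example, not code from the question or either answer: the same lookup rewritten with PDO prepared statements and `rawurlencode()`, which is what the comments above recommend. The DSN, credentials, the JSON response shape and the 255-character limit are assumptions; the `items(name, cost, lastupdate)` table and the Steam URL come from the question.

```php
<?php
// Added example (not the asker's code): the lookup with PDO prepared
// statements, so a name containing ' or " is bound as data rather than
// spliced into SQL. DSN and credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=steam;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$item = $_GET['item'] ?? '';
if ($item === '' || strlen($item) > 255) {  // assumed sanity limit
    http_response_code(400);
    exit('bad item');
}

// 1. Cached price from the last 7 days? The name is a bound parameter.
$sel = $pdo->prepare('SELECT cost, lastupdate FROM items WHERE name = ?');
$sel->execute([$item]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
if ($row && time() - (int)$row['lastupdate'] < 604800) {
    header('Content-Type: application/json');
    exit(json_encode(['name' => $item, 'cost' => (float)$row['cost']]));
}

// 2. Ask Steam. rawurlencode() covers spaces, quotes, parentheses and every
//    other reserved character, replacing the per-character str_replace calls.
$url = 'http://steamcommunity.com/market/priceoverview/?currency=1&appid=730'
     . '&market_hash_name=' . rawurlencode($item);
$obj = json_decode((string)@file_get_contents($url));
if (!$obj || empty($obj->success) || !isset($obj->lowest_price)) {
    http_response_code(404);
    exit('notfound');
}

// 3. Decode the price text (e.g. "&#36;1.23" -> "$1.23") and extract the
//    number instead of dropping a fixed five characters.
$text = html_entity_decode($obj->lowest_price, ENT_QUOTES | ENT_HTML5);
if (!preg_match('/\d+(?:\.\d+)?/', str_replace(',', '', $text), $m)) {
    http_response_code(502);
    exit('badprice');
}
$cost = (float)$m[0];

// 4. Same delete-then-insert as the original, now with bound parameters.
$pdo->beginTransaction();
$pdo->prepare('DELETE FROM items WHERE name = ?')->execute([$item]);
$pdo->prepare('INSERT INTO items (name, cost, lastupdate) VALUES (?, ?, ?)')
    ->execute([$item, $cost, time()]);
$pdo->commit();

// 5. Return JSON so the bot parses an object instead of building a string
//    literal around the name (the part a stray ' was breaking).
header('Content-Type: application/json');
echo json_encode(['name' => $item, 'cost' => $cost]);
```

On the bot side, `JSON.parse(body).cost` then replaces reading the raw text response, and the item name never has to be quoted by hand in JavaScript.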