0

I have a problem with the steam authenticator for the web. As you know, steam provides a script to allow people to connect on your site through the steam database. My problem is : As soon as someone has a special chars in its name like simple quote, it just adds a blank name in my database...

This is the code from steam :

if($openid->validate()) { 
            $id = $openid->identity;
            $ptn = "/^http:\/\/steamcommunity\.com\/openid\/id\/(7[0-9]{15,25}+)$/";
            preg_match($ptn, $id, $matches);

            $_SESSION['steamid'] = $matches[1]; 
            $link = mysql_connect("localhost", "", "");
            $db_selected = mysql_select_db('', $link);
            $query = mysql_query("SELECT * FROM users WHERE steamid='".$_SESSION['steamid']."'");
            if (mysql_num_rows($query) == 0) {
                mysql_query("INSERT INTO users (steamid) VALUES ('".$_SESSION['steamid']."')") or die("MySQL ERROR: ".mysql_error());
            }
            if (isset($steamauth['loginpage'])) {
                header('Location: '.$steamauth['loginpage']);
            }
    } else {
            echo "User is not logged in.\n";
    }

I tried to move it to PDO but impossible to even connect. Anyone has an idea to add the steamname to my database without having the quotes ? or accepting them as no-mysql ?

I know there were a function in mysql, but it doesn't work anymore (mysql_real_escape_string)

Tariq Riahi
  • 48
  • 5
  • you dont select a Database/Schema - $db_selected = mysql_select_db('', $link); - $db_selected = mysql_select_db('[Schemaname]', $link); – Bernd Buffen Sep 15 '15 at 11:12
  • Please check http://stackoverflow.com/questions/11086576/php-insert-special-characters-into-myadmin-database and http://stackoverflow.com/questions/23883339/insert-values-containing-special-characters-into-mysql-database – mario.van.zadel Sep 15 '15 at 11:17
  • @BerndBuffen : Just wanted to hide my database name ^^ And thank you mapek ! So i should use mysqli with a m_r_e_s ? – Tariq Riahi Sep 15 '15 at 11:59

1 Answers1

0

Since you are still using mysql (which you should change to mySQLI or PDO)

you can use mysql_real_escape_string() to be sure that the input can be inserted into the database. (used a new variable to show how I did it).

When you change to PDO og mySQLI mysql_real_escape_string() wont work since you now dont have an active mysql connection.

It's important that mysql_real_escape_string() is after the mySQL connection

if($openid->validate()) { 
        $id = $openid->identity;
        $ptn = "/^http:\/\/steamcommunity\.com\/openid\/id\/(7[0-9]{15,25}+)$/";
        preg_match($ptn, $id, $matches);

        $_SESSION['steamid'] = $matches[1];
        $link = mysql_connect("localhost", "", "");
        $db_selected = mysql_select_db('', $link);

        $steamId = mysql_real_escape_string ($matches[1]);

        $query = mysql_query("SELECT * FROM users WHERE steamid='".$steamId."'");
        if (mysql_num_rows($query) == 0) {
            mysql_query("INSERT INTO users (steamid) VALUES ('".$steamId."')") or die("MySQL ERROR: ".mysql_error());
        }
        if (isset($steamauth['loginpage'])) {
            header('Location: '.$steamauth['loginpage']);
        }
} else {
        echo "User is not logged in.\n";
}
Kasper Sanguesa-Franz
  • 622
  • 5
  • 24