-2

How can I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? This is my code at the moment. Hope that someone can help me.

Thanks :-)

<input value='<?php echo $_SESSION['reg']['data']['password1']; ?>' 
devpro
Yonas
    **Stop** using `mysql_*` API. It is deprecated. Use `mysqli_*`or PDO. – Jens Jan 25 '16 at 08:15
  • @Jens I like MySQL so I'm gonna use it. That is not an answer to my question, however thanks anyway for the weird answer lol. – Yonas Jan 25 '16 at 08:17
  • 1
    Stop using the **deprecated and as of PHP7 removed** mysql_* functions. Migrate to PDO and start using Prepared Statements, it really isn't hard. – Charlotte Dunois Jan 25 '16 at 08:19
  • 2
    @Yonas Nobody ever said 'stop using MySQL'.. see http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php , http://stackoverflow.com/q/12859942/2864740 – user2864740 Jan 25 '16 at 08:19
  • @CharlotteDunois If it's not hard, why don't you come help me on TeamViewer? I have many many classes on my website, it's not just a basic switch over to mysqli. ;) – Yonas Jan 25 '16 at 08:20
  • Well, depends on your requirement: if the session value comes from the database then there is no need to escape it; if you are saving it from user input then you must prevent it. – devpro Jan 25 '16 at 08:21
  • @devpro What an .. odd statement. Always use placeholders. If you don't have placeholders, always escape. (Where 'always' means, until there is a *justified* reason to do otherwise.) Coming from the database is still subject to second-order injection. There is no reason to make 'exceptions'. – user2864740 Jan 25 '16 at 08:21
  • @user2864740: can you explain what dump... :p – devpro Jan 25 '16 at 08:22
  • @devpro Yeah, it's coming from the user input. Can you fix it in my code? I have searched and tried everything, but can't escape this. – Yonas Jan 25 '16 at 08:23
  • 4
    When passwords get stored in sessions and echoed out to inputs, all kinds of alarm-bells start ringing... – jeroen Jan 25 '16 at 08:26
  • No one can fix my code? @user2864740 – Yonas Jan 25 '16 at 08:30

1 Answer

0

See the manual, something like:

<?php

// Both values come straight from the session; they are escaped for use
// inside the single-quoted string literals of the query below.
$user     = $_SESSION['reg']['data']['user'];
$password = $_SESSION['reg']['data']['password'];

// mysql_real_escape_string() needs an open mysql_connect() link: without one
// it emits a warning and returns false, which sprintf() renders as an empty string.
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
Progrock
  • Thanks man! I changed it a little bit and now it works perfectly. No SQL injection possible anymore. =) – Yonas Jan 25 '16 at 08:43
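The comments above recommend prepared statements over escaping, so here is the same lookup as the answer written with bound parameters, as an added example rather than code from the question or the answer. The DSN, credentials, and the `users` table with `id`, `user` and `password` columns are assumptions; the `password` column is assumed to hold a `password_hash()` value, which also addresses jeroen's point about carrying plaintext passwords around. Both a PDO and a mysqli variant are shown, since both were suggested. Written for PHP 7.1 or later.

```php
<?php
// Added example (not the answerer's code): the lookup from the answer done
// with prepared statements. DSN, credentials, table and column names are
// assumptions; `password` is assumed to store a password_hash() value.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',  // assumed DSN
        'app_user',                                          // assumed credentials
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements, not client-side emulation,
            // so the values are never spliced into the SQL text at all.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Look up the user named in the session and verify the submitted password
 * against the stored hash. Returns the user row (without the hash) or null.
 *
 * The session value is sent as a bound parameter, separately from the SQL
 * text, so its content cannot alter the query. Nothing needs escaping, and it
 * makes no difference whether the value originally came from user input or
 * from the database (the second-order injection case raised in the comments).
 */
function authenticateFromSession(PDO $pdo, array $session): ?array
{
    $user     = $session['reg']['data']['user']     ?? '';
    $password = $session['reg']['data']['password'] ?? '';

    $stmt = $pdo->prepare('SELECT id, user, password FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch();

    // Verify against a password_hash() value in PHP instead of comparing a
    // plaintext password inside the WHERE clause.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

/**
 * Same lookup with mysqli prepared statements, for code bases moving from
 * mysql_* to mysqli_* rather than PDO. '?' is a positional placeholder and
 * 's' tells bind_param() the value is a string.
 */
function lookupUserMysqli(mysqli $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT id, user, password FROM users WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage, assuming the session layout from the question:
// session_start();
// $account = authenticateFromSession(connect(), $_SESSION);
// if ($account === null) { /* login failed */ }
```

With placeholders there is no per-value escaping step to forget, which is why the comments push for them over mysql_real_escape_string(); the escaping approach in the answer also only protects values that land inside quoted string literals, whereas a bound parameter is safe regardless of where it is used in the statement.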