MakeWebGames

Posted

Ok so I hear using sprintf is safer and more secure, correct?

But how do you do it? Ok, so if we take a simple query...

 

$db->query("UPDATE users SET example=example+1 WHERE userid=$userid",$c);

How would we use sprintf in it?


Posted

Re: How to use sprintf?

Well how i would use sprintf in that query would be

changing the one you posted to

$UserUpdate = sprintf("UPDATE users SET example = example + 1 WHERE (userid = %u)", $userid);

mysql_query($UserUpdate);

Posted

Re: How to use sprintf?

I like to space mine out.... but it's exactly the same effect.

 

$update = sprintf("UPDATE users SET example = example + 1 WHERE userid = '%u' ",
    ($userid));
mysql_query($update);
Posted

Re: How to use sprintf?

http://www.w3schools.com/PHP/func_string_sprintf.asp

that's where I started first of all.... trust me, it does help.

I do mine like this now lol. Thanks Luke

 

$userupdate = sprintf
(
   "UPDATE `users` SET `example` = `example` + ('%d') WHERE `userid` = ('%u')",

1 ,
$userid
);
mysql_query($userupdate);

 

I'm not sure if it helps by doing it the way I did

`example` = `example` + ('%d')
and then placing the 1 afterwards, but I keep doing it that way so that I can get used to everything.....

but definitely check out that link 03laceys, that is where I started last night and I have evolved to programming a whole mod using sprintf.

Posted

Re: How to use sprintf?

Thank you shaved, although I have read the w3schools page a few times it still hasn't helped.

Sorry i am a slow learner.

 

$userupdate = sprintf
(
   "UPDATE `users` SET `example` = `example` + ('%d') WHERE `userid` = ('%u')",

  1 ,
  $userid
);
mysql_query($userupdate);

 

why are you using ('%d')? how is the 1 called to that position?

Posted

Re: How to use sprintf?

lol actually that I'm not certain about, I just know from looking at examples that the way you place them in the query is how you would place them afterwards... I will show you an example of one I just did. This is the one that Luke helped me out on....

 

$changeinfo = sprintf
(
   "UPDATE `usershops` SET `location` = ('%d'), `shopname` = ('%s'), `shopdescription` = ('%s') WHERE `userid` = ('%u')",

$_POST['sl'],
$_POST['shopname'],
$_POST['description'],
$userid
);
$db->query($changeinfo);

 

Notice how I am updating location first using ('%d') ("%d = Signed decimal number"). Then I am updating shopname with ('%s') and then shopdescription also with ('%s') ("%s = String"). They are all in order, and then ('%d') will output $_POST['sl'], the first ('%s') would output $_POST['shopname'] and the second ('%s') would output $_POST['description'].

I don't know if that helps you any but thats about the best way I know how to explain it.

Posted

Re: How to use sprintf?

 

$userupdate = sprintf
(
   "UPDATE `users` SET `example` = `example` + ('%d') WHERE `userid` = ('%u')",

  1 ,
  $userid
);
mysql_query($userupdate);

No need, it's hard coded... if you think about it...

 

why are you using ('%d')? how is the 1 called to that position?

% - a literal percent character. No argument is required.

b - the argument is treated as an integer, and presented as a binary number.

c - the argument is treated as an integer, and presented as the character with that ASCII value.

d - the argument is treated as an integer, and presented as a (signed) decimal number.

e - the argument is treated as scientific notation (e.g. 1.2e+2). The precision specifier stands for the number of digits after the decimal point since PHP 5.2.1. In earlier versions, it was taken as number of significant digits (one less).

u - the argument is treated as an integer, and presented as an unsigned decimal number.

f - the argument is treated as a float, and presented as a floating-point number (locale aware).

F - the argument is treated as a float, and presented as a floating-point number (non-locale aware). Available since PHP 4.3.10 and PHP 5.0.3.

o - the argument is treated as an integer, and presented as an octal number.

s - the argument is treated as and presented as a string.

x - the argument is treated as an integer and presented as a hexadecimal number (with lowercase letters).

X - the argument is treated as an integer and presented as a hexadecimal number (with uppercase letters).

 

But personally my answer would be...

$UserUpdate = sprintf(
"UPDATE `users` SET
    `example` = `example` + 1
WHERE (`userid` = %u)" ,
$userid);
$db->query($UserUpdate);
Posted

Re: How to use sprintf?

 

$UserUpdate = sprintf("UPDATE users SET example=example+1 WHERE userid=%u", $userid);
$db->query($UserUpdate);

 

^that would be my way^

it looks more organized in one straight line, and why use ( )? There's no point.

then for displaying

echo sprintf("you have %d apples", $apples);

Posted

Re: How to use sprintf?

 

For each type cast within the sprintf, you need a variable.

So if we have the query of

 

UPDATE `users` SET `money` = ('%u'), `crystals` = ('%u'), `donatordays` = ('%u'), `username` = ('%s') WHERE `userid` = ('%u')

 

You will notice there are 5 type casts and areas needing variables.

You may have noticed there are 4 %u and 1 %s.

%u is an unsigned integer and %s is for a string value.

So let us say we have these variables:

 

$money  = 1000;
$crystals = 100;
$ddays   = 10;
$uname = 'ThisName';
$uid      = 10;

 

Then you would create the sprintf like so:

 

$variable = sprintf
(
"UPDATE `users` SET `money` = ('%u'), `crystals` = ('%u'), `donatordays` = ('%u'), `username` = ('%s') WHERE `userid` = ('%u')",
);

 

But as you see, the 5 missing parts are not entered yet, and each of them needs to be set in the order they appear in the query, comma-delimited, so this would become:

 

$variable = sprintf
(
"UPDATE `users` SET `money` = ('%u'), `crystals` = ('%u'), `donatordays` = ('%u'), `username` = ('%s') WHERE `userid` = ('%u')",

$money,
$crystals,
$ddays,
$uname,
$uid
);

 

Then you run the sprintf() through mysql_query(), like so:

 

mysql_query($variable) or die (mysql_error());

 

So in the end, you will have:

 

$money    = 1000;
$crystals = 100;
$ddays    = 10;
$uname    = 'ThisName';
$uid      = 10;

$variable = sprintf
(
"UPDATE `users` SET `money` = ('%u'), `crystals` = ('%u'), `donatordays` = ('%u'), `username` = ('%s') WHERE `userid` = ('%u')",

$money,
$crystals,
$ddays,
$uname,
$uid
);
mysql_query($variable) or die (mysql_error());

 

which in the end, equates to:

 

mysql_query("UPDATE `users` SET `money` = '1000', `crystals` = '100', `donatordays` = '10', `username` = 'ThisName' WHERE `userid` = '10'") or die (mysql_error());

 

REMEMBER!!

Make sure all the data being passed is secure, no matter what function you use!

A secure way would be like this, for the query at hand:

 

$money    = 1000;
$crystals = 100;
$ddays    = 10;
$uname    = 'ThisName';
$uid      = 10;

$variable = sprintf
(
"UPDATE `users` SET `money` = ('%u'), `crystals` = ('%u'), `donatordays` = ('%u'), `username` = ('%s') WHERE `userid` = ('%u')",

abs(@intval($money)),
abs(@intval($crystals)),
abs(@intval($ddays)),
mysql_real_escape_string($uname),
abs(@intval($uid))
);
mysql_query($variable) or die (mysql_error());

 

Should be enough to insert into the database.

Wow, great, just what I was after: a step by step guide of how you do it and why.

So a string is text and an integer is numbers?

Does sprintf not secure it alone? I see the finished sprintf and your version of secure were different.
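The question above (does sprintf secure the values on its own?) is the crux of the thread, so here is an added example that is not code from any post. It shows what the %u and %s placeholders do and do not protect against, then the escaped form the posts recommend, then a prepared statement. It uses PDO with an in-memory SQLite database so it runs offline (the mysql_* functions used in the thread were removed in PHP 7); the users table, its rows, the attack string and the function names are all constructed for the demo.

```php
<?php
// Added example, not code from this thread. It shows what the %u and %s
// placeholders in the post above do and do not protect against. It uses PDO with
// an in-memory SQLite database so it runs offline (the thread's mysql_* functions
// were removed in PHP 7); the users table, its rows and the attack string are
// constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, money INTEGER)');
$db->exec("INSERT INTO users (userid, username, money) VALUES (1, 'alice', 100), (2, 'bob', 100)");

function dumpUsers(PDO $db): void
{
    foreach ($db->query('SELECT userid, username, money FROM users ORDER BY userid') as $row) {
        printf("  %d  %-45s  money=%d\n", $row['userid'], $row['username'], $row['money']);
    }
}

// Values as they arrive from a form: both are strings, and the name is hostile.
// The name closes the quoted value, adds its own SET clause and comments the real
// WHERE out ("-- " starts a comment in MySQL and SQLite).
$uid  = '1';
$name = "x', money = 999999 WHERE userid = 2 -- ";

// 1. The thread's pattern: %u for the id, %s for the name, nothing escaped.
//    %u does force the id to digits, but %s copies the string in verbatim.
$sql = sprintf("UPDATE users SET username = '%s' WHERE userid = %u", $name, $uid);
echo "1. unescaped %s\n  $sql\n";
$db->exec($sql);
dumpUsers($db);   // bob (userid 2) is now 'x' with 999999 money; "WHERE userid = 1" never ran

// 2. Escape the string before %s, as the posts do with mysql_real_escape_string.
//    PDO::quote() is the equivalent here; it also adds the surrounding quotes, so
//    the format takes a bare %s. abs((int) $uid) keeps the id a non-negative integer.
$db->exec("UPDATE users SET username = 'bob', money = 100 WHERE userid = 2");
$sql = sprintf("UPDATE users SET username = %s WHERE userid = %u", $db->quote($name), abs((int) $uid));
echo "2. escaped %s\n  $sql\n";
$db->exec($sql);
dumpUsers($db);   // alice's username is now literally the attack string; bob is untouched

// 3. Prepared statement: SQL text and values travel separately, so there is no
//    escaping step to forget. Prefer this over building the query with sprintf.
function setUsername(PDO $db, int $userid, string $username): int
{
    $stmt = $db->prepare('UPDATE users SET username = :name WHERE userid = :id');
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // number of rows updated
}
setUsername($db, (int) $uid, 'alice');
setUsername($db, 2, $name);
echo "3. prepared statement\n";
dumpUsers($db);   // bob's username is the literal attack string, his money still 100

// 4. A caveat on %u: a negative value is not clamped to 0, it is printed as its
//    unsigned two's-complement value. That is why the posts wrap ids in abs(intval()).
echo "4. %u on -1: ", sprintf('%u', -1), "\n";                        // 18446744073709551615 on 64-bit PHP
echo "   %u on abs((int) '-7'): ", sprintf('%u', abs((int) '-7')), "\n";   // 7
```

The takeaway matches the post's "REMEMBER!!": sprintf only formats. A %u or %d placeholder is safe because the argument is converted to an integer before it is pasted in, but %s pastes the string exactly as given, so it must be escaped for the database in use, or, better, the value should be bound to a prepared statement so that no escaping step exists to be forgotten.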

Posted

Re: How to use sprintf?

yes it would be wise... especially if your game is big, or you expect it to get big. You don't want to disappoint all the players that play it if someone hacks it and messes everything up; then there's cheaters everywhere, and they will probably end up quitting.

Posted

Re: How to use sprintf?

got a quick question....

do I still need to do this

abs(@intval($_POST['amount']))

if I have already done this

$_POST['amount']=abs((int) $_POST['amount']);

would it hurt anything to do it twice??

That is for the withdrawal function on my usershops mod I am making, so I want to make sure it's secure....

Posted

Re: How to use sprintf?

another quick question how would I do this

mysql_query("insert into usershops values('','$userid','1','{$_POST['location']}','{$_POST['name']}','{$_POST['description']}','0')",$c) or die(mysql_error());

in sprintf ?? I know its probably simple but I am still learning everything.... Thanks in advance

would this be correct??

 

$buyshop = sprintf
(
   "INSERT INTO `usershops` values ('' , ('%u') , '1' , ('%d'), ('%s') , ('%s'), '0' )",

abs(@intval($userid)),
abs(@intval($_POST['sl'])),
mysql_real_escape_string($_POST['shopname']),
mysql_real_escape_string($_POST['description'])

);
$db->query($buyshop);
Posted

Re: How to use sprintf?

$_POST['amount'] = abs(@intval($_POST['amount']));

just do it once like that. It reads that it is in integer form, so if it's not an integer it returns false

Posted

Re: How to use sprintf?

 

another quick question how would I do this

mysql_query("insert into usershops values('','$userid','1','{$_POST['location']}','{$_POST['name']}','{$_POST['description']}','0')",$c) or die(mysql_error());

in sprintf ?? I know its probably simple but I am still learning everything.... Thanks in advance

would this be correct??

 

$buyshop = sprintf
(
   "INSERT INTO `usershops` values ('' , ('%u') , '1' , ('%d'), ('%s') , ('%s'), '0' )",

abs(@intval($userid)),
abs(@intval($_POST['sl'])),
mysql_real_escape_string($_POST['shopname']),
mysql_real_escape_string($_POST['description'])

);
$db->query($buyshop);

 

apparently that was correct because it worked lol.... if there is a better way to do it just tell me, but that worked, which is great.....

Posted

Re: How to use sprintf?

you could add a function for mysql_real_escape_string so you don't have to type that long para all the time.

so it would look something like this: mres($_POST['shopname'])

instead of mysql_real_escape_string($_POST['shopname'])

you could also add more to the function if you like...

preg_replace...etc..

Posted

Re: How to use sprintf?

 

another quick question how would I do this

mysql_query("insert into usershops values('','$userid','1','{$_POST['location']}','{$_POST['name']}','{$_POST['description']}','0')",$c) or die(mysql_error());

in sprintf ?? I know its probably simple but I am still learning everything.... Thanks in advance

would this be correct??

 

$buyshop = sprintf
(
   "INSERT INTO `usershops` values ('' , ('%u') , '1' , ('%d'), ('%s') , ('%s'), '0' )",

abs(@intval($userid)),
abs(@intval($_POST['sl'])),
mysql_real_escape_string($_POST['shopname']),
mysql_real_escape_string($_POST['description'])

);
$db->query($buyshop);

 

I would do it like this.

 


$_POST['shopname'] = htmlentities(mysql_real_escape_string(trim($_POST['shopname'])));
$_POST['description'] = htmlentities(mysql_real_escape_string(trim($_POST['description'])));
$_POST['sl'] = abs(@intval($_POST['sl']));

$buyshop = sprintf
(
   "INSERT INTO `usershops`
(all field names you're inserting into here, like this: usID, usUSER etc)
 values 
('' , ('%u') , '1' , ('%d'), ('%s') , ('%s'), '0' )",

$userid,
$_POST['sl'],
$_POST['shopname'],
$_POST['description']

);
$db->query($buyshop);
Posted

Re: How to use sprintf?

Maybe Try This..

Add to global_func.php:

function escape($escape)
{
$escape = htmlentities(mysql_real_escape_string(trim($escape)));
return $escape;
}

 

Put this where query is.

<?php

$BuyShop = sprintf(
"INSERT INTO `usershops` (all field names you're inserting into here, like this: `usID`, `usUSER` etc) " .
	"VALUES ('' , ('%u') , '1' , ('%d'), ('%s') , ('%s'), '0' )" ,
$userid,
abs(@intval($_POST['sl'])),
escape($_POST['shopname']),
escape($_POST['description'])
);
$db->query($BuyShop);

?>
Posted

Re: How to use sprintf?

why does everyone do crazy spacing on something as simple as formatting a string? Won't it take longer to process? Why not just on 1 line?

$db->query(sprintf("SELECT userid FROM users WHERE (userid = '%u')", abs(@intval($id))));

 

Also, in karlos' insert string example you are entering a value into an auto-increment field; it should be left out.

Posted

Re: How to use sprintf?

so this would work?

 

Maybe Try This..

Add to global_func.php:

function escape($escape)
{
$escape = htmlentities(mysql_real_escape_string(trim($escape)));
return $escape;
}

 

Put this where query is.

<?php

$BuyShop = sprintf(
"INSERT INTO `usershops` (all field names you're inserting into here, like this: `usID`, `usUSER` etc) " .
	"VALUES ('' , ('%u') , '1' , ('%d'), ('%s') , ('%s'), '0' )" ,
$userid,
abs(@intval($_POST['sl'])),
escape($_POST['shopname']),
escape($_POST['description'])
);
$db->query($BuyShop);

?>

 

Posted

Re: How to use sprintf?

And I see no need to use sprintf.

 

$username = htmlentities(mysql_real_escape_string(trim($_REQUEST['username'])));
$userid      = abs(@intval($_REQUEST['userid']));
mysql_query("UPDATE users SET username='".$username."', userid=".$userid." WHERE userid=".$ir['userid']);

 

See there. $username is secured & $userid too, and less space.
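Several posts above, and the last one here, wrap input as htmlentities(mysql_real_escape_string(trim(...))) before storing it. That applies two unrelated encodings (HTML for the browser, escaping for the SQL parser) at the same point. The following added example, not code from any post in the thread, shows the double-encoding that results when the value is rendered, and the split a practitioner would use instead: bind the raw text for SQL, encode for HTML only where it is output. It names the columns in the INSERT and omits the auto-increment id, as the reply about karlos' insert recommends. It runs offline on PDO with in-memory SQLite (mysql_* is gone since PHP 7); the usershops table, the column names, the input and the function names are constructed for the demo.

```php
<?php
// Added example, not code from this thread. The thread's escape() helper applies
// htmlentities() and mysql_real_escape_string() together on the way into the
// database; this shows the double encoding that causes on the way out, and the
// usual split instead: bind for SQL, encode for HTML at render time. Runs on
// PDO + in-memory SQLite; table, columns and input are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usershops (shopid INTEGER PRIMARY KEY AUTOINCREMENT, userid INTEGER, shopname TEXT)');

// Constructed form input: an SQL-significant quote plus HTML-significant characters.
$input = "  Bob's <b>Bargains</b> & more  ";

// The thread's escape(): HTML-encode, then SQL-escape. PDO::quote() stands in for
// mysql_real_escape_string() and also supplies the surrounding quotes.
function escapeLikeThread(PDO $db, string $value): string
{
    return $db->quote(htmlentities(trim($value), ENT_QUOTES, 'UTF-8'));
}

// Columns spelled out, AUTOINCREMENT id left to the database.
$db->exec(sprintf(
    "INSERT INTO usershops (userid, shopname) VALUES (%u, %s)",
    1,
    escapeLikeThread($db, $input)
));

// What was actually stored: HTML entities, not the text the user typed.
$stored = $db->query('SELECT shopname FROM usershops WHERE userid = 1')->fetchColumn();
echo "stored:   $stored\n";   // Bob&#039;s &lt;b&gt;Bargains&lt;/b&gt; &amp; more

// Every template must still escape on output (other fields were never pre-encoded),
// and that encodes the stored entities a second time: the page shows "&lt;b&gt;" literally.
echo "rendered: " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
// Bob&amp;#039;s &amp;lt;b&amp;gt;Bargains&amp;lt;/b&amp;gt; &amp;amp; more

// A further side effect: the stored value no longer equals what the user typed, so a
// lookup by the original name finds nothing (and a length limit counts "&amp;" as 5 chars).
$stmt = $db->prepare('SELECT COUNT(*) FROM usershops WHERE shopname = :name');
$stmt->bindValue(':name', trim($input), PDO::PARAM_STR);
$stmt->execute();
echo "lookup by typed name: " . $stmt->fetchColumn() . " row(s)\n";   // 0

// The split: bind the raw text for SQL, encode for HTML only when rendering.
function saveShopName(PDO $db, int $userid, string $name): void
{
    $stmt = $db->prepare('INSERT INTO usershops (userid, shopname) VALUES (:uid, :name)');
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->bindValue(':name', trim($name), PDO::PARAM_STR);
    $stmt->execute();
}

function renderShopName(PDO $db, int $userid): string
{
    $stmt = $db->prepare('SELECT shopname FROM usershops WHERE userid = :uid');
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return htmlspecialchars((string) $stmt->fetchColumn(), ENT_QUOTES, 'UTF-8');
}

saveShopName($db, 2, $input);
echo "rendered: " . renderShopName($db, 2) . "\n";
// Bob&#039;s &lt;b&gt;Bargains&lt;/b&gt; &amp; more   (encoded once, at the only place it matters)
```

With the two concerns separated, the database holds what the player typed, comparisons and length checks behave as expected, and the one htmlspecialchars() call in the view is the single place where HTML safety is decided.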
