MakeWebGames


Posted

Re: How to use sprintf?

 

And I see no need to use sprintf.

 

$username = htmlentities(mysql_real_escape_string(trim($_REQUEST['username'])));
$userid      = abs(@intval($_REQUEST['userid']));
mysql_query("UPDATE users SET username='".$username."', userid=".$userid." WHERE userid=".$ir['userid']);

 

See there. $username is secured, and so is $userid, and it takes less space.

What do you mean, "less space"? Instead of running 1 extra function you are declaring and assigning 2 additional variables.


Posted

Re: How to use sprintf?

 

And I see no need to use sprintf.

 

$username = htmlentities(mysql_real_escape_string(trim($_REQUEST['username'])));
$userid      = abs(@intval($_REQUEST['userid']));
mysql_query("UPDATE users SET username='".$username."', userid=".$userid." WHERE userid=".$ir['userid']);

 

See there. $username is secured, and so is $userid, and it takes less space.

What do you mean, "less space"? Instead of running 1 extra function you are declaring and assigning 2 additional variables.

It takes less space in your file. Why clutter it up with sprintf? OK, I know a lot of you reduce it, but I have seen some that go like this, for example:

 

$row = sprintf("SELECT 	itmid,
		invid,
		blah,
		sa,
		gaa,
		vaa,
		see,
		tree,
		whats,
		the,
		use
	FROM blah WHERE blah=%u", $variable);
$db->query($row);

 

Now you can reduce that to:

 

mysql_query("SELECT itmid,invid,blah,sa,gaa,vaa,see,tree,whats,the,use FROM blah WHERE blah=".abs(@intval($variable)));
Posted

Re: How to use sprintf?

Making code readable is generally thought of as more desirable than squeezing every bit of code you can into the smallest space possible.

The way code is formatted just doesn't have much impact on performance.

Cases where this does not hold true are HTML, JS, and CSS that are sent to a user's computer. Since PHP code is executed locally, that "over the wire" penalty isn't incurred.

Summing up: readability over squashability!

Posted

Re: How to use sprintf?

Floy, I am one that got zero-affect and others to start using tab spacing. If you go and look at our arguments, he always looked at my coding and said "why space it out if it's useless", but go look at his coding now. It's all spaced out.

But OK. What I am trying to say here is that for a simple SQL query there is no need.

Posted

Re: How to use sprintf?

 

But Karlos, just remember who recommended spaced-out coding.

It's just good practice to space coding. But there are some people who have some wild spacing in their mods; sometimes less is more...

Posted

Re: How to use sprintf?

 

Spacing some things is useless...

Maybe it is, but my personal preference now is spacing it all, as it's much easier to read and fix errors.

Posted

Re: How to use sprintf?

Hi. I'm just trying to work this out and looking to see if I've done the following OK.

Query is - $q=$db->query("SELECT * FROM cities WHERE cityid != {$ir['location']} AND cityminlevel <= {$ir['level']}");

What I've come up with:

 

$cities = sprintf(
    "SELECT * FROM `cities` WHERE `cityid` != ('%u') AND cityminlevel <= ('%u')",
    $ir['location'],
    $ir['level']
);
$q = $db->query($cities);

 

Just after it, it will show - while($r=$db->fetch_row($q))

Now, in my attempt to use sprintf, at the end I put $q=$db->query($cities);. Is this correct??

Posted

Re: How to use sprintf?

 

Hi. I'm just trying to work this out and looking to see if I've done the following OK.

Query is - $q=$db->query("SELECT * FROM cities WHERE cityid != {$ir['location']} AND cityminlevel <= {$ir['level']}");

What I've come up with:

 

$cities = sprintf(
    "SELECT * FROM `cities` WHERE `cityid` != ('%u') AND cityminlevel <= ('%u')",
    $ir['location'],
    $ir['level']
);
$q = $db->query($cities);

 

Just after it, it will show - while($r=$db->fetch_row($q))

Now, in my attempt to use sprintf, at the end I put $q=$db->query($cities);. Is this correct??

 

$cities = $db->query(sprintf(
    "SELECT * FROM `cities` WHERE `cityid` != ('%u') AND cityminlevel <= ('%u')",
    abs(@intval($ir['location'])),
    abs(@intval($ir['level']))
));

3 months later...
Posted

Re: How to use sprintf?

 

$cities = $db->query(sprintf(
    "SELECT * FROM `cities` WHERE `cityid` != ('%u') AND cityminlevel <= ('%u')",
    abs(@intval($ir['location'])),
    abs(@intval($ir['level']))
));

Please tell me why you're securing numbers coming from the database that can only be a numerical value (due to the fieldset being int).

 

$sql = sprintf("SELECT * FROM cities WHERE ((cityid != %u) AND (cityminlevel <= %u))", $ir['location'], $ir['level']);
$q = $db->query($sql);

would work just fine ;)

Posted

Re: How to use sprintf?

 

$cities = $db->query(sprintf(
    "SELECT * FROM `cities` WHERE `cityid` != ('%u') AND cityminlevel <= ('%u')",
    abs(@intval($ir['location'])),
    abs(@intval($ir['level']))
));

Please tell me why you're securing numbers coming from the database that can only be a numerical value (due to the fieldset being int).

 

$sql = sprintf("SELECT * FROM cities WHERE ((cityid != %u) AND (cityminlevel <= %u))", $ir['location'], $ir['level']);
$q = $db->query($sql);

would work just fine ;)

I think it's just habit... everyone has their own way of programming...

It's like saying why use the extra parentheses in the SQL query, when the manual / Floydian prove it's slightly less efficient. Most of this topic is about how everyone programs differently using different methods; there isn't a right or wrong way... It's just personal preference.

2 weeks later...
Posted

Re: How to use sprintf?

OK, I've just spent an hour or so reading up on security in different topics on here...

Does using sprintf on every database call, whether it's an update or a select, help prevent SQL injections?

What I'm trying to say is, if I go through every file and secure the database queries, does it give a high level of protection against SQL injections etc.?

Posted

Re: How to use sprintf?

The definitive answer to that is _no_.

There is _no_ one function, one if block, one code sample, or one *anything else* that can simply be applied _willy_nilly_ and expected to be secure programming technique.

Do I use sprintf in code that is secure? You bet. Can code with sprintf be insecure? You bet.

Is sprintf helpful for securing code? Double-edged sword there... It could be helpful in making it less secure.

Why is sprintf helpful in making code more secure? Because it formats strings.

Hope that helps...
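As an added illustration of the "double-edged sword" point (this is example code written for this page, not code from the thread or from any game framework), the script below shows what sprintf() does and does not do to untrusted values: `%u` coerces whatever it receives to an unsigned integer, while `%s` interpolates the string untouched, so a query built with `%s` is only as safe as the escaping applied before the call. All inputs are constructed for the demo, and addslashes() is used purely as an offline stand-in for mysql_real_escape_string(), which needs a live connection.

```php
<?php
// Added example, not code from the thread: what sprintf() does and does not do
// to untrusted values. All inputs below are constructed for the demo.

// %u converts the argument to an unsigned integer. A value that is not a plain
// number collapses to its leading digits or to 0, and a negative number wraps
// around, so the query always receives a bare integer token.
function build_user_query($id)
{
    return sprintf("SELECT * FROM users WHERE userid = %u", $id);
}

// %s only interpolates a string; it performs no escaping at all, so the
// safety of this query depends entirely on what the caller passes in.
function build_name_query_unescaped($name)
{
    return sprintf("SELECT * FROM users WHERE username = '%s'", $name);
}

// mysql_real_escape_string() needs an open connection, so this offline demo
// uses addslashes() as a stand-in to show the shape of the fix. It is not a
// substitute for a connection-aware escaper in real code.
function build_name_query_escaped($name)
{
    return sprintf("SELECT * FROM users WHERE username = '%s'", addslashes($name));
}

// Constructed inputs: a normal id, a negative id, a number with trailing
// junk, and a non-number.
foreach (["42", "-1", "42 abc", "abc"] as $id)
{
    echo str_pad(var_export($id, true), 10), " => ", build_user_query($id), "\n";
}

// A legitimate name containing a quote is enough to show the difference: the
// unescaped version terminates the string literal early, which is exactly the
// mechanism an injection relies on.
$name = "O'Brien";
echo build_name_query_unescaped($name), "\n";
echo build_name_query_escaped($name), "\n";
```

Two things are worth noticing when running it. On 64-bit PHP the "-1" row is formatted as 18446744073709551615, so `%u` and the thread's abs(@intval()) wrapper are not interchangeable: the wrapper sends 1, the format specifier sends the wrapped value, and both keep the statement syntactically intact without saying anything about whether the number is meaningful. The second half shows that `%s` does nothing for you: the apostrophe in O'Brien ends the literal in the unescaped query and is neutralised only because the escaping happened before sprintf() was called.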

Posted

Re: How to use sprintf?

That helped a bit, I think, but as an example I have picked a file I coded, which is as follows...

 

<?php
include "globals.php"; // assumed, as in the thread's framework, to set up $db, $ir and $userid

// Force the submitted choice to a non-negative integer before it is used anywhere.
$_POST['color'] = abs((int) $_POST['color']);

if (!$_POST['color'])
{
    print "<h3><font color='red'><b><i>?Here you can Purchase a Different Colored Name?</i></b></font></h3>";

    print "<table width=95% cellspacing=1 class='table'>
<tr style='background:gray'><th><font color='orange'>Color</font></th><th><font color='orange'>Cost in Crystals</font></th><th><font color='orange'>Delivery</font></th></tr>
<tr><td><b><font color='#ffffff'>White</font></b></td><td>1,000 Crystals</td><td><b>INSTANT --- Select Below</b></td></tr>
<tr><td><b><font color='#aaaaaa'>Grey</font></b></td><td>1,500 Crystals</td><td><b>INSTANT --- Select Below</b></td></tr>
<tr><td><b><font color='#ffff00'>Yellow</font></b></td><td>2,000 Crystals</td><td><b>INSTANT --- Select Below</b></td></tr>
<tr><td><b><font color='#00ffff'>Cyan</font></b></td><td>2,500 Crystals</td><td><b>INSTANT --- Select Below</b></td></tr>
<tr><td><b><font color='#99ff00'>Lime</font></b></td><td>2,500 Crystals</td><td><b>INSTANT --- Select Below</b></td></tr>
<tr><td><b><font color='#9966ff'>Lilac</font></b></td><td>2,500 Crystals</td><td><b>INSTANT --- Select Below</b></td></tr>
<tr><td><b><font color='#00ff00'>Other Colors</font></b></td><td>3,500 Crystals</td><td><b>Message The Shrekinator</b></td></tr>
<tr><td><b><FONT color=#ff0000>G</FONT><FONT color=#ff1111>r</FONT><FONT color=#ff2222>a</FONT><FONT color=#ff3333>d</FONT><FONT color=#ff4444>i</FONT><FONT color=#ff5555>e</FONT><FONT color=#ff6666>n</FONT><FONT color=#ff7777>t</FONT> <FONT color=#ff9999>C</FONT><FONT color=#ffaaaa>o</FONT><FONT color=#ffbbbb>l</FONT><FONT color=#ffcccc>o</FONT><FONT color=#ffdddd>r</FONT><FONT color=#ffeeee>s</FONT></b></td><td>10,000 Crystals</td><td><b>Message The Shrekinator</b></td></tr>
</table>";

    print "<form action='color.php' method='post'>
Please Select a color:
<select class=textbox name='color'>
<option value='0'>Please Select a color</option>
<option value='1'>White --- Cost: 1,000 Crystals</option>
<option value='2'>Grey --- Cost: 1,500 Crystals</option>
<option value='3'>Yellow --- Cost: 2,000 Crystals</option>
<option value='4'>Cyan --- Cost: 2,500 Crystals</option>
<option value='5'>Lime --- Cost: 2,500 Crystals</option>
<option value='6'>Lilac --- Cost: 2,500 Crystals</option>
</select>
<input class=textbox type='submit' value='Purchase color'>
</form>";
}
else
{
    $color = $_POST['color'];

    if ($color == 1)
    {
        if ($ir['crystals'] < 1000)
        {
            print "<font color='red'><b>Sorry you do not have enough Crystals to make this purchase</b></font>";
        }
        else
        {
            $color    = '#ffffff';
            $crystals = 1000;
            // Every value goes through sprintf: %s for the escaped colour string,
            // %u for the two numbers.
            $update = sprintf(
                "UPDATE users SET usercolor=('%s'), crystals=crystals - ('%u') WHERE userid=('%u')",
                mysql_real_escape_string($color),
                abs(@intval($crystals)),
                abs(@intval($userid))
            );
            $db->query($update);

            print "<font color='red'>Congratulations, You successfully purchased your colored name...</font>
<a href='index.php'>>Back</a>";
        }
    }
    if ($color == 2)
    {
        if ($ir['crystals'] < 1500)
        {
            print "<font color='red'><b>Sorry you do not have enough Crystals to make this purchase</b></font>";
        }
        else
        {
            $db->query("UPDATE users SET usercolor='#AAAAAA' WHERE userid=$userid");
            $db->query("UPDATE users SET crystals=crystals-1500 WHERE userid=$userid");
            print "<font color='red'>Congratulations, You successfully purchased your colored name...</font>
<a href='index.php'>>Back</a>";
        }
    }
    if ($color == 3)
    {
        if ($ir['crystals'] < 2000)
        {
            print "<font color='red'><b>Sorry you do not have enough Crystals to make this purchase</b></font>";
        }
        else
        {
            $db->query("UPDATE users SET usercolor='#FFFF00' WHERE userid=$userid");
            $db->query("UPDATE users SET crystals=crystals-2000 WHERE userid=$userid");
            print "<font color='red'>Congratulations, You successfully purchased your colored name...</font>
<a href='index.php'>>Back</a>";
        }
    }
    if ($color == 4)
    {
        if ($ir['crystals'] < 2500)
        {
            print "<font color='red'><b>Sorry you do not have enough Crystals to make this purchase</b></font>";
        }
        else
        {
            $db->query("UPDATE users SET usercolor='#00FFFF' WHERE userid=$userid");
            $db->query("UPDATE users SET crystals=crystals-2500 WHERE userid=$userid");
            print "<font color='red'>Congratulations, You successfully purchased your colored name...</font>
<a href='index.php'>>Back</a>";
        }
    }
    if ($color == 5)
    {
        if ($ir['crystals'] < 2500)
        {
            print "<font color='red'><b>Sorry you do not have enough Crystals to make this purchase</b></font>";
        }
        else
        {
            $db->query("UPDATE users SET usercolor='#99FF00' WHERE userid=$userid");
            $db->query("UPDATE users SET crystals=crystals-2500 WHERE userid=$userid");
            print "<font color='red'>Congratulations, You successfully purchased your colored name...</font>
<a href='index.php'>>Back</a>";
        }
    }
    if ($color == 6)
    {
        if ($ir['crystals'] < 2500)
        {
            print "<font color='red'><b>Sorry you do not have enough Crystals to make this purchase</b></font>";
        }
        else
        {
            $db->query("UPDATE users SET usercolor='#9966FF' WHERE userid=$userid");
            $db->query("UPDATE users SET crystals=crystals-2500 WHERE userid=$userid");
            print "<font color='red'>Congratulations, You successfully purchased your colored name...</font>
<a href='index.php'>>Back</a>";
        }
    }
}
$h->endpage();
?>



 

 

The first database query I have tried to secure:

 

if ($color == 1)
{
    if ($ir['crystals'] < 1000)
    {
        print "<font color='red'><b>Sorry you do not have enough Crystals to make this purchase</b></font>";
    }
    else
    {
        $color    = '#ffffff';
        $crystals = 1000;
        // Every value goes through sprintf: %s for the escaped colour string,
        // %u for the two numbers.
        $update = sprintf(
            "UPDATE users SET usercolor=('%s'), crystals=crystals - ('%u') WHERE userid=('%u')",
            mysql_real_escape_string($color),
            abs(@intval($crystals)),
            abs(@intval($userid))
        );
        $db->query($update);

        print "<font color='red'>Congratulations, You successfully purchased your colored name...</font>
<a href='index.php'>>Back</a>";
    }
}

 

Would this "HELP" against hacking attempts, SQL injections etc.?

I realise code is pretty much impossible to totally secure, but am I wasting my time going through the script and using sprintf and mysql_real_escape_string on all the queries?

Like I have done on the one above?

Posted

Re: How to use sprintf?

 

// With sprintf();
if ($color == 1) {
    if ($ir['crystals'] < 1000) {
        echo '<span style="color: #FF0000; font-weight: 800;">Error!
 Sorry you do not have enough Crystals to make this purchase</span>';
    } else {
        $db->query(sprintf("UPDATE `users` SET `usercolor`='#ffffff', `crystals`=`crystals`-'1000' WHERE userid=%d", $userid));
        echo '<span style="color: #FF0000;">Congratulations, You successfully purchased your colored name...</span>
 > <a href="index.php">Back</a>';
    }
}

// Without sprintf();
if ($color == 1) {
    if ($ir['crystals'] < 1000) {
        echo '<span style="color: #FF0000; font-weight: 800;">Error!
 Sorry you do not have enough Crystals to make this purchase</span>';
    } else {
        $db->query("UPDATE `users` SET `usercolor`='#ffffff', `crystals`=`crystals`-'1000' WHERE userid=".$userid);
        echo '<span style="color: #FF0000;">Congratulations, You successfully purchased your colored name...</span>
 > <a href="index.php">Back</a>';
    }
}

 

:wink:

Posted

Re: How to use sprintf?

Now I'm confused...

Doesn't

 

mysql_real_escape_string($color),
abs(@intval($crystals)),
abs(@intval($userid))

 

make the SQL query more secure, as I have secured all the variables in the query?

Posted

Re: How to use sprintf?

Would this not be a better way...

Create a function in global_function.php:

 

function check_input($value)
{
    // Undo magic_quotes so the value is not escaped twice.
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Anything that is not numeric is escaped and wrapped in quotes;
    // numbers are returned bare. Note that is_numeric() also accepts
    // floats and exponent forms such as "1e5".
    if (!is_numeric($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

 

then for, say, the userid...

 

$userid = check_input($userid);

 

then just run the SQL query as normal?

Posted

Re: How to use sprintf?

Well, the query you had was basically 'hard coded', as I say...

As for the function.... Why use it on a number?

Secondly... magic quotes will be deprecated in PHP 5.3.0 and removed in PHP 6.

Posted

Re: How to use sprintf?

Thanks Karlos, I really appreciate this...

I think what I am getting at is, if I secured every variable, whether, like you say, it was hard coded or a member-inputted variable, and got into the habit of doing this in all my coding...

surely I would be much more secure from SQL injections and hacking attempts...

Posted

Re: How to use sprintf?

 

<?php
// Each helper rejects anything outside its character class and returns the
// cleaned value, so the caller can use what comes back.

function check_number($num)
{
    // ctype_digit() expects a string; cast so an integer argument is not
    // treated as an ASCII code.
    if (!ctype_digit((string) $num))
    {
        echo "Invalid submission";
        exit;
    }
    return abs(@intval($num));
}

function check_alpha($let)
{
    if (!ctype_alpha($let))
    {
        echo "Invalid Submission";
        exit;
    }
    return mysql_real_escape_string(htmlspecialchars($let));
}

function check_string($str)
{
    if (!ctype_alnum($str))
    {
        echo "Invalid submission";
        exit;
    }
    return mysql_real_escape_string(htmlspecialchars($str));
}

 

All of those are designed for database usage (bar the numerical check).

If you're not using a database, remove the mres() as there will be no need for it.

The numerical check can be used with and without a database.

Make sure you CHECK what's coming in as INPUT, then CLEAN the INPUT!
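To show the "check, then clean" advice applied to the color.php file posted earlier in the thread, here is the purchase branch rewritten as one table-driven path. This is example code added for this page, not code from the thread or from the game framework: the client only ever submits a catalogue key, the key is whitelisted before it touches a query, the hex value comes from the server-side table rather than the request, and the balance check is folded into the UPDATE itself. The price table is constructed for the demo and the $run_query callable stands in for the thread's $db->query().

```php
<?php
// Added example, not code from the thread: the colour-shop purchase branch of
// color.php rewritten as one table-driven path. The catalogue is constructed
// for the demo; $run_query stands in for the thread's $db->query().

const COLOR_CATALOGUE = [
    1 => ['hex' => '#ffffff', 'cost' => 1000],
    2 => ['hex' => '#aaaaaa', 'cost' => 1500],
    3 => ['hex' => '#ffff00', 'cost' => 2000],
    4 => ['hex' => '#00ffff', 'cost' => 2500],
    5 => ['hex' => '#99ff00', 'cost' => 2500],
    6 => ['hex' => '#9966ff', 'cost' => 2500],
];

// CHECK: the client may only send a catalogue key. Digits-only first, then a
// whitelist lookup; "", "3abc", "-3", "9" and non-string values are all rejected.
function validate_color_choice($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $key = (int) $raw;
    return array_key_exists($key, COLOR_CATALOGUE) ? $key : null;
}

// Build the UPDATE. The hex literal comes from the catalogue, never from the
// request, and every number is formatted with %u. Putting "crystals >= cost"
// in the WHERE clause ties the balance check to the debit itself, so two
// submits racing each other cannot drive the balance negative.
function build_purchase_query(int $userid, int $key): string
{
    $entry = COLOR_CATALOGUE[$key];
    return sprintf(
        "UPDATE users SET usercolor = '%s', crystals = crystals - %u "
            . "WHERE userid = %u AND crystals >= %u",
        $entry['hex'],
        $entry['cost'],
        $userid,
        $entry['cost']
    );
}

// Glue: returns the message for the page; $run_query executes the SQL.
function handle_purchase(callable $run_query, int $userid, int $crystals, $raw): string
{
    $key = validate_color_choice($raw);
    if ($key === null) {
        return 'Invalid colour choice.';
    }
    if ($crystals < COLOR_CATALOGUE[$key]['cost']) {
        return 'Sorry, you do not have enough Crystals to make this purchase.';
    }
    $run_query(build_purchase_query($userid, $key));
    return 'Congratulations, you successfully purchased your coloured name.';
}

// Offline demo with constructed values (user 42 holding 1800 crystals). In
// color.php you would pass function ($sql) use ($db) { $db->query($sql); }
// together with $userid, $ir['crystals'] and $_POST['color'].
$last_sql    = null;
$capture_sql = function (string $sql) use (&$last_sql) { $last_sql = $sql; };
foreach (['1', '3', '9', '3abc', '-3', ''] as $raw) {
    $last_sql = null;
    $message  = handle_purchase($capture_sql, 42, 1800, $raw);
    echo ($raw === '' ? '(empty)' : $raw), ': ', $message, "\n";
    if ($last_sql !== null) {
        echo '    SQL: ', $last_sql, "\n";
    }
}
```

The design choice worth copying is that validation and escaping are separated: validate_color_choice() decides whether the request is acceptable at all and returns a typed value, and only data the server already trusts (the catalogue entry and the numeric ids) is formatted into the statement. Compared with the original file, this removes six copies of the same branch, and the remaining `%s` argument is a constant from the catalogue rather than anything a user typed.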

Posted

Re: How to use sprintf?

I know this is a bit of a stupid question, but is a string a-z with the symbols? And integers are 0-9, of course.
