SHAD, posted May 14, 2010:
I have read in quite a few places that sprintf is a slow function, so what would be an alternative to sprintf that still secures the query? Say for example I have this query:
mysql_query("UPDATE users SET testing=testing-10 WHERE userid=$userid",$c);
How would I secure it without using sprintf?
iSOS, posted May 14, 2010:
mysql_query("UPDATE users SET testing=testing-10 WHERE userid=$userid",$c);
That's how I'd secure it without using sprintf(). Wait, I haven't changed anything! sprintf() doesn't secure a query!
Djkanna, posted May 14, 2010:
mysql_query("UPDATE `users` SET `testing`=`testing` -10 WHERE (`userid` = ".$userid.")", $c);
^ Just preference :P
SHAD (author), posted May 14, 2010:
So it only formats it? And would that query be secure? If yes, then why the need to format the string anyway?
@Djkanna, I see you placed the queries in little commas or so; may I ask what they do to the query? I see quite a few people using them.
iSOS, posted May 14, 2010:
That's how I would have done it, but then I couldn't pull the "I haven't changed anything" line xD
@SHAD The query would be secure because you're not using any data that could be corrupted; if you're using variables with unvalidated data then that would be insecure and you'd need to 'secure' them using the correct functions. People tend to use sprintf() as preference; yes, it formats and does not secure as so many people here think, but it can come in handy.
CrazyT, posted May 14, 2010:
> People tend to use sprintf() as preference, yes it formats and does not secure as so many people here think, but it can come in handy.
Yes it formats it, but this can help on "numbers".
Djkanna, posted May 14, 2010:
And to see how, check the parameters section of PHP's manual on sprintf: http://uk.php.net/sprintf
jon182, posted May 15, 2010:
The only queries that you actually need to secure are ones with player input, and I suggest securing all usernames when they are created as they are sometimes used in queries automatically.
a_bertrand, posted May 15, 2010:
You just need to make sure MySQL will understand the things as you want and not that some smart guy will try to put yet more commands into your query. So you have multiple solutions (as always):
For numbers:
mysql_query("UPDATE users SET testing=testing-10 WHERE userid=".($userid+0),$c);
For strings:
mysql_query("UPDATE users SET testing=testing-10 WHERE userid='".mysql_real_escape_string($userid,$c)."'",$c);
Now the funny part is that basically you could ALWAYS pass things with mysql_real_escape_string and it would work, as MySQL will try to convert it for you to the right type.
Another solution is to use mysqli_stmt::bind_param (with the mysqli functions) and therefore NEVER pass values directly and instead bind them. The advantage is that you make sure your data will be only data and cannot contain other MySQL commands. Honestly that would be the way to go, even if most people programming in PHP don't do that (me neither).
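The three approaches a_bertrand lists (numeric cast, escaping with quotes, bound parameters) and CrazyT's sprintf('%d') point, side by side on the question's UPDATE. This is an added example written for this thread, not code posted by any of the participants. It assumes PHP 7 or later with the mysqli extension (the mysql_* functions used in the thread were removed in PHP 7, so mysqli_real_escape_string stands in for mysql_real_escape_string), and the database credentials are placeholders; the hostile $userid value is constructed to show what each variant does with it.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ with mysqli.

// Constructed hostile input: the kind of value a_bertrand means by
// "some smart guy will try to put yet more commands into your query".
$hostile = "5 OR 1=1";

// 1. Unsafe: plain interpolation, exactly as in the original question.
//    The value becomes part of the SQL text and changes the WHERE clause.
function unsafeQuery(string $userid): string {
    return "UPDATE users SET testing=testing-10 WHERE userid=$userid";
}

// 2. Numeric cast, the "$userid+0" idea. An explicit (int) cast is the
//    PHP 8 equivalent: "$userid+0" emits a warning for "5 OR 1=1" and throws
//    a TypeError for a fully non-numeric string, whereas (int) never does.
//    Only digits can reach the SQL text.
function castQuery(string $userid): string {
    return "UPDATE users SET testing=testing-10 WHERE userid=" . (int) $userid;
}

// 2b. sprintf('%d') does the same cast, which is why CrazyT says sprintf
//     "can help on numbers". %s would NOT help; it inserts the string as-is.
function sprintfQuery(string $userid): string {
    return sprintf("UPDATE users SET testing=testing-10 WHERE userid=%d", $userid);
}

// 3. Escaping plus quotes. Escaping alone is not enough: "5 OR 1=1" has no
//    quote or backslash to escape, so without the surrounding quotes it
//    would pass through unchanged. Inside quotes it is a string literal that
//    MySQL converts to the number 5 for the comparison, as a_bertrand notes.
function escapedQuery(mysqli $c, string $userid): string {
    return "UPDATE users SET testing=testing-10 WHERE userid='"
        . mysqli_real_escape_string($c, $userid) . "'";
}

// 4. Prepared statement with bind_param. The SQL goes to the server with a
//    placeholder and the value travels separately, so the value is never
//    parsed as SQL. Returns the number of rows the UPDATE touched.
function preparedUpdate(mysqli $c, string $userid): int {
    $id = (int) $userid;                 // userid is numeric by design
    $stmt = $c->prepare("UPDATE users SET testing=testing-10 WHERE userid=?");
    $stmt->bind_param("i", $id);         // "i": bind $id as an integer
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// The string-building variants need no database, so compare them offline.
echo "unsafe:  ", unsafeQuery($hostile), "\n";   // ... WHERE userid=5 OR 1=1
echo "cast:    ", castQuery($hostile), "\n";     // ... WHERE userid=5
echo "sprintf: ", sprintfQuery($hostile), "\n";  // ... WHERE userid=5

// Escaping and prepared statements need a live connection. Placeholder
// credentials; mysqli throws mysqli_sql_exception on failure in PHP 8.1+.
try {
    $c = new mysqli("localhost", "DB_USER", "DB_PASS", "DB_NAME");
} catch (mysqli_sql_exception $e) {
    $c = null;
}
if ($c !== null && $c->connect_errno === 0) {
    echo "escaped: ", escapedQuery($c, $hostile), "\n";
    echo "prepared, rows affected: ", preparedUpdate($c, $hostile), "\n";
    $c->close();
}
```

The unsafe line is the one to compare against: with the constructed input it decrements testing for every user, while the cast, sprintf('%d') and quoted-escape variants all reduce the same input to userid 5. The prepared statement is the only variant where the safety does not depend on remembering the cast or the quotes for every query, which is the reason a_bertrand calls it the way to go.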
Djkanna, posted May 15, 2010:
I like to use MySQL Improved when I can :P but in some instances it just doesn't fit, especially when working with pre-existing scripts.
Haunted Dawg, posted May 15, 2010:
> I like to use MySQL Improved when I can :P but in some instances it just doesn't fit especially when working with pre-existing scripts
Using MySQLi on a pre-existing script is a biash :P