https://www.webmaster-forums.net/crss/node/1040304 en https://www.webmaster-forums.net/web-database-development/correct-syntax-mysql-query#comment-1227119 <p>Good point calculator, you can also cast the value as an int: </p> <p><div class="codeblock"><code><span style="color: #000000"><span style="color: #0000BB">&lt;?php<br />$number1 </span><span style="color: #007700">= (int) </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'number1'</span><span style="color: #007700">]; <br /></span><span style="color: #0000BB">$number2 </span><span style="color: #007700">= (int) </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'number2'</span><span style="color: #007700">]; <br /><br /></span><span style="color: #FF8000">/* then run the query */ <br /></span><span style="color: #0000BB">$sql </span><span style="color: #007700">= \</span><span style="color: #DD0000">"UPDATE goods SET stock = </span><span style="color: #0000BB">$number1</span><span style="color: #DD0000">, WHERE item = </span><span style="color: #0000BB">$number2</span><span style="color: #DD0000">; <br />?&gt;</span></span></code></div></p> <p>That'll make sure they're numerics. Both methods will work. <img src="https://www.webmaster-forums.net/misc/smileys/smile.png" title="Smiling" alt="Smiling" class="smiley-content" /></p> Sat, 08 Dec 2007 05:10:49 +0000 JeevesBond comment 1227119 at https://www.webmaster-forums.net https://www.webmaster-forums.net/web-database-development/correct-syntax-mysql-query#comment-1227057 <p>if the posted values can only be number I would add an extra layer of security by checking if the $_post are numeric using the built-in php is_numeric() function.</p> <p><div class="codeblock"><code>if(is_numeric($_POST[&#039;number1&#039;]) &amp;&amp; is_numeric($_POST[&#039;number2&#039;])){<br />$number1 = mysql_real_escape_string($_POST[&#039;number1&#039;]);<br />$number2 = mysql_real_escape_string($_POST[&#039;number2&#039;]);<br />}<br /><br />/* then run the query */<br /><br />$sql = &quot;UPDATE goods SET stock = $number1, WHERE item = $number2;</code></div>'</p> <p>I know it's not necessary, but I think it then becomes a coding practice.</p> <p>As an additional comment, if you know what calues can be chosen, ie values from a drop down menu, use the switch/case to make sure that the value entered is valid.</p> <p>And as a final comment - after that I shut up <img src="https://www.webmaster-forums.net/misc/smileys/wink.png" title="Wink" alt="Wink" class="smiley-content" /> - read Chris Shiflett excellent <a href="http://phpsecurity.org/" class="bb-url">Essential PHP Security</a> book.</p> Thu, 06 Dec 2007 13:44:14 +0000 calculator comment 1227057 at https://www.webmaster-forums.net https://www.webmaster-forums.net/web-database-development/correct-syntax-mysql-query#comment-1227047 <p>pr0gramm3r writes wise words. Take heed. PHP can be rather insecure if used improperly.</p> <p><img src="https://www.webmaster-forums.net/misc/smileys/smile.png" title="Smiling" alt="Smiling" class="smiley-content" /></p> Thu, 06 Dec 2007 07:49:18 +0000 JeevesBond comment 1227047 at https://www.webmaster-forums.net https://www.webmaster-forums.net/web-database-development/correct-syntax-mysql-query#comment-1227034 <p>The syntax is technically correct, but you should never use $_GET or $_POST variables directly in queries.</p> <p>If I was a malicious user, I could send whatever I want to that script. I could make $_POST['number2'] equal...<br /> <code>2; DROP TABLE goods;</code>'<br /> ...which would drop that table. Simple yet devastating. There are plenty of other malicious strings that could be injected into a query.</p> <p>Simple way to fix it: run all values you take from a user through the mysql_real_escape_string() function.<br /> <div class="codeblock"><code><span style="color: #000000"><span style="color: #0000BB">&lt;?php<br />$number1 </span><span style="color: #007700">= </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'number1'</span><span style="color: #007700">];<br /></span><span style="color: #0000BB">$number2 </span><span style="color: #007700">= </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'number2'</span><span style="color: #007700">];<br /><br /></span><span style="color: #FF8000">/* then run the query */<br /></span><span style="color: #0000BB">$sql </span><span style="color: #007700">= \</span><span style="color: #DD0000">"UPDATE goods SET stock = </span><span style="color: #0000BB">$number1</span><span style="color: #DD0000">, WHERE item = </span><span style="color: #0000BB">$number2</span><span style="color: #DD0000">;<br />?&gt;</span></span></code></div></p> Thu, 06 Dec 2007 03:40:10 +0000 pr0gr4mm3r comment 1227034 at https://www.webmaster-forums.net