syntax of sprintf

Discussion in 'PHP' started by sudhakararaog, May 20, 2008.

    #1
    Until I started using the techniques for avoiding SQL injection, I had been using a normal insert and select SQL query, which worked fine.

    I have a registration page where a user enters their username. If it already exists I display a message (by executing a select query), and if the username does not exist then I run an insert query.

    After adopting the technique to avoid SQL injection:

    // Undo magic_quotes escaping if it is on, so the values are escaped exactly once below
    if (get_magic_quotes_gpc()) {
        $username = stripslashes($_POST["username"]);
        $email = stripslashes($_POST["email"]);
    } else {
        $username = $_POST["username"];
        $email = $_POST["email"];
    }
    Previously my select and insert queries were:

    INSERT INTO individuals(username, email) values('$username', '$email')
    Select username from individuals where username = '$username'

    Presently the insert query is:

    $insertquery = sprintf("INSERT INTO individuals (username, email) VALUES ('%s', '%s')",
        mysql_real_escape_string($username), mysql_real_escape_string($email));

    This insert query is working; however, the select query is no longer doing its task of checking whether the username already exists. Even if I register with the same username again it does not alert that the username exists.

    The select query is:

    $selectqueryusername = sprintf("SELECT username FROM individuals WHERE username = '%s'",
        mysql_real_escape_string($username));

    Should I change the syntax of the above select query, or is there something else I need to do to fix it?

    Also, for the insert query, if I have a numeric value I should be writing %d, correct? I have a numeric value, but before inserting it I append a "-" character to combine the area code and phone number, for example 09-123 4567, so I am treating this as %s since it contains a non-digit character. Is this correct?

    Please advise.

    thanks.
     
    sudhakararaog, May 20, 2008 IP
    #2 xrvel
    Basically, sprintf can be used for many things, not only in MySQL:

    PHP:
    <?php
    $name = 'John';

    $message = 'Hello, my name is %s. I live here';
    $message = sprintf($message, $name);   // %s is replaced by the string $name

    $age = 15;

    $message = 'Hello, i am %s years old. I live here';
    $message = sprintf($message, $age);    // %s also accepts an integer argument
     
    xrvel, May 20, 2008 IP
    #3 goldensea80
    Maybe there is some error in the previous step; you can print out $selectqueryusername to see what the real query is and what happened.

    You are correct, "09-123 4567" is a string.
     
    goldensea80, May 21, 2008 IP
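An added example in PHP (not code from anyone in this thread) that covers the original question's two sprintf queries and goldensea80's two points: it builds the queries as strings so they can be printed and inspected, and shows why the phone number needs %s rather than %d. It assumes a mysqli connection supplies the real escaper; addslashes() is only a stand-in so the file runs offline.

```php
<?php
// Added example, not code from the thread. It expands the poster's two sprintf
// queries for constructed inputs (so you can print and inspect them, as
// goldensea80 suggests) and shows why "09-123 4567" must use %s, not %d.
// mysql_real_escape_string() needs a live MySQL connection and was removed in
// PHP 7, so the escaper is passed in. In real code pass
// fn($s) => $db->real_escape_string($s) for a mysqli connection $db. Here
// addslashes() stands in so the file runs offline; it is NOT a safe
// replacement for a connection-aware escaper.

function buildInsert(callable $escape, string $username, string $email): string
{
    return sprintf("INSERT INTO individuals (username, email) VALUES ('%s', '%s')",
        $escape($username), $escape($email));
}

function buildSelect(callable $escape, string $username): string
{
    return sprintf("SELECT username FROM individuals WHERE username = '%s'",
        $escape($username));
}

function formatPhone(string $areaCode, string $number): string
{
    // The result contains '-' and a space, so it is a string, not a number.
    return sprintf('%s-%s', $areaCode, $number);
}

$escape = 'addslashes'; // offline stand-in only, see note above

// Constructed inputs: a plain name and one containing a quote, which is the
// case the escaping exists to handle. Print the query and check it by eye.
foreach (['alice', "o'brien"] as $u) {
    echo buildSelect($escape, $u), "\n";
}

echo buildInsert($escape, "o'brien", 'ob@example.com'), "\n";

$phone = formatPhone('09', '123 4567');
echo sprintf("phone as %%s: %s\n", $phone); // %s keeps the whole value
// %d casts the string to int, so only the leading digits survive and the
// "-" and the number after it are silently dropped: use %s for this field.
echo sprintf("phone as %%d: %d\n", $phone);
```

Run it with `php example.php` and compare the printed SELECT against what the page shows; if the username in the printed query does not match what was inserted, the problem is in the value reaching sprintf, not in the sprintf syntax.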