until i started using the techniques for avoiding sql injection, i
have been using a normal insert and select sql query which worked
fine.
i have a registration page where a user enters their username and if
this already exists i display a message by executing a select query
and if the username does not exist then i run an insert query.
after adopting the technique to avoid sql injection
if(get_magic_quotes_gpc())
{
$username = stripslashes($_POST["username"]);
$email = stripslashes($_POST["email"]);
}
else
{
$username = $_POST["username"];
$email = $_POST["email"];
}
previously my select and insert query were
INSERT INTO individuals(username, email) values('$username', '$email')
Select username from individuals where username = '$username'
presently the insert query is
$insertquery = sprintf("INSERT INTO individuals (username, email) VALUES
('%s', '%s')",
mysql_real_escape_string($username), mysql_real_escape_string($email));
This insert query is working however the select query is not doing its task
as before of checking if the username already exists or not, even if i
register with the same username again it does not alert that the username
exists.
the select query is
$selectqueryusername = sprintf("Select username from individuals where
username='%s'", mysql_real_escape_string($username));
should i change the syntax of the above select query or is there something
else in need to do to fix the select query.
also for insert query if i have a numeric value i should be writting %d
correct, i have a numeric value however before inserting that
numeric value i am appending a character "-" to combine area code and phone
number example 09-123 4567 so i am considering this as %s as there is a
character. is this correct.
please advice.
thanks.
