PHP help

Unity Engine
1

Hello! I am having a problem with inserting variables into a mysql database, thank you in advance for reading this!

So my problem isn’t inserting into the database that works fine. Its getting a variabel into the database!

this code works fine for me

$sql = 'INSERT INTO `scores` ( `id` , `name` , `password` )'
        . ' VALUES ('
        . ' NULL , \'123456\', MD5( \'123456\' )'
        . ' );';

and it properly inserts the value. name = 123456 password = the MD5 hash for 123456

but i want to replace 123456 with a variable and everytime i try example:

$user = 123456
$pass = 123456
$sql = 'INSERT INTO `scores` ( `id` , `name` , `password` )'
        . ' VALUES ('
        . ' NULL , \'$user\', MD5( \'$pass\' )'
        . ' );';

it inserts the value user = $user pass = $pass
instead of the actual variable so naturally i attempted removing the quotes around the variables but then i get a database error claiming that there is an ‘unexpected T_variable’

2

try this:

$user = '123456';
$pass = '123456';

$sql = "INSERT INTO scores (id, name, password) VALUES (NULL, $user, MD5($pass))";

You have a few problmes with the above:

  1. You have a bunch of un-needed apostrophies.
  2. you have $user and $pass set to integer valies. mysql only interperates strings.
  3. You forgot the semi-colons at the end of the variable declarations.
  4. VALUES ( NULL, ‘$user’, MD5(‘$pass’)); is inserting the STRING $user and the hash of the STRING $pass. you want the data of the variables themselves, so you have to leave out the apostrophies on the variables.

Hope this helps.

3

Very Vulnerable Code, don’t use that.
Read about: Sql Injections

Also your Database Layout is pretty bad:
Read about: Database Normalization

Just constructive critic, no personal attack.

4

Okay im going to try that out now! thank you all for replying.

And thanks for the criticm, in the actualy statement im actaully using addslashes command to prevent injection is this helpful or is there some additional security measures i should take?

5

Yea, I aware that this code is very vulnerable, however he didn’t ask about that (Although it is probably a good thing to point out). I simply answered his questions.

6

Thank you for your reply Antitheory! (and you just deleted you post why?)

Here is the code i cannot get to work, unity is passing the username and password for registration to php but php is refusing to pass my variables to SQL here is my exact php passing code, just the snippet that wont work.

nick1 = _POST[“myform_nick”];
pass1 = _POST[“myform_pass”];

$sql = “INSERT INTO scores (id, name, password) VALUES (NULL, $nick, MD5($pass))”;
$result_id = @mysql_query($sql) or die(“DATABASE ERROR!”);

this return DATABASE ERROR everytime

7

A couple things:

  1. I am not sure how you go about connecting to your database as it’s not shown here, but make sure you are successfully connecting. That’s the first step. Also, make sure your database is setup to match your SQL statement.

  2. @mysql_query is not correct SQL (to my knoweldge) remove the @ in front of it.

What is the URL to your PHP script? I am going to test it manually in the browser to make sure it isn’t something on the client-side.

8

Okay i will try removing the @ symbol.

The url is LINK REMOVED
but for you it should return database error no matter what as you need to have to unity code to pass the variables in the first place

9

mysql_real_escape_string()

and for further reading…

The Unexpected SQL Injection
(When Escaping Is Not Enough)

In most cases mysql_real_escape_string will save you. Most cases but not all cases, especially if you are using integer fields like that for $user and $password… My guess is that you aren’t, and this was a mistaken assumption by jonbonazza… How many sites have integer passwords?

10

also this is my connection code

$host = “HIDDEN_FROM_FORUM”; //put your host here
$user = “HIDDEN_FROM_FORUM”; //in general is root
$password = “HIDDEN_FROM_FORUM”; //use your password here
$dbname = “HIDDEN_FROM_FORUM”; //your database
mysql_connect($host, $user, $password) or die(“Cant connect into database”);
mysql_select_db($dbname)or die(“Cant connect into database”);

11

The @ symbol suppresses warning messages. Good idea to remove it while debugging but useful in production code.

12

I wasn’t assuming he was using integer fields… In fact I was assuming the opposite, but the code he gave was.

13

Ah I see, that was my mistake then. I wasn’t aware you could suppress warning messages in PHP.

14

It’s casuing an error as you’re not quoting the strings. It should work like this

$sql = “INSERT INTO scores (id, name, password) VALUES (NULL, ‘$nick’, MD5(‘$pass’))”;
$result_id = @mysql_query($sql) or die(“DATABASE ERROR!”);

That corrected I would highly recommend to not use that code. It’s an SQL injection waiting to happen.
I recommend not using the old mysql extension but switch to Mysqli or PDO and use prepared statements.

Also when developing/testing you should not use @ in front of a command as it supresses the errormessage which would’ve been a lot more helpful then the “DATABASE ERROR”.

15

Mmkay, well it definitely is in the PHP script. Also, I have a question. In the SQL statement, you have an id feild, but always set it to NULL.

If this is your primary key, then you need to have it. Furthermore, since you are always setting it to null, I am curious if you even have it in your database?

What fields do you include in your database?

16

The NULL field is for the id, the id is auto incremented by mysql database and works fine. i am using the fields: id, name, passwrd

Thank you SRH that worked perfect anyone have any reccomendations on making SRH’s code more secure?

17

Sorry I deleted my post because I think I misconstrued what jonbonazza was saying and I wanted to reread the thread.

$sql = “INSERT INTO scores (id, name, password) VALUES (NULL, $nick, MD5($pass))”;

is problematic…

It should be

$sql = “INSERT INTO scores (id, name, password) VALUES (NULL, ‘$nick’, MD5(‘$pass’));”;

Note that I added single-quotation marks around $nick and $pass… Without them it wont work unless $nick and $pass are integers. I haven’t used the SQL MD5 function before but I can only assume it is expecting a string.Your database needs to have the fields name and password as type varchar (or some other text-based field type like “text” or something. I would use varchar with short things like usernames and passwords);

if you find that this works but it’s literally putting in the word “$nick” into the database then it’s possible your version of PHP is strange and not parsing the variable name. In that case you will need to do this:

$sql = “INSERT INTO scores (id, name, password) VALUES (NULL, '”.$nick.“‘, MD5(’”.$pass.“'));”;

Also you should note you used the variable name

$nick1 and $pass1 instead of $nick and $pass

18

Thanks Antitheory, and yes i noticed that after i commented that but uploaded the new script with the correction immidiately afterwards! thanks for all of your help!

19

Also I would highly recommend you remove the post with the link to your php script until you have implemented proper escaping of the variables. Some unscrupulous person could cause some damage right now if the code you posted is all you have.

20

I see, well what if $nick was asssigned a string already… wouldn’t that mean that using $nick without the apostrophies would be correct? I am just trying to figure out why $nick and $pass would be assigned integers to begin with… that’s what I was trying to get at…