MyBB Community Forums

Full Version: Searching the Database for usernames
Hi,
I was trying to search the database for usernames and then spit out the uid.

To clean up the input username I'm currently using:

$uname = htmlspecialchars_uni($mybb->input['uname']);

where uname is passed via _POST

www.localhost/mybb/test.php?uname=Darkmew

Then I simply place it in the query:

$query = $db->simple_select("users","uid","username='$uname'");
$uid = $db->fetch_field($query,"uid");

Question

Do I have to put the db->escape_string stuff somewhere...?
$query = $db->simple_select("users","uid","username='".$db->escape_string($mybb->input['uname'])."'");
$uid = $db->fetch_field($query,"uid");

Probably better than htmlspecialchars_uni - I think MyBB just stores the username as an escaped string, then formats on output. Could be wrong though...
Thanks mate... I'll try that and see if any "problems" pop up.
Btw, you got something wrong.
www.localhost/mybb/test.php?uname=Darkmew is passed with GET, not POST.
Doh!!

Yeah, I was trying to pass it through POST, not GET.

Anyway, it looks like that thing will work,

but any idea how I can test to see that no one can attack the database using the input?

Like, what would they enter in the field?

E.g. I have a place to enter the UID, which I protected with

$uid = intval($mybb->input['uid']);

so if they input code or something, then only the numbers get processed,

but what could they enter in the text field?
*just asking for testing purposes*
Unless you have some JavaScript input filter on your text boxes, all text boxes can receive any character, regardless of whether you want letters, numerals, or symbols. (JavaScript does NOT prevent invalid form data in any way; you should always sanitize your input on the server side before using it anywhere.)

Once it goes through intval in the PHP code, then it is guaranteed to be an integer.
I was referring to the place where they input the username.
In that text box you can enter text... what could they enter there that db->escape_string
wouldn't clean?
What would clean the above-mentioned (if anything)?
escape_string cleans the string of all \x00, \n, \r, \, ', " and \x1a (adding a backslash in front of each); this will make it insert into the database with no problem. If you do this as a standard you shouldn't have a problem; also use intval on strings that should be integers.
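The two questions in this thread (what an attacker could type into the username box, and why intval is still needed for the uid) can be made concrete without a MyBB install. The block below is an added example, not MyBB's code or anything a poster wrote: it models in Python what $db->escape_string does (the character set is the one listed in the reply above; the replacement spellings are those of mysql_real_escape_string, which MyBB's escape_string wraps on MySQL) and what PHP's intval does, builds the same WHERE clauses as the simple_select calls in the thread, and counts how many string literals the SQL parser would see. The table name mybb_users and the payloads are constructed for the demo.

```python
import re

# Escapes applied by mysql_real_escape_string; MyBB's $db->escape_string delegates to it.
# Character set as listed in the thread; replacement spellings are MySQL's.
ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape_string(value: str) -> str:
    """Model of $db->escape_string: put a backslash in front of each special character."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def intval(value: str) -> int:
    """Model of PHP intval() on a string: leading whitespace, optional sign, leading digits; else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def username_query(uname: str, escape: bool) -> str:
    """The SQL that simple_select("users", "uid", "username='$uname'") ends up sending."""
    value = escape_string(uname) if escape else uname
    return f"SELECT uid FROM mybb_users WHERE username='{value}'"


def uid_query(uid: str, defence: str) -> str:
    """WHERE uid=... with no defence, with escape_string only, or with intval.

    The uid is not inside quotes in the SQL, so escaping quotes cannot help here;
    only coercing to an integer does. That is the point of the intval line in the thread.
    """
    if defence == "intval":
        value = str(intval(uid))
    elif defence == "escape":
        value = escape_string(uid)
    else:
        value = uid
    return f"SELECT uid FROM mybb_users WHERE uid={value}"


def string_literal_count(sql: str) -> int:
    """Number of single-quoted string literals a MySQL parser would see, honouring backslash escapes.

    A correctly escaped username yields exactly one literal; an injected quote splits it
    into several, which is how 'username=X OR 1=1' style payloads get out of the string.
    (Comments and doubled quotes are not modelled; the constructed payloads need neither.)
    """
    count, in_literal, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_literal and ch == "\\":
            i += 2  # escaped character: stays inside the literal
            continue
        if ch == "'":
            if in_literal:
                count += 1
            in_literal = not in_literal
        i += 1
    return count


if __name__ == "__main__":
    # Constructed payload typed into the username text box.
    payload = "Darkmew' OR '1'='1"
    for escape in (False, True):
        sql = username_query(payload, escape)
        print(f"escape_string={escape!s:5}  literals={string_literal_count(sql)}  {sql}")

    # Constructed payload typed into the uid box: escaping leaves it intact, intval does not.
    for defence in ("none", "escape", "intval"):
        print(f"uid defence={defence:6}  {uid_query('5 OR 1=1', defence)}")
```

With no escaping the first query reads `... WHERE username='Darkmew' OR '1'='1'`, three literals and a condition that is true for every row, so fetch_field hands back the first uid in the table. After escape_string the parser sees one literal containing the whole payload. For the uid, escape_string changes nothing because there is no quote to escape; intval reduces `5 OR 1=1` to `5`.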