
Stats problem in PHP code.


Question

I'm having a little problem with a little piece of code. I have a stats system in place of the header to record information about my visitors.

Now this might look fine, as if there is nothing wrong with it, but for some reason, and only in Internet Explorer browsers, it dies and does not record the information.

I would like to improve my code in any way possible so that this doesn't happen again.

Here is my code that I have at the moment.

// Record stats log
$requestURL = $_SERVER['REQUEST_URI'];
$requestURL = str_replace("'", "'", $requestURL);
if($session->logged_in){
    $q = "INSERT INTO ".TBL_STATS." (stats_id, ip_guest, ip_user, language, agent, referer, url, username, last_login, last_visit) "
       . "VALUES ('".mysql_insert_id()."', '', '".$_SERVER[REMOTE_ADDR]."', '".$_SERVER['HTTP_ACCEPT_LANGUAGE']."', '".$_SERVER['HTTP_USER_AGENT']."', '".$_SERVER['HTTP_REFERER']."', '".$requestURL."', '{$session->username}', '".date("Y-m-d H:i:s")."', '')";
}
else{
    $q = "INSERT INTO ".TBL_STATS." (stats_id, ip_guest, language, agent, referer, url, username, last_visit) "
       . "VALUES ('".mysql_insert_id()."', '".$_SERVER[REMOTE_ADDR]."', '".$_SERVER['HTTP_ACCEPT_LANGUAGE']."', '".$_SERVER['HTTP_USER_AGENT']."', '".$_SERVER['HTTP_REFERER']."', '".$requestURL."', 'guest', '".date("Y-m-d H:i:s")."')";
}
mysql_query($q) or die("ERROR: ".mysql_error());

Any help would be most appreciated.

Thank you.


4 answers to this question

  • 0

The result of mysql_error would have been helpful, but my guess would be that you are not escaping the $_SERVER values. Perhaps one has a quote in it that is messing up your query.

Some other points:

- The str_replace seems pretty redundant

- $_SERVER[REMOTE_ADDR] should be $_SERVER['REMOTE_ADDR']


  • 0

You really ought to be sanitizing your inputs... Right now someone could easily fake the User-Agent header to contain an SQL query and possibly screw you over.

You need to escape your inputs when using them in a MySQL query with mysql_real_escape_string.


  • 0

To add to what's been said, there are some things that might require some tweaking.

$requestURL = str_replace("'", "'", $requestURL);

You are replacing the char with same char. If you are trying to fix security issues with manually replacing one char -- just don't. Instead you should use mysql_real_escape_string() as Mr aldo and Lant said. Also remember to escape every other dynamic string too.

VALUES ('".mysql_insert_id()."'

You probably should use autoincrement to insert the IDs. As far as inserting the values go, they are values, not strings.

'".date("Y-m-d H:i:s")."'

Depending on the setup, you could use now() instead. Also, remember to use datetime field type for dates.

username

To minimize the space required to store the data, you probably should use an ID instead of a string to specify the user.

last_login, last_visit

Are you sure you want to store that in every log row, and not in the user's profile? With 50,000,000 rows that's a lot. After all, it's a log.

What is your database structure (field type etc)?

Hope it helps :)
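The points raised in the two replies above (escape every dynamic value, let the database assign the id, use NOW() and a DATETIME column) are easiest to satisfy by not building the SQL string at all. The following is an added example, not code from the original poster or any reply; it assumes PHP 7+, a PDO connection in $pdo, the TBL_STATS constant from the question, and the same $session object with ->logged_in and ->username. It keeps the ip_guest/ip_user split from the original query.

```php
<?php
// Added example (not the poster's code). Assumes: $pdo is a PDO connection,
// TBL_STATS names the log table, stats_id is AUTO_INCREMENT and last_visit is
// a DATETIME column, so neither value is produced in PHP.

function recordVisit(PDO $pdo, $session): bool
{
    // Request headers are attacker-controlled. They are never concatenated
    // into the SQL text; each is bound as a parameter, so a quote in the
    // User-Agent (the case that broke the original query) is stored literally.
    $sql = 'INSERT INTO ' . TBL_STATS
         . ' (ip_guest, ip_user, language, agent, referer, url, username, last_visit)'
         . ' VALUES (:ip_guest, :ip_user, :language, :agent, :referer, :url, :username, NOW())';

    $loggedIn = !empty($session->logged_in);
    $ip       = $_SERVER['REMOTE_ADDR'] ?? '';

    // Truncate to the assumed column widths so an oversized header cannot
    // cause an insert error (strict mode) or silent truncation surprises.
    $params = [
        ':ip_guest' => $loggedIn ? '' : $ip,
        ':ip_user'  => $loggedIn ? $ip : '',
        ':language' => substr($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '', 0, 255),
        ':agent'    => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255),
        ':referer'  => substr($_SERVER['HTTP_REFERER'] ?? '', 0, 2048),
        ':url'      => substr($_SERVER['REQUEST_URI'] ?? '', 0, 2048),
        ':username' => $loggedIn ? (string) $session->username : 'guest',
    ];

    try {
        $stmt = $pdo->prepare($sql);
        foreach ($params as $name => $value) {
            $stmt->bindValue($name, $value, PDO::PARAM_STR);
        }
        // A failed stats insert must not take the page down (the original
        // die()) or show mysql_error() text to the visitor; log it instead.
        if (!$stmt->execute()) {
            error_log('stats insert failed: ' . implode(' ', $stmt->errorInfo()));
            return false;
        }
        return true;
    } catch (PDOException $e) {
        error_log('stats insert failed: ' . $e->getMessage());
        return false;
    }
}
```

If you follow the suggestion above to store a numeric user id rather than the username, replace the :username parameter with the id bound as PDO::PARAM_INT.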


  • 0

Here is my updated code.

$requestURL = mysql_real_escape_string($_SERVER['REQUEST_URI']);
// Escape the username too: it is also a dynamic string going into the query.
$username = mysql_real_escape_string($session->username);
if($session->logged_in){
    $q = "INSERT INTO ".TBL_STATS." (stats_id, ip_guest, ip_user, language, agent, referer, url, username, last_login, last_visit) "
       . "VALUES ('".mysql_insert_id()."', '', '".mysql_real_escape_string($_SERVER["REMOTE_ADDR"])."', '".mysql_real_escape_string($_SERVER['HTTP_ACCEPT_LANGUAGE'])."', '".mysql_real_escape_string($_SERVER['HTTP_USER_AGENT'])."', '".mysql_real_escape_string($_SERVER['HTTP_REFERER'])."', '".$requestURL."', '".$username."', '".date("Y-m-d H:i:s")."', '')";
}
else{
    $q = "INSERT INTO ".TBL_STATS." (stats_id, ip_guest, language, agent, referer, url, username, last_visit) "
       . "VALUES ('".mysql_insert_id()."', '".mysql_real_escape_string($_SERVER["REMOTE_ADDR"])."', '".mysql_real_escape_string($_SERVER['HTTP_ACCEPT_LANGUAGE'])."', '".mysql_real_escape_string($_SERVER['HTTP_USER_AGENT'])."', '".mysql_real_escape_string($_SERVER['HTTP_REFERER'])."', '".$requestURL."', 'guest', '".date("Y-m-d H:i:s")."')";
}
mysql_query($q) or die("ERROR: ".mysql_error());

Have I done it right?
