Hi,

On Wed, Mar 26, 2003 at 02:51:22PM -0500, Serge Paquin wrote:
> Do a print $testField; first.  I think what might be happening is that you have 
> register globals turned off (as you should; it's a security problem).
> 
> Try:
> 
> $sql = "INSERT INTO testTable values ('', '${_REQUEST['testField']}')";
> 

Make that:

$sql = "INSERT INTO testTable values ('', '" . addslashes($_REQUEST['testField']) . "')";

Or you would just have coded your first exploitable line of code.


Regards,

Fred.


> On Wed, 26 Mar 2003 14:28:21 -0500
> "BRYANT, LANCE" <[EMAIL PROTECTED]> wrote:
> 
> > Here is a copy of the php script that I'm using.  I can create tables and query 
> > info just not add data to the database.
> > 
> > 
> > 
> > <?php
> > //open the connection
> > $conn = mysql_connect("onyx","doghead","dogleg");
> > 
> > // pick the database to use
> > mysql_select_db("mydb",$conn);
> > 
> > //create the SQL statement
> > $sql = "INSERT INTO testTable values ('', '$testField')";
> > 
> > //execute the SQL statement
> > $result = mysql_query($sql, $conn) or die(mysql_error());
> > 
> > //echo the result identifier
> > echo $result;
> > ?>
> > -----Original Message-----
> > From: Don Read [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, March 26, 2003 2:11 PM
> > To: BRYANT, LANCE
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Data entered in PHP not appearing in mySQL
> > 
> > 
> > 
> > On 26-Mar-2003 BRYANT, LANCE wrote:
> > > When I enter data into my web page and activate my PHP script, the page 
> > > tells me that the data has been updated to my database, but when I check
> > > the database no data is entered.   A row is created but no data is
> > > entered.  Can anyone help?
> > 
> > I can't see yer code in my crystal ball but the Magic eight-ball sez: 'declare 
> > your globals.'
> > 
> > Regards,
> > -- 
> > Don Read                                       [EMAIL PROTECTED]
> > -- It's always darkest before the dawn. So if you are going to 
> >    steal the neighbor's newspaper, that's the time to do it.
> >                             (53kr33t w0rdz: sql table query)
> > 
> > 
> > -- 
> > MySQL General Mailing List
> > For list archives: http://lists.mysql.com/mysql
> > To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
> > 
> 

-- 
Fred van Engen                              XB Networks B.V.
email: [EMAIL PROTECTED]                Televisieweg 2
tel: +31 36 5462400                         1322 AC  Almere
fax: +31 36 5462424                         The Netherlands
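
The difference between pasting the request value into the statement text and passing it separately, as an added example that is not part of the original thread. It uses PDO prepared statements (an API the thread does not mention) and an in-memory SQLite database in place of the MySQL server so it runs offline; the sample inputs are constructed and the id column is filled with NULL rather than ''.

```php
<?php
// Added example. Assumption: SQLite in memory stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE testTable (id INTEGER PRIMARY KEY, testField TEXT)');

// Constructed sample inputs standing in for $_REQUEST['testField'].
$samples = ["plain text", "O'Brien", "a', 'b"];

// Before: the value becomes part of the statement text, as in the quoted script,
// so a quote character in the data changes how the statement parses.
function insertInterpolated(PDO $pdo, string $value): string
{
    $sql = "INSERT INTO testTable VALUES (NULL, '$value')";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// After: the statement text is constant and the value is sent as a bound
// parameter, so no escaping function is involved at all.
function insertBound(PDO $pdo, string $value): string
{
    $stmt = $pdo->prepare('INSERT INTO testTable (testField) VALUES (?)');
    $stmt->execute([$value]);
    return 'ok';
}

foreach ($samples as $value) {
    printf("%-12s interpolated: %s\n", $value, insertInterpolated($pdo, $value));
    printf("%-12s bound:        %s\n", $value, insertBound($pdo, $value));
}

// Show what was stored: each bound insert holds its input unchanged.
foreach ($pdo->query('SELECT id, testField FROM testTable') as $row) {
    echo $row['id'], ': ', $row['testField'], "\n";
}
```

With a MySQL connection the same `prepare()` and `execute()` calls apply; only the DSN passed to `new PDO(...)` changes.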
