php-windows Digest 23 Apr 2010 05:34:21 -0000 Issue 3795

Topics (messages 30042 through 30043):

Re: Trouble running a select query against a database, when I know the 
connection is working, and the data is there
        30042 by: Jacob Kruger

Problem with php and MySQL: inserting strings into database
        30043 by: Alexander Schunk

Administrivia:

To subscribe to the digest, e-mail:
        php-windows-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-windows-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-wind...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
I know - used to deal with/handle SQL injection prevention quite a bit in old days - and think have already got one or two code samples for counteracting it in PHP/MySQL, and they would generally be kept in functions in a general include file, to be included in all database accessing pages, and I would also generally not make too much use of querystring/get data passing in that sense either, but anyway...

One of the workarounds looked into in the past was where it would also just look like a standard <a /> link on a page, but where it would actually do a form of hidden form submission where hidden fields would be set with certain values, either dynamically hard coded, or set using javascript etc., which could also be worked around by submitting a form from another source, but it really also depended on the target production environment since while I know there are automated robotic SQLInjection implementations out there, they would still also be more likely to target websites that generate more traffic as such, etc. etc.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'

----- Original Message -----
From: "James Crow" <ja...@ultratans.com>
To: <php-wind...@lists.php.net>
Sent: Thursday, April 22, 2010 5:27 PM
Subject: Re: [PHP-WIN] Trouble running a select query against a database, when I know the connection is working, and the data is there


On 04/14/2010 08:48 PM, Jacob Kruger wrote:
Thanks.

Will be honest, and while have played around with PHP etc., have never really done much with it in terms of going into production as such anyway, so, yes, will need to learn/figure out how to do things the best way, etc.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'
And while you are trying to learn good habits look at SQL Injection attacks. Using something like $_REQUEST['id'] in a query is just asking for it. Many of the PHP and MySQL tutorials I have seen barely mention this problem, if at all.

Consider if someone had sent your script a URL like this:
script.php?id='';DELETE FROM table tblLinks;
If the user running the mysql_query() function had the rights to delete rows on the tblLinks table, the tblLinks table would be empty.

Cheers,
James

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


__________ Information from ESET NOD32 Antivirus, version of virus signature database 5051 (20100422) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
--- End Message ---
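James's point above is the pattern "$_REQUEST['id'] dropped straight into the SQL text". The following is an added example, not code from either poster: the vulnerable shape next to a hardened version that validates the value and binds it as a parameter. It uses the mysqli extension instead of the older mysql_query() from the thread, and the table and column names (tblLinks, id, url) and the get_result() call (which needs mysqlnd) are assumptions for illustration. The hardened function treats the value the same way whether it arrived via a querystring, a POST body or a hidden form field, which is what makes the hidden-form approach Jacob describes unnecessary as a defence.

```php
<?php
// Added example (not from the original thread). Table `tblLinks` with
// columns `id` and `url` is an assumed schema.

// VULNERABLE: the raw request value becomes part of the SQL text, so
// whatever the client sends is parsed by MySQL as SQL.
function findLinkUnsafe(mysqli $db, array $request): ?array
{
    $sql = "SELECT id, url FROM tblLinks WHERE id = '" . $request['id'] . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Validation step on its own: only an integer id is acceptable here.
function isValidLinkId(mixed $value): bool
{
    return is_scalar($value) && filter_var($value, FILTER_VALIDATE_INT) !== false;
}

// HARDENED: validate the shape first, then bind the value as a parameter.
// The value is sent to the server separately from the statement text, so it
// cannot change the statement no matter how it reached the script.
function findLinkSafe(mysqli $db, array $request): ?array
{
    if (!isset($request['id']) || !isValidLinkId($request['id'])) {
        return null; // reject anything that is not an integer id
    }
    $id = (int) $request['id'];

    $stmt = $db->prepare("SELECT id, url FROM tblLinks WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() assumes mysqlnd
    $stmt->close();
    return $row ?: null;
}

// The validator alone can be exercised without a database (constructed inputs):
var_dump(isValidLinkId("42"));                          // bool(true)
var_dump(isValidLinkId("'';DELETE FROM table tblLinks;")); // bool(false)
```

The validation is not the real defence; the bound parameter is. Validating first simply gives an early, loggable rejection of requests that could never be legitimate, which is useful for detection as well.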
--- Begin Message ---
Hello,

I have a problem with php and mysql when inserting strings into a database.

I have the following syntax:

$sqlinsert = "INSERT INTO werte ('benutzername', 'passwort', 'name',
'vorname', 'Geburtsdatum', 'strasse', 'plz', 'ort', 'email')
VALUES('$_POST['benutzername']', '$_POST['passwort']',
'$_POST['name']', '$_POST['vorname']', '$_POST['Geburtsdatum']',
'$_POST['straße']', '$_POST['plz']', '$_POST['ort']',
'$_POST['email']')";

I want to read entries from an HTML form into a database.

When to use backticks in MySQL and what is this syntax: " '

I am getting an unexpected T_STRING ....  error.

I am using php, mysql with xampp on windows xp.

In php.ini I have turned register_globals = on.

thank you.

yours sincerely
Alexander

--- End Message ---
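The query in the question has three separate problems: the T_STRING parse error comes from writing $_POST['benutzername'] with a quoted key inside a double-quoted string without braces; the column list is wrapped in single quotes, which MySQL reads as string literals rather than identifiers (identifiers are quoted with backticks, or not at all); and the form values are interpolated directly into the SQL, which is the injection problem discussed in the previous message. The following is an added example, not the poster's code. It assumes a mysqli connection $db, the same table and columns as the question, and that the form field is named `strasse` to match the column (the question uses `straße` for the field and `strasse` for the column). It reads from $_POST explicitly rather than relying on register_globals, and hashing the password before storage is an added practice, not something the question asked for.

```php
<?php
// Added example (not the poster's code). Assumes a mysqli connection $db to a
// table `werte` with the nine columns listed in the question.

function insertUser(mysqli $db, array $post): bool
{
    // Identifiers are quoted with backticks; the placeholders (?) take the
    // values, so no form data is ever part of the SQL text.
    $sql = "INSERT INTO `werte`
            (`benutzername`, `passwort`, `name`, `vorname`, `Geburtsdatum`,
             `strasse`, `plz`, `ort`, `email`)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)";

    // Form field names assumed to match the column names.
    $fields = ['benutzername', 'passwort', 'name', 'vorname', 'Geburtsdatum',
               'strasse', 'plz', 'ort', 'email'];
    $values = [];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return false; // missing or non-string field: refuse the insert
        }
        $values[] = $post[$f];
    }

    // Added practice: store a salted hash, never the raw password.
    $values[1] = password_hash($values[1], PASSWORD_DEFAULT);

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    // Bind all nine values as strings ('s' per value).
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage: insertUser($db, $_POST);
//
// If a value really must be interpolated into a double-quoted string (the
// style of the question), the array access needs braces to avoid the
// T_STRING parse error:
//   "... VALUES ('{$_POST['benutzername']}', ...)"
// but each value then still has to be escaped by hand; binding is safer.
```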