Re: [PHP] Narrowed down my problem to one statement:

2006-05-18 Thread Richard Lynch
On Tue, May 16, 2006 11:38 pm, John Meyer wrote:
 $sql = "INSERT INTO
 BOOKS(CopyrightYear,CoverType,DatePurchased,EditionNumber,ISBNNumber,Notes,Pages,Publisher,LOCNumber)
 VALUES(\"" . $_POST['copyrightyear'] . "\",\"" . $_POST['covertype'] .
 "\",\"" . $_POST['datepurchased'] . "\"," . $_POST['editionnumber'] .
 ",\"" . $_POST['isbn'] . "\",\"" . addslashes($_POST['notes']) . "\"," .
 (isset($_POST['numberofpages']) ? $_POST['numberofpages'] : 0) . ",\"" .
 $_POST['publisher'] . "\",\"" . $_POST['locnumber'] . "\")";


 Okay, when $_POST[notes] contains quotes, it seems to break the
 series, i.e. it returns an error at that point of the SQL statement, even
 with addslashes(). Am I doing something wrong there?

addslashes should be changed to http://php.net/mysql_real_escape_string

but that won't solve your problem.

Could you PLEASE tell us exactly what is in $_POST[notes] other than
something with a quote?

Could you PLEASE use mysql_error() to give us the exact error message?

And, just for fun, print out the EXACT query after all that mess of
quotes is done?

For that matter, you're making life really difficult with the
double-quote thing...

$query = "INSERT INTO Books(...) VALUES('$CLEAN[copyrightyear]',
'$CLEAN[covertype]', ...)";

This presumes that you have scrubbed $_POST data into $CLEAN like you
should also be doing.

You could use $_POST in place of $CLEAN if you don't care about SQL
injection attacks...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Narrowed down my problem to one statement:

2006-05-17 Thread Paul Novitski

At 09:38 PM 5/16/2006, John Meyer wrote:

$sql = "INSERT INTO
BOOKS(CopyrightYear,CoverType,DatePurchased,EditionNumber,ISBNNumber,Notes,Pages,Publisher,LOCNumber)
VALUES(\"" . $_POST['copyrightyear'] . "\",\"" . $_POST['covertype']
. "\",\"" . $_POST['datepurchased'] . "\"," .
$_POST['editionnumber'] . ",\"" . $_POST['isbn'] . "\",\"" .
addslashes($_POST['notes']) . "\"," .
(isset($_POST['numberofpages']) ? $_POST['numberofpages'] : 0) . ",\"" .
$_POST['publisher'] . "\",\"" . $_POST['locnumber'] . "\")";



Okay, when $_POST[notes] contains quotes, it seems to break the
series, i.e. it returns an error at that point of the SQL statement, even
with addslashes(). Am I doing something wrong there?



John,

I wasn't able to get your statement to break regardless of the 
content of $_POST[notes], so I'm inclined to think the problem 
doesn't lie with embedded quotes alone.  Try displaying the value of 
$sql when it fails in MySQL.  Without that evidence, your problem 
seems impossible to solve.


I'm suspicious of this conditional expression:

(isset($_POST[numberofpages])?$_POST[numberofpages]:0)

If $_POST[numberofpages] is set but contains non-numeric content, 
the query will fail.


Here are two other points tangential to your question:

By feeding user input directly into an SQL query, you're creating an 
unnecessary vulnerability in your code.  See SQL Injection at 
http://php.net/manual/en/security.database.sql-injection.php


I find the concatenation with escaped quotes messy and difficult to
proofread and modify.  My example below is somewhat exaggerated for
effect, but consider using heredoc syntax for ease of reading and a
couple of custom functions to make strings and numbers SQL-safe:

___

$copyrightyear = prepString($_POST['copyrightyear']);
$covertype = prepString($_POST['covertype']);
$datepurchased = prepString($_POST['datepurchased']);
$editionnumber = prepNumber($_POST['editionnumber']);
$isbn = prepString($_POST['isbn']);
$notes = prepString($_POST['notes']);
$numberofpages = prepNumber($_POST['numberofpages']);
$publisher = prepString($_POST['publisher']);
$locnumber = prepString($_POST['locnumber']);


$sql = <<<heredocSQL
INSERT INTO BOOKS (
CopyrightYear,
CoverType,
DatePurchased,
EditionNumber,
ISBNNumber,
Notes,
Pages,
Publisher,
LOCNumber
) VALUES (
$copyrightyear,
$covertype,
$datepurchased,
$editionnumber,
$isbn,
$notes,
$numberofpages,
$publisher,
$locnumber
);
heredocSQL;
___

Paul 
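The prepString()/prepNumber() helpers Paul leaves undefined, written out as an added example (not code from the thread or from php.net): prepString() escapes and quotes in one step via PDO::quote(), which stands in here for mysql_real_escape_string() because that needs a live MySQL connection; prepNumber() rejects a set-but-non-numeric Pages value instead of letting it break the query; the heredoc INSERT then runs against an in-memory SQLite table so the whole thing works offline. Assumed: PDO with the sqlite driver, PHP 7.1 or later, and constructed sample input.

```php
<?php
// Added example, not code from the thread. Fills in Paul's prepString()/prepNumber()
// and runs his heredoc INSERT on in-memory SQLite. Assumption: PDO::quote() stands in
// for mysql_real_escape_string(), which needs a live MySQL connection.

function prepString(PDO $db, ?string $value): string {
    // Escape AND wrap in quotes in one step; callers never concatenate raw input.
    return $db->quote($value ?? '');
}

function prepNumber($value, int $default = 0): int {
    // Paul's Pages case: a set-but-non-numeric value must not reach the query.
    if ($value === null || $value === '') {
        return $default;
    }
    $n = filter_var($value, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("expected an integer, got '$value'");
    }
    return $n;
}

function buildInsert(PDO $db, array $post): string {
    $copyrightyear = prepString($db, $post['copyrightyear'] ?? null);
    $covertype     = prepString($db, $post['covertype'] ?? null);
    $datepurchased = prepString($db, $post['datepurchased'] ?? null);
    $editionnumber = prepNumber($post['editionnumber'] ?? null);
    $isbn          = prepString($db, $post['isbn'] ?? null);
    $notes         = prepString($db, $post['notes'] ?? null);
    $numberofpages = prepNumber($post['numberofpages'] ?? null);
    $publisher     = prepString($db, $post['publisher'] ?? null);
    $locnumber     = prepString($db, $post['locnumber'] ?? null);
    // Every interpolated value is already quoted/escaped or validated as an int.
    return <<<SQL
INSERT INTO BOOKS (CopyrightYear, CoverType, DatePurchased, EditionNumber,
                   ISBNNumber, Notes, Pages, Publisher, LOCNumber)
VALUES ($copyrightyear, $covertype, $datepurchased, $editionnumber,
        $isbn, $notes, $numberofpages, $publisher, $locnumber)
SQL;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE BOOKS (CopyrightYear, CoverType, DatePurchased, EditionNumber, ISBNNumber, Notes, Pages, Publisher, LOCNumber)');
// Constructed sample input: Notes and Publisher carry both kinds of quote.
$post = ['copyrightyear' => '1999', 'covertype' => 'hardback', 'datepurchased' => '2006-05-16',
         'editionnumber' => '2', 'isbn' => '0-00-000000-0', 'numberofpages' => '312',
         'notes' => 'Inscribed "it\'s yours" on the flyleaf', 'publisher' => "O'Reilly", 'locnumber' => 'QA76'];
$db->exec(buildInsert($db, $post));
echo $db->query('SELECT Notes FROM BOOKS')->fetchColumn(), "\n";
```

Bound parameters in a PDO prepared statement would make both helpers unnecessary; the version above keeps Paul's escape-then-interpolate structure so the heredoc reads the way he describes.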





[PHP] Narrowed down my problem to one statement:

2006-05-16 Thread John Meyer



$sql = "INSERT INTO
BOOKS(CopyrightYear,CoverType,DatePurchased,EditionNumber,ISBNNumber,Notes,Pages,Publisher,LOCNumber)
VALUES(\"" . $_POST['copyrightyear'] . "\",\"" . $_POST['covertype'] .
"\",\"" . $_POST['datepurchased'] . "\"," . $_POST['editionnumber'] .
",\"" . $_POST['isbn'] . "\",\"" . addslashes($_POST['notes']) . "\"," .
(isset($_POST['numberofpages']) ? $_POST['numberofpages'] : 0) . ",\"" .
$_POST['publisher'] . "\",\"" . $_POST['locnumber'] . "\")";



Okay, when $_POST[notes] contains quotes, it seems to break the
series, i.e. it returns an error at that point of the SQL statement, even
with addslashes(). Am I doing something wrong there?

