I have a simple form with a textarea that when submitted updates rows in my database! I want my user to be able to enter single quotes into it but for some reason is not getting parsed!
This is what I have as my parsing file..
<?php
$sql = "SELECT * FROM testimonials WHERE id='$pid'";
$pid = $_POST['pid'];
$testtitle = htmlentities($_POST['ts_tt']);
$testbody = htmlentities($_POST['ts_tb']);
$compowner = htmlentities($_POST['ts_co']);
$ownertitle = htmlentities($_POST['ts_ot']);
$compname = htmlentities($_POST['ts_cn']);
$compwebsite = htmlentities($_POST['ts_cw']);
include_once "../php_includes/db_conx.php";
$sql = "UPDATE testimonials SET testtitle='$testtitle', testbody='$testbody', compowner='$compowner', ownertitle='$ownertitle', compname='$compname', compwebsite='$compwebsite' WHERE id='$pid'";
if (!mysql_query($sql, $connection)){
die('Error: ' . mysql_error());
}
echo 'Testimonial has been Edited successfully. <br /><br />Click Here';
exit();
?>
Any Ideas all!
Many thanks
- Phillip
Use
addslashes
available in php. This escapes special characters.
use mysql_real_escape_string($textareadata) in query... it will work...
First off if your environment allows it you should divorce yourself from mysql_ functions. They are deprecated and will not be available in the next release of PHP. You should switch to either PDO or mysqli.
Here is more information on why you shouldn't use mysql_* function.
Secondly, you are accepting user input and not escaping it to safely be inserted into the database. In this case it just caused your query to fail but if someone where to have a little technical know how they could have done any number of things to erase or change data in your database. This is called an SQL Injection and is one of the more common ways that websites get hacked.
There is two main points where your script can use a little more guarded treatment. The first is this one.
$sql = "SELECT * FROM testimonials WHERE id='$pid'";
It should be
$sql = "SELECT * FROM testimonials WHERE id='".mysql_real_escape_string($pid)."'";
The second is
$sql = "UPDATE testimonials SET testtitle='$testtitle', testbody='$testbody', compowner='$compowner', ownertitle='$ownertitle', compname='$compname', compwebsite='$compwebsite' WHERE id='$pid'";
Which should be
$sql = "UPDATE testimonials SET testtitle='".mysql_real_escape_string($testtitle)."', testbody='".mysql_real_escape_string($testbody)."', compowner='".mysql_real_escape_string($compowner)."', ownertitle='".mysql_real_escape_string($ownertitle)."', compname='".mysql_real_escape_string($compname)."', compwebsite='".mysql_real_escape_string($compwebsite)."' WHERE id='".mysql_real_escape_string($pid)."'";
Note you may also find that you have to move the database connection include up before your first call to mysql_real_escape_string.
To describe more on how this exploit can happen lets take your first query as assume you are getting pid from a text field.
$sql = "SELECT * FROM testimonials WHERE id='$pid'";
Me being an evil hacker can simply type in
0'; update testimonials set testbody = '<script>window.location.href="http://www.compeditors-website.com";</script>';
And what will get sent to your database is.
SELECT * FROM testimonials WHERE id='0'; update testimonials set testbody = '<script>window.location.href="http://www.competitors-website.com";</script>';
And now when anyone goes to your testimonials page they will be redirected to your competitors website.
Related
im trying to display a tracking number for a product on opencart.
so once the order has been placed. i then add a tracking number to it. from which i wish the customer to be able to see on the order history.
// get tracking details
$sql = 'SELECT * FROM '.DB_PREFIX.'order_history'.`tracking_number`;
$query = $this->db->query($sql);
$rates = array();
foreach($query->rows as $result){
$rates[] = $result;
}
$this->data['tracking'] = $tracking;
this would also go in order.php
this is what ive written but it dont work, im not expert at php, i dabble in it. hopefully someone can point me in the right direction,
so this code would go into controller/account/order.php
then on the template i assume i can just insert
<?php echo $tracking; ?> to display tracking deteails.
thanks in advance.
Off hand, I can see that this code will result in error, because your quotes/backticks are out of place:
$sql = 'SELECT * FROM '.DB_PREFIX.'order_history'.`tracking_number`;
Should be more along these lines:
$sql = "SELECT `tracking_number` FROM `".DB_PREFIX."order_history`";
And, assuming you're going to want to pull an order-specific tracking #:
$sql = "SELECT `tracking_number`
FROM `".DB_PREFIX."order_history`
WHERE `order_id` = 'MUFFINS'";
Do yourself a favor and use the double quotes when preparing a MySQL query. It's easier to wrap your stuff in single quotes without having to escape.
As for the remainder of the code, these are not rates but tracking numbers. Assumedly, there would be one tracking number to return per order, which you could wrap up into a single line of code like so:
$my_tracking_number = $this->db->query("
SELECT `tracking_number`
FROM `".DB_PREFIX."order_history`
WHERE `order_id` = 'MUFFINS'
")->row['tracking_number'];
if ( !empty($my_tracking_number) {
$this->data['tracking_number'] = $my_tracking_number;
}
However, if you're going to associate more than one tracking number with an order you can either insert a BLOB column in your order_history table and insert/query serialized data, or create a separate table entirely where multiple rows can be associated with a single order ID.
I'm trying to write a search function and am using multiple drop-down lists for search criteria.
i have a sql statement like
SELECT * FROM TABLE WHERE OFFICE='$office', NAME='$name', DEPARTMENT='$department';
Sometime I want to search with specific 'name' but without talking about 'department' and 'office'. But when I pass Blank '' to '$office' and '$department' it only return the person with no office and department. Is there anyway around to overcome it?
I tried to use '%' instead of blank but it didn't work as well.
I'm coding with php and MSSQL.
Thanks in Advance
If you want to work with wildcards, you dont need =, but LIKE. Unsure if this query works, but try it:
SELECT * FROM TABLE WHERE OFFICE LIKE '$office', NAME LIKE '$name', DEPARTMENT LIKE '$department';
Now you just have to check if the field is blank, if yes, replace it with a %. As i said, im unsure. I dont have a database availible at the moment for testing this.
for achieving this you have to write some php code like
$sql = "SELECT * FROM TABLE WHERE";
if(isset($office)){
$sql .= "OFFICE='$office',";
}
if(isset($name)){
$sql .= " NAME='$name',";
}
if(isset($department)){
$sql .= " DEPARTMENT='$department'";
}
You can easily do this as follow:
if(isset($office) && isset($department)){
$sql = "SELECT * FROM TABLE WHERE OFFICE='$office', NAME='$name', DEPARTMENT='$department'";
}
else{
$sql = "SELECT * FROM TABLE WHERE NAME LIKE '$name'";
}
mysql_query($connection, $sql);
Good Day
I have a link that does the following
Find Client
It then runs the required page. I need when the link is used for it to subtract one value from a SQL database I have.
The database has the following Rows
id date credit
$sql = "UPDATE items SET credit = credit - 1";
I have tried entering the above string into the code as such:
Find Client
But can't seem to get it to work.
Please assist all I need is one credit to be deducted when the link is used. but the link must still preform the href as well
EDITED:
$sql = "insert into avis_lbs_log set lng = '".$long."', lat = '".$lat."', distance =
'".$distance."', msisdn = '".$msisdn."', date_time = '".$today."'";
$sql = "UPDATE avis_credit SET cred = cred - 1'";
You have to fire this query in lbs_map.php to decrement the value
//lbs_map.php
<?php
//mysql connection
$sql = "UPDATE items SET credit = credit - 1";
//execute the sql query
//your rest of code
What you need to do is set up code that doesn't contain your statement. This is to prevent SQL injection. A better way of doing it is:
Find Client
Then in your PHP, you can check if $_GET['do'] == 'update' and perform the update.
I am trying to get some information from my table, but the query returns empty when I call it this way:
$varchar_string = mysqli_real_escape_string($link, $_GET['code']); //the code is b5KlL4znM in this scenario
mysqli_query($link, "SELECT * FROM table WHERE code = $varchar_string");
The string is alphanumeric, and is submitted by users, so I've escaped it before doing the query.
Now if I do this query
mysqli_query($link, "SELECT * FROM table WHERE code = 'b5KlL4znM'");
It works fine, but that's not very dynamic.
I didn't get many results when I searched for this issue, and I didn't manage to find the answer amongst those that seem relevant.
Do you perhaps need to put quotes around your string?
mysqli_query($link, "SELECT * FROM table WHERE code = '$varchar_string'");
You'll need to include the variable in quotations.
mysqli_query($link, "SELECT * FROM table WHERE code = '$varchar_string'");
When is the correct time to use mysql_real_escape_string?
Should I be using it when I use isset(mysql_escape_string($_GET['param'])),
Should I be using it when I use $foo = mysql_real_escape_string($_GET['bar']);
Thanks
You need to call this function when building SQL queries with string literals.
You should not call it anywhere else.
The point of calling this function is to prevent you from executing SQL like SELECT * FROM Students WHERE Name = 'Robert'); DROP TABLE Students;--'.
mysql_real_escape_string will escape the ' character so that the evil string is treated entirely as a string.
You should use it whenever you don't trust the data you are inserting in a mysql query to prevent sql injections. For example all user forms data.
In your first example: no.
Second example: yes, if you are going to use the $foo variable in a query.
You should use it whenever you are inserting data into a database query (POST/GET data), but not if you just need to check the data.
You use mysql_real_escape_string whenever you have input from a user that you want to use in a query.
Here's how to use it:
$user = mysql_real_escape_string('$_GET['user']);
$password = MD5($user.$_GET['password']);
$query = "SELECT * FROM users WHERE user = '$user' AND password = '$password' ";
//the quotes are vital !! ^ ^ or you will not be safe!
Here's example code that doesn't work:
Broken code
$user = mysql_real_escape_string('$_GET['user']);
$password = MD5($user.$_GET['password']);
$query = "SELECT * FROM users WHERE user = $user AND password = '$password' ";
In the example I can login into your system by entering any password whatsoever and
user or (1=1) --. This will make the query to read:
SELECT * FROM users WHERE user = user or (1=1) -- AND password = '$password
And will approve all logins because the password never gets checked.
When using mysql_query, you can only ever execute one SQL-statement at a time, so:
$query = "SELECT * FROM a; DELETE FROM a WHERE (1=1)"
mysql_query($query);
Will result in an error, because cannot be a part after the ;.
This code however will work:
Danger
$query = "SELECT * FROM a; DELETE FROM a WHERE (1=1)"
mysqli_query($query);
Because the improved mysqli_query does allow two or more statements to be executed in one go.