I have simple form for editting site content:
- a text input for title
- a textarea for content
When adding content, there is no problem, allthings add normally:
$chead = mysql_real_escape_string(stripslashes($_POST['chead']));
$ctext = mysql_real_escape_string(stripslashes($_POST['ctext']));
But when edittig the article that containig the
$chead = 'sdsfsf' "sdgsdgs"ggdsfsdg
The $chead = 'sdsfsf'
and the "sdgsdgs"ggdsfsdg will be lost!!!
What is the problem with mysql_real_escpae_string?
Thanks
You need to track down where the information is getting lost, which isn't likely to be mysql_real_escape_string.
Check the $chead value that's being generated (before you accuse a particular function of having damaged your data, make sure it is). Then check SQL command you're generating and make sure it's working. Check the database after you insert/update the record and the values returned from the database when you ask for the article back.
In my experience it's much more likely to be a programmer error in the database interaction, or HTML generation that's causing trouble than PHP. If you really do track the problem down to mysql_real_escape_string, you'll probably need to reinstall PHP and MySQL.
Related
I validate and sanitize all my data before inserting it into the database. Would it be considered a good or a redundant pactice to validate it when pulling it form the database before displaying it?
This boils down to how much to trust your own code. On one extreme, I could forgo the validation completely if I knew that onlyI would use the client-side interface and would never make a mistake. On the other, I could validate data in every class in case I'm working with others and they forgot to properly do their job. But what's a generally good practice in this particular case?
Input validation should be a yes/no proposition. You should not modify input and save it.
You should use Htmlentities after pulling from the DB and before showing. This is because it's better to clean data just before using it at the point of failure. This is why prepared statements work so well, because there is no external code you rely on.
Say you forget to sanitize 1 field in 1 form, then when you ouput that data to other users you have no way to see that mistake from the code that does the output (assuming its not in the same file).
The less code between the sanitizing and the end result is better.
Now that is not to say save everything and validate it later. Take an email for example, you should validate that for the proper format before saving.
But for other things you don't want to modify user input. Take a file upload. Some people will change the filename to sanitize it, replace spaces etc. This is good but I prefer to create my own filename, and then show them the origainal file name, while the one I use on the server is a hash of their username and the name of the file. They never know this, and I get clean filenames.
You start modifying user data, and it becomes a chore to maintain it. You may have to un-modify it so they can make edits to it... etc. Which means you are then doing way more work then if you just clean it when outputting it.
Take for example the simple act of replacing a users \n line returns with a <br> tag. User inputs into a text field then you change it to html and save it. (besides security reasons not to do this) when user wants to edit the data, you would have to take the <br> and replace them with \n so they can edit it. Security reasons being now you have decided that raw HTML in that field is ok and will just output the raw field, allowing someone a possibility to add their own HTML. So by modifying user data we have created more work for yourself, and we have made assumptions that the data is clean before inserting it when we output it. And we cannot see how it was cleaned when we output it.
So the answer is it depends on the data and what sanitation you are doing.
Hope that makes sense.
I guess there is not need of validating or sanitizing the data from the db as you are doing it before inserting
A attacker always plays with the data which he is sending to the server and just analyis the data coming as a response . They plays with input not with the output.So just secure your data before sending it to server or db .
I'm trying to realize a dynamic website for exercise. All contents are stored in the database:
I included html code(FORMS) as DB content with no ploblem, but when i try to insert php code as DB content nothing happens. The field type for Content is TEXT.
I tryed various ways :
INSERT INTO TableContent(Name_Content, Content, ID_Menu) values ("Amministration Area", "<?php include('LogIn.php')", 5);
INSERT INTO TableContent(Name_Content, Content, ID_Menu) values ("Amministration Area", "<?php include(\"LogIn.php\")", 5);
In the website page i see Amministrazion Area, but not what Login.php does.
I thought i made a mistake in Login.php page code so i changed it in a simply echo ("Hi"); but nothing appears anyway. I see only the text Amministration Area.
How can i solve it ?
It's just text! Text in a database. Nothing happens when you just insert text into a database and read from it. You have to actually get something to execute that text as PHP code. That doesn't happen automatically, thankfully! In PHP, the way to execute arbitrary strings as code is by using eval. But this is overall a very bad idea; storing all PHP code in a database is not making anything easier, on the contrary it makes everything more difficult to work with and more prone to exploits if you execute arbitrary code. I'd advice you to stop doing that and go back to PHP code in .php files, not databases.
PHP see <?php include("LogIn.php");? as a string, when you look in the source code of your file, you'll probably see it. It doesn't show up on screen because it starts with a <.
To execute the code instead of handling it as a string, you can use the eval() function.
You however don't want every row of your database be seen as PHP code, so you'll probably need to add a extra column that defines what the row is, i.e. a string, php code. Or you make an extra table where you store your includes.
I have an HTML table with contents, I would like to have an feature of Edit/Delete to that table. How do I do it with PHP?
I actually think that this sounds more like a job for JavaScript, which can edit/remove rows on-the-fly and with much less code. (Implement some AJAX too, and you can edit/remove rows in database too).
But if you insist on using PHP, you might just want to add some GET parameters to the Edit/Delete links that would delete or edit those rows.
Well, there is a pure PHP way to do it, and then there is a combination of Javascript and PHP. You must use PHP one way or another if you want your changes to the database to be permanent as that is your gateway to communicating with the database (as far as I know you cannot do that with Javascript as that is client-based and runs entirely in your web browser).
If using just PHP, you must generate HTML documents for each change. E.g., you click on one cell in the table and that gets you to a new HTML page where the field is editable through an input element; or you can list all fields at once for that row and edit them all at the same time. The fields are then posted in a form to a PHP page which will take the new values and update the database (or insert new values or however you wish it to behave). Here's a tutorial for how to do this:
http://www.freewebmasterhelp.com/tutorials/phpmysql/1
You can also mix in some Javascript which allows a more interactive interface to modifying the values in a cell. However, this obviously requires more code and may be overkill for what you're trying to do. Nonetheless, here is a link which demonstrates just that and also shows the code:
http://www.java2s.com/Code/JavaScript/GUI-Components/Editabletablecell.htm
Hope this is what you're looking for.
EDIT:
Forgot that you also wished to delete content in the table. That is also explained in the first link.
If you intend to work with databases, and it seems like you have little understanding of how they work, pick up a good book like: SQL - The Complete Reference. When you have enough knowledge of SQL, look at PHP's PDO extension: http://php.net/manual/en/book.pdo.php
i have some php source it can send form data info to other page under mysql 4.x version.
but after upgraded to mysql 5.x version, this php source can't send form data info to other page.
i was searched many info, but don't have idea what's wrong with my php source.
i just can guess this is related with mysql upgrade and i have to edit my php source,
but lack of knowledge it very tough for me.
if anyone help me or give some hint it really appreciate!
my php source is consist of 3 part.
form sender page ( http://pastebin.com/3Sg7SyWV )
-> submited form data info checking page ( http://pastebin.com/WEx5tEn2 )
-> insert form data to DB ( http://pastebin.com/918iZkgw )
for several day i was search and search but lack of my knowledge about php and mysql
it very hard to resolve.
Thanks in advance
You're not checking if your insert query succeeds. I can't tell which MySQL library you're using, but generally they all return FALSE if a query fails, so you could change your query line to something like:
$DB->ExecSql($InsertQuery) or die($DB->whatever_returns_error_information());
If something's wrong with the query, then this would abort the script and output any error information produced.
As well, it doesn't look like you're escaping your query data anywhere. That leaves you wide open to SQL injection. And as well, any of the form data which contains even a single quote (') will "break" the query by introducing syntax errors. If you had proper error checking in there, you'd have gotten a syntax error report.
For that matter, where are you extracting the submitted data and building all those variables you paste into the query? There's only one place in your three scripts where $_POST is referred to, and it seems to be in an error output function which simply dumps out each key/value as hidden form fields (and in there you're also not escaping/quoting the data, so your form itself is vulnerable to XSS attacks).
I am working on building a small php/mysql script that will act something like a wordpress blog but will just be a small site for my eyes only to store PHP code snippets. So I will have categories and then pages with sample code that I write with a javascript syntax highlighter. Instead of storing my php code snippets in the file I am wanting to save them to mysql DB. So what is the best way to save PHP into mysql and to get it out of mysql to show on the page?
My end result will be something like this
alt text http://img2.pict.com/c1/c4/69/2516419/0/800/screenshot2b193.png
Update:
I just wasn't sure if I needed to do something special to the code before sending it to mysql since it has all different kinds of characters in it
Just store in a text field, as is. Not much more beyond that.
If you're not using some kind of database abstraction layer, just call mysql_real_escape_string on the text.
Do you want to be able to search the php code? If so, I recommend using the MyISAM table type as it supports full text indexes (InnoDB does not). Your choices for column type when it comes to a fulltext index are char, varchar and text. I would go with text as your code snippets might get too long for the other types.
Another point worth mentioning, is make sure you properly escape all php code (or any value for that matter) before you insert it. The best way to do this is by using parameterized queries.
Unless I'm missing part of the problem, you should be safe storing it as a TEXT field in a MySQL database. Just make absolutely sure you sanitize the code snippets, as PHP code in particular is quite likely to contain the characters that will escape out of an SQL string. (If you're already using an SQL framework, odds are the framework is doing this for you.)
Store as text (varchar) in the database.
Use cascading style sheet (css) to format code.
http://qbnz.com/highlighter/
Try this:
mysql select ...
eval('?>' . $row['phpcode'] . '<?php ');