Please don't send me a link to php.net referencing mysql_real_escape_string as the only response. I have read through the page and while I understand the general concepts, I am having some trouble based on how my INSERT statement is currently built.
Today, I am using the following:
$sql = "INSERT INTO tablename VALUES ('',
'$_SESSION['Member1FirstName'],
'$_SESSION['Member1LastName'],
'$_SESSION['Member1ID'],
'$_SESSION['Member2FirstName'],
'$_SESSION['Member2LastName'],
'$_SESSION['Member2ID'] ....)
and the list goes on for 20+ members with some other values entered. It seems most people in the examples already have all their data stored in an array.
On my site, I accept form inputs, action="" is set to self, php validation takes place and if validation passes, data is stored into SESSION variables on page 2 then redirected to the next page in the process (page 3) (approximately 8-10 pages in the whole process).
You seem to already know that you should be using mysql_real_escape_string but I guess you don't know how to use. You need to apply it for each user supplied string you insert into your SQL. The following example should clarify this:
$sql = "INSERT INTO tablename VALUES ('', '" .
mysql_real_escape_string($_SESSION['Member1FirstName']) . "', '" .
mysql_real_escape_string($_SESSION['Member1LastName']) . "', '" .
etc..
Or alternatively look into prepared statements and bind parameters for an easier (and faster) solution.
1) you're missing your closing single-quote and vars aren't replaced inside of single quotes.
2) mysql_real_escape_string is the answer, but try it with sprintf:
$sql = sprintf("INSERT INTO tablename VALUES ('', '%s', '%s', '%d' )",
mysql_real_escape_string( $_SESSION['Member1FirstName']),
mysql_real_escape_string( $_SESSION['Member1LastName']),
$_SESSION['Member1ID']); // %d forced it as a digit
http://us2.php.net/manual/en/function.sprintf.php
Why can't you use mysql_real_escape_string?
You can also use a regexp to only allow certain characters that would be expected in a name
Related
I'm having problems with a really bizarre problem when trying to insert a record into mysql via PHP and I was wondering if anyone could shed any light on it, because I'm out of ideas now.
Database table:
Field Type Null Default Comments
UserID bigint(20) No Autoincrement
UserGUID text No
ServerID int(11) No
UserName text No
Passwrd text No
Prompt text No
Answer text No
EMail text No
Verified int(11) No 0
Language text No
Gender int(1) Yes NULL
DateOfBirth int(11) Yes NULL
Country int(11) Yes NULL
PostCode text Yes NULL
State text Yes NULL
Town text Yes NULL
Snippit of relevant PHP code...
public function signupUser($uid, $pwd, $prompt, $answer, $email, $lang, ... &$result)
{
$guid = $this->getGUID();
$serverID = 1;
$result = mysql_query("INSERT INTO User(UserGUID, ServerID, UserName, Passwrd, EMail) " +
"VALUES ('$guid', $serverID, '$uid', '$pwd', '$email')");
Before anyone tells me I should be using mysqli, parameterising my queries and the like, please be aware that this PHP/MySQL is a local test harness only, on a private network and only for development purposes until the real web service (dotNet/Oracle) comes available.
So if I call the function above with suitable parameters, $result comes back with...
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' at line 1"
but if I reduce the query to just...
$result = mysql_query("INSERT INTO User(UserGUID, ServerID, UserName, Passwrd) " +
"VALUES ('$guid', $serverID, '$uid', '$pwd')");
it works! Happily inserts the record (despite there being nulls in not null fields!?!) Just to add further complications, if I run the (original) query with suitable values e.g.
INSERT INTO User(UserGUID, ServerID, UserName, Passwrd, EMail) VALUES ('guid', serverID, 'uid', 'pwd', 'email')
directly against the database via phpMyAdmin, it also works!!
This is driving me nuts. I've tried changing field names, nullability, order, which fields I use in the query (after the first four which work), values - none of it makes a difference. It almost seems as if it doesn't want more than four fields.
Please... anyone...? I really am at a loss to understand why it won't accept the fifth field, it makes no sense that I can see. Unfortunately the error returned is of no help at all, too vague and seems to be the equivalent of the oh-so-useful "errors occurred" from MS.
If I have to change over to mysqli I will but I'd prefer not to have to re-craft the test harness if I can avoid it.
edited after a revelation: take a look in the comments that concatenation operator in php is absolutely a . not a + i would put money that is your problem right there... didnt even see it on my first look.
in the past ive run into odd troubles somewhat similar to this - and was able to solve it by encapsulating my table and column names in backticks columnX, columnY - i would also try adding a space between the table name 'User' and the parenthesis containing your column names in the SQL syntax
mysql_query("INSERT INTO User(UserGUID, ServerID, UserName, Passwrd, EMail) " +
"VALUES ('$guid', $serverID, '$uid', '$pwd', '$email')");
take a look at this question? very similar to yours with successful results
hope i could be of some assistance
If your example is literal, I doubt either works. The string concatenation operator is "." not "+" in php. Additionally, php will not interpret variables inside single quotes. Try re-writing the query like this:
$result = mysql_query("INSERT INTO User SET UserGUID = '" . $guid . "', ServerID = " . $serverID . ", UserName = '" . $uid . "', Passwrd = '" . $pwd . "'";
I always create SQL inside a string, and, if there is a problem, I insert an echo $sql or error_log($sql) statement.
Sometimes there's something very subtle. When you copy and paste the query from debug output into phpMyAdmin, you will see a more meaningful error message.
One thing is possible that the variable $email contains something that breaks out of the string. Make sure you use mysql_real_escape_string on your PBP variables before including them inside an SQL query..
This is pretty simple but I can't seem to find the answer i'm looking for.
This works perfectly :
mysql_query("INSERT INTO Courses (CourseName) values ('MyValue')");
But this does not work :
mysql_query("INSERT INTO Courses (CourseName) values ('" + $_POST['course'] + "')");
I tested and I know that $_POST['course'] contains MyValue.
Am I even allowed to use this syntax in php ?
Sql Injection is not a concern in my case.
PHP uses . to concatenate strings
mysql_query("INSERT INTO Courses (CourseName) values ('".mysql_real_escape_string($_POST['course'])."')");
Also use mysql_real_escape_string to prevent any errors, like o'neil having a single quote in it.
mysql_query("INSERT INTO Courses (CourseName) values ('" + $_POST['course'] + "')");
The method of string concatenation you are using is not supported in PHP. It is supported in other languages. There are multiple options to building your string.
Option 1: replace + with .
mysql_query("INSERT INTO Courses (CourseName) values ('".$_POST['course']."')");
Option 2: no break
mysql_query("INSERT INTO Courses (CourseName) values ('{$_POST['course']}')");
You should read up on the basics when going between languages, especially in this case a search for "PHP String Concatenation" will give you what you need.
Also: Do not use MySQL_* for it has been deprecated as of PHP 5.5. Use MySQLi_* or PDO
1) Use mysqli, not mysql , because it is deprecated.
2) Always escape the variables coming from your site, with mysql_real_escape string, if you STILL use mysql...
3) debug your code. The fastest in your example simply use:
mysql_query("... your sql string ") or die(mysql_error())
Than you see the error. (but when your script go live, comment out all "or die(mysql_error())+ code, so the others could not see the errors , and hack your site (so easy) )
4) . is the concatenation of the strings in php, not +
Use . instead of +
mysql_query("INSERT INTO Courses (CourseName) values ('" . mysql_real_escape_string($_POST['course']) . "')");
i was going to have a menu consisting of images which differed depending on if a new record was added since the users last visit.
However I decided to move away from that idea and I am now going for comparing last timestamp on clicked link with timestamp on new record.
I tried to find a solution but I am stuck at this line right now, maybe you can see what's wrong with it (clicks is my table where I want to store the clicks):
$sql = "insert into clicks (username, link_url, click_timestamp) values ($_SESSION[$username], "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]", now())";
$result=mysql_query($sql);
So, anybody have any good ideas? :)
You have an error in your SQL syntax, try this:
$sql = 'INSERT INTO clicks (username, link_url, click_timestamp) VALUES
("' . $_SESSION[$username] . '",
"http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '",
NOW()
)';
Check that string. As ar as I know, PHP can solve plain variables inside a string, but cannot solve an array, so $_SESSION in this case should go outside the string. Also, if you want to put quotes inside a string, use a backslash before it, like \", so it's gonna be interpreted as a quote character instead of an end of string.
So , am creating a password change table
When some 1 changes pass , i insert his username, newpass and the confirmation code in PassChange table, (so i send him a confirmation e-mail after) the idea is simple and here's the code i use
$insertResult=mysql_query("INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('$UserName', '$newPass', '$code')") or die (mysql_error());
though i get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'username'', '4da59df8d4007807e7230e0881fbf774', '16585482')' at line 1
NOTE: All the columns format in the table is set to varchar.
The connection to mysql database is fine, the table name is currect.
This problem is driving me crazy , i just can't figure out where the problem is, if anyone here can help me will be very thankful :)
and thanks in advance.
EDIT:
I actually got it solved, and just for people who visit this post by searching for solutions, if you got similar problem with your sql command, try echo it, and see how exactly the string is moved to the database :-) , happy coding everyone.
And sorry if I wasted any of your time :) am just very new to php & mysql :D
Remove the single quotes around your variables. PHP is interpreting them as strings.
$insertResult=mysql_query("INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('" . $UserName. "', '" . $newPass. "', '" . $code . "')") or die (mysql_error());
Additionally, you might want to do something like this:
$sql = "INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('" . $UserName. "', '" . $newPass. "', '" . $code . "')";
echo $sql;
Take that echo, and try to manually run it.
Looks something like sql inyection. I'm quite sure your $username is $username = "username'". Look at the single quote. So the query became:
$insertResult=mysql_query("INSERT INTO TempChangePass (UserName, NewPass, ConfirmationCode) VALUES ('username*''*, '4da59df8d4007807e7230e0881fbf774', '16585482')") or die (mysql_error());
Did you try to do the Query one column by one ?
i mean :
INSERT INTO TempChangePass (UserName) values ( '$UserName' );
then add it up ?
Works for me mostly when I get errors ;)
Just an idea.
It looks like you have single quotes in your actual username -- you're actually passing in 'username' instead of just username. Try removing those, see if it will work after that.
The recommended way to deal with this issue (and prevent SQL injection) is to use prepared statements, however if you really want to, you could probably do this inline using mysql_real_escape_string($UserName) (reference)
Try this:
$insertResult=mysql_query("INSERT INTO TempChangePass(UserName, NewPass, ConfirmationCode) VALUES('$UserName', '$newPass', '$code')") or die (mysql_error());
You have some extra spaces in your SQL.
try using a sanitizing script before you make the query.
use
mysql_real_escape_string()
EDIT
You should now use the MySQLi version
mysqli_real_escape_string()
or OOP method
mysqli::real_escape_string()
Why use MySQLi instead of MySQL?
In accessing my database, I have the user fill out a form, and in the target page, the posted values are used in the resulting MySQL query.
$query = mysql_query("SELECT pass FROM database WHERE user='$_POST[user]'");
However, for some reason or another, MySQL doesn't like my using a $_POST variable in the command, and it only works if I define (for example) $user = $_POST['user'];, and then put $user directly in the SQL command.
On the other hand, I can use $_POST values in INSERT statements where specific column names are not required:
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', '$_POST[user]'");
If I try an INSERT statement where attributes are defined (e.g. user='foo'), then the same problem appears.
What am I doing wrong in my SQL query that causes the command to error out when run, but works with the specific method of formatting an INSERT command?
Hopefully, it's not "tough luck, looks like you have to assign all of your posted values". Heh.
First of, watch out for SQL Injections!
Now, to answer your question try doing this instead:
$query = mysql_query("SELECT `pass` FROM `database` WHERE `user` LIKE '" . mysql_escape_string($_POST['user']) . "';");
You were doing a couple of things wrong:
using the = operator instead of LIKE operator
not enclosing the value in the SQL query with '
not enclosing the user index in the $_POST array with '
PS: You should use mysql_real_escape_string() instead of mysql_escape_string()!
You're simply inserting a variable into a string, so it shouldn't matter which command you're putting it into.
There are a few issues to point out.
One, you might want to use the {} format for array variables. You don't use quotes around the arrray key names in this format.
$query = mysql_query("SELECT pass FROM database WHERE user='{$_POST[user]}'")
Two, you'd never want to make a query like that because you are open to sql injection holes. Consider, what if $_POST['user'] was "cow';drop table database;--"?
You must either run mysql_real_escape_string on the POST input before putting it into your query, or check out using PHP PDO with prepared statements.
One way to do format your string which provides a bit of structure is to use sprintf.
$query=mysql_query(sprintf("SELECT pass FROM database WHERE user='%s'",mysql_real_escape_string($_POST['user'])));
Use PDO - it provides much better API to communicate with DB.
If you're using mysql_*() functions always remember to filter (mysql_real_escape_string()) any data that comes from untrusted source (like user)
Pay more attention to how your code looks like. Just compare the following listings:
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ")");
$query = sprinf('INSERT INTO database VALUES ("foo", "bar", "%s", "%s", "%s")',
mysql_real_escape(...), ...);
Do I have to explain which one is better to read, modify or understand?
Why not check and see what mysql_error() has to say about it? If your query is invalid, mysql_error() will return a nice blob of text telling you exactly what went wrong.
As for MySQL not liking the POST var if you insert it directly for some runs, but not others, then you should make sure you're using consistent data and setups for each test. If some test are done using a GET, then your POST vars will be empty. If you're using different user names for each test, then see if what's consistent between the ones that fail.
And as mentioned above, read up about SQL injection and how your query is just begging to be subverted by a malicious user.
Try
$query = mysql_query("SELECT pass FROM database WHERE user=" . mysql_real_escape_string($_POST['user']));
and
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', " . mysql_real_escape_string($_POST['user']) . ")");
Its always a good idea to sanitize anything received through $_GET or $_POST