Hello,
I have a PHP script with a mysql_query ...
$insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES
('$_POST[ID]','$row_startseiten[ID]')");
I get no mysql_error; if I copy the INSERT directly into phpMyAdmin, the
insert works, but with the PHP script the insert doesn't create a new
row in the table .. but why?
thank you for help
Mark
-- www.zeitfuerwahrheit.de
***************************************************************************
By the great Manual, I have spoken!
***************************************************************************
"I have seen things you people would never believe.
Gigantic ships that burned, out beyond the shoulder of Orion.
And I have seen C-beams, glittering in the dark,
near the Thannhäuser Gate.
All those moments will be lost... in time,
like... tears in rain."
***************************************************************************
Mark Knochen wrote:
Hello,
I have a PHP script with a mysql_query ...
$insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES
('$_POST[ID]','$row_startseiten[ID]')");
I get no mysql_error; if I copy the INSERT directly into phpMyAdmin, the
insert works, but with the PHP script the insert doesn't create a new
row in the table .. but why?
thank you for help
Mark
Surely you are not pasting *exactly* the above; you are replacing
$_POST[ID], for example. I'd do one thing:
echo $insert;
so you could see what actually gets sent to the mysql server. I bet the
problem's there.
Besides, using a bare $_POST var in a query is *not* a good idea; that's the
best way to get SQL-injected. You _should_ do some checks on the value of
$_POST[ID].
cheers
mike
--
well, whatever, nevermind
Mark Knochen wrote:
$insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES
('$_POST[ID]','$row_startseiten[ID]')");
I get no mysql_error; if I copy the INSERT directly into phpMyAdmin, the
insert works, but with the PHP script the insert doesn't create a new
row in the table .. but why?
Because of how variable expansion works. Do an echo() of that
double-quoted string when running your script, and you'll see the error
clearly.
So, please RTFM, the "Data types: string" chapter, and learn to use curly
braces when putting variables inside a double-quoted string.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
The devil, tired of meat, became a friar.
Iván Sánchez Ortega wrote:
Mark Knochen wrote:
>$insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES ('$_POST[ID]','$row_startseiten[ID]')");
I get no mysql_error; if I copy the INSERT directly into phpMyAdmin, the insert works, but with the PHP script the insert doesn't create a new row in the table .. but why?
Because of how variable expansion works. Do an echo() of that
double-quoted string when running your script, and you'll see the
error clearly.
So, please RTFM, the "Data types: string" chapter, and learn to
use curly braces when putting variables inside a double-quoted string.
And always, always, always* quote array keys (unless you use a variable,
of course).
* always = if you feel like it
always, always = most of the time
always, always, always = 99.9% of the time.
At least, that seems to be the way people perceive it.
--
Rik Wasmus
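Taking the three replies above together (print the statement, use curly braces with quoted keys, check the value of $_POST[ID]), here is an added example; it is not code from the thread. The table name and the previously fetched $row_startseiten row are constructed for the demo. The point it adds is that $insert holds the return value of mysql_query(), a resource or false, so the SQL text has to live in its own variable before there is anything useful to echo:

```php
<?php
// Added example, not code from the thread. Keeps the SQL text in its own
// variable so it can be echoed or logged, interpolates with curly braces and
// quoted keys, and checks $_POST['ID'] before it reaches the query.
// $table and $row_startseiten are the names from the original post; the
// values below are constructed for the demo and must not come from the request.

$table = 'redaktion';                 // assumed table name
$row_startseiten = ['ID' => 7];       // assumed row fetched earlier in the script

// Only unsigned integer strings pass: signs, spaces, quotes and the empty
// string are all rejected. The length cap keeps the later (int) cast exact.
function valid_id($value): bool
{
    return is_string($value) && $value !== '' && ctype_digit($value) && strlen($value) <= 18;
}

// Returns the statement text instead of running it. Keys are quoted and the
// expressions braced, the form the thread recommends for double-quoted strings.
function build_insert(string $table, array $post, array $row): string
{
    if (!isset($post['ID']) || !valid_id($post['ID'])) {
        throw new InvalidArgumentException('ID must be an unsigned integer');
    }
    $textId    = (int) $post['ID'];
    $redaktion = (int) $row['ID'];
    return "INSERT INTO {$table} (textID, redaktion) VALUES ({$textId}, {$redaktion})";
}

// Two constructed requests standing in for $_POST: one as a browser would
// send it, one hostile.
foreach ([['ID' => '42'], ['ID' => "42' OR '1'='1"]] as $post) {
    try {
        $sql = build_insert($table, $post, $row_startseiten);
        echo $sql, PHP_EOL;             // exactly what would be sent to the server
        // $insert = mysql_query($sql); // run it only after the text looks right
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Because the ID is cast to an integer after validation, the quotes around the values in the original INSERT are no longer needed; the hostile value never reaches the string at all, which is the check mike asks for.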
Rik wrote:
* always = if you feel like it
always, always = most of the time
always, always, always = 99.9% of the time.
At least, that seems to be the way people perceive it.
There is no use insisting... people will keep on making mistakes like
forgetting to use mysql_real_escape_string() to avoid SQL injections.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
Love is so short, and forgetting is so long.
Mark Knochen wrote:
I get no mysql_error; if I copy the INSERT directly into phpMyAdmin, the
insert works, but with the PHP script the insert doesn't create a new
row in the table .. but why?
An easy way to check this kind of problem is to enable logging on the
database and see what the actual INSERT statement looks like after it's
parsed out by the script. Then copy/paste that into your db and see
what error it throws at you.
/m
Iván Sánchez Ortega wrote:
Rik wrote:
>* always = if you feel like it; always, always = most of the time; always, always, always = 99.9% of the time.
At least, that seems to be the way people perceive it.
There is no use insisting... people will keep on making mistakes like
forgetting to use mysql_real_escape_string() to avoid SQL injections.
Hi Ivan,
Allow me to drop in here with a question.
I use the ADODB lib (www.phplens.com/adodb) as a database abstraction layer.
It has a function named qstr() that will make a string ready to use in an
insert or update statement.
I checked the source code and noticed that for MySQL it branches on
magic_quotes_gpc.
If magic quotes are on, it leaves the string as is.
Otherwise it uses mysql_real_escape_string().
But since mysql_real_escape_string() escapes more than addslashes(), I
wonder if ADODB is doing the right thing.
addslashes works on: ", ', \, and the NULL byte
mysql_real_escape_string works on: \x00, \n, \r, \, ', " and \x1a.
So \n, \r, \x1a are NOT escaped.
Can any of these be used for SQL injection?
Regards,
Erwin Moller
Erwin Moller wrote:
I use the ADODB lib (www.phplens.com/adodb) as a database abstraction layer.
It has a function named qstr() that will make a string ready to use in an
insert or update statement.
Quick reminder, guys: *ALWAYS* use this kind of function before putting a
string into *ANY* SQL statement.
Yeah, that means that "select" statements are vulnerable to injections too.
And any other SQL statement you can think of is too, if it includes a
user-defined string.
If magic quotes are on, it leaves the string as is.
Otherwise it uses mysql_real_escape_string().
But since mysql_real_escape_string() escapes more than addslashes(), I
wonder if ADODB is doing the right thing.
addslashes works on: ", ', \, and the NULL byte
mysql_real_escape_string works on: \x00, \n, \r, \, ', " and \x1a.
So \n, \r, \x1a are NOT escaped.
Can any of these be used for SQL injection?
[...]
For a SQL injection to be successful, the attacker must include a quote. If
you escape the quotes, you *should* be safe. Inserting a line break will
most likely stop the execution of the SQL statement.
But, in case of doubt, please use a vulnerability check suite: they'll try
every SQL injection system known. I can't recall the names of any right
now, so STFW to find 'em.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
A computer is not a television or a microwave; it is a complex
tool.
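An added example, not from the thread or from ADODB, that puts the three options side by side for a SELECT (the statement Iván points out is just as exposed as the INSERT): the bare interpolation the thread warns against, escaping through the driver (the job mysql_real_escape_string() and qstr() do), and a prepared statement. It runs against an in-memory SQLite database through PDO rather than the mysql_* functions, which were removed in PHP 7; magic_quotes_gpc has been gone since PHP 5.4, so the branch Erwin found in qstr() no longer applies on a current PHP. The users table, its rows and the two attacker inputs are constructed; the second input carries a line break but no quote, the case Erwin asks about:

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension; the
// table, its rows and the attacker inputs are constructed for the demo.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// 1. What the thread warns against: the request value becomes SQL text.
function lookup_unescaped(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping through the driver, the role mysql_real_escape_string() and
//    ADODB's qstr() play. PDO::quote() adds the surrounding quotes itself and
//    follows the connected dialect (SQLite doubles the quote, MySQL
//    backslash-escapes), which is why addslashes() is not a substitute.
function lookup_escaped(PDO $db, string $name): array
{
    $sql = 'SELECT name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. A prepared statement: the value never becomes part of the SQL text.
function lookup_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();

// Constructed attacker inputs: the classic quote-based payload, and one that
// carries a line break but no quote.
$quoted   = "x' OR '1'='1";
$unquoted = "x\nOR 1=1";

foreach (['unescaped' => 'lookup_unescaped',
          'escaped'   => 'lookup_escaped',
          'prepared'  => 'lookup_prepared'] as $label => $fn) {
    foreach ([$quoted, $unquoted, 'alice'] as $input) {
        $rows = $fn($db, $input);
        printf("%-9s %-16s -> [%s]\n", $label, json_encode($input), implode(',', $rows));
    }
}
```

Run it with php and compare the three groups of lines: the quote-based payload returns both rows only through the unescaped path, while the line-break payload returns nothing in all three, which is the behaviour Iván predicts for input without a quote. PDO::quote() is used rather than a hand-written backslash escaper because a MySQL-style escape applied to SQLite is a syntax error, not a safe literal; escaping has to come from the driver that knows the dialect, and a prepared statement removes the question entirely.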