
Trouble with $_POST data

Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
  <label>User Name
  <input name="username" type="text" id="username" />
  </label>
  <label>Email Address
  <input name="emailaddress" type="text" id="emailaddress" />
  </label>
  <p>
  <input type="submit" name="Submit" value="Submit" />
  </p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
  //add the user
  $Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

  $Result = mssql_query($Query);
}
Jul 1 '07
Norman Peelman wrote:
> Rami Elomaa wrote:
>> Norman Peelman wrote:
>>> Todd Michels wrote:
>>>> daGnutt wrote:
>>>>> On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>>>> I personally don't know MSSQL, but in MySQL the error would lie in
>>>>> that non-numerical entries must be surrounded by '"', so try
>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>> VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);

>>>> Thanks for the suggestion, and you were close. This is the command
>>>> that actually worked.
>>>>
>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>> VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>>>
>>>> Thanks again.

>>> If you aren't doing anything special with sprintf (if you don't
>>> necessarily need it) then the following works as expected:
>>>
>>> $Query = "INSERT INTO users (username, emailaddress)
>>> VALUES('$_POST[username]', '$_POST[emailaddress]')";
>>>
>>> but that's not accounting for the cleansing of variables.

>> I'll say it isn't! It's an SQL injection waiting to happen. Please
>> don't give this kind of advice even though it works. Always keep
>> in mind good coding practice when giving advice. Never trust user
>> data; that means never hand it to the database without checking the contents.

> ...as you can read in the quote above, I said that it doesn't account for
> the cleansing of variables. The OP didn't ask about SQL injections, he
> asked why his query was failing. What does sprintf() do to prevent SQL
> injections? Nothing that I can see. I answered the question at hand with
> perfectly legal PHP code.
>
> ...to the OP, you should always run your $_POST/$_GET/$_REQUEST
> variables through a 'cleaning' function to sanitize (remove/prevent)
> unwanted characters. Carefully crafted input could be used to do damage
> to your data.
>
> ...to Rami, I appreciate your input but think you went off the deep end
> just a bit. The problem here is that people get upset when a reply is
> made to a question without listing all the dependencies of the answer. I
> still think the PHP newsgroups need a FAQ. I know there are a lot of
> forums/info to be found by googling but maybe too much... often the info
> seems to be intermingled with a lot of crap.
>
> If I'm ranting a bit then I apologize.
>
> Norm

Sorry, I agree with Rami. Your answer was correct, but it didn't go
far enough. Obviously from his question the OP was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.

It never hurts to go a little beyond the question - especially when
security is at stake.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 4 '07 #11
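Added example, not code from anyone in this thread: the OP's insert rewritten so the two form fields are validated and then handed to SQL Server as bound parameters through PDO, which settles both the quoting question that started the thread and the injection concern raised in it. It assumes PHP 7 or later with the pdo_sqlsrv driver (the mssql_* functions used above cannot bind parameters); the server name, database, credentials and the username format rule are placeholders chosen for the example.

```php
<?php
// Added example (not the thread's code). Assumes PHP 7+ with pdo_sqlsrv;
// connection details and the username rule below are placeholders.
declare(strict_types=1);

// Why the OP's query failed: T-SQL string literals take single quotes.
//   VALUES (Todd, ...)   -> Todd is parsed as a column name (the error seen).
//   VALUES ("Todd", ...) -> works only while SET QUOTED_IDENTIFIER is OFF;
//                           with it ON (the ODBC/OLE DB default) "Todd" is
//                           an identifier again.
// Bound parameters avoid the question entirely: the value travels separately
// from the statement text, so it can never be read as SQL.

/**
 * Validate username and emailaddress from the form. Returns the trimmed
 * values plus a list of errors (empty when the input is acceptable).
 * The username rule is an assumption for this example; adjust to policy.
 */
function validateUserForm(array $post): array
{
    $username = trim((string)($post['username'] ?? ''));
    $email    = trim((string)($post['emailaddress'] ?? ''));
    $errors   = [];

    if (!preg_match('/^[A-Za-z0-9._-]{1,32}$/', $username)) {
        $errors[] = 'username: 1-32 characters, letters, digits, ".", "_" or "-"';
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'emailaddress: not a valid e-mail address';
    }
    return ['username' => $username, 'emailaddress' => $email, 'errors' => $errors];
}

/**
 * Insert one user with a prepared statement. A value such as O'Brien is
 * stored verbatim; it cannot alter the statement because it never becomes
 * part of the SQL text.
 */
function insertUser(PDO $db, string $username, string $email): bool
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, emailaddress) VALUES (:username, :emailaddress)'
    );
    return $stmt->execute([':username' => $username, ':emailaddress' => $email]);
}

// Request handling, mirroring the OP's flextest.php.
$form = validateUserForm($_POST);
if ($form['errors'] !== []) {
    http_response_code(400);
    foreach ($form['errors'] as $err) {
        echo htmlspecialchars($err, ENT_QUOTES, 'UTF-8'), "<br />\n";
    }
    exit;
}

// Placeholder server, database and credentials; replace with your own.
$db = new PDO(
    'sqlsrv:Server=localhost\\SQLEXPRESS;Database=mydb',
    'dbuser',
    'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

if (insertUser($db, $form['username'], $form['emailaddress'])) {
    echo 'User added.';
}
```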
Jerry Stuckle wrote:
> Sorry, I agree with Rami. Your answer was correct, but it didn't go
> far enough. Obviously from his question the OP was not aware of the
> possibilities of SQL injection. It would be a favor to him (and
> everyone else who reads this thread) to mention it.
>
> It never hurts to go a little beyond the question - especially when
> security is at stake.

Jerry,
I understand where you're coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Rami's or anyone else's at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Rami's or your replies gives the OP any advice on the
matter I'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.

Norm
Jul 5 '07 #12
Norman Peelman wrote:
> Jerry,
> I understand where you're coming from and you and Rami are right. I
> think the thing that gets me is only one reply to this thread touches on
> SQL injection/variable cleansing. My reply is no different than yours,
> Rami's or anyone else's at this point. Every reply but one is about
> getting the quotes right but I get told not to give advice. In fact,
> neither one of Rami's or your replies gives the OP any advice on the
> matter I'm being scorned for. In fact, at least I somewhat mentioned it
> although I didn't use the phrase 'SQL Injection'. All in all I just
> can't figure out why my post was singled out as a problem.
>
> Norm

Well, first of all, I wasn't replying to the OP. I was just correcting
an incorrect response, which had to do with single vs. double quote syntax.

If I had been replying to the OP I would have mentioned SQL injection.

As for why your post was singled out - probably because your post was
the most complete and correct of the responses, and you only mentioned
cleansing variables in passing. But I don't know for sure.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 5 '07 #13

