Hello,
I have a PHP script with a mysql_query ...
$insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES
('$_POST[ID]','$row_startseiten[ID]')");
I get no mysql_error. If I copy the insert directly into phpMyAdmin, the
insert works, but with the PHP script the insert doesn't create a new
row in the table. But why?
Thank you for your help.
Mark
-- www.zeitfuerwahrheit.de
By the great Manual, I have spoken!

"I have seen things you humans would never believe.
Gigantic ships that burned, out beyond the shoulder of Orion.
And I have seen C-beams, glittering in the dark,
near the Thannhäuser Gate.
All these moments will be lost... in time,
like... tears in rain."
Mark Knochen wrote:
> Hello,
> I have a PHP script with a mysql_query ...
> $insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES
> ('$_POST[ID]','$row_startseiten[ID]')");
> I get no mysql_error. If I copy the insert directly into phpMyAdmin, the
> insert works, but with the PHP script the insert doesn't create a new
> row in the table. But why?
> Thank you for your help.
> Mark
Surely you are not pasting *exactly* the above - you are replacing
$_POST[ID], for example. I'd do one thing:
echo $insert;
You could see what actually gets sent to the MySQL server. I bet the
problem's there.
Besides, using a bare $_POST var in a query is *not* a good idea; that's the
best way to get SQL-injected. You _should_ do some checks on the value of
$_POST[ID].
cheers
mike
--
well, whatever, nevermind
Mark Knochen wrote:
> $insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES
> ('$_POST[ID]','$row_startseiten[ID]')");
> I get no mysql_error. If I copy the insert directly into phpMyAdmin, the
> insert works, but with the PHP script the insert doesn't create a new
> row in the table. But why?
Because of how the variable expansion works. Do an echo() of that
double-quoted string when running your script, and you'll see the error
clearly.
So, please RTFM, on the "Data types: string" chapter. And learn to use curly
braces when putting variables inside a double-quoted string.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
The devil, sick of meat, became a friar.
Iván Sánchez Ortega wrote:
> Mark Knochen wrote:
>> $insert = mysql_query("INSERT INTO $table (textID,redaktion) VALUES
>> ('$_POST[ID]','$row_startseiten[ID]')");
>> I get no mysql_error. If I copy the insert directly into phpMyAdmin, the
>> insert works, but with the PHP script the insert doesn't create a new
>> row in the table. But why?
> Because of how the variable expansion works. Do an echo() of that
> double-quoted string when running your script, and you'll see the
> error clearly.
> So, please RTFM, on the "Data types: string" chapter. And learn to
> use curly braces when putting variables inside a double-quoted string.
And always, always, always * quote array keys (unless you use a variable,
of course).
* always = if you feel like it
always, always = most of the time
always, always, always = 99,9% of the time.
At least, that seems to be the way people perceive it.
--
Rik Wasmus
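Mike's debugging advice (look at the SQL text before it is sent, and check the value of $_POST[ID]) and the interpolation points made by Iván and Rik (curly braces and quoted array keys), put together in one PHP script. This is an added example, not code from any post in the thread. The mysql_* functions the thread uses were removed in PHP 7, so it goes through PDO, and it uses an in-memory SQLite database so that it runs without a MySQL server; switching the DSN to a mysql: one is the only change needed. The table name startseiten_texte and the sample ID values are constructed; textID, redaktion and the variable names come from Mark's post.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. SQLite in memory stands in for MySQL
// so the script runs stand-alone; only the DSN differs for a real MySQL setup.

/** Build the SQL with the values embedded, as the original code does, so it
 *  can be echoed and pasted into phpMyAdmin for comparison. Curly braces and
 *  quoted keys make the interpolation unambiguous. */
function buildDebugSql(string $table, array $post, array $row): string
{
    return "INSERT INTO $table (textID, redaktion) VALUES "
         . "('{$post['ID']}', '{$row['ID']}')";
}

/** Check the submitted ID before it goes anywhere near SQL: a decimal
 *  integer of at most ten digits and nothing else (\z rejects a trailing
 *  newline that $ would let through). Returns null when the value is bad. */
function validateId(array $post): ?int
{
    if (!isset($post['ID']) || !preg_match('/^\d{1,10}\z/', (string) $post['ID'])) {
        return null;
    }
    return (int) $post['ID'];
}

/** Insert with a prepared statement: the values travel separately from the
 *  SQL text, so no quoting or escaping of user input is involved. A table
 *  name cannot be bound, so $table is checked against an allow-list. */
function insertRow(PDO $db, string $table, int $textId, int $redaktion): int
{
    $allowed = ['startseiten_texte'];  // constructed allow-list for this example
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $stmt = $db->prepare("INSERT INTO $table (textID, redaktion) VALUES (:textID, :redaktion)");
    $stmt->execute([':textID' => $textId, ':redaktion' => $redaktion]);
    return $stmt->rowCount();   // 1 when the row was written
}

// --- constructed sample data standing in for the request and the startseiten row ---
$table = 'startseiten_texte';
$_POST = ['ID' => '7'];
$row_startseiten = ['ID' => 3];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE $table (textID INTEGER, redaktion INTEGER)");

// Step 1: look at what would actually be sent, before executing anything.
echo buildDebugSql($table, $_POST, $row_startseiten), PHP_EOL;

// Step 2: validate, then insert with bound parameters and check the row count,
// which is what tells you whether the row really was written.
$id = validateId($_POST);
if ($id === null) {
    exit('rejected ID: ' . var_export($_POST['ID'] ?? null, true) . PHP_EOL);
}
$written = insertRow($db, $table, $id, (int) $row_startseiten['ID']);
echo "rows written: $written", PHP_EOL;

// A value that is not a plain integer never reaches the SQL builder at all.
var_dump(validateId(['ID' => "O'Brien"]));
```

The row count returned by the prepared insert is the check Mark's script was missing: mysql_query() returning without an error says only that the statement was accepted, not that a row appeared.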
Rik wrote:
> * always = if you feel like it
> always, always = most of the time
> always, always, always = 99,9% of the time.
> At least, that seems to be the way people perceive it.
There is no avail in insisting... people will keep on making mistakes like
forgetting to use mysql_real_escape_string() to avoid SQL injections.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
Love is so short, and forgetting is so long.
Mark Knochen wrote:
> I get no mysql_error. If I copy the insert directly into phpMyAdmin, the
> insert works, but with the PHP script the insert doesn't create a new
> row in the table. But why?
An easy way to check this kind of problem is to enable logging on the
database and see what the actual insert statement looks like after it's
parsed out by the script. Then copy/paste that into your DB and see
what error it throws at you.
/m
Iván Sánchez Ortega wrote:
> Rik wrote:
>> * always = if you feel like it
>> always, always = most of the time
>> always, always, always = 99,9% of the time.
>> At least, that seems to be the way people perceive it.
> There is no avail in insisting... people will keep on making mistakes like
> forgetting to use mysql_real_escape_string() to avoid SQL injections.
Hi Ivan,
Allow me to drop in here with a question.
I use the ADODB lib (www.phplens.com/adodb) as a database abstraction layer.
It has a function named qstr() that will make a string ready to use in an
insert or update statement.
I checked the source code and noticed that for MySQL it branches code on
magic_quotes_gpc.
If magic quotes are on, it leaves the string as is.
Otherwise it uses mysql_real_escape_string().
But since mysql_real_escape_string() escapes more than addslashes(), I
wonder if ADODB is doing the right thing.
addslashes works on: ", ', \, and the NULL byte
mysql_real_escape_string works on: \x00, \n, \r, \, ', " and \x1a.
So \n, \r, \x1a are NOT escaped.
Can any of these be used for SQL injection?
Regards,
Erwin Moller
Erwin Moller wrote:
> I use the ADODB lib (www.phplens.com/adodb) as a database abstraction layer.
> It has a function named qstr() that will make a string ready to use in an
> insert or update statement.
Quick reminder, guys: *ALWAYS* use these kinds of functions before putting a
string into *ANY* SQL statement.
Yeah, that means that "select" statements are vulnerable to injections too.
And any other SQL statement you can think of is too, if it includes a
user-defined string.
> If magic quotes are on, it leaves the string as is.
> Otherwise it uses mysql_real_escape_string().
> But since mysql_real_escape_string() escapes more than addslashes(), I
> wonder if ADODB is doing the right thing.
> addslashes works on: ", ', \, and the NULL byte
> mysql_real_escape_string works on: \x00, \n, \r, \, ', " and \x1a.
> So \n, \r, \x1a are NOT escaped.
> Can any of these be used for SQL injection?
[...]
For a SQL injection to be successful, the attacker must include a quote. If
you escape the quotes, you *should* be safe. Inserting a line break will
most likely stop the execution of the SQL statement.
But, in case of doubt, please use a vulnerability check suite: they'll try
every SQL injection system known. I can't recall the names of any right
now, so STFW to find 'em.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
A computer is not a television set or a microwave oven; it is a complex tool.
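Erwin's question and Iván's answer, worked through in PHP as an added example; this is not code from the thread or from ADODB. mysql_real_escape_string() needs a live connection and was removed with the rest of the mysql extension in PHP 7, so the block re-implements its documented seven-character escape set as mysqlStyleEscape() and sets it beside addslashes() on constructed inputs. A small scanner then checks the condition Iván names: whether an unescaped single quote survives that could end the string literal early. The stand-in ignores the connection character set, which the real function does take into account, so it is only a model of the escaping sets, not a replacement for the function.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Compares the two escaping sets Erwin
// lists without needing a database connection.

/** Same character set as mysql_real_escape_string(): NUL, \n, \r, \, ', " and \x1a
 *  (Control-Z, which MySQL writes as \Z). Connection charset is not modelled. */
function mysqlStyleEscape(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

/** Which of the bytes Erwin worries about (\n, \r, \x1a) are still raw after escaping. */
function rawControlBytes(string $escaped): array
{
    $found = [];
    foreach (["\n" => '\\n', "\r" => '\\r', "\x1a" => '\\x1a'] as $byte => $name) {
        if (strpos($escaped, $byte) !== false) {
            $found[] = $name;
        }
    }
    return $found;
}

/** Walk the escaped value as it would sit inside a single-quoted literal and
 *  report whether an unescaped ' appears, i.e. whether the value can close the
 *  literal and let what follows be parsed as SQL. No quote, no break-out. */
function escapesLiteral(string $escaped): bool
{
    $len = strlen($escaped);
    for ($i = 0; $i < $len; $i++) {
        if ($escaped[$i] === '\\') {
            $i++;            // skip the character the backslash protects
            continue;
        }
        if ($escaped[$i] === "'") {
            return true;
        }
    }
    return false;
}

// Constructed sample values: one carrying a quote, one carrying only the
// control bytes that addslashes() leaves alone.
$samples = [
    'quote'    => "O'Reilly",
    'controls' => "line1\nline2\r\x1a",
];

foreach ($samples as $label => $value) {
    $a = addslashes($value);
    $m = mysqlStyleEscape($value);
    printf("%-8s addslashes:   raw=%-12s breaks literal? %s\n", $label,
        implode(',', rawControlBytes($a)) ?: 'none', escapesLiteral($a) ? 'yes' : 'no');
    printf("%-8s mysql-style:  raw=%-12s breaks literal? %s\n", $label,
        implode(',', rawControlBytes($m)) ?: 'none', escapesLiteral($m) ? 'yes' : 'no');
}

// Without any escaping the quoted sample does close the literal.
printf("unescaped quote sample breaks literal? %s\n",
    escapesLiteral($samples['quote']) ? 'yes' : 'no');
```

Run side by side, the two escapers agree on the quote sample (neither lets the literal close) and differ only on the control bytes, which is exactly the gap Erwin found in the addslashes() branch; whether a raw newline or Control-Z inside an intact string literal can do harm then depends on the server, not on the escaper, which is why the thread's standing advice is to escape the quotes without exception.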