Trouble with $_POST data

Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}
Jul 1 '07 #1
On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}
I personally don't know MSSQL, but in MySQL the error would lie in
that non-numerical entries must be surrounded by '"', so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);

Jul 1 '07 #2
daGnutt wrote:
On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally don't know MSSQL, but in MySQL the error would lie in
that non-numerical entries must be surrounded by '"', so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Thanks for the suggestion, and you were close. This is the command that
actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.
Jul 1 '07 #3
daGnutt wrote:
On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally don't know MSSQL, but in MySQL the error would lie in
that non-numerical entries must be surrounded by '"', so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Actually, using double quotes (") is a non-standard MySQL extension to
the SQL standard. It also will fail if MySQL is running in strict mode
and with most other databases.

Single quote (') is the correct delimiter for MySQL and standard SQL.
It should work with MSSQL, also.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 1 '07 #4
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}
You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.

NB: Your code could have a SQL injection exploit if Magic Quotes
is turned off on your PHP.
--
Brendan Gillatt
www.brendangillatt.co.uk
GPG: 0x6E265E61
Jul 1 '07 #5
Brendan Gillatt wrote:
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}

You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
That is incorrect PHP and will give a notice (if notices are turned on).
NB: Your code could have a SQL injection exploit if Magic Quotes
is turned off on your PHP.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 1 '07 #6
Todd Michels wrote:
daGnutt wrote:
>On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally don't know MSSQL, but in MySQL the error would lie in
that non-numerical entries must be surrounded by '"', so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);

Thanks for the suggestion, and you were close. This is the command that
actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.
If you aren't doing anything special with sprintf (if you don't
necessarily need it) then the following works as expected:

$Query = "INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

Norm
Jul 1 '07 #7
Norman Peelman wrote:
Todd Michels wrote:
>daGnutt wrote:
>>On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions,
and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally don't know MSSQL, but in MySQL the error would lie in
that non-numerical entries must be surrounded by '"', so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);

Thanks for the suggestion, and you were close. This is the command
that actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.

If you aren't doing anything special with sprintf (if you don't
necessarily need it) then the following works as expected:

$Query = "INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't
give this kind of advice even though it works. Always keep in mind
good coding practice when giving advice. Never trust user data; that
means never hand it to the database without checking the contents.

--
Ra*********@gmail.com

"Wikipedia is kind of like the Bible of the internet: deep down nobody
believes in it and nobody knows what is actually true." -- z00ze
Jul 2 '07 #8
Brendan Gillatt wrote:
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}

You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
It won't make a difference 'cos that's not the issue. And like Jerry
already said, it will make it even worse.

--
Ra*********@gmail.com

"Wikipedia is kind of like the Bible of the internet: deep down nobody
believes in it and nobody knows what is actually true." -- z00ze
Jul 2 '07 #9
Rami Elomaa wrote:
Norman Peelman wrote:
>Todd Michels wrote:
>>daGnutt wrote:
On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
Hi all,
>
I am trying to send data from a form and insert it into a MSSQL DB.
>
When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant
expressions, and
(in some contexts) variables. Column names are not permitted.
(severity
15) in "Myfile"
>
If I don't use the POST data and write the query explicitly, it works.
>
Any help is appreciated.
>
Thanks,
Todd
>
WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1
>
It's a basic form:
>
<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>
>
And here is the MSSQL insert:
>
if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>
$Result = mssql_query($Query);
>
}

I personally don't know MSSQL, but in MySQL the error would lie in
that non-numerical entries must be surrounded by '"', so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Thanks for the suggestion, and you were close. This is the command
that actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.

If you aren't doing anything special with sprintf (if you don't
necessarily need it) then the following works as expected:

$Query = "INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please don't
give this kind of advice even though it works. Always keep in mind
good coding practice when giving advice. Never trust user data; that
means never hand it to the database without checking the contents.
...as you can read by the quote above I said that it doesn't account for
the cleansing of variables. The OP didn't ask about SQL injections, he
asked why his query was failing. What does sprintf() do to prevent SQL
injections? Nothing that I can see. I answered the question at hand with
perfectly legal PHP code.

...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do damage
to your data.

...to Rami, I appreciate your input but think you went off the deep end
just a bit. The problem here is that people get upset when a reply is
made to a question without listing all the dependencies of the answer. I
still think the PHP newsgroups need a FAQ. I know there are a lot of
forums/info to be found by googling but maybe too much... often the info
seems to be intermingled with a lot of crap.

If I'm ranting a bit then I apologize.

Norm
Jul 4 '07 #10
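Pulling together Rami's and Norman's points above, here is an added PHP example (not code posted in the thread) that puts the thread's string-built INSERT next to input validation and a prepared statement. It assumes PHP 7.1 or later, the PDO extension with a SQL Server driver (the DSN is a placeholder read from the environment), and the users table from the original post; the mssql_* functions used in the thread offer no parameter binding and were removed in PHP 7.

```php
<?php
declare(strict_types=1);

// Added example, not code posted in the thread. Contrasts the thread's
// string-built INSERT with validation plus a prepared statement.
// Assumptions: PHP 7.1+, PDO with a SQL Server driver, a "users" table with
// "username" and "emailaddress" columns (from the original post), and a
// placeholder DSN in the USERS_DSN environment variable.

/**
 * The query shape the thread settled on: form values spliced into the SQL
 * text. Standard SQL delimits strings with single quotes (Jerry's point),
 * so the statement parses until a value itself contains a quote.
 */
function buildInterpolatedQuery(string $username, string $email): string
{
    return sprintf(
        "INSERT INTO users (username, emailaddress) VALUES ('%s', '%s')",
        $username,
        $email
    );
}

/**
 * Validate the two form fields before they go anywhere near the database.
 * Returns the trimmed pair, or null when the request should be rejected.
 * isset() avoids the undefined-index notice that
 * if ($_POST["emailaddress"] AND $_POST["username"]) raises on an empty POST.
 */
function validateUserInput(array $post): ?array
{
    if (!isset($post['username'], $post['emailaddress'])) {
        return null;
    }
    $username = trim((string) $post['username']);
    $email    = trim((string) $post['emailaddress']);

    // Business rules: non-empty, bounded length, no control characters.
    // Quotes are deliberately allowed (O'Brien is a valid name); keeping
    // the SQL safe is the prepared statement's job, not the validator's.
    if ($username === '' || strlen($username) > 64
        || preg_match('/[\x00-\x1f\x7f]/', $username) === 1) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        return null;
    }
    return ['username' => $username, 'emailaddress' => $email];
}

/**
 * The fix: the SQL text is fixed at prepare time and the values travel as
 * bound parameters, so the server never parses form data as SQL. This
 * replaces mssql_query($Query), which has no parameter binding at all.
 */
function insertUser(PDO $pdo, string $username, string $email): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, emailaddress) VALUES (:username, :emailaddress)'
    );
    return $stmt->execute([
        ':username'     => $username,
        ':emailaddress' => $email,
    ]);
}

// Constructed sample input: a legitimate name containing an apostrophe.
$sample = ['username' => "O'Brien", 'emailaddress' => 'obrien@example.com'];

// The interpolated form: the apostrophe closes the string literal early and
// the server sees a malformed statement. Any character the server treats as
// syntax has the same effect, which is the injection risk the thread raises.
echo "Interpolated: ", buildInterpolatedQuery($sample['username'], $sample['emailaddress']), PHP_EOL;

$clean = validateUserInput($sample);
echo "Validation: ", $clean === null ? 'rejected' : 'accepted', PHP_EOL;

// The parameterised insert only runs when a DSN is configured, so the
// script can be read and run without a database.
$dsn = getenv('USERS_DSN');   // placeholder, e.g. "sqlsrv:Server=localhost;Database=mydb"
if ($clean !== null && $dsn !== false) {
    $pdo = new PDO($dsn, (string) getenv('USERS_USER'), (string) getenv('USERS_PASS'), [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $ok = insertUser($pdo, $clean['username'], $clean['emailaddress']);
    echo "Prepared insert: ", $ok ? 'ok' : 'failed', PHP_EOL;
}
```

Run without USERS_DSN to see the interpolated statement break on the apostrophe while validation accepts the same value; with a DSN set, the prepared statement stores the name verbatim.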
Norman Peelman wrote:
Rami Elomaa wrote:
>Norman Peelman wrote:
>>Todd Michels wrote:
daGnutt wrote:
On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>Hi all,
>>
>I am trying to send data from a form and insert it into a MSSQL DB.
>>
>When I submit the data I get: Warning: mssql_query()
>[function.mssql-query]: message: The name "Todd" is not permitted in
>this context. Valid expressions are constants, constant
>expressions, and
>(in some contexts) variables. Column names are not permitted.
>(severity
>15) in "Myfile"
>>
>If I don't use the POST data and write the query explicitly, it
>works.
>>
>Any help is appreciated.
>>
>Thanks,
>Todd
>>
>WinXP SP2
>MSSQL Express 2005
>IIS 5.1
>PHP 5.2.1
>>
>It's a basic form:
>>
><body>
><form id="form1" name="form1" method="post" action="flextest.php">
> <label>User Name
> <input name="username" type="text" id="username" />
> </label>
> <label>Email Address
> <input name="emailaddress" type="text" id="emailaddress" />
> </label>
> <p>
> <input type="submit" name="Submit" value="Submit" />
> </p>
></form>
></body>
>>
>And here is the MSSQL insert:
>>
>if( $_POST["emailaddress"] AND $_POST["username"])
>{
> //add the user
> $Query = sprintf('INSERT INTO users (username, emailaddress)
>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>
> $Result = mssql_query($Query);
>>
>}
>
I personally don't know MSSQL, but in MySQL the error would lie in
that non-numerical entries must be surrounded by '"', so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>

Thanks for the suggestion, and you were close. This is the command
that actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.

If you aren't doing anything special with sprintf (if you don't
necessarily need it) then the following works as expected:

$Query = "INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please
don't give this kind of advice even though it works. Always keep
in mind good coding practice when giving advice. Never trust user
data; that means never hand it to the database without checking the contents.

...as you can read by the quote above I said that it doesn't account for
the cleansing of variables. The OP didn't ask about SQL injections, he
asked why his query was failing. What does sprintf() do to prevent SQL
injections? Nothing that I can see. I answered the question at hand with
perfectly legal PHP code.

...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do damage
to your data.

...to Rami, I appreciate your input but think you went off the deep end
just a bit. The problem here is that people get upset when a reply is
made to a question without listing all the dependencies of the answer. I
still think the PHP newsgroups need a FAQ. I know there are a lot of
forums/info to be found by googling but maybe too much... often the info
seems to be intermingled with a lot of crap.

If I'm ranting a bit then I apologize.

Norm
Sorry, I agree with Rami. Your answer was correct, but it didn't go
far enough. Obviously from his question the OP was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.

It never hurts to go a little beyond the question - especially when
security is at stake.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 4 '07 #11
Jerry Stuckle wrote:
Norman Peelman wrote:
>Rami Elomaa wrote:
>>Norman Peelman wrote:
Todd Michels wrote:
daGnutt wrote:
>On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>Hi all,
>>>
>>I am trying to send data from a form and insert it into a MSSQL DB.
>>>
>>When I submit the data I get: Warning: mssql_query()
>>[function.mssql-query]: message: The name "Todd" is not permitted in
>>this context. Valid expressions are constants, constant
>>expressions, and
>>(in some contexts) variables. Column names are not permitted.
>>(severity
>>15) in "Myfile"
>>>
>>If I don't use the POST data and write the query explicitly, it
>>works.
>>>
>>Any help is appreciated.
>>>
>>Thanks,
>>Todd
>>>
>>WinXP SP2
>>MSSQL Express 2005
>>IIS 5.1
>>PHP 5.2.1
>>>
>>It's a basic form:
>>>
>><body>
>><form id="form1" name="form1" method="post" action="flextest.php">
>> <label>User Name
>> <input name="username" type="text" id="username" />
>> </label>
>> <label>Email Address
>> <input name="emailaddress" type="text" id="emailaddress" />
>> </label>
>> <p>
>> <input type="submit" name="Submit" value="Submit" />
>> </p>
>></form>
>></body>
>>>
>>And here is the MSSQL insert:
>>>
>>if( $_POST["emailaddress"] AND $_POST["username"])
>>{
>> //add the user
>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>
>> $Result = mssql_query($Query);
>>>
>>}
>>
>I personally don't know MSSQL, but in MySQL the error would lie in
>that non-numerical entries must be surrounded by '"', so try
> $Query = sprintf(INSERT INTO users (username, emailaddress)
>VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>>
>
Thanks for the suggestion, and you were close. This is the command
that actually worked.
>
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>
Thanks again.

If you aren't doing anything special with sprintf (if you don't
necessarily need it) then the following works as expected:

$Query = "INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please
don't give this kind of advice even though it works. Always keep
in mind good coding practice when giving advice. Never trust user
data; that means never hand it to the database without checking the
contents.

...as you can read by the quote above I said that it doesn't account
for the cleansing of variables. The OP didn't ask about SQL
injections, he asked why his query was failing. What does sprintf() do
to prevent SQL injections? Nothing that I can see. I answered the
question at hand with perfectly legal PHP code.

...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do
damage to your data.

...to Rami, I appreciate your input but think you went off the deep
end just a bit. The problem here is that people get upset when a reply
is made to a question without listing all the dependencies of the
answer. I still think the PHP newsgroups need a FAQ. I know there are
a lot of forums/info to be found by googling but maybe too much...
often the info seems to be intermingled with a lot of crap.

If I'm ranting a bit then I apologize.

Norm

Sorry, I agree with Rami. Your answer was correct, but it didn't go
far enough. Obviously from his question the OP was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.

It never hurts to go a little beyond the question - especially when
security is at stake.
Jerry,
I understand where you're coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Rami's or anyone else's at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Rami's or your replies give the OP any advice on the
matter I'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.

Norm
Jul 5 '07 #12
Norman Peelman wrote:
Jerry Stuckle wrote:
>Norman Peelman wrote:
>>Rami Elomaa wrote:
Norman Peelman wrote:
Todd Michels wrote:
>daGnutt wrote:
>>On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>>Hi all,
>>>>
>>>I am trying to send data from a form and insert it into a MSSQL DB.
>>>>
>>>When I submit the data I get: Warning: mssql_query()
>>>[function.mssql-query]: message: The name "Todd" is not
>>>permitted in
>>>this context. Valid expressions are constants, constant
>>>expressions, and
>>>(in some contexts) variables. Column names are not permitted.
>>>(severity
>>>15) in "Myfile"
>>>>
>>>If I don't use the POST data and write the query explicitly, it
>>>works.
>>>>
>>>Any help is appreciated.
>>>>
>>>Thanks,
>>>Todd
>>>>
>>>WinXP SP2
>>>MSSQL Express 2005
>>>IIS 5.1
>>>PHP 5.2.1
>>>>
>>>It's a basic form:
>>>>
>>><body>
>>><form id="form1" name="form1" method="post" action="flextest.php">
>>> <label>User Name
>>> <input name="username" type="text" id="username" />
>>> </label>
>>> <label>Email Address
>>> <input name="emailaddress" type="text" id="emailaddress" />
>>> </label>
>>> <p>
>>> <input type="submit" name="Submit" value="Submit" />
>>> </p>
>>></form>
>>></body>
>>>>
>>>And here is the MSSQL insert:
>>>>
>>>if( $_POST["emailaddress"] AND $_POST["username"])
>>>{
>>> //add the user
>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>>
>>> $Result = mssql_query($Query);
>>>>
>>>}
>>>
>>I personally don't know MSSQL, but in MySQL the error would lie in
>>that non-numerical entries must be surrounded by '"', so try
>> $Query = sprintf(INSERT INTO users (username, emailaddress)
>>VALUES(\"%s\", \"%s\")', $_POST["username"],
>>$_POST["emailaddress"]);
>>>
>>
>Thanks for the suggestion, and you were close. This is the
>command that actually worked.
>>
>$Query = sprintf('INSERT INTO users (username, emailaddress)
>VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>
>Thanks again.
>
If you aren't doing anything special with sprintf (if you don't
necessarily need it) then the following works as expected:
>
$Query = "INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";
>
but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please
don't give this kind of advice even though it works. Always keep
in mind good coding practice when giving advice. Never trust user
data; that means never hand it to the database without checking the
contents.
...as you can read by the quote above I said that it doesn't account
for the cleansing of variables. The OP didn't ask about SQL
injections, he asked why his query was failing. What does sprintf()
do to prevent SQL injections? Nothing that I can see. I answered the
question at hand with perfectly legal PHP code.

...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do
damage to your data.

...to Rami, I appreciate your input but think you went off the deep
end just a bit. The problem here is that people get upset when a
reply is made to a question without listing all the dependencies of
the answer. I still think the PHP newsgroups need a FAQ. I know there
are a lot of forums/info to be found by googling but maybe too much...
often the info seems to be intermingled with a lot of crap.

If I'm ranting a bit then I apologize.

Norm

Sorry, I agree with Rami. Your answer was correct, but it didn't go
far enough. Obviously from his question the OP was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.

It never hurts to go a little beyond the question - especially when
security is at stake.

Jerry,
I understand where you're coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Rami's or anyone else's at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Rami's or your replies give the OP any advice on the
matter I'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.

Norm
Well, first of all, I wasn't replying to the op. I was just correcting
an incorrect response, which had to do with single vs. double quote syntax.

If I had been replying to the OP I would have mentioned SQL injection.

As for why your post was singled out - probably because your post was
the most complete and correct of the responses, and you only mentioned
cleansing variables in passing. But I don't know for sure.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 5 '07 #13
