Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks,
Todd
WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1
It's a basic form:
<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query);
} 12 2635
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks,
Todd
WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1
It's a basic form:
<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query);
}
I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
daGnutt wrote:
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks, Todd
WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1
It's a basic form:
<body> <form id="form1" name="form1" method="post" action="flextest.php"> <label>User Name <input name="username" type="text" id="username" /> </label> <label>Email Address <input name="emailaddress" type="text" id="emailaddress" /> </label> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"]) { //add the user $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query);
}
I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Thanks for the suggestion, and you were close. This is the command that
actually worked.
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
Thanks again.
daGnutt wrote:
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks, Todd
WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1
It's a basic form:
<body> <form id="form1" name="form1" method="post" action="flextest.php"> <label>User Name <input name="username" type="text" id="username" /> </label> <label>Email Address <input name="emailaddress" type="text" id="emailaddress" /> </label> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"]) { //add the user $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query);
}
I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Actually, using double quotes (") is a non-standard MySQL extension to
the SQL standard. It also will fail if MySQL is running in strict mode
and with most other databases.
Single quote (') is the correct delimiter for MySQL and standard SQL.
It should work with MSSQL, also.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks, Todd
WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1
It's a basic form:
<body> <form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p> </form> </body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"]) {
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query); }
You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
NB: Your code could have a SQL injection exploit if you Magic Quotes
is turned off on your PHP.
--
Brendan Gillatt www.brendangillatt.co.uk
GPG: 0x6E265E61
Brendan Gillatt wrote:
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks, Todd
WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1
It's a basic form:
<body> <form id="form1" name="form1" method="post" action="flextest.php"> <label>User Name <input name="username" type="text" id="username" /> </label> <label>Email Address <input name="emailaddress" type="text" id="emailaddress" /> </label> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"]) { //add the user $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query); }
You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
That is incorrect PHP and will give a notice (if notices are turned on).
NB: Your code could have a SQL injection exploit if you Magic Quotes
is turned off on your PHP.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Todd Michels wrote:
daGnutt wrote:
>On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>>Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks, Todd
WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1
It's a basic form:
<body> <form id="form1" name="form1" method="post" action="flextest.php"> <label>User Name <input name="username" type="text" id="username" /> </label> <label>Email Address <input name="emailaddress" type="text" id="emailaddress" /> </label> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"]) { //add the user $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query);
}
I personally dont know mssql, but it mySQL, the error would lie in that non-numerical entires must be surrounded by '"' so try $Query = sprintf(INSERT INTO users (username, emailaddress) VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Thanks for the suggestion, and you were close. This is the command that
actually worked.
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
Thanks again.
If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:
$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";
but that's not accounting for the cleansing of variables.
Norm
Norman Peelman kirjoitti:
Todd Michels wrote:
>daGnutt wrote:
>>On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote: Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks, Todd
WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1
It's a basic form:
<body> <form id="form1" name="form1" method="post" action="flextest.php"> <label>User Name <input name="username" type="text" id="username" /> </label> <label>Email Address <input name="emailaddress" type="text" id="emailaddress" /> </label> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"]) { //add the user $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query);
}
I personally dont know mssql, but it mySQL, the error would lie in that non-numerical entires must be surrounded by '"' so try $Query = sprintf(INSERT INTO users (username, emailaddress) VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]); Thanks for the suggestion, and you were close. This is the command that actually worked.
$Query = sprintf('INSERT INTO users (username, emailaddress) VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
Thanks again.
If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:
$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";
but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't
give this kind of advise even though you it works. Always keep in mind
good coding practise when giving advise. Never trust user data, that
means never hand it to database without checking the contents.
--
Ra*********@gmail.com
"Wikipedia on vähän niinq internetin raamattu, kukaan ei pohjimmiltaan
usko siihen ja kukaan ei tiedä mikä pitää paikkansa." -- z00ze
Brendan Gillatt kirjoitti:
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,
I am trying to send data from a form and insert it into a MSSQL DB.
When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile"
If I don't use the POST data and write the query explicitly, it works.
Any help is appreciated.
Thanks, Todd
WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1
It's a basic form:
<body> <form id="form1" name="form1" method="post" action="flextest.php"> <label>User Name <input name="username" type="text" id="username" /> </label> <label>Email Address <input name="emailaddress" type="text" id="emailaddress" /> </label> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body>
And here is the MSSQL insert:
if( $_POST["emailaddress"] AND $_POST["username"]) { //add the user $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
$Result = mssql_query($Query); }
You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
It won't make a difference 'cos that's not the issue. And like Jerry
already said, it will make it even worse.
-- Ra*********@gmail.com
"Wikipedia on vähän niinq internetin raamattu, kukaan ei pohjimmiltaan
usko siihen ja kukaan ei tiedä mikä pitää paikkansa." -- z00ze
Rami Elomaa wrote:
Norman Peelman kirjoitti:
>Todd Michels wrote:
>>daGnutt wrote: On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote: Hi all, > I am trying to send data from a form and insert it into a MSSQL DB. > When I submit the data I get: Warning: mssql_query() [function.mssql-query]: message: The name "Todd" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted. (severity 15) in "Myfile" > If I don't use the POST data and write the query explicitly, it works. > Any help is appreciated. > Thanks, Todd > WinXP SP2 MSSQL Express 2005 IIS 5.1 PHP 5.2.1 > It's a basic form: > <body> <form id="form1" name="form1" method="post" action="flextest.php"> <label>User Name <input name="username" type="text" id="username" /> </label> <label>Email Address <input name="emailaddress" type="text" id="emailaddress" /> </label> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body> > And here is the MSSQL insert: > if( $_POST["emailaddress"] AND $_POST["username"]) { //add the user $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]); > $Result = mssql_query($Query); > }
I personally dont know mssql, but it mySQL, the error would lie in that non-numerical entires must be surrounded by '"' so try $Query = sprintf(INSERT INTO users (username, emailaddress) VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Thanks for the suggestion, and you were close. This is the command that actually worked.
$Query = sprintf('INSERT INTO users (username, emailaddress) VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
Thanks again.
If you aren't doing anything special with sprintf (if you don't neccessarily need it) then the following works as expected:
$Query = "(INSERT INTO users (username, emailaddress) VALUES('$_POST[username]', '$_POST[emailaddress]')";
but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't
give this kind of advise even though you it works. Always keep in mind
good coding practise when giving advise. Never trust user data, that
means never hand it to database without checking the contents.
....as you can read by the quote above I said that it doesn't account for
the cleansing of variables. The OP didn't ask about SQL injections, he
asked why his query was failing. What does sprintf() do to prevent SQL
injections? Nothing that I can see. I answered the question at hand with
perfectly legal PHP code.
....to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do damage
to your data.
....to Rami, I appreciate your input but think you went off the deep end
just a bit. The problem here is that people get upset when a reply is
made to a question without listing all the dependencies of the answer. I
still think the PHP newsgroups need a FAQ. I know there are alot of
forums/info to be found by googling but maybe too much... often the info
seems to be intermingled with a lot of crap.
If i'm ranting a bit then I apologize.
Norm
Norman Peelman wrote:
Rami Elomaa wrote:
>Norman Peelman kirjoitti:
>>Todd Michels wrote: daGnutt wrote: On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote: >Hi all, >> >I am trying to send data from a form and insert it into a MSSQL DB. >> >When I submit the data I get: Warning: mssql_query() >[function.mssql-query]: message: The name "Todd" is not permitted in >this context. Valid expressions are constants, constant >expressions, and >(in some contexts) variables. Column names are not permitted. >(severity >15) in "Myfile" >> >If I don't use the POST data and write the query explicitly, it >works. >> >Any help is appreciated. >> >Thanks, >Todd >> >WinXP SP2 >MSSQL Express 2005 >IIS 5.1 >PHP 5.2.1 >> >It's a basic form: >> ><body> ><form id="form1" name="form1" method="post" action="flextest.php"> > <label>User Name > <input name="username" type="text" id="username" /> > </label> > <label>Email Address > <input name="emailaddress" type="text" id="emailaddress" /> > </label> > <p> > <input type="submit" name="Submit" value="Submit" /> > </p> ></form> ></body> >> >And here is the MSSQL insert: >> >if( $_POST["emailaddress"] AND $_POST["username"]) >{ > //add the user > $Query = sprintf('INSERT INTO users (username, emailaddress) >VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]); >> > $Result = mssql_query($Query); >> >} > I personally dont know mssql, but it mySQL, the error would lie in that non-numerical entires must be surrounded by '"' so try $Query = sprintf(INSERT INTO users (username, emailaddress) VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]); >
Thanks for the suggestion, and you were close. This is the command that actually worked.
$Query = sprintf('INSERT INTO users (username, emailaddress) VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
Thanks again.
If you aren't doing anything special with sprintf (if you don't neccessarily need it) then the following works as expected:
$Query = "(INSERT INTO users (username, emailaddress) VALUES('$_POST[username]', '$_POST[emailaddress]')";
but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't give this kind of advise even though you it works. Always keep in mind good coding practise when giving advise. Never trust user data, that means never hand it to database without checking the contents.
...as you can read by the quote above I said that it doesn't account for
the cleansing of variables. The OP didn't ask about SQL injections, he
asked why his query was failing. What does sprintf() do to prevent SQL
injections? Nothing that I can see. I answered the question at hand with
perfectly legal PHP code.
...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do damage
to your data.
...to Rami, I appreciate your input but think you went off the deep end
just a bit. The problem here is that people get upset when a reply is
made to a question without listing all the dependencies of the answer. I
still think the PHP newsgroups need a FAQ. I know there are alot of
forums/info to be found by googling but maybe too much... often the info
seems to be intermingled with a lot of crap.
If i'm ranting a bit then I apologize.
Norm
Sorry, I agree with Rami. You're answer was correct, but it didn't go
far enough. Obviously from his question the op was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.
It never hurts to go a little beyond the question - especially when
security is at stake.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jerry Stuckle wrote:
Norman Peelman wrote:
>Rami Elomaa wrote:
>>Norman Peelman kirjoitti: Todd Michels wrote: daGnutt wrote: >On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote: >>Hi all, >>> >>I am trying to send data from a form and insert it into a MSSQL DB. >>> >>When I submit the data I get: Warning: mssql_query() >>[function.mssql-query]: message: The name "Todd" is not permitted in >>this context. Valid expressions are constants, constant >>expressions, and >>(in some contexts) variables. Column names are not permitted. >>(severity >>15) in "Myfile" >>> >>If I don't use the POST data and write the query explicitly, it >>works. >>> >>Any help is appreciated. >>> >>Thanks, >>Todd >>> >>WinXP SP2 >>MSSQL Express 2005 >>IIS 5.1 >>PHP 5.2.1 >>> >>It's a basic form: >>> >><body> >><form id="form1" name="form1" method="post" action="flextest.php"> >> <label>User Name >> <input name="username" type="text" id="username" /> >> </label> >> <label>Email Address >> <input name="emailaddress" type="text" id="emailaddress" /> >> </label> >> <p> >> <input type="submit" name="Submit" value="Submit" /> >> </p> >></form> >></body> >>> >>And here is the MSSQL insert: >>> >>if( $_POST["emailaddress"] AND $_POST["username"]) >>{ >> //add the user >> $Query = sprintf('INSERT INTO users (username, emailaddress) >>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]); >>> >> $Result = mssql_query($Query); >>> >>} >> >I personally dont know mssql, but it mySQL, the error would lie in >that non-numerical entires must be surrounded by '"' so try > $Query = sprintf(INSERT INTO users (username, emailaddress) >VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]); >> > Thanks for the suggestion, and you were close. This is the command that actually worked. > $Query = sprintf('INSERT INTO users (username, emailaddress) VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]); > Thanks again.
If you aren't doing anything special with sprintf (if you don't neccessarily need it) then the following works as expected:
$Query = "(INSERT INTO users (username, emailaddress) VALUES('$_POST[username]', '$_POST[emailaddress]')";
but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't give this kind of advise even though you it works. Always keep in mind good coding practise when giving advise. Never trust user data, that means never hand it to database without checking the contents. ...as you can read by the quote above I said that it doesn't account for the cleansing of variables. The OP didn't ask about SQL injections, he asked why his query was failing. What does sprintf() do to prevent SQL injections? Nothing that I can see. I answered the question at hand with perfectly legal PHP code.
...to the OP, you should always run your $_POST/$_GET/$_REQUEST variables through a 'cleaning' function to sanitize (remove/prevent) unwanted characters. Carefully crafted input could be used to do damage to your data.
...to Rami, I appreciate your input but think you went off the deep end just a bit. The problem here is that people get upset when a reply is made to a question without listing all the dependencies of the answer. I still think the PHP newsgroups need a FAQ. I know there are alot of forums/info to be found by googling but maybe too much... often the info seems to be intermingled with a lot of crap.
If i'm ranting a bit then I apologize.
Norm
Sorry, I agree with Rami. You're answer was correct, but it didn't go
far enough. Obviously from his question the op was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.
It never hurts to go a little beyond the question - especially when
security is at stake.
Jerry,
I understand where your coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Ramis' or anyone else at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Ramis' or your replies give the OP any advice on the
matter i'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.
Norm
Norman Peelman wrote:
Jerry Stuckle wrote:
>Norman Peelman wrote:
>>Rami Elomaa wrote: Norman Peelman kirjoitti: Todd Michels wrote: >daGnutt wrote: >>On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote: >>>Hi all, >>>> >>>I am trying to send data from a form and insert it into a MSSQL DB. >>>> >>>When I submit the data I get: Warning: mssql_query() >>>[function.mssql-query]: message: The name "Todd" is not >>>permitted in >>>this context. Valid expressions are constants, constant >>>expressions, and >>>(in some contexts) variables. Column names are not permitted. >>>(severity >>>15) in "Myfile" >>>> >>>If I don't use the POST data and write the query explicitly, it >>>works. >>>> >>>Any help is appreciated. >>>> >>>Thanks, >>>Todd >>>> >>>WinXP SP2 >>>MSSQL Express 2005 >>>IIS 5.1 >>>PHP 5.2.1 >>>> >>>It's a basic form: >>>> >>><body> >>><form id="form1" name="form1" method="post" action="flextest.php"> >>> <label>User Name >>> <input name="username" type="text" id="username" /> >>> </label> >>> <label>Email Address >>> <input name="emailaddress" type="text" id="emailaddress" /> >>> </label> >>> <p> >>> <input type="submit" name="Submit" value="Submit" /> >>> </p> >>></form> >>></body> >>>> >>>And here is the MSSQL insert: >>>> >>>if( $_POST["emailaddress"] AND $_POST["username"]) >>>{ >>> //add the user >>> $Query = sprintf('INSERT INTO users (username, emailaddress) >>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]); >>>> >>> $Result = mssql_query($Query); >>>> >>>} >>> >>I personally dont know mssql, but it mySQL, the error would lie in >>that non-numerical entires must be surrounded by '"' so try >> $Query = sprintf(INSERT INTO users (username, emailaddress) >>VALUES(\"%s\", \"%s\")', $_POST["username"], >>$_POST["emailaddress"]); >>> >> >Thanks for the suggestion, and you were close. This is the >command that actually worked. >> >$Query = sprintf('INSERT INTO users (username, emailaddress) >VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]); >> >Thanks again. > If you aren't doing anything special with sprintf (if you don't neccessarily need it) then the following works as expected: > $Query = "(INSERT INTO users (username, emailaddress) VALUES('$_POST[username]', '$_POST[emailaddress]')"; > but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't give this kind of advise even though you it works. Always keep in mind good coding practise when giving advise. Never trust user data, that means never hand it to database without checking the contents.
...as you can read by the quote above I said that it doesn't account for the cleansing of variables. The OP didn't ask about SQL injections, he asked why his query was failing. What does sprintf() do to prevent SQL injections? Nothing that I can see. I answered the question at hand with perfectly legal PHP code.
...to the OP, you should always run your $_POST/$_GET/$_REQUEST variables through a 'cleaning' function to sanitize (remove/prevent) unwanted characters. Carefully crafted input could be used to do damage to your data.
...to Rami, I appreciate your input but think you went off the deep end just a bit. The problem here is that people get upset when a reply is made to a question without listing all the dependencies of the answer. I still think the PHP newsgroups need a FAQ. I know there are alot of forums/info to be found by googling but maybe too much... often the info seems to be intermingled with a lot of crap.
If i'm ranting a bit then I apologize.
Norm
Sorry, I agree with Rami. You're answer was correct, but it didn't go far enough. Obviously from his question the op was not aware of the possibilities of SQL injection. It would be a favor to him (and everyone else who reads this thread) to mention it.
It never hurts to go a little beyond the question - especially when security is at stake.
Jerry,
I understand where your coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Ramis' or anyone else at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Ramis' or your replies give the OP any advice on the
matter i'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.
Norm
Well, first of all, I wasn't replying to the op. I was just correcting
an incorrect response, which had to do with single vs. double quote syntax.
If I had been replying to the op I would have mentioned sql injection.
As for why your post was singled out - probably because your post was
the most complete and correct of the responses, and you only mentioned
cleansing variables in passing. But I don't know for sure.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
================== This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Phil Powell |
last post by:
I have a form that will be preserving form data prior to processing
the form data. Upon clicking a certain submit button you will go to
another PHP script that will contain the following code:
...
|
by: Oxygenearth |
last post by:
Please who could help me with this...
I had my structure in Win32, with Apache, PHP, and MySQL, I had a page
in which I am transfering an image to the database in MySQL using PHP.
But now I am...
|
by: LMachado1 |
last post by:
I just started with php and I'm trying to make a simple interface as
follows:
- user is asked to input an integers, for example: how many students do
you want to enter?
- user is then shown a...
|
by: comp.lang.php |
last post by:
I have no idea why this is happening and I need someone to explain this
to me at the simplest level absolutely possible (pretend I'm a 10-year
old and explain it that way, please!)
This class...
|
by: snowweb |
last post by:
Hi,
This is my first flash project! It would be great if someone could help me please.
I have purchased a flash template which I have made some alterations to. My biggest alteration is that of...
|
by: grassh0pp3r |
last post by:
Hello,
I'm trying to make a very simple comments page on my site using PHP and am having problems somewhere. I am very new to PHP. I was able to create one that works with comments appended, but...
|
by: jwhitby3 |
last post by:
Hi all, I am trying to develop what amounts to a data entry page for the company I work for, (mostly to make my job easier). I think that I am beginning to grasp php, but I am at a loss now. I...
|
by: Paul |
last post by:
I want to add a binary element (AES_ENCRYPT()) to a $_POST array. I need to
make it binary because it is going into a BLOB field.
$results = $dbr->Execute('select * from table1 where id='.$_GET);...
|
by: raamay |
last post by:
I have six checkboxes as shown below:
<table>
<tr>
<td><input name="spec1" type="checkbox" value="0" tabindex="11" /><label id="label">Bridge Construction</label></td>
</tr>
<tr>
<td><input...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |