By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,831 Members | 1,031 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,831 IT Pros & Developers. It's quick & easy.

Trouble with $_POST data

P: n/a
Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}
Jul 1 '07 #1
Share this Question
Share on Google+
12 Replies


P: n/a
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}
I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);

Jul 1 '07 #2

P: n/a
daGnutt wrote:
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Thanks for the suggestion, and you were close. This is the command that
actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.
Jul 1 '07 #3

P: n/a
daGnutt wrote:
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Actually, using double quotes (") is a non-standard MySQL extension to
the SQL standard. It also will fail if MySQL is running in strict mode
and with most other databases.

Single quote (') is the correct delimiter for MySQL and standard SQL.
It should work with MSSQL, also.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 1 '07 #4

P: n/a
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}
You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.

NB: Your code could have a SQL injection exploit if you Magic Quotes
is turned off on your PHP.
--
Brendan Gillatt
www.brendangillatt.co.uk
GPG: 0x6E265E61
Jul 1 '07 #5

P: n/a
Brendan Gillatt wrote:
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}

You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
That is incorrect PHP and will give a notice (if notices are turned on).
NB: Your code could have a SQL injection exploit if you Magic Quotes
is turned off on your PHP.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 1 '07 #6

P: n/a
Todd Michels wrote:
daGnutt wrote:
>On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);

Thanks for the suggestion, and you were close. This is the command that
actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.
If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:

$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

Norm
Jul 1 '07 #7

P: n/a
Norman Peelman kirjoitti:
Todd Michels wrote:
>daGnutt wrote:
>>On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions,
and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);

}

I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);

Thanks for the suggestion, and you were close. This is the command
that actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.

If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:

$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't
give this kind of advise even though you it works. Always keep in mind
good coding practise when giving advise. Never trust user data, that
means never hand it to database without checking the contents.

--
Ra*********@gmail.com

"Wikipedia on vähän niinq internetin raamattu, kukaan ei pohjimmiltaan
usko siihen ja kukaan ei tiedä mikä pitää paikkansa." -- z00ze
Jul 2 '07 #8

P: n/a
Brendan Gillatt kirjoitti:
On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <to**@nalamail.com>
wrote:
>Hi all,

I am trying to send data from a form and insert it into a MSSQL DB.

When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant expressions, and
(in some contexts) variables. Column names are not permitted. (severity
15) in "Myfile"

If I don't use the POST data and write the query explicitly, it works.

Any help is appreciated.

Thanks,
Todd

WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1

It's a basic form:

<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>

And here is the MSSQL insert:

if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

$Result = mssql_query($Query);
}

You could try doing $_POST[username] (remove the quotes) and seeing if
that makes a difference.
It won't make a difference 'cos that's not the issue. And like Jerry
already said, it will make it even worse.

--
Ra*********@gmail.com

"Wikipedia on vähän niinq internetin raamattu, kukaan ei pohjimmiltaan
usko siihen ja kukaan ei tiedä mikä pitää paikkansa." -- z00ze
Jul 2 '07 #9

P: n/a
Rami Elomaa wrote:
Norman Peelman kirjoitti:
>Todd Michels wrote:
>>daGnutt wrote:
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
Hi all,
>
I am trying to send data from a form and insert it into a MSSQL DB.
>
When I submit the data I get: Warning: mssql_query()
[function.mssql-query]: message: The name "Todd" is not permitted in
this context. Valid expressions are constants, constant
expressions, and
(in some contexts) variables. Column names are not permitted.
(severity
15) in "Myfile"
>
If I don't use the POST data and write the query explicitly, it works.
>
Any help is appreciated.
>
Thanks,
Todd
>
WinXP SP2
MSSQL Express 2005
IIS 5.1
PHP 5.2.1
>
It's a basic form:
>
<body>
<form id="form1" name="form1" method="post" action="flextest.php">
<label>User Name
<input name="username" type="text" id="username" />
</label>
<label>Email Address
<input name="emailaddress" type="text" id="emailaddress" />
</label>
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</body>
>
And here is the MSSQL insert:
>
if( $_POST["emailaddress"] AND $_POST["username"])
{
//add the user
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>
$Result = mssql_query($Query);
>
}

I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
Thanks for the suggestion, and you were close. This is the command
that actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.

If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:

$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please don't
give this kind of advise even though you it works. Always keep in mind
good coding practise when giving advise. Never trust user data, that
means never hand it to database without checking the contents.
....as you can read by the quote above I said that it doesn't account for
the cleansing of variables. The OP didn't ask about SQL injections, he
asked why his query was failing. What does sprintf() do to prevent SQL
injections? Nothing that I can see. I answered the question at hand with
perfectly legal PHP code.

....to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do damage
to your data.

....to Rami, I appreciate your input but think you went off the deep end
just a bit. The problem here is that people get upset when a reply is
made to a question without listing all the dependencies of the answer. I
still think the PHP newsgroups need a FAQ. I know there are alot of
forums/info to be found by googling but maybe too much... often the info
seems to be intermingled with a lot of crap.

If i'm ranting a bit then I apologize.

Norm
Jul 4 '07 #10

P: n/a
Norman Peelman wrote:
Rami Elomaa wrote:
>Norman Peelman kirjoitti:
>>Todd Michels wrote:
daGnutt wrote:
On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>Hi all,
>>
>I am trying to send data from a form and insert it into a MSSQL DB.
>>
>When I submit the data I get: Warning: mssql_query()
>[function.mssql-query]: message: The name "Todd" is not permitted in
>this context. Valid expressions are constants, constant
>expressions, and
>(in some contexts) variables. Column names are not permitted.
>(severity
>15) in "Myfile"
>>
>If I don't use the POST data and write the query explicitly, it
>works.
>>
>Any help is appreciated.
>>
>Thanks,
>Todd
>>
>WinXP SP2
>MSSQL Express 2005
>IIS 5.1
>PHP 5.2.1
>>
>It's a basic form:
>>
><body>
><form id="form1" name="form1" method="post" action="flextest.php">
> <label>User Name
> <input name="username" type="text" id="username" />
> </label>
> <label>Email Address
> <input name="emailaddress" type="text" id="emailaddress" />
> </label>
> <p>
> <input type="submit" name="Submit" value="Submit" />
> </p>
></form>
></body>
>>
>And here is the MSSQL insert:
>>
>if( $_POST["emailaddress"] AND $_POST["username"])
>{
> //add the user
> $Query = sprintf('INSERT INTO users (username, emailaddress)
>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>
> $Result = mssql_query($Query);
>>
>}
>
I personally dont know mssql, but it mySQL, the error would lie in
that non-numerical entires must be surrounded by '"' so try
$Query = sprintf(INSERT INTO users (username, emailaddress)
VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>

Thanks for the suggestion, and you were close. This is the command
that actually worked.

$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

Thanks again.

If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:

$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please
don't give this kind of advise even though you it works. Always keep
in mind good coding practise when giving advise. Never trust user
data, that means never hand it to database without checking the contents.

...as you can read by the quote above I said that it doesn't account for
the cleansing of variables. The OP didn't ask about SQL injections, he
asked why his query was failing. What does sprintf() do to prevent SQL
injections? Nothing that I can see. I answered the question at hand with
perfectly legal PHP code.

...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do damage
to your data.

...to Rami, I appreciate your input but think you went off the deep end
just a bit. The problem here is that people get upset when a reply is
made to a question without listing all the dependencies of the answer. I
still think the PHP newsgroups need a FAQ. I know there are alot of
forums/info to be found by googling but maybe too much... often the info
seems to be intermingled with a lot of crap.

If i'm ranting a bit then I apologize.

Norm
Sorry, I agree with Rami. You're answer was correct, but it didn't go
far enough. Obviously from his question the op was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.

It never hurts to go a little beyond the question - especially when
security is at stake.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 4 '07 #11

P: n/a
Jerry Stuckle wrote:
Norman Peelman wrote:
>Rami Elomaa wrote:
>>Norman Peelman kirjoitti:
Todd Michels wrote:
daGnutt wrote:
>On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>>Hi all,
>>>
>>I am trying to send data from a form and insert it into a MSSQL DB.
>>>
>>When I submit the data I get: Warning: mssql_query()
>>[function.mssql-query]: message: The name "Todd" is not permitted in
>>this context. Valid expressions are constants, constant
>>expressions, and
>>(in some contexts) variables. Column names are not permitted.
>>(severity
>>15) in "Myfile"
>>>
>>If I don't use the POST data and write the query explicitly, it
>>works.
>>>
>>Any help is appreciated.
>>>
>>Thanks,
>>Todd
>>>
>>WinXP SP2
>>MSSQL Express 2005
>>IIS 5.1
>>PHP 5.2.1
>>>
>>It's a basic form:
>>>
>><body>
>><form id="form1" name="form1" method="post" action="flextest.php">
>> <label>User Name
>> <input name="username" type="text" id="username" />
>> </label>
>> <label>Email Address
>> <input name="emailaddress" type="text" id="emailaddress" />
>> </label>
>> <p>
>> <input type="submit" name="Submit" value="Submit" />
>> </p>
>></form>
>></body>
>>>
>>And here is the MSSQL insert:
>>>
>>if( $_POST["emailaddress"] AND $_POST["username"])
>>{
>> //add the user
>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>
>> $Result = mssql_query($Query);
>>>
>>}
>>
>I personally dont know mssql, but it mySQL, the error would lie in
>that non-numerical entires must be surrounded by '"' so try
> $Query = sprintf(INSERT INTO users (username, emailaddress)
>VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>>
>
Thanks for the suggestion, and you were close. This is the command
that actually worked.
>
$Query = sprintf('INSERT INTO users (username, emailaddress)
VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>
Thanks again.

If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:

$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";

but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please
don't give this kind of advise even though you it works. Always keep
in mind good coding practise when giving advise. Never trust user
data, that means never hand it to database without checking the
contents.

...as you can read by the quote above I said that it doesn't account
for the cleansing of variables. The OP didn't ask about SQL
injections, he asked why his query was failing. What does sprintf() do
to prevent SQL injections? Nothing that I can see. I answered the
question at hand with perfectly legal PHP code.

...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do
damage to your data.

...to Rami, I appreciate your input but think you went off the deep
end just a bit. The problem here is that people get upset when a reply
is made to a question without listing all the dependencies of the
answer. I still think the PHP newsgroups need a FAQ. I know there are
alot of forums/info to be found by googling but maybe too much...
often the info seems to be intermingled with a lot of crap.

If i'm ranting a bit then I apologize.

Norm

Sorry, I agree with Rami. You're answer was correct, but it didn't go
far enough. Obviously from his question the op was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.

It never hurts to go a little beyond the question - especially when
security is at stake.
Jerry,
I understand where your coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Ramis' or anyone else at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Ramis' or your replies give the OP any advice on the
matter i'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.

Norm
Jul 5 '07 #12

P: n/a
Norman Peelman wrote:
Jerry Stuckle wrote:
>Norman Peelman wrote:
>>Rami Elomaa wrote:
Norman Peelman kirjoitti:
Todd Michels wrote:
>daGnutt wrote:
>>On 1 Juli, 14:26, Todd Michels <t...@nalamail.comwrote:
>>>Hi all,
>>>>
>>>I am trying to send data from a form and insert it into a MSSQL DB.
>>>>
>>>When I submit the data I get: Warning: mssql_query()
>>>[function.mssql-query]: message: The name "Todd" is not
>>>permitted in
>>>this context. Valid expressions are constants, constant
>>>expressions, and
>>>(in some contexts) variables. Column names are not permitted.
>>>(severity
>>>15) in "Myfile"
>>>>
>>>If I don't use the POST data and write the query explicitly, it
>>>works.
>>>>
>>>Any help is appreciated.
>>>>
>>>Thanks,
>>>Todd
>>>>
>>>WinXP SP2
>>>MSSQL Express 2005
>>>IIS 5.1
>>>PHP 5.2.1
>>>>
>>>It's a basic form:
>>>>
>>><body>
>>><form id="form1" name="form1" method="post" action="flextest.php">
>>> <label>User Name
>>> <input name="username" type="text" id="username" />
>>> </label>
>>> <label>Email Address
>>> <input name="emailaddress" type="text" id="emailaddress" />
>>> </label>
>>> <p>
>>> <input type="submit" name="Submit" value="Submit" />
>>> </p>
>>></form>
>>></body>
>>>>
>>>And here is the MSSQL insert:
>>>>
>>>if( $_POST["emailaddress"] AND $_POST["username"])
>>>{
>>> //add the user
>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>>
>>> $Result = mssql_query($Query);
>>>>
>>>}
>>>
>>I personally dont know mssql, but it mySQL, the error would lie in
>>that non-numerical entires must be surrounded by '"' so try
>> $Query = sprintf(INSERT INTO users (username, emailaddress)
>>VALUES(\"%s\", \"%s\")', $_POST["username"],
>>$_POST["emailaddress"]);
>>>
>>
>Thanks for the suggestion, and you were close. This is the
>command that actually worked.
>>
>$Query = sprintf('INSERT INTO users (username, emailaddress)
>VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>
>Thanks again.
>
If you aren't doing anything special with sprintf (if you don't
neccessarily need it) then the following works as expected:
>
$Query = "(INSERT INTO users (username, emailaddress)
VALUES('$_POST[username]', '$_POST[emailaddress]')";
>
but that's not accounting for the cleansing of variables.

I'll say it isn't! It's an SQL injection waiting to happen. Please
don't give this kind of advise even though you it works. Always keep
in mind good coding practise when giving advise. Never trust user
data, that means never hand it to database without checking the
contents.
...as you can read by the quote above I said that it doesn't account
for the cleansing of variables. The OP didn't ask about SQL
injections, he asked why his query was failing. What does sprintf()
do to prevent SQL injections? Nothing that I can see. I answered the
question at hand with perfectly legal PHP code.

...to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do
damage to your data.

...to Rami, I appreciate your input but think you went off the deep
end just a bit. The problem here is that people get upset when a
reply is made to a question without listing all the dependencies of
the answer. I still think the PHP newsgroups need a FAQ. I know there
are alot of forums/info to be found by googling but maybe too much...
often the info seems to be intermingled with a lot of crap.

If i'm ranting a bit then I apologize.

Norm

Sorry, I agree with Rami. You're answer was correct, but it didn't go
far enough. Obviously from his question the op was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.

It never hurts to go a little beyond the question - especially when
security is at stake.

Jerry,
I understand where your coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Ramis' or anyone else at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Ramis' or your replies give the OP any advice on the
matter i'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.

Norm
Well, first of all, I wasn't replying to the op. I was just correcting
an incorrect response, which had to do with single vs. double quote syntax.

If I had been replying to the op I would have mentioned sql injection.

As for why your post was singled out - probably because your post was
the most complete and correct of the responses, and you only mentioned
cleansing variables in passing. But I don't know for sure.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 5 '07 #13

This discussion thread is closed

Replies have been disabled for this discussion.