ansaurus

Question

What characters ARE allowed when querying a mysql database?

Answer 1

+4 A:

A database column can technically hold any of those characters. The problem is that you are not escaping them properly in your query.

One way way to do this using mysql_real_escape_string is as follows:

$sql=sprintf("insert into cars_db (description) values ('%s')",
    mysql_real_escape_string($_POST['description']) );

//execute query and show errors that result...
$result = mysql_query($sql);
if (!$result) {
    die("Oops:<br>$sql<br>".mysql_error());
}

Another way is to use a library like PDO or ADODb which makes it easier to use prepared statements with placeholders. Such libraries ensure that data injected into queries is properly escaped.

This is good practice not only because it solves your problem, but it also improves the security of your code, since it becomes harder to perform SQL injection attacks.

Paul Dixon 2009-11-20 16:24:05

check my update plz

Camran 2009-11-20 16:26:28

your update doesn't really show how you constructed the $ad_text value

Paul Dixon 2009-11-20 16:28:01

what do you mean how I constructed it, its just a textarea, where users put in whatever text, and it gets submitted to phpfile, and fetched using the $_POST in php... thats it

Camran 2009-11-20 16:29:28

your post says you tried mysql_real_escape_string, but doesn't make it clear how.

Paul Dixon 2009-11-20 16:32:07

oh, like this: $ad_text=mysql_real_escape_string($ad_text);

Camran 2009-11-20 16:33:07

ok, so what error does your code produce? do you display mysql_error() in the event of failure?

Paul Dixon 2009-11-20 16:34:29

check my update again plz

Camran 2009-11-20 16:36:43

What Paul is trying to aks you is: WHERE IS EXACLTY VALORIZED $ad_text? Somewhere, you should have something like: $ad_text = $_POST['textarea_name'];, and then your query.Replace your query with: mysql_query("INSERT INTO cars_db (description) VALUES ('".mysql_real_escape_string($ad_text)."')"); and should be fine... well, maybe not fine, but better. Oh, replace 'textarea_name' with the name of your textarea.

DaNieL 2009-11-20 16:43:55

I got it,,,, I previously used mysql_real_escape_string AFTER the variable was fetched with POST... but changing the code so that it does it at the same time like DaNieL proposed solved it.

Camran 2009-11-20 16:45:11

Eh, mysql_real_scape_string DONT return the 'escaped string', people get confising many times ;)

DaNieL 2009-11-20 16:46:13

Answer 2

+3 A:

Another way would be to use prepared statements. This makes sure SQL injection isn't possible.

Matthias Vance 2009-11-20 16:25:25

Answer 3

A:

Do this:

$ad_text = mysql_real_escape_string($ad_text);
mysql_query("INSERT INTO cars_db (description) VALUES ('$ad_text')");

Read up on mysql_real_escape_string and SQL injection. This is a massive security hole in your application.

http://us.php.net/mysql%5Freal%5Fescape%5Fstring

Scott Saunders 2009-11-20 16:29:30

but I have tried mysql_real_escape_string()... read the post

Camran 2009-11-20 16:30:15

mysql_real_escape_string does not alter its operand, this code would not work.

Paul Dixon 2009-11-20 16:33:00

doh! Thank you Mr. Dixon. I've corrected my post, and upvoted yours.

Scott Saunders 2009-11-20 16:37:32

better :) You might want to lose the extra closing parentheses on the first line though..

Paul Dixon 2009-11-20 16:38:44

:) Reading this, you'd never guess I've written this code thousands of times.

Scott Saunders 2009-11-20 16:41:53

Answer 4

A:

Instead of escaping characters so as not to trip up your query, why not create a stored procedure with an incoming String parameter. Just pass the form variable's value (or save it to a string) and pass that to the stored procedure.

adamcodes 2009-11-20 16:30:21

ansaurus

tags:

views:

answers:

What characters ARE allowed when querying a mysql database?

related questions