ansaurus

Question

PHP and MySql trouble

Answer 1

+5 A:

You probably want some single quotes:

 "INSERT INTO voted (offerid,ip) VALUES ('" . $offerid . "','" . $ip . "')"

You should also use intval and mysql_real_escape_string to avoid SQL injection vulnerabilities:

 $sql = "INSERT INTO voted (offerid,ip) VALUES (" .
        intval($offerid). ", '" .
        mysql_real_escape_string($ip) . "')";

Another alternative which may be easier to read is to use sprintf:

 $sql = sprintf("INSERT INTO voted (offerid, ip) VALUES (%d, '%s')",
                $offerid, mysql_real_escape_string($ip));

Mark Byers 2010-05-30 18:04:05

Just to add emphasis: if you do not use `mysql_real_escape_string` or prepared statements or something to prevent hacking, **you will be hacked**.

Matchu 2010-05-30 18:05:52

@Mark Byers - should the single quotes be there if you're passing in an integer, anyway?

Matchu 2010-05-30 18:07:00

@Matchu it is not hacking prevention. It's merely syntax.

Col. Shrapnel 2010-05-30 18:14:37

@Matchu: It will work with single quotes round an integer, but they aren't necessary. I can remove them from the second example, but I'll leave them in the first because it's not explicitly clear that $offerid is in fact an integer.

Mark Byers 2010-05-30 18:17:59

@Col. Shrapnel - I realize that, but "you will be hacked" is scarier than "you will have invalid syntax" to people who don't, and therefore increases the chances of implementation :)

Matchu 2010-05-30 18:18:24

@Matchu Ah I see, it's social engineering at it's best :)

Col. Shrapnel 2010-05-30 18:20:55

The query works now. Thanks! However, $offerid is allways set to 0, even though the offerid URL parameter is passed correctly. Any idea why?

Espen Arnoy 2010-05-30 18:26:32

@Espen Arnoy: Is it an integer? Give an example of a possible value it can have.

Mark Byers 2010-05-30 18:27:58

its allways an integer with max 4 digits (345,3435,644)

Espen Arnoy 2010-05-30 18:30:26

@Col. Shrapnel - though I do remember someone who didn't want to do escaping because it would mess people up with quotes in their passwords, when really the opposite was true. So the syntax point *is* important.

Matchu 2010-05-30 18:31:50

@Espen Arnoy - that's weird. `intval` usually turns things into `0` if they're *not* integers. Do they sometimes have leading spaces or something?

Matchu 2010-05-30 18:32:23

Yes, there was a space in between. Thanks a million for your help!

Espen Arnoy 2010-05-30 18:50:03

Answer 2

A:

my guess would be with quotes

mysql_query("INSERT INTO voted (offerid,ip) VALUES (\"".$offerid."\",\"".$ip."\")");

Grumpy 2010-05-30 18:04:10

Answer 3

+1 A:

To place a string value into query, you must perform 2 actions on it:

enclose it in quotes
and escape special characters.

So, query must be like this:

INSERT INTO voted (text) VALUES ('I\'m a programmer')

Armed with this knowledge, you can easily write a code to make valid query:

$offerid = mysql_real_escape_string($_POST["offerid"]);
$ip = mysql_real_escape_string($_SERVER["REMOTE_ADDR"]);

$sql = "INSERT INTO voted (offerid,ip) VALUES ('$offerid','$ip')"
mysql_query($sql) or trigger_error(mysql_error().$sql);

Note the trigger_error part.
It will provide you with comprehensive information on any error

Col. Shrapnel 2010-05-30 18:08:34

+1 for error handling.

Mark Byers 2010-05-30 18:26:44

Answer 4

A:

<?php
include "config.php";

$offerid = $_POST["offerid"];
$ip = $_SERVER["REMOTE_ADDR"];

mysql_query("INSERT INTO voted (offerid,ip) VALUES ('".mysql_real_escape_string  ($offerid)."','".mysql_real_escape_string  ($ip)."')");
?>

This adds the single quote marks around the strings you are inserting - as well as mysql_real_escape_string php function that will escape (add a backslash infront of) any security risk characters.

Matt Clements 2010-05-30 18:29:53

Answer 5

A:

In addition to using intval(...) and mysql_real_escape_string(...) you could use parameterized statements (or placeholders) using PEAR::DB or PEAR::MDB2:

$dsn = "mysqli://testuser:testpass@localhost/test";
$conn =& DB::connect ($dsn); // using PEAR::DB, though it's been superseded
if (DB::isError ($conn)) {
    die ("Cannot connect: " . $conn->getMessage () . "\n");
}

$result =& $conn->query ("INSERT INTO voted (offerid,ip) VALUES (?,?)", array($_POST["offerid"], $_SERVER["REMOTE_ADDR"]));
if (DB::isError ($result)) {
    die ("INSERT failed: " . $result->getMessage () . "\n");
}

Using placeholders and parameters is pretty common on platforms other than PHP, so it's not a bad idea to understand the basic premise behind them.

If you're interested in using DB modules like these, I'd recommend checking out Writing Scripts with PHP's PEAR DB Module by Paul DuBois. Again, the module it describes is superseded, but I find it's nonetheless interesting and informative.

LeguRi 2010-05-30 18:54:06

ansaurus

tags:

views:

answers:

PHP and MySql trouble

related questions