|
|
Posted by Sophisticado on 08/31/06 00:18
Andy Hassall <andy@andyh.co.uk> wrote in
news:4lnbf2hc4akvqm2955c6rb1mlsu1kbp1s4@4ax.com:
> On Wed, 30 Aug 2006 11:21:47 -0500, Sophisticado <Sophsiticado> wrote:
>
>>I have a script in which I am collecting sensitive information via a
>>form (METHOD=POST) and encrypting the posted variable (format = BLOB)
>>using mcrypt, then saving it in a MySql table. Using my test
>>script,everything works fine. Using my production scrypt, everything
>>works fine for data posted with fewer than 8 characters. If I try to
>>upload data longer than 8 characters, I get this error message:
>>
>>You have an error in your SQL syntax; check the manual that
>>corresponds to your MySQL server version for the right syntax to use
>>near 'iσUΉ�
?¨C!ΚΌB', '01', '2004', NULL, '150')' at line 1
>>
>>The characters iσUΉ?¨C!ΚΌB' after "near" are the encrypted characters.
>>
>>There does not seem to be any difference between the test and
>>production scrypts.
>>
>>Here is the syntax I am using for saving the record:
>>
>>if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] ==
>>"myTable")) {
>> $insertSQL = sprintf("INSERT INTO myTable (`Date`, LastName,
>>FirstName, EcryptedBlob) VALUES (%s, %s, %s, %s)",
>> GetSQLValueString($_POST['Date'], "text"),
>> GetSQLValueString($_POST['Lastname'], "text"),
>> GetSQLValueString($_POST['Firstname'], "text"),
>> GetSQLValueString($encrypted,"text"));
>>
>>php v. 5.0.5
>>MySql v. 4.1.9
>
> Where is "GetSQLValueString" defined?
>
Here is the function before the encryption at the top of the script:
function GetSQLValueString($theValue, $theType, $theDefinedValue = "",
$theNotDefinedValue = "") {
$theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) :
$theValue;
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" :
"NULL"; break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue :
$theNotDefinedValue; break;
}
return $theValue;
}
Navigation:
[Reply to this message]
|