|
|
Posted by Jerry Stuckle on 07/04/07 13:27
Norman Peelman wrote:
> Rami Elomaa wrote:
>> Norman Peelman kirjoitti:
>>> Todd Michels wrote:
>>>> daGnutt wrote:
>>>>> On 1 Juli, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I am trying to send data from a form and insert it into a MSSQL DB.
>>>>>>
>>>>>> When I submit the data I get: Warning: mssql_query()
>>>>>> [function.mssql-query]: message: The name "Todd" is not permitted in
>>>>>> this context. Valid expressions are constants, constant
>>>>>> expressions, and
>>>>>> (in some contexts) variables. Column names are not permitted.
>>>>>> (severity
>>>>>> 15) in "Myfile"
>>>>>>
>>>>>> If I don't use the POST data and write the query explicitly, it
>>>>>> works.
>>>>>>
>>>>>> Any help is appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> Todd
>>>>>>
>>>>>> WinXP SP2
>>>>>> MSSQL Express 2005
>>>>>> IIS 5.1
>>>>>> PHP 5.2.1
>>>>>>
>>>>>> It's a basic form:
>>>>>>
>>>>>> <body>
>>>>>> <form id="form1" name="form1" method="post" action="flextest.php">
>>>>>> <label>User Name
>>>>>> <input name="username" type="text" id="username" />
>>>>>> </label>
>>>>>> <label>Email Address
>>>>>> <input name="emailaddress" type="text" id="emailaddress" />
>>>>>> </label>
>>>>>> <p>
>>>>>> <input type="submit" name="Submit" value="Submit" />
>>>>>> </p>
>>>>>> </form>
>>>>>> </body>
>>>>>>
>>>>>> And here is the MSSQL insert:
>>>>>>
>>>>>> if( $_POST["emailaddress"] AND $_POST["username"])
>>>>>> {
>>>>>> //add the user
>>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>>> VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>>>>
>>>>>> $Result = mssql_query($Query);
>>>>>>
>>>>>> }
>>>>>
>>>>> I personally dont know mssql, but it mySQL, the error would lie in
>>>>> that non-numerical entires must be surrounded by '"' so try
>>>>> $Query = sprintf(INSERT INTO users (username, emailaddress)
>>>>> VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>>>>>
>>>>
>>>> Thanks for the suggestion, and you were close. This is the command
>>>> that actually worked.
>>>>
>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>> VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>>>
>>>> Thanks again.
>>>
>>> If you aren't doing anything special with sprintf (if you don't
>>> neccessarily need it) then the following works as expected:
>>>
>>> $Query = "(INSERT INTO users (username, emailaddress)
>>> VALUES('$_POST[username]', '$_POST[emailaddress]')";
>>>
>>> but that's not accounting for the cleansing of variables.
>>
>> I'll say it isn't! It's an SQL injection waiting to happen. Please
>> don't give this kind of advise even though you it works. Always keep
>> in mind good coding practise when giving advise. Never trust user
>> data, that means never hand it to database without checking the contents.
>>
>
> ...as you can read by the quote above I said that it doesn't account for
> the cleansing of variables. The OP didn't ask about SQL injections, he
> asked why his query was failing. What does sprintf() do to prevent SQL
> injections? Nothing that I can see. I answered the question at hand with
> perfectly legal PHP code.
>
> ...to the OP, you should always run your $_POST/$_GET/$_REQUEST
> variables through a 'cleaning' function to sanitize (remove/prevent)
> unwanted characters. Carefully crafted input could be used to do damage
> to your data.
>
> ...to Rami, I appreciate your input but think you went off the deep end
> just a bit. The problem here is that people get upset when a reply is
> made to a question without listing all the dependencies of the answer. I
> still think the PHP newsgroups need a FAQ. I know there are alot of
> forums/info to be found by googling but maybe too much... often the info
> seems to be intermingled with a lot of crap.
>
> If i'm ranting a bit then I apologize.
>
> Norm
Sorry, I agree with Rami. You're answer was correct, but it didn't go
far enough. Obviously from his question the op was not aware of the
possibilities of SQL injection. It would be a favor to him (and
everyone else who reads this thread) to mention it.
It never hurts to go a little beyond the question - especially when
security is at stake.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|