Posted by Rami Elomaa on 07/02/07 15:20
Norman Peelman wrote:
> Todd Michels wrote:
>> daGnutt wrote:
>>> On 1 Juli, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>>> Hi all,
>>>>
>>>> I am trying to send data from a form and insert it into a MSSQL DB.
>>>>
>>>> When I submit the data I get: Warning: mssql_query()
>>>> [function.mssql-query]: message: The name "Todd" is not permitted in
>>>> this context. Valid expressions are constants, constant expressions, and
>>>> (in some contexts) variables. Column names are not permitted. (severity
>>>> 15) in "Myfile"
>>>>
>>>> If I don't use the POST data and write the query explicitly, it works.
>>>>
>>>> Any help is appreciated.
>>>>
>>>> Thanks,
>>>> Todd
>>>>
>>>> WinXP SP2
>>>> MSSQL Express 2005
>>>> IIS 5.1
>>>> PHP 5.2.1
>>>>
>>>> It's a basic form:
>>>>
>>>> <body>
>>>> <form id="form1" name="form1" method="post" action="flextest.php">
>>>> <label>User Name
>>>> <input name="username" type="text" id="username" />
>>>> </label>
>>>> <label>Email Address
>>>> <input name="emailaddress" type="text" id="emailaddress" />
>>>> </label>
>>>> <p>
>>>> <input type="submit" name="Submit" value="Submit" />
>>>> </p>
>>>> </form>
>>>> </body>
>>>>
>>>> And here is the MSSQL insert:
>>>>
>>>> if( $_POST["emailaddress"] AND $_POST["username"])
>>>> {
>>>> //add the user
>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>> VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>>
>>>> $Result = mssql_query($Query);
>>>>
>>>> }
>>>
>>> I personally don't know mssql, but in mySQL, the error would lie in
>>> that non-numerical entries must be surrounded by '"' so try
>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>> VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>>>
>>
>> Thanks for the suggestion, and you were close. This is the command
>> that actually worked.
>>
>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>> VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>
>> Thanks again.
>
> If you aren't doing anything special with sprintf (if you don't
> necessarily need it) then the following works as expected:
>
> $Query = "INSERT INTO users (username, emailaddress)
> VALUES('$_POST[username]', '$_POST[emailaddress]')";
>
> but that's not accounting for the cleansing of variables.
I'll say it isn't! It's an SQL injection waiting to happen. Please don't
give this kind of advice even though it works. Always keep in mind
good coding practice when giving advice. Never trust user data; that
means never hand it to the database without checking the contents.
--
Rami.Elomaa@gmail.com
"Wikipedia is kind of like the bible of the internet: nobody really
believes in it and nobody knows what's actually true." -- z00ze
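Rami's warning, worked through as an added example that is not code from the thread: the string-built INSERT from the posts above next to a parameterised version using PDO, which PHP 5.2 already ships. The DSN, the credentials and the `users` table are assumptions.

```php
<?php
// Added example, not from the thread. Assumed: PDO with the dblib driver,
// a local SQL Server with a "users" table and the credentials below.

// Validate first: reject anything that is not a plausible name or address.
// Note that legitimate names may contain a quote, so validation alone
// cannot be the thing that keeps quotes out of the SQL text.
function validateUser(array $post)
{
    $username = isset($post['username']) ? trim($post['username']) : '';
    $email    = isset($post['emailaddress']) ? trim($post['emailaddress']) : '';
    if (!preg_match("/^[A-Za-z0-9 '._-]{1,64}$/", $username)) {
        return null;
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    return array('username' => $username, 'emailaddress' => $email);
}

// What the thread does: user data spliced straight into the SQL text.
// Any value containing a quote, e.g. the surname O'Brien, already breaks
// the statement, and a crafted value can change its meaning.
function unsafeInsertSql(array $post)
{
    return sprintf("INSERT INTO users (username, emailaddress) VALUES ('%s', '%s')",
                   $post['username'], $post['emailaddress']);
}

// Hardened form: the SQL text is fixed and the values travel as parameters,
// so the server never parses them as part of the statement.
function insertUser(PDO $db, array $post)
{
    $user = validateUser($post);
    if ($user === null) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO users (username, emailaddress) VALUES (:username, :emailaddress)'
    );
    return $stmt->execute(array(':username'     => $user['username'],
                                ':emailaddress' => $user['emailaddress']));
}

// Constructed request data for a local run; replace the DSN with your own.
$_POST = array('username' => "O'Brien", 'emailaddress' => 'todd@example.com');
echo unsafeInsertSql($_POST), "\n";   // the unbalanced quote is visible here
$db = new PDO('dblib:host=localhost;dbname=test', 'user', 'secret');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
var_dump(insertUser($db, $_POST));   // the same value inserts cleanly
```

The same validation-plus-parameters structure applies if you stay on the legacy mssql extension, except that it offers no parameter binding for plain statements, which is the main reason to move the code to PDO.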