Posted by Norman Peelman on 07/04/07 13:13

Rami Elomaa wrote:
> Norman Peelman kirjoitti:
>> Todd Michels wrote:
>>> daGnutt wrote:
>>>> On 1 Juli, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> I am trying to send data from a form and insert it into a MSSQL DB.
>>>>>
>>>>> When I submit the data I get: Warning: mssql_query()
>>>>> [function.mssql-query]: message: The name "Todd" is not permitted in
>>>>> this context. Valid expressions are constants, constant
>>>>> expressions, and
>>>>> (in some contexts) variables. Column names are not permitted.
>>>>> (severity
>>>>> 15) in "Myfile"
>>>>>
>>>>> If I don't use the POST data and write the query explicitly, it works.
>>>>>
>>>>> Any help is appreciated.
>>>>>
>>>>> Thanks,
>>>>> Todd
>>>>>
>>>>> WinXP SP2
>>>>> MSSQL Express 2005
>>>>> IIS 5.1
>>>>> PHP 5.2.1
>>>>>
>>>>> It's a basic form:
>>>>>
>>>>> <body>
>>>>> <form id="form1" name="form1" method="post" action="flextest.php">
>>>>> <label>User Name
>>>>> <input name="username" type="text" id="username" />
>>>>> </label>
>>>>> <label>Email Address
>>>>> <input name="emailaddress" type="text" id="emailaddress" />
>>>>> </label>
>>>>> <p>
>>>>> <input type="submit" name="Submit" value="Submit" />
>>>>> </p>
>>>>> </form>
>>>>> </body>
>>>>>
>>>>> And here is the MSSQL insert:
>>>>>
>>>>> if( $_POST["emailaddress"] AND $_POST["username"])
>>>>> {
>>>>> //add the user
>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>> VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>>>
>>>>> $Result = mssql_query($Query);
>>>>>
>>>>> }
>>>>
>>>> I personally dont know mssql, but it mySQL, the error would lie in
>>>> that non-numerical entires must be surrounded by '"' so try
>>>> $Query = sprintf(INSERT INTO users (username, emailaddress)
>>>> VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>>>>
>>>
>>> Thanks for the suggestion, and you were close. This is the command
>>> that actually worked.
>>>
>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>> VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>>
>>> Thanks again.
>>
>> If you aren't doing anything special with sprintf (if you don't
>> neccessarily need it) then the following works as expected:
>>
>> $Query = "(INSERT INTO users (username, emailaddress)
>> VALUES('$_POST[username]', '$_POST[emailaddress]')";
>>
>> but that's not accounting for the cleansing of variables.
>
> I'll say it isn't! It's an SQL injection waiting to happen. Please don't
> give this kind of advise even though you it works. Always keep in mind
> good coding practise when giving advise. Never trust user data, that
> means never hand it to database without checking the contents.
>

....as you can read by the quote above I said that it doesn't account for
the cleansing of variables. The OP didn't ask about SQL injections, he
asked why his query was failing. What does sprintf() do to prevent SQL
injections? Nothing that I can see. I answered the question at hand with
perfectly legal PHP code.

....to the OP, you should always run your $_POST/$_GET/$_REQUEST
variables through a 'cleaning' function to sanitize (remove/prevent)
unwanted characters. Carefully crafted input could be used to do damage
to your data.

....to Rami, I appreciate your input but think you went off the deep end
just a bit. The problem here is that people get upset when a reply is
made to a question without listing all the dependencies of the answer. I
still think the PHP newsgroups need a FAQ. I know there are alot of
forums/info to be found by googling but maybe too much... often the info
seems to be intermingled with a lot of crap.

If i'm ranting a bit then I apologize.

Norm

[Back to original message]