Re: Trouble with $_POST data

Posted by Norman Peelman on 07/05/07 01:44

Jerry Stuckle wrote:
> Norman Peelman wrote:
>> Rami Elomaa wrote:
>>> Norman Peelman wrote:
>>>> Todd Michels wrote:
>>>>> daGnutt wrote:
>>>>>> On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I am trying to send data from a form and insert it into a MSSQL DB.
>>>>>>>
>>>>>>> When I submit the data I get: Warning: mssql_query()
>>>>>>> [function.mssql-query]: message: The name "Todd" is not permitted in
>>>>>>> this context. Valid expressions are constants, constant
>>>>>>> expressions, and
>>>>>>> (in some contexts) variables. Column names are not permitted.
>>>>>>> (severity
>>>>>>> 15) in "Myfile"
>>>>>>>
>>>>>>> If I don't use the POST data and write the query explicitly, it
>>>>>>> works.
>>>>>>>
>>>>>>> Any help is appreciated.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Todd
>>>>>>>
>>>>>>> WinXP SP2
>>>>>>> MSSQL Express 2005
>>>>>>> IIS 5.1
>>>>>>> PHP 5.2.1
>>>>>>>
>>>>>>> It's a basic form:
>>>>>>>
>>>>>>> <body>
>>>>>>> <form id="form1" name="form1" method="post" action="flextest.php">
>>>>>>> <label>User Name
>>>>>>> <input name="username" type="text" id="username" />
>>>>>>> </label>
>>>>>>> <label>Email Address
>>>>>>> <input name="emailaddress" type="text" id="emailaddress" />
>>>>>>> </label>
>>>>>>> <p>
>>>>>>> <input type="submit" name="Submit" value="Submit" />
>>>>>>> </p>
>>>>>>> </form>
>>>>>>> </body>
>>>>>>>
>>>>>>> And here is the MSSQL insert:
>>>>>>>
>>>>>>> if( $_POST["emailaddress"] AND $_POST["username"])
>>>>>>> {
>>>>>>> //add the user
>>>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>>>> VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>>>>>
>>>>>>> $Result = mssql_query($Query);
>>>>>>>
>>>>>>> }
>>>>>>
>>>>>> I personally don't know MSSQL, but in MySQL the error would lie in
>>>>>> the fact that non-numerical entries must be surrounded by '"', so try
>>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>>> VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
>>>>>>
>>>>>
>>>>> Thanks for the suggestion, and you were close. This is the command
>>>>> that actually worked.
>>>>>
>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>> VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>>>>
>>>>> Thanks again.
>>>>
>>>> If you aren't doing anything special with sprintf (if you don't
>>>> necessarily need it) then the following works as expected:
>>>>
>>>> $Query = "INSERT INTO users (username, emailaddress)
>>>> VALUES('$_POST[username]', '$_POST[emailaddress]')";
>>>>
>>>> but that's not accounting for the cleansing of variables.
>>>
>>> I'll say it isn't! It's an SQL injection waiting to happen. Please
>>> don't give this kind of advice even though it works. Always keep
>>> in mind good coding practice when giving advice. Never trust user
>>> data; that means never hand it to the database without checking the
>>> contents.
>>>
>>
>> ...as you can read by the quote above I said that it doesn't account
>> for the cleansing of variables. The OP didn't ask about SQL
>> injections, he asked why his query was failing. What does sprintf() do
>> to prevent SQL injections? Nothing that I can see. I answered the
>> question at hand with perfectly legal PHP code.
>>
>> ...to the OP, you should always run your $_POST/$_GET/$_REQUEST
>> variables through a 'cleaning' function to sanitize (remove/prevent)
>> unwanted characters. Carefully crafted input could be used to do
>> damage to your data.
>>
>> ...to Rami, I appreciate your input but think you went off the deep
>> end just a bit. The problem here is that people get upset when a reply
>> is made to a question without listing all the dependencies of the
>> answer. I still think the PHP newsgroups need a FAQ. I know there are
>> a lot of forums/info to be found by googling but maybe too much...
>> often the info seems to be intermingled with a lot of crap.
>>
>> If I'm ranting a bit then I apologize.
>>
>> Norm
>
> Sorry, I agree with Rami. Your answer was correct, but it didn't go
> far enough. Obviously from his question the OP was not aware of the
> possibilities of SQL injection. It would be a favor to him (and
> everyone else who reads this thread) to mention it.
>
> It never hurts to go a little beyond the question - especially when
> security is at stake.
>

Jerry,
I understand where you're coming from and you and Rami are right. I
think the thing that gets me is only one reply to this thread touches on
SQL injection/variable cleansing. My reply is no different than yours,
Rami's or anyone else's at this point. Every reply but one is about
getting the quotes right but I get told not to give advice. In fact,
neither one of Rami's or your replies give the OP any advice on the
matter I'm being scorned for. In fact, at least I somewhat mentioned it
although I didn't use the phrase 'SQL Injection'. All in all I just
can't figure out why my post was singled out as a problem.

Norm

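Every reply in the thread above is about getting the quotes right so the INSERT parses; the point Rami and Norm raise is that quoting does nothing about input that carries its own quotes. The following is an added example, not code from any poster in the thread. It puts the thread's string-building approach beside a parameterized PDO statement. So that it runs offline it uses PDO's bundled SQLite driver; the `sqlsrv:` DSN mentioned in the comments for the OP's MSSQL Express setup is an assumption about the driver available on his machine, and the `users` table and the malicious username are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. It needs PDO with the pdo_sqlite
// driver (bundled with most PHP builds) so it runs offline. Against the OP's
// MSSQL Express the same prepare/bindValue calls work with a DSN such as
// 'sqlsrv:Server=localhost\SQLEXPRESS;Database=test' (driver name assumed).

// Constructed stand-in for $_POST. The username closes the string literal and
// the VALUES list, then appends a second statement and comments out the rest.
$post = [
    'username'     => "todd', 'x@example.com'); DELETE FROM users; --",
    'emailaddress' => 'todd@example.com',
];

// The thread's approach with the quotes "fixed" (standard single quotes here
// instead of the double quotes the OP ended up with). The query now parses,
// but the input is still pasted into the SQL text and can change its meaning.
function buildInterpolatedQuery(array $post): string
{
    return sprintf(
        "INSERT INTO users (username, emailaddress) VALUES ('%s', '%s')",
        $post['username'],
        $post['emailaddress']
    );
}

// Parameterized statement: the SQL text is fixed before any user data is seen,
// and the values are sent separately, so quotes and semicolons in the input
// can only ever be part of the value.
function insertUserSafely(PDO $db, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, emailaddress) VALUES (:username, :emailaddress)'
    );
    $stmt->bindValue(':username', $post['username'], PDO::PARAM_STR);
    $stmt->bindValue(':emailaddress', $post['emailaddress'], PDO::PARAM_STR);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, emailaddress TEXT NOT NULL)');

// Show, without executing it, what the interpolated version would send.
echo "SQL the interpolated version would send:\n";
echo buildInterpolatedQuery($post), "\n\n";

// Run the parameterized version with the same hostile input.
insertUserSafely($db, $post);

$row = $db->query('SELECT username, emailaddress FROM users')->fetch(PDO::FETCH_ASSOC);
echo "Stored username:     ", $row['username'], "\n";
echo "Stored emailaddress: ", $row['emailaddress'], "\n";
echo "Rows in users:       ", $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
```

Run it with `php inject.php`. The first thing printed is the SQL the interpolated builder produces: the crafted username ends the string literal, ends the VALUES list, appends `DELETE FROM users;` and uses the trailing `--` to comment out the rest of the original statement. SQL Server executes a batch containing several statements, so sent through `mssql_query()` that text would delete the table's contents. The parameterized insert stores exactly the same text as one ordinary username and the row count stays at one. A 'cleaning' function that strips characters is a second line of defence at best; binding parameters is what keeps user data from ever being parsed as SQL.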