Reply to Re: Trouble with $_POST data

Posted by Jerry Stuckle on 07/05/07 02:05

Norman Peelman wrote:
> Jerry Stuckle wrote:
>> Norman Peelman wrote:
>>> Rami Elomaa wrote:
>>>> Norman Peelman kirjoitti:
>>>>> Todd Michels wrote:
>>>>>> daGnutt wrote:
>>>>>>> On 1 Juli, 14:26, Todd Michels <t...@nalamail.com> wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I am trying to send data from a form and insert it into a MSSQL DB.
>>>>>>>>
>>>>>>>> When I submit the data I get: Warning: mssql_query()
>>>>>>>> [function.mssql-query]: message: The name "Todd" is not
>>>>>>>> permitted in
>>>>>>>> this context. Valid expressions are constants, constant
>>>>>>>> expressions, and
>>>>>>>> (in some contexts) variables. Column names are not permitted.
>>>>>>>> (severity
>>>>>>>> 15) in "Myfile"
>>>>>>>>
>>>>>>>> If I don't use the POST data and write the query explicitly, it
>>>>>>>> works.
>>>>>>>>
>>>>>>>> Any help is appreciated.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Todd
>>>>>>>>
>>>>>>>> WinXP SP2
>>>>>>>> MSSQL Express 2005
>>>>>>>> IIS 5.1
>>>>>>>> PHP 5.2.1
>>>>>>>>
>>>>>>>> It's a basic form:
>>>>>>>>
>>>>>>>> <body>
>>>>>>>> <form id="form1" name="form1" method="post" action="flextest.php">
>>>>>>>> <label>User Name
>>>>>>>> <input name="username" type="text" id="username" />
>>>>>>>> </label>
>>>>>>>> <label>Email Address
>>>>>>>> <input name="emailaddress" type="text" id="emailaddress" />
>>>>>>>> </label>
>>>>>>>> <p>
>>>>>>>> <input type="submit" name="Submit" value="Submit" />
>>>>>>>> </p>
>>>>>>>> </form>
>>>>>>>> </body>
>>>>>>>>
>>>>>>>> And here is the MSSQL insert:
>>>>>>>>
>>>>>>>> if( $_POST["emailaddress"] AND $_POST["username"])
>>>>>>>> {
>>>>>>>> //add the user
>>>>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>>>>> VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>>>>>>>
>>>>>>>> $Result = mssql_query($Query);
>>>>>>>>
>>>>>>>> }
>>>>>>>
>>>>>>> I personally don't know MSSQL, but in MySQL the error would lie in
>>>>>>> that non-numerical entries must be surrounded by '"', so try
>>>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>>>> VALUES(\"%s\", \"%s\")', $_POST["username"],
>>>>>>> $_POST["emailaddress"]);
>>>>>>>
>>>>>>
>>>>>> Thanks for the suggestion, and you were close. This is the
>>>>>> command that actually worked.
>>>>>>
>>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>>>>>> VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
>>>>>>
>>>>>> Thanks again.
>>>>>
>>>>> If you aren't doing anything special with sprintf (if you don't
>>>>> necessarily need it) then the following works as expected:
>>>>>
>>>>> $Query = "INSERT INTO users (username, emailaddress)
>>>>> VALUES('$_POST[username]', '$_POST[emailaddress]')";
>>>>>
>>>>> but that's not accounting for the cleansing of variables.
>>>>
>>>> I'll say it isn't! It's an SQL injection waiting to happen. Please
>>>> don't give this kind of advice even though it works. Always keep
>>>> in mind good coding practice when giving advice. Never trust user
>>>> data; that means never hand it to a database without checking the
>>>> contents.
>>>>
>>>
>>> ...as you can read by the quote above I said that it doesn't account
>>> for the cleansing of variables. The OP didn't ask about SQL
>>> injections, he asked why his query was failing. What does sprintf()
>>> do to prevent SQL injections? Nothing that I can see. I answered the
>>> question at hand with perfectly legal PHP code.
>>>
>>> ...to the OP, you should always run your $_POST/$_GET/$_REQUEST
>>> variables through a 'cleaning' function to sanitize (remove/prevent)
>>> unwanted characters. Carefully crafted input could be used to do
>>> damage to your data.
>>>
>>> ...to Rami, I appreciate your input but think you went off the deep
>>> end just a bit. The problem here is that people get upset when a
>>> reply is made to a question without listing all the dependencies of
>>> the answer. I still think the PHP newsgroups need a FAQ. I know there
>>> are a lot of forums/info to be found by googling but maybe too much...
>>> often the info seems to be intermingled with a lot of crap.
>>>
>>> If I'm ranting a bit then I apologize.
>>>
>>> Norm
>>
>> Sorry, I agree with Rami. Your answer was correct, but it didn't go
>> far enough. Obviously from his question the OP was not aware of the
>> possibilities of SQL injection. It would be a favor to him (and
>> everyone else who reads this thread) to mention it.
>>
>> It never hurts to go a little beyond the question - especially when
>> security is at stake.
>>
>
> Jerry,
> I understand where you're coming from and you and Rami are right. I
> think the thing that gets me is only one reply to this thread touches on
> SQL injection/variable cleansing. My reply is no different than yours,
> Rami's or anyone else's at this point. Every reply but one is about
> getting the quotes right but I get told not to give advice. In fact,
> neither one of Rami's or your replies give the OP any advice on the
> matter I'm being scorned for. In fact, at least I somewhat mentioned it
> although I didn't use the phrase 'SQL Injection'. All in all I just
> can't figure out why my post was singled out as a problem.
>
> Norm

Well, first of all, I wasn't replying to the OP. I was just correcting
an incorrect response, which had to do with single vs. double quote syntax.

If I had been replying to the OP I would have mentioned SQL injection.

As for why your post was singled out - probably because your post was
the most complete and correct of the responses, and you only mentioned
cleansing variables in passing. But I don't know for sure.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
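The thread argues about quoting and about "cleansing" $_POST values but never shows what the two things look like side by side. The following is an added example, not code from any post in the thread. It rebuilds the OP's INSERT three ways: the string-built form (so the effect of a crafted value is visible), the quote-doubling that is the only in-band defence legacy ext/mssql offers, and a PDO parameterised form. The DSN environment variables, the users table/columns, the validation rules and the attacker string are all assumptions; it needs PHP 7.1+ and the PDO part only runs when MSSQL_DSN is set.

```php
<?php
// Added example for this thread, not the OP's code. Table and column
// names are taken from the OP's form; everything else is assumed.

// 1. The thread's approach: values spliced into the SQL text.
//    Single quotes are the portable T-SQL string delimiter; the double
//    quotes that "worked" for the OP only delimit strings while
//    QUOTED_IDENTIFIER is OFF on that connection, otherwise they name a
//    column (which is exactly the error message the OP started with).
function buildInsertUnsafe(string $username, string $email): string
{
    return sprintf(
        "INSERT INTO users (username, emailaddress) VALUES ('%s', '%s')",
        $username,
        $email
    );
}

// 2. Legacy ext/mssql has no placeholders (mssql_bind only works with
//    stored procedures), so the in-band fix is to double every single
//    quote inside a single-quoted literal. This covers string literals
//    only; a value spliced in unquoted (a number, an ORDER BY column)
//    is not protected by it.
function tsqlLiteral(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

function buildInsertEscaped(string $username, string $email): string
{
    return sprintf(
        'INSERT INTO users (username, emailaddress) VALUES (%s, %s)',
        tsqlLiteral($username),
        tsqlLiteral($email)
    );
}

// 3. The preferred fix: hand the values to the driver separately from
//    the SQL text. pdo_sqlsrv sends them as real parameters; pdo_dblib
//    emulates binding by quoting on the client, which is still far
//    safer than hand-built sprintf strings.
function insertUserPdo(PDO $db, string $username, string $email): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, emailaddress) VALUES (:username, :email)'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// 4. Parameters stop injection, not garbage: still validate shape and
//    length before the row goes anywhere. Rules here are assumed.
function validateSignup(array $post): array
{
    $username = trim((string) ($post['username'] ?? ''));
    $email    = trim((string) ($post['emailaddress'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username)) {
        throw new InvalidArgumentException('bad username');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        throw new InvalidArgumentException('bad email');
    }
    return [$username, $email];
}

// Constructed attacker input: closes the literal and appends a second
// statement. T-SQL executes batches, so stacked statements do run.
$evil = "x'); DROP TABLE users; --";
echo buildInsertUnsafe($evil, 'a@example.com'), "\n";
echo buildInsertEscaped($evil, 'a@example.com'), "\n";

// Assumed DSN, e.g. "sqlsrv:Server=localhost;Database=app" or
// "dblib:host=localhost;dbname=app"; skipped when not configured.
if (getenv('MSSQL_DSN') !== false) {
    $db = new PDO(getenv('MSSQL_DSN'), getenv('MSSQL_USER') ?: '', getenv('MSSQL_PASS') ?: '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    [$u, $e] = validateSignup(['username' => 'Todd', 'emailaddress' => 'todd@example.com']);
    echo insertUserPdo($db, $u, $e), " row inserted\n";
}
```

Running it without a DSN prints the two built queries: in the first the attacker's quote terminates the username literal and the rest of the line becomes a DROP TABLE batch followed by a comment; in the second the quote is doubled, so the whole value stays inside the literal. That is the concrete difference between "getting the quotes right" and the cleansing Norman and Rami were arguing about, and the PDO version removes the need to get the quoting right at all.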
