Re: [PHP] MySQL empty row

Posted by Andy Pieters on 04/04/05 19:45

Hi Neo

Just some observations and hints.

I see you use the contents of a user variable ($_POST, $_GET, $_REQUEST,
$_SESSION) without checking it. Possibly you checked them on another page but you
shouldn't rely on that. You should take NOTHING for granted. You should
escape the input by using a function like mysql_escape_string.

Googling for mysql injection will give you ample information on the why of this
precaution.

Secondly, you include a line die($res->getMessage()) which would expose security-
sensitive information about your server and database. You do not want this!
Instead you can redirect to a page that explains to the user that an error
occurred. For yourself, you can write the error to a file on the server that
you can peruse to debug.

Just scream if you want an example of this.

How about trying this:

unset($res);
$res =& $db->query($query);   // the @ silencer cannot be combined with =&, so it is left out
if ($res) {
    if (DB::isError($res)) {
        // handle the error here (log it, redirect the user) instead of die()
    }
    // ....rest of your code
}

The HTTP specification also says that a Location header should provide an
absolute address, not a relative one.

You might also consider rewriting your logic a bit:

Instead of depending on a connect and a disconnect file, make one include file
like this:

function connect()
{
    # details of your connect go here
    if ($connection_ok) {                          # whatever your connect step reports
        register_shutdown_function('disconnect');  # the callback must be passed as a string
    }
}
function disconnect()
{
    # your stuff here
}

Including (or requiring) the file at the start of the page will provide you
with all functionality and will automatically close the database connection
when the script finishes. (Don't use this with persistent connections though.)

Also when you use functions that rewrite the header, you can either use
ob_start, ob_end and stuff to buffer the output, or make sure you send
nothing to the browser until after the headers are sent.
One common pitfall is having characters before the <?php or characters after
the ?>

After the ?> there must be NO character, not even a CR or LF.
The best way to check this is to put your cursor right next to the > and press the
left key. If your cursor moves then press left followed by del. Keep
pressing the del key until all the characters after the > are gone.

With kind regards


Andy Pieters
Straight-A-Software

On Monday 04 April 2005 16:57, Neo Theone wrote:
> Until some time I could make a new empty line in mysql with this query:
> INSERT INTO `".$_SESSION['type']."`() VALUES ()
> where $_SESSION['type'] was the table I wanted to use but now I get an
> error and since I use DB I just get this error
>
> INSERT INTO `authors`() VALUES ()
> *Warning*: Cannot modify header information - headers already sent by
> (output started at
> /usr/local/ftp/faps/public_html/pubDB/edit/newline.php:9) in
> */usr/local/ftp/faps/public_html/pubDB/edit/newline.php* on line *19
>
> *This is the file
> <?php
> include "./checkuser.php";
>
> include "../modules/connect.php";
>
> array_pop($_REQUEST);
> $query = "INSERT INTO `".$_SESSION['type']."`() VALUES ()";
>
> $res =& $db->query($query);
> //Always check that result is not an error
> if (DB::isError($res)) {
> die($res->getMessage());
> }
>
> include "../modules/disconnect.php";
>
> header ("Location: ./edit.php?".$_SESSION['stayurl']);
>
> ?>
> How come line nine: $res =& $db->query($query); writes anything??

--
Registered Linux User Number 379093
--
Feel free to check out these few
php utilities that I released under the GPL2 and
that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
--
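As an added example (not code from either poster), here is newline.php rewritten along the lines Andy describes: the table name is checked against an allowlist rather than escaped, since mysql_escape_string() protects quoted string values, not backtick-quoted identifiers; the database error goes to a server-side log and the user is redirected to an absolute URL. Assumed: checkuser.php starts the session, connect.php supplies a PEAR DB object in $db, and the example.com URLs and the log path are placeholders.

```php
<?php
// Added example, not Neo's or Andy's code. The table name in $_SESSION['type']
// is an SQL identifier: mysql_escape_string() escapes quotes, not backticks, so
// the safe check is an allowlist of table names this page may touch.
// Assumed: checkuser.php starts the session, connect.php provides a PEAR DB
// object in $db, and the two paths below are placeholders you choose.
include "./checkuser.php";
include "../modules/connect.php";

define('ERROR_PAGE', 'http://www.example.com/pubDB/error.php'); // absolute URL, as the HTTP spec asks
define('LOG_FILE', '/var/log/pubdb/errors.log');                // a file outside the web root

// Returns the INSERT statement for an empty row, or null when $type is not an allowed table.
function emptyRowQuery($type, array $allowedTables)
{
    // strict comparison: only an exact match with a listed name is accepted
    if (!is_string($type) || !in_array($type, $allowedTables, true)) {
        return null;
    }
    return "INSERT INTO `" . $type . "` () VALUES ()";
}

// Writes the real error to the server-side log and sends the user to a neutral page.
function failSafely($detail)
{
    error_log(date('c') . ' ' . $detail . "\n", 3, LOG_FILE);
    header('Location: ' . ERROR_PAGE);   // nothing may have been echoed before this
    exit;
}

$allowedTables = array('authors', 'publications');   // constructed list for the example

$type  = isset($_SESSION['type']) ? $_SESSION['type'] : '';
$query = emptyRowQuery($type, $allowedTables);
if ($query === null) {
    failSafely('rejected table name: ' . var_export($type, true));
}

$res = $db->query($query);
if (DB::isError($res)) {
    failSafely($res->getMessage());   // the message goes to the log, never to the browser
}

header('Location: http://www.example.com/pubDB/edit/edit.php?' . $_SESSION['stayurl']);
exit;
```

The closing ?> is deliberately omitted so no stray CR or LF after it can start output before the Location header.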
