|
|
Posted by pablo k on 10/26/05 18:50
Hilarion wrote:
>
> Hi
>
> What is the type of "nr_jrg" field in the database? What is
> the data you store there? "19/05" looks like part of date
> or simply some text. If it should be stored "as is", then
> the field in DB should be a character type (VARCHAR probably).
>
>> I have been stupid.
>> I was struggling with an update query on a text field. When i updated
>> '19/05' the update was performed and the result was 3.80.
>
>
> It has probably nothing to do with the variable type, but
> with not using single quotes in UPDATE query. Your query
> looked like this:
>
> UPDATE titels SET nr_jrg = 19/05 WHERE tid = 1234
>
> In SQL syntax this means setting "nr_jrg" field to the expression
> value, and the expression value is "3.8" (a number).
>
>
>> So i decided to set the variable with
>> settype( $nummer, string ) ;
>
>
> It was allready a string because all $_POST, $_GET and $_COOKIE
> values are strings.
>
>
>> Now, the result was 1.
>
>
> I do not know how did you do that.
>
>
>> Then i tried not to enter the division sign but the hash sign instead
>> (19#5). That worked to well! I got the message back that all
>> 399 records had been changed!
>
>
> This means that you did not use single quotes and got something
> like this:
>
> UPDATE titels SET nr_jrg = 19#05 WHERE tid = 1234
>
> Hash sign meant (for your DBMS engine) that you are placing
> a comment in your SQL statement, so what was actually executed
> was:
>
> UPDATE titels SET nr_jrg = 19
>
> which updated all records to 19.
>
>
>> But I am still wondering what happened?
>
>
> You did not use single quotes. Type of "nr_jrg" field in the
> database has also a big influence on the results.
>
>
>> Could you please shed some light on the code?
>> ------------
>> ...
>> $sql= "SELECT tid, titel, nr_jrg FROM titels WHERE tid>480 ORDER BY
>> tid DESC" ;
>> if ( isset( $_POST['id'] ) && isset( $_POST['nummer'] ) ) {
>> $id = $_POST['id'] ; $nummer = $_POST['nummer'] ;
>> settype( $nummer, string ) ;
>> print $_POST['nummer']. "- - " . $_POST['id']. "--<br> " ;
>> //n.b.: de apostrophes om '$nummer' heen, anders is het geen tekst
>
>
> When posting code change comments to English or cut them out.
>
>
>> $upd = "UPDATE titels SET nr_jrg = '$nummer' WHERE tid = $id " ;
>
>
> You should echo the $upd here and check how does it look like.
>
>
>> [snip]
>
>
> If you have "magic_quotes_gpc" turned off or you are not using MySQL
> (or another database using same way of escaping special chars in
> strings), then your script can be used to perform ALL possible
> SQL injection attacks. If you are using MySQL (as above) and
> have "magic_quotes_gpc" turned on, then still a skillful attacker
> can use it. You should turn "magic_quotes_gpc" off and use
> "mysql_real_escape_string" function on all text parameters
> passed to SQL query (not forgeting to put them in single quotes)
> and some other validation/conversion for other types of data (eg.
> use >>$id = intval( $_POST['id'] )<< to make sure that it will not
> be used against your database).
>
>
> Hilarion
Thanks, You did shed light! A big light!
pablo k
[Back to original message]
|