Injection (php-mysql)

baris22 · 11-23-2007, 12:28 PM

I have got a problem with a character. I do not know which one it is. I am inserting long text files into database and sometime i can not insert. Any idea which character can it be?

I am using this code

PHP Code:

  $links.=$_POST['links'][$i];

                $description=$_POST['description'][$i];

                $type=$_POST['type'];

                if (!get_magic_quotes_gpc()) {

                    $title=addslashes($title);

????: NamePros.com http://www.namepros.com/programming/399017-injection-php-mysql.html
                    $links=addslashes($links);

                    $description=addslashes($description);

                }

                $to_replace = array("\r\n","|","\n","\\r\\n","\\n");

              $title = str_replace($to_replace, " ", $title);

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
              $description = str_replace($to_replace, " ", $description);

                //echo $title . '<br/>';

                $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";

                mysql_query($query);

Peter · 11-23-2007, 12:50 PM

The easy way to fix this problem is to use mysql_real_escape_string() on your input this will ensure that any relevant characters are escaped.

Oh and by the way stop using addslashes it is far from ideal, if you use the above mentioned function then the addslashes function is not needed (and can cause problems) anyway.

I would also check and see if you have magic_quotes_gpc enabled (most hosts do). If that is the case reverse what this feature does or disable it using a .htaccess file if you are able too. In fact while you are at it disable register_globals.

baris22 · 11-23-2007, 12:58 PM

PHP Code:

   $links.=$_POST['links'][$i]; 

                $description=$_POST['description'][$i]; 

                $type=$_POST['type']; 

                if (!get_magic_quotes_gpc()) { 

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
                    $title=mysql_real_escape_string($title); 

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
                    $links=mysql_real_escape_string($links); 

                    $description=mysql_real_escape_string($description); 

                } 

                $to_replace = array("\r\n","|","\n","\\r\\n","\\n"); 

              $title = str_replace($to_replace, " ", $title); 

              $description = str_replace($to_replace, " ", $description); 

                //echo $title . '<br/>'; 

                $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')"; 

                mysql_query($query);

is it how to use mysql_real_escape_string?

thanks

Peter · 11-23-2007, 01:08 PM

yes thats fine, just a note I do not know what the content of $type should be but you should run the function on that as well.

baris22 · 11-23-2007, 01:32 PM

it did not work. Same problem.

then i used this code but same problem again. I do not know if this code is ok

PHP Code:

  $links.=$_POST['links'][$i];

                $description=$_POST['description'][$i];

                $type=$_POST['type'];

                

                $title=stripslashes($title);

                $links=stripslashes($links);

                $description=stripslashes($description);

                

                $title=mysql_real_escape_string($title);

                $links=mysql_real_escape_string($links);

                $description=mysql_real_escape_string($description);

                

                $to_replace = array("\r\n","|","\n","\\r\\n","\\n");

              $title = str_replace($to_replace, " ", $title);

              $description = str_replace($to_replace, " ", $description);

                //echo $title . '<br/>';

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
                $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";

                mysql_query($query);

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
                echo mysql_error();

Peter · 11-23-2007, 01:54 PM

echo out the query and post it here, also a copy of the error message you receive.

Ahh and just noticed. Do the mysql_real_escape_string lines after the following not before, i never noticed it before:-

PHP Code:

                  $to_replace = array("\r\n","|","\n","\\r\\n","\\n");

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
              $title = str_replace($to_replace, " ", $title);

              $description = str_replace($to_replace, " ", $description);

baris22 · 11-23-2007, 02:30 PM

This is the code i used

PHP Code:

  $links.=$_POST['links'][$i];

                $description=$_POST['description'][$i];

                $type=$_POST['type'];

                if (!get_magic_quotes_gpc()) {

                    $title=addslashes($title);

                    $links=addslashes($links);

                    $description=addslashes($description);

                }

              $to_replace = array("\r\n","|","\n","\\r\\n","\\n");

              $title = str_replace($to_replace, " ", $title);

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
              $description = str_replace($to_replace, " ", $description);

              

              $title=stripslashes($title); 

              $description=stripslashes($description);

                

              $title=mysql_real_escape_string($title);

              $description=mysql_real_escape_string($description);

                //echo $title . '<br/>';

                $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";

                mysql_query($query) OR die(mysql_error());

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
                echo mysql_error();

I do not get an error. I get this

Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Peter · 11-23-2007, 02:33 PM

That seems completely unrelated.

baris22 · 11-23-2007, 02:39 PM

i think the problem is on one character. I have to add 50 entries at once. It works 90%.

I added over 100 pages. 100x50. it worked about 90 pages. I am just going to try htmlspecialchars

Peter · 11-23-2007, 02:53 PM

invalid characters should not cause a Service Temporarily Unavailable if it does then there is something seriously wrong.

baris22 · 11-23-2007, 02:55 PM

I know. I need to check every single entry to see what is wrong.

Is there anything i can add to

$to_replace = array("\r\n","|","\n","\\r\\n","\\n");

Peter · 11-23-2007, 03:02 PM

Why are you replacing them with a space? They will not be causing you any problem and in fact you are losing formatting by doing this.

baris22 · 11-23-2007, 03:32 PM

No, i have to do that. My code graps content from other web sites.

Do you think this can happen because of the charset. If there is a character which is not ok. with mysql settings?

Peter · 11-23-2007, 04:25 PM

it shouldn't do, mysql_real_escape_string takes into account the charset that is in use. Anyway if the charset was the problem you should see a mySQL error being generated.

baris22 · 11-24-2007, 05:00 PM

Oh my god. I found the answer after 2 long days.

When i try to add the word "wget " to database it does not work.

I am so serious. When i try to add "wget " (there is a space after) it does not work.

the_internet · 11-24-2007, 05:20 PM

If you'd rather not have the space at the end, you could try using rtrim() (and other related functions) to remove spaces from the end of a string.

baris22 · 11-24-2007, 05:24 PM

I think i am going to use

PHP Code:

  $to_replace = array("\r\n","|","wget ","\n","\\r\\n","\\n");

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
              $title = str_replace($to_replace, " ", $title);

              $description = str_replace($to_replace, " ", $description);

I do not think it will be a problem.

the_internet · 11-24-2007, 05:33 PM

OK, good luck with the code.

baris22 · 11-24-2007, 05:46 PM

Originally Posted by the_internet

OK, good luck with the code.

it did not work

PHP Code:

   $to_replace = array("\r\n","|","wget ","\n","\\r\\n","\\n"); 

              $title = str_replace($to_replace, " ", $title); 

              $description = str_replace($to_replace, " ", $description); 

????: NamePros.com http://www.namepros.com/showthread.php?t=399017

Peter · 11-24-2007, 05:54 PM

i cant see why having the string wget would cause problems unless you were running it through exec or something like that.

baris22 · 11-24-2007, 05:59 PM

Originally Posted by peter@flexiwebhost

i cant see why having the string wget would cause problems unless you were running it through exec or something like that.

I am million times sure. the problem is "wget "
????: NamePros.com http://www.namepros.com/showthread.php?t=399017

I deleted that word from the post and it worked fine. I tried to enter onlt the word "wget " and it fails.

the_internet · 11-24-2007, 07:39 PM

Could the problem not be with the word "wget ", but with the space at the end?
Have you tried using "wget" without a space?

Dan · 11-24-2007, 09:10 PM

Can you paste the actual error message from phpMyAdmin? It will say exactly what is wrong and should make this really easy.

baris22 · 11-25-2007, 03:14 AM

Originally Posted by Dan

Can you paste the actual error message from phpMyAdmin? It will say exactly what is wrong and should make this really easy.

It works perfect if i add from phpmyadmin.

I just made a simple script to try one by one if the problem is "wget "

I can insert "wget" but not "wget "

here is the simple code i am using.

PHP Code:

  <?php

$con = mysql_connect("localhost","user","pass");

if (!$con)

  {

  die('Could not connect: ' . mysql_error());

  }mysql_select_db("database name", $con);

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
  

  $title=$_POST['title'];

  $description=$_POST['description'];

  

  $title = str_replace("wget", "ddd", $title);

  $description = str_replace("wget", "ddd", $description);

  

  $query="INSERT INTO `filedetails` VALUES ('', '', '".$title."', '".$description."', '','0000000000')";

 mysql_query($query);

 echo 'MYSQL ERROR IS: '.mysql_error();

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
 mysql_close($con)

?> 

<html>

<body>

<form action="insert.php" method="post">

title:<input name="title" type="text" size="100" />

<br>

desc:<textarea name="description" cols="150" rows="10"></textarea>

<br>

<input type="submit" />

</form>

</body>

</html>

When i try to insert "wget " i get this

Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Dan · 11-25-2007, 02:49 PM

Maybe the problem is a bad host?

Are you making it echo the exact query you are trying to run then using that in phpMyAdmin? If you can do the query in phpMyAdmin, then there is no problem with the query...

11-23-2007, 12:28 PM	THREAD STARTER #1 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	Injection (php-mysql) I have got a problem with a character. I do not know which one it is. I am inserting long text files into database and sometime i can not insert. Any idea which character can it be? I am using this code PHP Code: $links.=$_POST['links'][$i]; $description=$_POST['description'][$i]; $type=$_POST['type']; if (!get_magic_quotes_gpc()) { $title=addslashes($title); ????: NamePros.com http://www.namepros.com/programming/399017-injection-php-mysql.html $links=addslashes($links); $description=addslashes($description); } $to_replace = array("\r\n","\|","\n","\\r\\n","\\n"); $title = str_replace($to_replace, " ", $title); ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 $description = str_replace($to_replace, " ", $description); //echo $title . '<br/>'; $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')"; mysql_query($query);

11-23-2007, 12:50 PM	#2 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	The easy way to fix this problem is to use mysql_real_escape_string() on your input this will ensure that any relevant characters are escaped. Oh and by the way stop using addslashes it is far from ideal, if you use the above mentioned function then the addslashes function is not needed (and can cause problems) anyway. I would also check and see if you have magic_quotes_gpc enabled (most hosts do). If that is the case reverse what this feature does or disable it using a .htaccess file if you are able too. In fact while you are at it disable register_globals. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-23-2007, 12:58 PM	THREAD STARTER #3 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	PHP Code: $links.=$_POST['links'][$i]; $description=$_POST['description'][$i]; $type=$_POST['type']; if (!get_magic_quotes_gpc()) { ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 $title=mysql_real_escape_string($title); ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 $links=mysql_real_escape_string($links); $description=mysql_real_escape_string($description); } $to_replace = array("\r\n","\|","\n","\\r\\n","\\n"); $title = str_replace($to_replace, " ", $title); $description = str_replace($to_replace, " ", $description); //echo $title . '<br/>'; $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')"; mysql_query($query); is it how to use mysql_real_escape_string? thanks

11-23-2007, 01:08 PM	#4 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	yes thats fine, just a note I do not know what the content of $type should be but you should run the function on that as well. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-23-2007, 01:32 PM	THREAD STARTER #5 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	it did not work. Same problem. then i used this code but same problem again. I do not know if this code is ok PHP Code: $links.=$_POST['links'][$i]; $description=$_POST['description'][$i]; $type=$_POST['type']; $title=stripslashes($title); $links=stripslashes($links); $description=stripslashes($description); $title=mysql_real_escape_string($title); $links=mysql_real_escape_string($links); $description=mysql_real_escape_string($description); $to_replace = array("\r\n","\|","\n","\\r\\n","\\n"); $title = str_replace($to_replace, " ", $title); $description = str_replace($to_replace, " ", $description); //echo $title . '<br/>'; ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')"; mysql_query($query); ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 echo mysql_error();

11-23-2007, 01:54 PM	#6 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	echo out the query and post it here, also a copy of the error message you receive. Ahh and just noticed. Do the mysql_real_escape_string lines after the following not before, i never noticed it before:- PHP Code: `$to_replace = array("\r\n","\|","\n","\\r\\n","\\n"); ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 $title = str_replace($to_replace, " ", $title); $description = str_replace($to_replace, " ", $description);` __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-23-2007, 02:30 PM	THREAD STARTER #7 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	This is the code i used PHP Code: $links.=$_POST['links'][$i]; $description=$_POST['description'][$i]; $type=$_POST['type']; if (!get_magic_quotes_gpc()) { $title=addslashes($title); $links=addslashes($links); $description=addslashes($description); } $to_replace = array("\r\n","\|","\n","\\r\\n","\\n"); $title = str_replace($to_replace, " ", $title); ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 $description = str_replace($to_replace, " ", $description); $title=stripslashes($title); $description=stripslashes($description); $title=mysql_real_escape_string($title); $description=mysql_real_escape_string($description); //echo $title . '<br/>'; $query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')"; mysql_query($query) OR die(mysql_error()); ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 echo mysql_error(); I do not get an error. I get this Service Temporarily Unavailable The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

11-23-2007, 02:33 PM	#8 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	That seems completely unrelated. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-23-2007, 02:39 PM	THREAD STARTER #9 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	i think the problem is on one character. I have to add 50 entries at once. It works 90%. I added over 100 pages. 100x50. it worked about 90 pages. I am just going to try htmlspecialchars

11-23-2007, 02:53 PM	#10 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	invalid characters should not cause a Service Temporarily Unavailable if it does then there is something seriously wrong. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-23-2007, 02:55 PM	THREAD STARTER #11 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	I know. I need to check every single entry to see what is wrong. Is there anything i can add to $to_replace = array("\r\n","\|","\n","\\r\\n","\\n");

11-23-2007, 03:02 PM	#12 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	Why are you replacing them with a space? They will not be causing you any problem and in fact you are losing formatting by doing this. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-23-2007, 03:32 PM	THREAD STARTER #13 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	No, i have to do that. My code graps content from other web sites. Do you think this can happen because of the charset. If there is a character which is not ok. with mysql settings?

11-23-2007, 04:25 PM	#14 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	it shouldn't do, mysql_real_escape_string takes into account the charset that is in use. Anyway if the charset was the problem you should see a mySQL error being generated. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft Last edited by peter@flexiwebhost; 11-23-2007 at 04:31 PM.

11-24-2007, 05:00 PM	THREAD STARTER #15 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	Oh my god. I found the answer after 2 long days. When i try to add the word "wget " to database it does not work. I am so serious. When i try to add "wget " (there is a space after) it does not work.

11-24-2007, 05:20 PM	#16 (permalink)
the_internet New Member Join Date: Nov 2007 Posts: 24	If you'd rather not have the space at the end, you could try using rtrim() (and other related functions) to remove spaces from the end of a string.

11-24-2007, 05:24 PM	THREAD STARTER #17 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	I think i am going to use PHP Code: `$to_replace = array("\r\n","\|","wget ","\n","\\r\\n","\\n"); ????: NamePros.com http://www.namepros.com/showthread.php?t=399017 $title = str_replace($to_replace, " ", $title); $description = str_replace($to_replace, " ", $description);` I do not think it will be a problem.

11-24-2007, 05:33 PM	#18 (permalink)
the_internet New Member Join Date: Nov 2007 Posts: 24	OK, good luck with the code.

11-24-2007, 05:54 PM	#20 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	i cant see why having the string wget would cause problems unless you were running it through exec or something like that. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-24-2007, 07:39 PM	#22 (permalink)
the_internet New Member Join Date: Nov 2007 Posts: 24	Could the problem not be with the word "wget ", but with the space at the end? Have you tried using "wget" without a space?

11-24-2007, 09:10 PM	#23 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,796	Can you paste the actual error message from phpMyAdmin? It will say exactly what is wrong and should make this really easy.

11-25-2007, 02:49 PM	#25 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,796	Maybe the problem is a bad host? Are you making it echo the exact query you are trying to run then using that in phpMyAdmin? If you can do the query in phpMyAdmin, then there is no problem with the query...

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)