
Injection (Php-Mysql)


baris22

I have got a problem with a character. I do not know which one it is. I am inserting long text files into a database and sometimes I cannot insert. Any idea which character it can be?

I am using this code

PHP:
$links.=$_POST['links'][$i];
$description=$_POST['description'][$i];
$type=$_POST['type'];
if (!get_magic_quotes_gpc()) {
    $title=addslashes($title);
    $links=addslashes($links);
    $description=addslashes($description);
}
$to_replace = array("\r\n","|","\n","\\r\\n","\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);
//echo $title . '<br/>';
$query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";
mysql_query($query);
 
0
•••
The easy way to fix this problem is to use mysql_real_escape_string() on your input; this will ensure that any relevant characters are escaped.

Oh, and by the way, stop using addslashes; it is far from ideal. If you use the above-mentioned function, then the addslashes function is not needed (and can cause problems) anyway.

I would also check and see if you have magic_quotes_gpc enabled (most hosts do). If that is the case, reverse what this feature does or disable it using a .htaccess file if you are able to. In fact, while you are at it, disable register_globals.
 
0
•••
PHP:
$links.=$_POST['links'][$i];
$description=$_POST['description'][$i];
$type=$_POST['type'];
if (!get_magic_quotes_gpc()) {
    $title=mysql_real_escape_string($title);
    $links=mysql_real_escape_string($links);
    $description=mysql_real_escape_string($description);
}
$to_replace = array("\r\n","|","\n","\\r\\n","\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);
//echo $title . '<br/>';
$query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";
mysql_query($query);

Is this how to use mysql_real_escape_string?

Thanks
 
0
•••
Yes, that's fine. Just a note: I do not know what the content of $type should be, but you should run the function on that as well.
 
0
•••
It did not work. Same problem.

Then I used this code, but same problem again. I do not know if this code is OK.

PHP:
$links.=$_POST['links'][$i];
$description=$_POST['description'][$i];
$type=$_POST['type'];

$title=stripslashes($title);
$links=stripslashes($links);
$description=stripslashes($description);

$title=mysql_real_escape_string($title);
$links=mysql_real_escape_string($links);
$description=mysql_real_escape_string($description);

$to_replace = array("\r\n","|","\n","\\r\\n","\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);
//echo $title . '<br/>';
$query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";
mysql_query($query);
echo mysql_error();
 
0
•••
Echo out the query and post it here, also a copy of the error message you receive.

Ahh, and just noticed: do the mysql_real_escape_string lines after the following, not before. I never noticed it before:

PHP:
$to_replace = array("\r\n","|","\n","\\r\\n","\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);
 
0
•••
This is the code I used

PHP:
$links.=$_POST['links'][$i];
$description=$_POST['description'][$i];
$type=$_POST['type'];
if (!get_magic_quotes_gpc()) {
    $title=addslashes($title);
    $links=addslashes($links);
    $description=addslashes($description);
}
$to_replace = array("\r\n","|","\n","\\r\\n","\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);

$title=stripslashes($title);
$description=stripslashes($description);

$title=mysql_real_escape_string($title);
$description=mysql_real_escape_string($description);
//echo $title . '<br/>';
$query="INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";
mysql_query($query) OR die(mysql_error());
echo mysql_error();

I do not get an error. I get this

Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
 
0
•••
That seems completely unrelated.
 
0
•••
I think the problem is with one character. I have to add 50 entries at once. It works 90%.

I added over 100 pages. 100x50. It worked for about 90 pages. I am just going to try htmlspecialchars.
 
0
•••
Invalid characters should not cause a Service Temporarily Unavailable; if they do, then there is something seriously wrong.
 
0
•••
I know. I need to check every single entry to see what is wrong.

Is there anything I can add to

$to_replace = array("\r\n","|","\n","\\r\\n","\\n");
 
0
•••
Why are you replacing them with a space? They will not be causing you any problem and in fact you are losing formatting by doing this.
 
0
•••
No, I have to do that. My code grabs content from other web sites.

Do you think this can happen because of the charset? If there is a character which is not OK with the MySQL settings?
 
0
•••
It shouldn't; mysql_real_escape_string takes into account the charset that is in use. Anyway, if the charset was the problem you should see a MySQL error being generated.
 
0
•••
Oh my god. I found the answer after 2 long days.

When I try to add the word "wget " to the database it does not work.

I am so serious. When I try to add "wget " (there is a space after) it does not work.
 
0
•••
If you'd rather not have the space at the end, you could try using rtrim() (and other related functions) to remove spaces from the end of a string.
 
0
•••
I think I am going to use

PHP:
$to_replace = array("\r\n","|","wget ","\n","\\r\\n","\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);


I do not think it will be a problem.
 
0
•••
OK, good luck with the code.
 
0
•••
the_internet said:
OK, good luck with the code.

It did not work.

PHP:
$to_replace = array("\r\n","|","wget ","\n","\\r\\n","\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);
 
0
•••
I can't see why having the string wget would cause problems unless you were running it through exec or something like that.
 
0
•••
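An added example, not code from any poster in this thread: the same `filedetails` insert written with a PDO prepared statement, so values are bound as data instead of being escaped and concatenated into the query string. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so the script runs offline); the column names and the sample input are constructed, since the thread's query lists no columns.

```php
<?php
// Added example. Column names are hypothetical; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE filedetails (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    type TEXT, title TEXT, description TEXT, links TEXT, added TEXT)');

// Constructed sample input standing in for $_POST: quotes, backslashes,
// newlines, a pipe, a quote-breaking $type, and the "wget " string.
$post = [
    'type'        => "video' OR '1'='1",
    'title'       => ["O'Reilly \\ notes", "wget mirror"],
    'description' => ["line one\r\nline two | three", "run wget http://example.test/ now"],
    'links'       => ["http://example.test/a?x='1'", "http://example.test/b"],
];

// Same replacement list as in the thread, applied to the raw value.
function flatten(string $s): string {
    return str_replace(["\r\n", "|", "\n", "\\r\\n", "\\n"], ' ', $s);
}

// Prepared once; every value (including $type) is bound, never concatenated,
// so no addslashes()/stripslashes()/escape-ordering question arises.
$stmt = $pdo->prepare(
    'INSERT INTO filedetails (type, title, description, links, added)
     VALUES (:type, :title, :description, :links, :added)');

foreach ($post['title'] as $i => $title) {
    $stmt->execute([
        ':type'        => $post['type'],
        ':title'       => flatten($title),
        ':description' => flatten($post['description'][$i]),
        ':links'       => $post['links'][$i],
        ':added'       => '0000000000',
    ]);
}

// Read the rows back: each value is stored exactly as it was bound.
$rows = $pdo->query('SELECT type, title, description, links FROM filedetails')
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo json_encode($row), "\n";
}
```

With ERRMODE_EXCEPTION set, a value the database rejects raises a PDOException carrying the driver's message, so a failure that produces no database error at all points at a layer in front of the query.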