
Injection (Php-Mysql)

baris22

I have got a problem with a character. I do not know which one it is. I am inserting long text files into a database and sometimes I cannot insert. Any idea which character it could be?

I am using this code:

PHP:
// $title is assigned earlier in the loop (not shown in the post)
$links .= $_POST['links'][$i];
$description = $_POST['description'][$i];
$type = $_POST['type'];
// Escape quotes and backslashes only if magic quotes has not already done so
if (!get_magic_quotes_gpc()) {
    $title = addslashes($title);
    $links = addslashes($links);
    $description = addslashes($description);
}
// Collapse line breaks and pipe characters to single spaces
$to_replace = array("\r\n", "|", "\n", "\\r\\n", "\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);
//echo $title . '<br/>';
// The values are concatenated straight into the query string
$query = "INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";
mysql_query($query);
 
0
•••
peter@flexiwebhost said:
I can't see why having the string wget would cause problems unless you were running it through exec or something like that.

I am a million times sure. The problem is "wget ".

I deleted that word from the post and it worked fine. I tried to enter only the word "wget " and it fails.
 
0
•••
Could the problem not be with the word "wget ", but with the space at the end?
Have you tried using "wget" without a space?
 
0
•••
Can you paste the actual error message from phpMyAdmin? It will say exactly what is wrong and should make this really easy.
 
0
•••
Dan said:
Can you paste the actual error message from phpMyAdmin? It will say exactly what is wrong and should make this really easy.

It works perfectly if I add it from phpMyAdmin.

I just made a simple script to try one by one whether the problem is "wget ".

I can insert "wget" but not "wget "

Here is the simple code I am using.

PHP:
<?php
$con = mysql_connect("localhost", "user", "pass");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("database name", $con);

$title = $_POST['title'];
$description = $_POST['description'];

// Test: swap out the suspected word so the query no longer contains it
$title = str_replace("wget", "ddd", $title);
$description = str_replace("wget", "ddd", $description);

// The values are concatenated straight into the query string, unescaped
$query = "INSERT INTO `filedetails` VALUES ('', '', '".$title."', '".$description."', '','0000000000')";
mysql_query($query);
echo 'MYSQL ERROR IS: ' . mysql_error();
mysql_close($con);
?>
<html>
<body>
<form action="insert.php" method="post">
title:<input name="title" type="text" size="100" />
<br>
desc:<textarea name="description" cols="150" rows="10"></textarea>
<br>
<input type="submit" />
</form>
</body>
</html>

When I try to insert "wget " I get this:

Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
 
0
•••
Maybe the problem is a bad host?

Are you making it echo the exact query you are trying to run then using that in phpMyAdmin? If you can do the query in phpMyAdmin, then there is no problem with the query...
 
0
•••
Use this

PHP:
$var = strip_tags($var);
$var = htmlspecialchars($var);
$var = trim($var);
$var = stripslashes($var);
$var = mysql_real_escape_string($var);
 
0
•••
-Nick- said:
Use this

PHP:
$var = strip_tags($var);
$var = htmlspecialchars($var);
$var = trim($var);
$var = stripslashes($var);
$var = mysql_real_escape_string($var);

You should not run a variable through stripslashes unless it has been run through addslashes or magic_quotes_gpc; otherwise you could be causing problems.
 
0
•••
I found another one.

If I try to enter this into my database it does not work.

(There are line breaks before and after)
 
0
•••
What happens when you try this:

Code:
$query="INSERT INTO `filedetails` VALUES ('', '$type', '$title', '$description', '$links','0000000000')";
 
0
•••
peter@flexiwebhost said:
You should not run a variable through stripslashes unless it has been run through addslashes or magic_quotes_gpc otherwise you could be causing problems.
Usually, I only stripslashes the input and addslashes it when I want to display it. Maybe you can explain what kind of problem?
 
0
•••
xrvel said:
Usually, I only stripslashes the input and addslashes it when I want to display it. Maybe you can explain what kind of problem?

If you add slashes to something that has already been run through addslashes (that is effectively what magic_quotes_gpc does).

You should not be using addslashes for data that is going to be output to the browser. The function was intended to make data safe for inputting into a database and will not make data safe for outputting to the user. The function you should be using is htmlspecialchars() or htmlentities().

Even if you use addslashes for data that is going to be input into the database, it does not take into consideration what database you are inserting into. Many characters, for example, that are special characters in MySQL will remain untouched and will alter how your query will run.
 
0
•••
peter@flexiwebhost said:
If you add slashes to something that has already been run through addslashes (that is effectively what magic_quotes_gpc does).

You should not be using addslashes for data that is going to be output to the browser. The function was intended to make data safe for inputting into a database and will not make data safe for outputting to the user. The function you should be using is htmlspecialchars() or htmlentities().

Even if you use addslashes for data that is going to be input into the database, it does not take into consideration what database you are inserting into. Many characters, for example, that are special characters in MySQL will remain untouched and will alter how your query will run.
Thanks. I only thought about escaping single quotes; now I will filter other special chars ...
:)
 
0
•••
xrvel said:
Thanks. I only thought about escaping single quotes; now I will filter other special chars ...
:)

In HTML your concerns are more with things such as <>. If you only escape quotes then the problem has not been sorted, as an XSS attack would still be possible. JavaScript and HTML are not strongly typed languages/markups; they do not require the quotes. This is where the HTML functions I mention help.

In MySQL you have characters such as --, which starts a comment, and ;, which ends a query (and anything after is a new query); however, this one depends on the method you use for connecting.

If you really want to make an SQL statement safe then use prepared statements. SQL injection is not possible when this method is used.
 
0
•••
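The following is an added example, not code posted in this thread, showing the INSERT from the original script written the way the last replies recommend: input is un-slashed only when magic quotes actually added the slashes (the stripslashes/addslashes point), the values travel as bound parameters of a PDO prepared statement (the -- and ; point), and encoding for the browser is a separate step done with htmlspecialchars() and ENT_QUOTES (the XSS point). It runs offline against an in-memory SQLite database; the MySQL DSN in the comments, the column names of `filedetails` (the thread's INSERT lists six columns without naming them) and the sample inputs are all assumed or constructed. One caveat on the thread's own symptom: a "Service Temporarily Unavailable" page in place of the script's "MYSQL ERROR IS:" line means the response never came from the script, so that particular failure points at something in front of PHP rather than at the query, and no amount of escaping changes it.

```php
<?php
// Added example, not code from the thread: the thread's INSERT rewritten with
// PDO prepared statements, input un-slashed only when magic quotes really
// added the slashes, and HTML encoding done separately from SQL escaping.
// An in-memory SQLite database is used so it runs offline; a MySQL DSN such
// as 'mysql:host=localhost;dbname=database_name;charset=utf8mb4' (assumed
// name) behaves the same. The thread's INSERT lists six columns without
// naming them, so the column names below are assumed.

// Undo magic_quotes_gpc only when it was actually on. On PHP >= 5.4 the
// feature is gone (and the function itself is gone in PHP 8), so the value
// is returned untouched: stripslashes() on a string that was never slashed
// would turn "C:\temp" into "C:temp".
function raw_input(string $value): string
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Schema standing in for the thread's `filedetails` table (column names assumed).
function create_schema(PDO $db): void
{
    $db->exec('CREATE TABLE filedetails (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        type TEXT NOT NULL,
        title TEXT NOT NULL,
        description TEXT NOT NULL,
        links TEXT NOT NULL,
        added TEXT NOT NULL)');
}

// Hardened insert. The values are bound parameters, not query text, so a
// quote, a backslash, "--" or ";" inside them cannot change the SQL. Only
// the line-break collapsing from the original code is kept.
function insert_file(PDO $db, string $type, string $title, string $description, string $links): int
{
    $breaks = ["\r\n", "\n", "|"];
    $title = str_replace($breaks, ' ', $title);
    $description = str_replace($breaks, ' ', $description);

    $stmt = $db->prepare(
        'INSERT INTO filedetails (type, title, description, links, added)
         VALUES (:type, :title, :description, :links, :added)'
    );
    $stmt->execute([
        ':type'        => $type,
        ':title'       => $title,
        ':description' => $description,
        ':links'       => $links,
        ':added'       => '0000000000',
    ]);
    return (int) $db->lastInsertId();
}

// Encoding for the browser is a separate step from escaping for SQL.
// Escaping quotes alone is not enough: "<script>alert(1)</script>" has no
// quotes. ENT_QUOTES makes htmlspecialchars() cover <, >, &, " and '.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    // Real server-side prepares on MySQL; with emulation the driver escapes
    // client-side and then the charset in the DSN is what keeps it correct.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
create_schema($db);

// Constructed inputs standing in for $_POST: the thread's "wget " string,
// quotes, a backslash, a comment marker and a statement terminator.
$posted = [
    'type'        => 'tool',
    'title'       => raw_input('wget http://example.com/file.tgz'),
    'description' => raw_input("O'Reilly's notes\r\nC:\\temp'); DROP TABLE filedetails; --"),
    'links'       => raw_input('http://example.com/<script>alert(1)</script>'),
];
$id = insert_file($db, $posted['type'], $posted['title'], $posted['description'], $posted['links']);

// Read it back through a prepared statement too. The row holds the text
// byte for byte (line breaks collapsed) and the table still exists: the
// injection text was stored, not executed.
$stmt = $db->prepare('SELECT title, description, links FROM filedetails WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row['description'] !== "O'Reilly's notes C:\\temp'); DROP TABLE filedetails; --") {
    throw new RuntimeException('stored value was altered');
}
echo 'title: ', html($row['title']), "\n";
echo 'links: ', html($row['links']), "\n";
```

The two escaping steps are deliberately kept apart: the database never sees HTML-encoded text (Nick's snippet above runs htmlspecialchars() before the insert, which stores `&lt;` in the table and breaks searching), and the browser never sees SQL-escaped text. With the old ext/mysql functions, mysql_query() refuses to run more than one statement, which is why the `;` attack depends on the connection method, but the `--` comment and a stray quote still work against a concatenated query, and the prepared statement removes both.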