Injection (Php-Mysql)

I have got a problem with a character. I do not know which one it is. I am inserting long text files into a database and sometimes I cannot insert. Any idea which character it can be?

I am using this code

PHP:
// $title is assigned earlier in the same loop (not part of the posted snippet)
$links .= $_POST['links'][$i];
$description = $_POST['description'][$i];
$type = $_POST['type'];
// Only escape by hand when magic_quotes_gpc has not already done it
if (!get_magic_quotes_gpc()) {
    $title = addslashes($title);
    $links = addslashes($links);
    $description = addslashes($description);
}
// Flatten line breaks and pipes (literal and already-escaped forms) to spaces
$to_replace = array("\r\n", "|", "\n", "\\r\\n", "\\n");
$title = str_replace($to_replace, " ", $title);
$description = str_replace($to_replace, " ", $description);
//echo $title . '<br/>';
$query = "INSERT INTO `filedetails` VALUES ('', '" . $type . "', '" . $title . "', '" . $description . "', '" . $links . "','0000000000')";
mysql_query($query);
 
•••
Use this

PHP:
$var = strip_tags($var);
$var = htmlspecialchars($var);
$var = trim($var);
$var = stripslashes($var);
$var = mysql_real_escape_string($var);
 
•••
-Nick- said:
Use this

PHP:
$var = strip_tags($var);
$var = htmlspecialchars($var);
$var = trim($var);
$var = stripslashes($var);
$var = mysql_real_escape_string($var);

You should not run a variable through stripslashes unless it has been run through addslashes or magic_quotes_gpc; otherwise you could be causing problems.
 
•••
I found another one.

If I try to enter this into my database it does not work.

(There are line breaks before and after)
 
•••
What happens when you try this:

Code:
$query="INSERT INTO `filedetails` VALUES ('', '$type', '$title', '$description', '$links','0000000000')";
 
•••
peter@flexiwebhost said:
You should not run a variable through stripslashes unless it has been run through addslashes or magic_quotes_gpc; otherwise you could be causing problems.
Usually, I only stripslashes the input and addslashes it when I want to display it. Maybe you can explain what kind of problem?
 
•••
xrvel said:
Usually, i only stripslashes the input and addslashes it when i want to display it. Maybe you can explain what kind of problem?

If you add slashes to something that has already been run through addslashes (that is effectively what magic_quotes_gpc does).

You should not be using addslashes for data that is going to be output to the browser. The function was intended to make data safe for inputting into a database and will not make data safe for outputting to the user. The function you should be using is htmlspecialchars() or htmlentities().

Even if you use addslashes for data that is going to be input into the database, it does not take into consideration what database you are inserting into. Many characters, for example, that are special characters in MySQL will remain untouched and will alter how your query will run.
 
•••
peter@flexiwebhost said:
If you add slashes to something that has already been run through addslashes (that is effectively what magic_quotes_gpc does).

You should not be using addslashes for data that is going to be output to the browser. The function was intended to make data safe for inputting into a database and will not make data safe for outputting to the user. The function you should be using is htmlspecialchars() or htmlentities().

Even if you use addslashes for data that is going to be input into the database, it does not take into consideration what database you are inserting into. Many characters, for example, that are special characters in MySQL will remain untouched and will alter how your query will run.
Thanks. I only thought about escaping single quotes; now I will filter other special chars ...
:)
 
•••
xrvel said:
Thanks. I only thought about escaping single quotes; now I will filter other special chars ...
:)

In HTML your concerns are more with things such as <>. If you only escape quotes then the problem has not been sorted, as an XSS attack would still be possible. JavaScript and HTML are not strongly typed languages/markups; they do not require the quotes. This is where the HTML functions I mention help.

In MySQL you have characters such as -- which starts a comment and ; which ends a query (and anything after is a new query); however, this one depends on the method you use for connecting.

If you really want to make an SQL statement safe then use prepared statements. SQL injection is not possible when this method is used.
 
•••
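As an added example (not code posted in this thread), here is the original INSERT rewritten the way the last reply recommends: the SQL text carries placeholders and the values travel separately, so quotes, `--`, `;` and backslashes in the data are never parsed as SQL, and the separate HTML-escaping step covers the XSS concern raised above. It assumes a PDO connection to a MySQL database holding the thread's `filedetails` table in the same six-column order; the connection details and the sample input are constructed for the example.

```php
<?php
declare(strict_types=1);

// Same clean-up the original code did on title/description: flatten line
// breaks and pipes to spaces. No addslashes, no magic-quotes check, no
// mysql_real_escape_string: escaping for the DB is the driver's job.
function normalize_text(string $s): string
{
    return str_replace(["\r\n", "\r", "\n", "|"], ' ', $s);
}

// Insert one row using a prepared statement. The column order matches the
// thread's positional VALUES ('', type, title, description, links, '0000000000').
function insert_file_details(PDO $pdo, string $type, string $title, string $description, string $links): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO `filedetails` VALUES (\'\', ?, ?, ?, ?, \'0000000000\')'
    );
    $stmt->execute([
        $type,
        normalize_text($title),
        normalize_text($description),
        $links,
    ]);
    return $stmt->rowCount();
}

// Escaping for the browser is a different job from escaping for the DB.
// ENT_QUOTES handles both quote styles (relevant inside attribute values),
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- usage (constructed connection and input) -----------------------------
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepares rather than client-side emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Sample input containing exactly the characters the thread worries about.
$title       = "O'Reilly's notes -- draft; not a second statement";
$description = "line one\r\nline two <b>bold</b> \"quoted\" back\\slash";
$links       = 'http://example.invalid/a|b';

$inserted = insert_file_details($pdo, 'txt', $title, $description, $links);
echo "rows inserted: $inserted\n";

// When rendering, escape once, at the output boundary, and nowhere else.
echo '<h1>' . html($title) . '</h1>' . "\n";
echo '<p>'  . html(normalize_text($description)) . '</p>' . "\n";
```

With `ATTR_EMULATE_PREPARES` set to false the statement is prepared on the MySQL server and the parameters are sent in a separate packet, which is what makes the "SQL injection is not possible" claim in the thread hold; with emulation on, PDO still escapes correctly, but it does so client-side using the connection's character set, so the `charset=utf8mb4` in the DSN matters.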