Full Version: Script Won't Insert
Zymic Webmaster Forums > Web Design & Development > Server Side Scripting > PHP
Ricky Nix
I've made several insert scripts for an admin portion of a website, but one of the codes refuses to work and dies every time. It's based on all the other insert scripts and all the variables are right. It connects with puppies.php and the tables and fields all exist and are in the right format.

Can anyone help?

CODE
<?php include("../../inc/topa.php"); ?>
<!-- START BODY -->
        <td colspan="12" class="white">
            <center><b>Admin Area</b></center><br>
            Add Product Line:<br>
            <?php
            require("../../inc/puppies.php");
            switch (@$_GET['do'])
            {
                default:
                    echo "<form action='?do=step2' method='post'><br>
                        Name: <input type='text' name='newname'><br>
                        Picture: <input type='text' name='newpic'><br>
                        <input type='submit' value='Submit'>
                        </form>";
                    break;
                    
                case "step2":
                    $newname = $_POST['newname'];
                    $newpic = $_POST['newpic'];
                    if (!empty($newpic))
                    {
                        $urlf = "<img src=$newpic>";
                    } else
                    {
                        $urlf = " ";
                    }
                    $add = mysql_query("INSERT INTO products (name, img, url) VALUES ('$newname','$newpic','$urlf')") or die("Couldn't add product line.");
                    echo "Product line added.";
                    break;
            }
            ?>
        </td>
<!-- END BODY -->
<?php include("../../inc/bottoma.php"); ?>
swordz
Firstly, you need to sanitize $newname and $newpic with mysql_real_escape_string, or you'll wake up one day to find you're missing your databases.

Secondly, try die(mysql_error()). That will give you some more idea about what's wrong, as the only thing I can see at the moment is no backticks (`), but I don't think that makes any difference in this case (although it is good practice).

swordz
MrTouz
Sorry to hijack this post, but I believe it will benefit both of us.

Hi Swordz. I must admit, it appears that you know a lot in PHP.

Well, I looked at the PHP manual and at W3Schools' website, and they say the same thing. They both say that the safest way of using the data without having people hacking or using invalid characters is to do this:

CODE
<?php
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Make a safe SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>


I have a request. Can you, using this example, copy this script but with an INSERT instead of the SELECT, like in the script I posted, but with only ONE piece of data (faster for you), so we (him and myself) can have a clear view on how to insert data into a database... all that safely.
swordz
QUOTE(MrTouz @ Jan 22 2009, 01:41 PM)
Sorry to hijack this post, but I believe it will benefit both of us.

Hi Swordz. I must admit, it appears that you know a lot in PHP.
Really, no. Just ask Alex. Or anyone on Freenode... I'm still asking stupid questions!
QUOTE(MrTouz @ Jan 22 2009, 01:41 PM)
I have a request. Can you, using this example, copy this script but with an INSERT instead of the SELECT, like in the script I posted, but with only ONE piece of data (faster for you), so we (him and myself) can have a clear view on how to insert data into a database... all that safely.

Basically, if you're entering data into a database you need to always ask yourself 2 questions. What is it, and have I checked that? And where did it come from?

If the data is allowed to have any letters in it, people can write words. In particular, they can write MySQL command words. And so, unless you're careful, they can modify your commands, and start deleting stuff. If it's meant to be an ID, that's only numbers, so is fine. BUT if you haven't checked that it's numeric, you still need to be careful.

This does all basically boil down to where the data came from. If it's ENTIRELY internally generated, you know exactly what it contains, so it should be safe. If there is any user input, though, you should assume it's being messed with, so you need to mysql_real_escape_string() it to ensure it's safe.

swordz

ps.
QUOTE(swordz @ Jan 22 2009, 08:21 AM)
Firstly, you need to sanitize $newname and $newpic with mysql_real_escape_string, or you'll wake up one day to find you're missing your databases.
I really like this quote. Not sure why.
MrTouz
So again, sorry for asking again (you are making a clear point about where I need to be careful with my INSERTs). So if it's an INPUT... I need to be careful because people can enter different types of data, including MySQL commands, and screw me over.

If it's predefined text, such as <option>, it shouldn't be a problem?
swordz
NO!

Just because you 'predefine' the text, DOES NOT MEAN THE VARIABLE WILL HAVE ONE OF THOSE VALUES. By internally generated I mean by THAT script. Anything with $_GET, $_POST, and even some $_SERVER are the enemy, ANY time you use one you have to think 'is it what I want it to be'? How do I know? What have I done to ensure this? What could somebody do with this variable?

Basically, if it comes (however distantly) from a $_POST or $_GET do htmlspecialchars on echo, and mysql_real_escape_string on input to a database.

Recently a top 25 list of programming errors/problems was released. Injection possibilities were the No. 1 error.

swordz
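The two rules above (check what the value is and where it came from, then keep it out of the SQL text) applied to the "Add Product Line" script from the first post, as an added example that is not code from this thread or from any of its posters. It uses mysqli prepared statements rather than mysql_real_escape_string, because the mysql_* extension used throughout the thread was removed in PHP 7; the connection details are placeholders, and the assumed table columns (name, img, category) and the category <select> differ from the original script, the <select> being there to show that a "predefined" option still has to be whitelisted on the server, as the reply above insists.

```php
<?php
// Added example (not from the thread): a hardened version of the "Add Product Line"
// handler. Connection details and the products table layout are placeholders.
declare(strict_types=1);

// Allowed values for the "predefined" <option> field. The browser's option list proves
// nothing about what arrives in $_POST; only this server-side check does.
const ALLOWED_CATEGORIES = ['toys', 'food', 'bedding'];

function connectDb(): mysqli
{
    // Throw on errors instead of failing silently (the thread's die(mysql_error()) point).
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Placeholder credentials; in the original script these live in puppies.php.
    return new mysqli('localhost', 'db_user', 'db_password', 'db_name');
}

// Rule 1: what is it, and have I checked that? Returns error messages, empty when valid.
function validateProduct(array $post): array
{
    $errors = [];
    $name = trim((string)($post['newname'] ?? ''));
    $pic  = trim((string)($post['newpic'] ?? ''));
    $cat  = (string)($post['category'] ?? '');

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Name is required and must be at most 100 characters.';
    }
    // Only http(s) URLs for the picture, so javascript: and data: URIs are rejected.
    if ($pic !== '' && !preg_match('#^https?://[^\s"\'<>]+$#i', $pic)) {
        $errors[] = 'Picture must be an http(s) URL.';
    }
    if (!in_array($cat, ALLOWED_CATEGORIES, true)) {
        $errors[] = 'Unknown category.';
    }
    return $errors;
}

// Rule 2: the values came from $_POST, so they never become part of the SQL text.
// Bound parameters are sent separately from the query, so quotes or SQL keywords in
// $name are stored as literal characters and cannot change the statement.
function addProduct(mysqli $db, string $name, string $pic, string $category): int
{
    $stmt = $db->prepare('INSERT INTO products (name, img, category) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $pic, $category);
    $stmt->execute();
    return (int)$db->insert_id;
}

// htmlspecialchars on echo, the output half of the rule quoted in the thread.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateProduct($_POST);
    if ($errors) {
        foreach ($errors as $e) {
            echo '<p>' . h($e) . '</p>';
        }
    } else {
        $name = trim($_POST['newname']);
        $pic  = trim($_POST['newpic']);
        try {
            $id = addProduct(connectDb(), $name, $pic, $_POST['category']);
            echo '<p>Product line #' . $id . ' added.</p>';
            // The <img> tag is built at output time from the escaped URL, not stored in the row.
            if ($pic !== '') {
                echo '<img src="' . h($pic) . '" alt="">';
            }
        } catch (mysqli_sql_exception $e) {
            // Keep the real database error for your own log; show the user a generic message.
            error_log('INSERT failed: ' . $e->getMessage());
            echo '<p>Could not add product line.</p>';
        }
    }
} else {
    echo "<form method='post'>
        Name: <input type='text' name='newname'><br>
        Picture URL: <input type='text' name='newpic'><br>
        Category: <select name='category'>";
    foreach (ALLOWED_CATEGORIES as $c) {
        echo "<option value='" . h($c) . "'>" . h($c) . "</option>";
    }
    echo "</select><br><input type='submit' value='Submit'></form>";
}
```

Two design points worth noting: the original script stored a ready-made `<img src=...>` tag in the table, which means an unchecked URL is replayed to every visitor; building the tag at output time from a validated, escaped URL removes that. And with `mysqli_report` set to throw, the failing INSERT from the first post would surface its actual database error in the log instead of a bare "Couldn't add product line."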
MrTouz
Shit, I'm even more scared!
swordz
QUOTE(swordz @ Jan 22 2009, 08:52 PM)
Basically, if it comes (however distantly) from a $_POST or $_GET do htmlspecialchars on echo, and mysql_real_escape_string on input to a database.


Just follow that as a rule, and you'll be safe. If you're using it unnecessarily it will slow your script down (not noticeably though), but at least everything will be safe.

Sorry, I'm making this out to be really serious - which it is, as it's number one - but you'd normally have to have really annoyed someone/be very unlucky to have them spend enough time trying to work your code out, just so they can break it.

swordz
MrTouz
Well, it's not annoyed people that I am afraid of... it's just stupid people wanting to prove a point or wanting to fuck around.

I will follow your 2 rules as far as I can. I am making it harder for people to screw with my script: website side (with Ajax validation) and server side with mysql_real_escape_string.

I have never been that far with any of my scripts, and I just want to finalize it with security. I need someone to 'hack' it once I am done to test it out.
swordz
Sure, I'll have a look if you want! PM me when you're done, and I'll give you my e-mail.

swordz
MrTouz
Thank you very much.