Jump to content

[SOLVED] php mysql bug

HektoR

By HektoR
in PHP Coding Help

 Share

Recommended Posts

RussellReal Member

RussellReal

Posted
Posted

use mysql_real_escape_string

 

when you're doing

 

SELECT * FROM `tableName` WHERE `whatever` LIKE '%$whatever%'

 

if $whatever contains an apostraphy (?) " ' "

 

the query will ultimately look like:

SELECT * FROM `tableName` WHERE `whatever` LIKE '% whatever lol ' o%'

 

which will terminate the ' too early, leaving extra characters outside of the ' which is causing you the error, this is what is known as "mysql injection" so you should ALWAYS secure your mysql queries with

 

mysql_real_escape_string()

Link to comment
Share on other sites
RussellReal Member

RussellReal

Posted
Posted

note: mysql_real_escape_string() is weird, it only works if you connect to a mysql database, so make sure you have a database connection going..

 

THEN, before you do your little query thing

 

$query = "SELECT * FROM `tableName` WHERE `whatever` LIKE '%$whatever%'";

 

you wanna do

 

$whatever = mysql_real_escape_string($whatever);

$query = "SELECT * FROM `tableName` WHERE `whatever` LIKE '%$whatever%'";

 

you should apply mysql_real_escape_string in this fashion to EVERY variable which you are going to pass to a query, this way you avoid any errors in the future

Link to comment
Share on other sites
RussellReal Member

RussellReal

Posted
Posted

well yes, that would mess you up aswell.. you should ALWAYS use mysql_real_escape_string

 

any POST or GET variable which your end user can manipulate and send back to your server, which gets put into a sql query, should always be escaped to ensure security aswell as avoid errors..

Link to comment
Share on other sites
Adam Advanced Member

Adam

Posted
Posted

mysql_real_escape_string() isn't always the best choice depending upon the data you're expecting. There's a whole range of functions you can use to filter your inputs...

 

Just never leave an input variable unsecured!

 

A

Link to comment
Share on other sites
Mchl Regular Member

Mchl

Posted
Posted

Depends what data you expect user to put in.

If you expect a date in YYYY-MM-DD format, then you can have custom function that checks it. If you're expecting an email addy, then there's filter_var with FILTER_VALIDATE_EMAIL filter (there are also filters for other datatypes).

 

mysql_real_escape_string is however probably the best solution (second to using prepared statements) to use, when user can input just any string.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

 

 

All external data your script receives must be validate by your script to insure it exists and contains expected values. If you received query errors  for -1 or an empty value, it means your code is not validating what it received.

 

If the query is expecting a numeric field value, mysql_real_escape_string() won't prevent a hacker from injecting sql after the numeric value.

 

If your code is expecting a positive number in $_GET['id'], you should be checking if it is empty or not and then cast it as an integer number and then check if it is a positive number before ever putting it into your query.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.