
why do I still get error when placing a ' in url even after I sanitize...


mac007


Hi, all: need some help clarifying a couple of things about sanitizing...


As you can see in the code below, I am using FILTER_INPUT() function to sanitize the url variables being sent, since these are being used to make SELECT data based on what variables are being called... but when I add a single-quote to the string to test it like this: page.php?category='


Then I get an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1


I also get similar errors if I type url like: page.php?category=1'


But it doesn't give me any errors if I do any other of the special characters like <, >, ", &, or stuff of that sort. It's funny, cause if I have url like this: page.php?category=18&type='

I don't get any errors!


Appreciate the help...


Thanks



[code]
<?php
// THESE ARE VARIABLES
// (FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes the values; it is not an SQL escape)
$colname1_worksRS = filter_input(INPUT_GET, 'category', FILTER_SANITIZE_SPECIAL_CHARS);
$colname2_worksRS = filter_input(INPUT_GET, 'type', FILTER_SANITIZE_SPECIAL_CHARS);
$colname3_worksRS = filter_input(INPUT_GET, 'filter', FILTER_SANITIZE_SPECIAL_CHARS);

// THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES
// (the filtered values are interpolated straight into the SQL string)
$query_worksRS = "SELECT * FROM works WHERE 1";
if (!empty($_GET['category'])) {
    $query_worksRS .= " AND Type = '$colname1_worksRS'";
}
if (!empty($_GET['type'])) {
    $query_worksRS .= " AND Subject = '$colname2_worksRS'";
}
// 'filter' may be absent, so it is checked with empty() in every branch
if (!empty($_GET['filter']) && $_GET['filter'] == 'Price') {
    $query_worksRS .= " ORDER BY Price DESC";
} elseif (!empty($_GET['filter']) && $_GET['filter'] == 'Size') {
    $query_worksRS .= " ORDER BY Size DESC";
} else {
    $query_worksRS .= " ORDER BY ProductID DESC";
}
[/code]

Because FILTER_SANITIZE_SPECIAL_CHARS is only to protect HTML, not mysql -

HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.


Single and double quotes have ASCII values greater than 32, so FILTER_SANITIZE_SPECIAL_CHARS does nothing for them.


You should only use mysql_real_escape_string() to escape string data put into a mysql query, that is what it is for.
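The following is an added example, not the original poster's code and not the reply's suggestion. It builds the same "works" query as the post, but passes the request values to MySQL as bound parameters (PDO prepared statements) rather than escaping them with mysql_real_escape_string(), since the mysql_* extension no longer exists in current PHP. It assumes a PDO connection in $pdo and the column names used in the post (Type, Subject, Price, Size, ProductID); the DSN and credentials are placeholders.

```php
<?php
// Added example (not the original poster's or the reply's code): the "works"
// query from the post, rebuilt with bound parameters instead of string
// interpolation. Assumes a PDO connection in $pdo and the column names
// used in the post (Type, Subject, Price, Size, ProductID).

/**
 * Build the SQL text and the parameter list from the request array.
 * Returning both lets the builder be inspected without a database.
 */
function buildWorksQuery(array $get): array
{
    $sql    = "SELECT * FROM works WHERE 1";
    $params = [];

    // Values go into placeholders; they never become part of the SQL text,
    // so a quote in ?category=' is data, not syntax, and cannot break the query.
    if (!empty($get['category'])) {
        $sql .= " AND Type = :category";
        $params[':category'] = $get['category'];
    }
    if (!empty($get['type'])) {
        $sql .= " AND Subject = :type";
        $params[':type'] = $get['type'];
    }

    // Column names cannot be bound, so ORDER BY uses a whitelist: the request
    // value only selects a key, it is never inserted into the SQL itself.
    // An unknown or missing 'filter' falls back to the post's default order.
    $orderBy = [
        'Price' => 'Price DESC',
        'Size'  => 'Size DESC',
    ];
    $filter = $get['filter'] ?? '';
    $sql .= " ORDER BY " . ($orderBy[$filter] ?? 'ProductID DESC');

    return [$sql, $params];
}

// --- Usage -----------------------------------------------------------------
// Constructed request reproducing the poster's test case (in the real page
// this would be $_GET).
$request = ['category' => "'", 'type' => '', 'filter' => 'Price'];
[$sql, $params] = buildWorksQuery($request);
// $sql    is: SELECT * FROM works WHERE 1 AND Type = :category ORDER BY Price DESC
// $params is: [':category' => "'"]

// Assumed connection; DSN and credentials are placeholders.
// ATTR_EMULATE_PREPARES = false makes the MySQL server bind the values itself.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// HTML encoding belongs at output time; that is the job that
// FILTER_SANITIZE_SPECIAL_CHARS / htmlspecialchars() actually do.
foreach ($rows as $row) {
    echo htmlspecialchars($row['Type'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The two halves of the problem are kept separate on purpose: the database layer sees raw values through placeholders, and HTML encoding is applied only when a value is written into the page. Running the filter on the way in, as the original code does, neither protects the query nor guarantees the output is safe, because the same value may later be used in a context that is not HTML.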

Archived

This topic is now archived and is closed to further replies.
