mac007 Posted October 2, 2009 Share Posted October 2, 2009 Hi, all: need some help clarifying couple things about sanitizing... As you can see in the code below, I am using FILTER_INPUT() function to sanitize the url variables being sent, since these are being used to make SELECT data based on what variables are being called... but when I add a single-quote to the string to test it like this: page.php?category=' Then I get an error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 I also get similar errors if I type url like: page.php?category=1' But it doesnt givbe me any errors if I do any other of the special-characters like <, >, ", &, or stuff of that sort. It's funny, cause if I have url like this: page.php?category=18&type=' I dont get any errors! Appreciate the help... Thanks // THESE ARE VARIABLES $colname1_worksRS = filter_input(INPUT_GET, 'category', FILTER_SANITIZE_SPECIAL_CHARS); $colname2_worksRS = filter_input(INPUT_GET, 'type', FILTER_SANITIZE_SPECIAL_CHARS); $colname3_worksRS = filter_input(INPUT_GET, 'filter', FILTER_SANITIZE_SPECIAL_CHARS); // THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES $query_worksRS = "SELECT * FROM works WHERE 1"; if (!empty($_GET['category'])) { $query_worksRS .= " AND Type = '$colname1_worksRS'"; } if (!empty($_GET['type'])) { $query_worksRS .= " AND Subject = '$colname2_worksRS'"; } if ((!empty($_GET['filter'])) && $_GET['filter'] == 'Price') { $query_worksRS .= " ORDER BY Price DESC"; } elseif ($_GET['filter'] == 'Size') { $query_worksRS .= " ORDER BY Size DESC"; }else { $query_worksRS .= " ORDER BY ProductID DESC"; } [code] Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted October 2, 2009 Share Posted October 2, 2009 Because FILTER_SANITIZE_SPECIAL_CHARS is only to protect HTML, not mysql - HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters. single and double quotes have ASCII values greater than 32, so FILTER_SANITIZE_SPECIAL_CHARS does nothing for them. You should only use mysql_real_escape_string() to escape string data put into a mysql query, that is what it is for. Quote Link to comment Share on other sites More sharing options...
RussellReal Posted October 2, 2009 Share Posted October 2, 2009 for the category field though you can just type-cast it $category = (int) $_GET['category']; Quote Link to comment Share on other sites More sharing options...
mac007 Posted October 2, 2009 Author Share Posted October 2, 2009 Thanks PFM; but I did try that too... instead of the filter_input() functio, but it still did the same thing... Maybe I'm not setting it up correctly?? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted October 2, 2009 Share Posted October 2, 2009 It would take seeing your actual code to help with what is wrong with it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.