Johns3n, posted April 8, 2010

Hi PHPfreaks,

I am having some trouble with a form not escaping dangerous chars like " '. It did it once, but for some strange reason it no longer does it, and I am afraid that I have stared myself blind on the problem. So I am hoping that some of you might like to view my code and maybe see where I am going wrong? It would really be appreciated.

PHP file with form:

```php
echo "<div class='comment_form'>
<h3>New Comment</h3>
<form enctype='multipart/form-data' action='insertcomment.php?itemid=".$itemid."' method='post'>
<p class='form_name'>Name:</p>
<p><input type='text' class='name_field' name='comment_name' /></p>
<p class='form_code'>Security Code:</p>
<p><img src='captcha.php' alt='Captcha Image' class='captcha'/><input name='anti_spam_code' class='small_name_field' /></p>
<div class='form_content'>
<p class='form_content'>Comment:</p>
<p><textarea class='content_field' name='comment_content' rows='1' cols='1'></textarea></p>
</div>
<p>
<input type='submit' class='form_submit' value='Post Comment' />
</p>
</form>
</div>\n";
```

Insertcomment.php:

```php
<?php
include("config.php");

// Get the itemid of the post
$itemid = mysql_real_escape_string($_GET['itemid']);

@session_start(); // start session if not started yet

if ($_SESSION['AntiSpamImage'] != $_REQUEST['anti_spam_code']) {
    // set antispam string to something random, in order to avoid reusing it once again
    $_SESSION['AntiSpamImage'] = rand(1,9999999);

    // here you add code to let user know incorrect code entered
    echo "<script type='text/javascript'>document.location.href='singlepost.php?itemid=".$itemid."&captcha=false'</script>";
    die();
} else {
    // set antispam string to something random, in order to avoid reusing it once again
    $_SESSION['AntiSpamImage'] = rand(1,9999999);

    // everything is fine, proceed with processing comment

    // This gets all the other information from the form
    $name = mysql_real_escape_string($_POST['comment_name']);
    $content = mysql_real_escape_string($_POST['comment_content']);

    $comment = "INSERT INTO ". $db_prefix ."comments (post_id, comment_name, comment_content, comment_date) VALUES ('" . $itemid . "','$name','$content',CURDATE())";

    // Execute the query that inserts the comment
    mysql_query($comment, $con);

    // Redirect back to the post to report that the comment was saved successfully
    echo "<script type='text/javascript'>document.location.href='singlepost.php?itemid=".$itemid."&captcha=true'</script>";
    die();
}
?>
```

It's these two that aren't being escaped: $name, $content

In advance.. thank you.

If you want to give it a go, you can find a test install at http://lork.johns3n.net. The files posted above are the comment system!

Link to comment: https://forums.phpfreaks.com/topic/197972-formdata-isnt-being-escaped/

oni-kun, posted April 8, 2010

mysql_real_escape_string can only function if there is an open connection to a database, although it seems you are using it properly. Why not var_dump $name and $content right after they are escaped to see what is wrong?

Johns3n (Author), posted April 8, 2010

> mysql_real_escape_string can only function if there is an open connection to a database, although it seems you are using it properly. Why not var_dump $name and $content right after they are escaped to see what is wrong?

Yes, there is an open connection to the database. It's defined in an external config.php file and closed in the footer.php file after the above code is parsed, so I'm 100% sure that isn't the problem.

In regards to your var_dump.. I'm not really sure what that command does, so I will try and have a look at it and see if it gets me anywhere.

oni-kun, posted April 8, 2010

var_dump will list information about a given variable, be it an object or string, and it can be used for debugging purposes on the apparently unescaped string.

```php
$name = mysql_real_escape_string($_POST['comment_name']);
$content = mysql_real_escape_string($_POST['comment_content']);
print '<pre>';
print var_dump($name);
print var_dump($content);
```

What does this return?

Johns3n (Author), posted April 8, 2010

> var_dump will list information about a given variable, be it an object or string, and it can be used for debugging purposes on the apparently unescaped string.
>
> $name = mysql_real_escape_string($_POST['comment_name']);
> $content = mysql_real_escape_string($_POST['comment_content']);
> print '<pre>';
> print var_dump($name);
> print var_dump($content);
>
> What does this return?

Thank you so much for that good piece of code. Never known about it ^^

But it returns the following:

```
string(3) "Lol"
string(13) "testing \" \'"
```

So it is really escaping it, but when I look at what has been inserted into the DB on previous occasions, it's not escaped... :-/

Database dump:

```
id: 1
post_id: 1
comment_name: Testing
comment_content: test " '
comment_date: 2010-04-08
```

oni-kun, posted April 8, 2010

Within the database it should not matter if there is a quote or not. SQL does not see the quotes as anything special, only PHP when parsing a string. There should be no problem as long as you are escaping each string before entry.

Johns3n (Author), posted April 8, 2010

> Within the database it should not matter if there is a quote or not. SQL does not see the quotes as anything special, only PHP when parsing a string. There should be no problem as long as you are escaping each string before entry.

The variable sent to the DB is escaped, because we saw that in the var dump, yes? So that means SQL injection can't be done using " ' chars, yes?

But if everything was done right, shouldn't there, for all intents and purposes, be an escape slash in the DB content as well?

I'm writing this small CMS for a school project, so I really want to make sure it's safe from SQL injection using " ' as I stated in my term paper.

oni-kun, posted April 8, 2010

A quotation means nothing, again. If you were to escape the data twice (such as what magic_quotes_gpc might do in certain scenarios) you'd need to apply stripslashes on the output. There is no need to handle it further.
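
Added example, not part of the original thread or any poster's code: it shows why the stored row holds no backslashes after a single escape, and why escaping twice (the magic_quotes_gpc case mentioned above) does leave them in the data. Assumptions: PHP with the pdo_sqlite extension, an in-memory SQLite database standing in for the thread's MySQL server (SQLite escapes a quote by doubling it rather than with a backslash, but the escape is consumed by the SQL parser in the same way), and a constructed table and sample input.

```php
<?php
// Added example. Assumptions: pdo_sqlite is available; SQLite in memory stands in
// for MySQL; the table and the sample input are constructed for this demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, comment_content TEXT)');

$input = 'test " \'';   // same characters as the thread's test comment

// 1. Escape once, then build the statement by concatenation (the thread's pattern).
//    PDO::quote() escapes the value for this driver and wraps it in quotes.
$literal = $pdo->quote($input);
$pdo->exec("INSERT INTO comments (comment_content) VALUES ($literal)");

// 2. Escape twice: addslashes() simulates what magic_quotes_gpc did to request
//    data before the script's own escaping ran.
$twice = $pdo->quote(addslashes($input));
$pdo->exec("INSERT INTO comments (comment_content) VALUES ($twice)");

// 3. Prepared statement: the value is sent separately from the SQL text,
//    so no escaping step exists to forget or to apply twice.
$stmt = $pdo->prepare('INSERT INTO comments (comment_content) VALUES (?)');
$stmt->execute([$input]);

$rows = $pdo->query('SELECT comment_content FROM comments ORDER BY id')
            ->fetchAll(PDO::FETCH_COLUMN);

printf("literal sent in SQL  : %s\n", $literal);
printf("stored, escaped once : %s\n", $rows[0]);
printf("stored, escaped twice: %s\n", $rows[1]);
printf("stored, prepared     : %s\n", $rows[2]);

// The once-escaped and prepared rows equal the raw input. Only the twice-escaped
// row carries backslashes and needs stripslashes() to recover the original text.
var_dump(
    $rows[0] === $input,
    $rows[2] === $input,
    stripslashes($rows[1]) === $input
);
```

A database dump that shows the raw quote characters, as in the thread, is therefore the expected result of correct single escaping. Stored data is not HTML-safe for that reason and still needs output encoding such as htmlspecialchars() when it is rendered.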

Johns3n (Author), posted April 8, 2010

> A quotation means nothing, again. If you were to escape the data twice (such as what magic_quotes_gpc might do in certain scenarios) you'd need to apply stripslashes on the output. There is no need to handle it further.

Thanks for your help. This is now solved ^^