dwperry1 (author), posted March 8, 2012:

I am not willing to risk code injection by eliminating GetSQLValueString() code. Your code will not work with this code in place. It causes errors for every field on the form and I don't know how to use both without causing errors. I need to find another viable solution.
marcus, posted March 8, 2012:

You could just use mysql_real_escape_string on the output. GetSQLValueString isn't a function I'm familiar with since it's not native to PHP.
dwperry1 (author), posted March 8, 2012:

See the SQL injection problem to understand why this function exists: http://en.wikipedia.org/wiki/SQL_injection
marcus, posted March 8, 2012:

It exists in your code, not mine, so I don't know how yours works. Go ahead and test my function with any SQL injection; it will always return the empty string (or a float value if it begins with an integer).
dwperry1 (author), posted March 8, 2012:

I thought this forum was here to help people. I know what's in my code and how to protect it. I am not a hacker, so I would not know how to test your code against code injection and in my opinion, this is not important and is not the issue. You seem intent on defending your code, but it doesn't solve my problem, it creates more problems for me to clean up. If you don't have any other ideas on how to help me solve my problem, then please let someone else try.
marcus, posted March 8, 2012:

How am I supposed to help you when I don't know how your GetSQLValueString function works? Or even where it's implemented in your code. You are posting ZERO information on how we can help you. Provide usable code; give us something other than "meh it doesn't work."
Pikachu2000, posted March 8, 2012:

> I thought this forum was here to help people. I know what's in my code and how to protect it. I am not a hacker, so I would not know how to test your code against code injection and in my opinion, this is not important and is not the issue. You seem intent on defending your code, but it doesn't solve my problem, it creates more problems for me to clean up. If you don't have any other ideas on how to help me solve my problem, then please let someone else try.

Yes, this forum is here to help people, and your problem has been solved. You just don't have enough knowledge of the subject matter to see or understand that. You don't know what SQL injection is, or how it works, yet you somehow think you know how to "protect" your code, and you refuse to listen.
dwperry1 (author), posted March 8, 2012:

OK, I will show you how my code works and you can maybe then help me with my problem:

```php
<?php require_once('Connections/mysqli_connect.php'); ?>
<?php
// establish connection, then other stuff not related to this issue

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

function Money($float)
{
  return sprintf("%01.2f", $float);
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "smartform")) {
  // Note: in the Money(...) calls below the "text" argument sits inside the Money()
  // parentheses, so it is passed to Money() rather than to GetSQLValueString().
  $insertSQL = sprintf("INSERT INTO daily_sales (record_date, new_date, weekday, currency_am, currency_pm, currency_total, coin_am, coin_pm, coin_total, check_am, check_pm, check_total, cc_am, cc_pm, cc_total, cpo_am_total, cpo_pm_total, cpo_total, gross_sales_am, gross_sales_pm, gross_sales_total, wost_am, wost_pm, wost_total, tst_am, tst_pm, tst_total, cpo_am_1, cpo_pm_1, cpo_shift_total_1, cpo_am_2, cpo_pm_2, cpo_shift_total_2, cpo_am_3, cpo_pm_3, cpo_shift_total_3, gross_sales_am2, gross_sales_pm2, gross_sales_total2, ticket_am, ticket_pm, ticket_total, over_short_am, over_short_pm, over_short_total, cpo_am_item_1, cpo_am_item_2, cpo_am_item_3, server1_name, server2_name, server3_name, server4_name, server5_name, serv1_cc_am, serv1_cc_pm, serv1_cc_total, serv2_cc_am, serv2_cc_pm, serv2_cc_total, serv3_cc_am, serv3_cc_pm, serv3_cc_total, serv4_cc_am, serv4_cc_pm, serv4_cc_total, serv5_cc_am, serv5_cc_pm, serv5_cc_total, serv_cc_am_total, serv_cc_pm_total, serv_cc_total, mtd_sales, ytd_sales, mtd_tax, ytd_tax, serv_cc_total2, mtd_cc, gca_am, gca_pm, gca_total, adstm, save_date) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
    GetSQLValueString($_POST['record_date'], "text"),
    GetSQLValueString($_POST['new_date'], "text"),
    GetSQLValueString($_POST['weekday'], "text"),
    GetSQLValueString(Money($_POST['currency_am'], "text")),
    GetSQLValueString(Money($_POST['currency_pm'], "text")),
    GetSQLValueString(Money($_POST['currency_total'], "text")),
    GetSQLValueString(Money($_POST['coin_am'], "text")),
    GetSQLValueString(Money($_POST['coin_pm'], "text")),
    GetSQLValueString(Money($_POST['coin_total'], "text")),
    GetSQLValueString(Money($_POST['check_am'], "text")),
    GetSQLValueString(Money($_POST['check_pm'], "text")),
    GetSQLValueString(Money($_POST['check_total'], "text")),
    GetSQLValueString(Money($_POST['cc_am'], "text")),
    GetSQLValueString(Money($_POST['cc_pm'], "text")),
    GetSQLValueString(Money($_POST['cc_total'], "text")),
    GetSQLValueString(Money($_POST['cpo_am_total'], "text")),
    GetSQLValueString(Money($_POST['cpo_pm_total'], "text")),
    GetSQLValueString(Money($_POST['cpo_total'], "text")),
    GetSQLValueString(Money($_POST['gross_sales_am'], "text")),
    GetSQLValueString(Money($_POST['gross_sales_pm'], "text")),
    GetSQLValueString(Money($_POST['gross_sales_total'], "text")),
    GetSQLValueString(Money($_POST['wost_am'], "text")),
    GetSQLValueString(Money($_POST['wost_pm'], "text")),
    GetSQLValueString(Money($_POST['wost_total'], "text")),
    GetSQLValueString(Money($_POST['tst_am'], "text")),
    GetSQLValueString(Money($_POST['tst_pm'], "text")),
    GetSQLValueString(Money($_POST['tst_total'], "text")),
    GetSQLValueString(Money($_POST['cpo_am_1'], "text")),
    GetSQLValueString(Money($_POST['cpo_pm_1'], "text")),
    GetSQLValueString(Money($_POST['cpo_shift_total_1'], "text")),
    GetSQLValueString(Money($_POST['cpo_am_2'], "text")),
    GetSQLValueString(Money($_POST['cpo_pm_2'], "text")),
    GetSQLValueString(Money($_POST['cpo_shift_total_2'], "text")),
    GetSQLValueString(Money($_POST['cpo_am_3'], "text")),
    GetSQLValueString(Money($_POST['cpo_pm_3'], "text")),
    GetSQLValueString(Money($_POST['cpo_shift_total_3'], "text")),
    GetSQLValueString(Money($_POST['gross_sales_am2'], "text")),
    GetSQLValueString(Money($_POST['gross_sales_pm2'], "text")),
    GetSQLValueString(Money($_POST['gross_sales_total2'], "text")),
    GetSQLValueString(Money($_POST['ticket_am'], "text")),
    GetSQLValueString(Money($_POST['ticket_pm'], "text")),
    GetSQLValueString(Money($_POST['ticket_total'], "text")),
    GetSQLValueString(Money($_POST['over_short_am'], "text")),
    GetSQLValueString(Money($_POST['over_short_pm'], "text")),
    GetSQLValueString(Money($_POST['over_short_total'], "text")),
    GetSQLValueString($_POST['cpo_am_item_1'], "text"),
    GetSQLValueString($_POST['cpo_am_item_2'], "text"),
    GetSQLValueString($_POST['cpo_am_item_3'], "text"),
    GetSQLValueString($_POST['server1_name'], "text"),
    GetSQLValueString($_POST['server2_name'], "text"),
    GetSQLValueString($_POST['server3_name'], "text"),
    GetSQLValueString($_POST['server4_name'], "text"),
    GetSQLValueString($_POST['server5_name'], "text"),
    GetSQLValueString($_POST['serv1_cc_am'], "text"),
    GetSQLValueString($_POST['serv1_cc_pm'], "text"),
    GetSQLValueString($_POST['serv1_cc_total'], "text"),
    GetSQLValueString($_POST['serv2_cc_am'], "text"),
    GetSQLValueString($_POST['serv2_cc_pm'], "text"),
    GetSQLValueString($_POST['serv2_cc_total'], "text"),
    GetSQLValueString($_POST['serv3_cc_am'], "text"),
    GetSQLValueString($_POST['serv3_cc_pm'], "text"),
    GetSQLValueString($_POST['serv3_cc_total'], "text"),
    GetSQLValueString($_POST['serv4_cc_am'], "text"),
    GetSQLValueString($_POST['serv4_cc_pm'], "text"),
    GetSQLValueString($_POST['serv4_cc_total'], "text"),
    GetSQLValueString($_POST['serv5_cc_am'], "text"),
    GetSQLValueString($_POST['serv5_cc_pm'], "text"),
    GetSQLValueString($_POST['serv5_cc_total'], "text"),
    GetSQLValueString($_POST['serv_cc_am_total'], "text"),
    GetSQLValueString($_POST['serv_cc_pm_total'], "text"),
    GetSQLValueString($_POST['serv_cc_total'], "text"),
    GetSQLValueString(Money($_POST['mtd_sales'], "text")),
    GetSQLValueString(Money($_POST['ytd_sales'], "text")),
    GetSQLValueString(Money($_POST['mtd_tax'], "text")),
    GetSQLValueString(Money($_POST['ytd_tax'], "text")),
    GetSQLValueString($_POST['serv_cc_total2'], "text"),
    GetSQLValueString($_POST['mtd_cc'], "text"),
    GetSQLValueString(Money($_POST['gca_am'], "text")),
    GetSQLValueString(Money($_POST['gca_pm'], "text")),
    GetSQLValueString(Money($_POST['gca_total'], "text")),
    GetSQLValueString(Money($_POST['adstm'], "text")),
    GetSQLValueString(date("Y-m-d H:i:s", time()), "text")
  );

  mysql_select_db("restaurant_db", $conn) or die(mysql_error());
  $Result1 = mysql_query($insertSQL, $conn) or die(mysql_error());
}

// Other stuff not related to this issue: DatePicker link, CSS stuff, Javascript stuff
?>
<body ...>
<form method="POST" autocomplete="on" NAME="smartform" action="<?php echo $editFormAction; ?>" onSubmit="clickedButton">
<table ...>
  <tr>
    <td height="26" align="center">
      <input onBlur="mark(this,'#ffffff','#000000'); this.value=this.value.replace(/,/g,''); this.value=formatCurrency(this.value);"
             type="text" style="text-align: right" name="currency_am" value="" size="11" id="currency_am" class="fields3"
             onChange="calcincome(this.form,'currency_am','Currency for Day Shift'); formatCurrency(currency_am);"
             onFocus="nextfield='coin_am'; mark(this,'#c7dcf9','#688bac')" />
    </td>
  </tr>
  <tr>
    <td height="26" align="center">
      <input onBlur="mark(this,'#ffffff','#000000'); this.value=this.value.replace(/,/g,''); this.value=formatCurrency(this.value);"
             type="text" style="text-align: right" name="coin_am" value="" size="11" id="coin_am" class="fields3"
             onChange="calcincome(this.form,'coin_am','Coin for Day Shift');"
             onFocus="nextfield='check_am'; mark(this,'#c7dcf9','#688bac')" />
    </td>
  </tr>
</table>
<input name="new_date" type="hidden" value="<?php echo $row_rsRecordData['new_date']; ?>">
<input TYPE="submit" name="submit" value="Submit" onClick="clickedButton=true">
<p> </p>
<input type="hidden" name="MM_insert" value="smartform">
</form>
```
dwperry1 (author), posted March 9, 2012:

smerny, thanks so much for the code. After slightly altering your code below:

```php
function Money($float)
{
  if ($float == 0) {
    return ""; // if the value is "0" then print nothing ""
  } else {
    return sprintf("%01.2f", $float);
  }
}
```

and also altering the brackets in my code for the GetSQLValueString below:

```php
GetSQLValueString(Money($_POST['currency_am']), "text"),
```

the input to the database now formats for two digits after the decimal point when there is a value and shows nothing in the field if there is no value when the default is NULL for the field in the database. For those of us who care if our code is protected by using the GetSQLValueString function, this is a valuable solution to a common problem.

Thanks again,
Doug
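The following is an added example, not code from this thread. It puts together the two points raised above: smerny's Money() fix (an empty or zero field becomes SQL NULL, with the formatting done before quoting) and marcus's earlier point that the escaping belongs on the output rather than on a hand-rolled helper, here taken one step further to a mysqli prepared statement, which the poster's `Connections/mysqli_connect.php` suggests is already available. The table name, the four columns and the connection details are assumptions (a subset of the thread's columns, placeholder credentials); GetSQLValueString is reduced to its "text" branch. Money() checks for the empty string explicitly, because PHP 8 no longer evaluates `"" == 0` as true, so the thread's version would format a blank field as 0.00 there.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection and a
// daily_sales table with the columns record_date, currency_am, coin_am and
// server1_name (a subset of the thread's columns, chosen for brevity).

// Smerny's idea with a strict test: PHP 8 no longer treats "" == 0 as true, so
// check for the empty string explicitly before comparing as a number.
// Non-numeric input also ends up empty, so it becomes NULL rather than 0.00.
function Money($value)
{
    if ($value === null || trim((string) $value) === "" || (float) $value == 0.0) {
        return "";                       // empty -> lets the column default (NULL) apply
    }
    return sprintf("%01.2f", (float) $value);
}

// Legacy quoting helper, reduced to the "text" branch so the effect of the
// Money() -> GetSQLValueString() order is visible. It relies on addslashes(),
// which knows nothing about the connection charset; the prepared statement
// below avoids string quoting entirely.
function GetSQLValueString($theValue, $theType)
{
    $theValue = addslashes($theValue);
    if ($theType === "text") {
        return ($theValue != "") ? "'" . $theValue . "'" : "NULL";
    }
    return $theValue;
}

// What the legacy sprintf() path produces for a given form submission.
function buildLegacyInsert(array $post)
{
    return sprintf(
        "INSERT INTO daily_sales (record_date, currency_am, coin_am, server1_name) VALUES (%s, %s, %s, %s)",
        GetSQLValueString($post['record_date'], "text"),
        GetSQLValueString(Money($post['currency_am']), "text"),  // Money() first, then quote
        GetSQLValueString(Money($post['coin_am']), "text"),
        GetSQLValueString($post['server1_name'], "text")
    );
}

// Same insert with a prepared statement: values travel as parameters, so an
// apostrophe in server1_name or a stray character in a money field cannot
// change the SQL text.
function insertDailySales(mysqli $db, array $post)
{
    $stmt = $db->prepare(
        "INSERT INTO daily_sales (record_date, currency_am, coin_am, server1_name) VALUES (?, ?, ?, ?)"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    // mysqli sends a PHP null as SQL NULL whatever the type letter, so map "" -> null.
    $currency = Money($post['currency_am']);
    $coin     = Money($post['coin_am']);
    $currency = ($currency === "") ? null : $currency;
    $coin     = ($coin === "") ? null : $coin;
    $record   = $post['record_date'];
    $server   = $post['server1_name'];
    $stmt->bind_param("ssss", $record, $currency, $coin, $server);
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }
    return $stmt->affected_rows;
}

// Constructed form submission: one money field filled, one left blank,
// and a server name containing an apostrophe.
$samplePost = [
    'record_date'  => '2012-03-09',
    'currency_am'  => '1234.5',
    'coin_am'      => '',
    'server1_name' => "O'Brien",
];

echo buildLegacyInsert($samplePost), "\n";

// Run with a real connection (placeholder credentials):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'restaurant_db');
// echo insertDailySales($db, $samplePost), " row(s) inserted\n";
```

Binding the money values as strings is deliberate: MySQL converts `'1234.50'` to a DECIMAL column without loss, whereas binding with `d` would hand over a PHP float and reintroduce the rounding the sprintf() call was meant to remove.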
smerny, posted March 9, 2012:

Not sure what your getSQLValueString consists of, but it isn't necessary in this case.
dwperry1 (author), posted March 9, 2012:

Thanks again! I agree that it isn't necessary in this case, but I still need it to work with the rest of my code which incorporates the getSQLValueString function. You helped me do that and I appreciate it.
marcus, posted March 9, 2012:

A more valuable solution instead of using getsqlvaluestring is type casting.

```php
$a = "57878.044cats";
var_dump((int)$a, (string)$a, (double)$a, (float)$a, (bool)$a);
```

```
int(57878)
string(13) "57878.044cats"
float(57878.044)
float(57878.044)
bool(true)
```
dwperry1 (author), posted March 9, 2012:

Yes, but this would cause the db to drop the digits after the decimal point which defeats my purpose. Since I am not comparing anything, I fail to see the value for my project.