
Hello PHP Freaks,

 

I've been trying to run this command from my website, but it always returns an error, although it works in phpMyAdmin and in Terminal. So there must be something wrong with my code, I think. This is the command:

 

INSERT INTO test VALUES ("hello");

 

My HTML and PHP documents are attached.

 

Can anyone see what is wrong?

 

Thanks

testQueryRunner.html

run_query.php

https://forums.phpfreaks.com/topic/274989-insert-mysql-command-returns-error/

No, I don't.

 

The interesting fact, however, is that this command does work from Terminal and phpMyAdmin. Perhaps I'm missing something, but doesn't that mean that there is nothing wrong with the way I've set up the database, but rather with the code?

 

Thanks for your help.

I checked out the database_connection.php, and the input is still up-to-date. That the SELECT command works makes me think that this is not the issue.

 

The error that is returned when I give the INSERT command is:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"hello\")' at line 1

 

I don't know what to make of it, since this error doesn't appear at other times...

Unfortunately it does not.

 

Would somebody mind going to my website (http://3j-network.com/testQueryRunner.html) and putting in the command

INSERT INTO test VALUES ("hello");

and seeing what happens? Perhaps someone can find a solution that way...

Oh, IC. I understand.

 

Does this issue sound familiar at all? That the command works from phpMyAdmin and Terminal but not from the website?

 

Here is my code that I attached earlier.

 

HTML:

 

<!DOCTYPE html>
<html>
    <head>
        <title>English Assessment Test - 3J-Network</title>
    </head>


    <body><table align="center"><tr><td width="610">
        <table><tr>
            <td>
                <p><form action="scripts/run_query.php" method="POST">
                    <fieldset>
                        <textarea id="query_text" name="query"
                        cols="65" rows="8"></textarea>
                    </fieldset>
                    <br />
                    <fieldset class="center">
                        <input type="submit" value="Run Query">
                        <input type="reset" value="Clear and Restart" />
                    </fieldset>
                </form></p>
            </td>
        </tr></table>
    </td></tr></table></body>
</html>

 

 

PHP:

 

<?php

require '/homepages/9/d445176724/htdocs/firhavenacademy/scripts/app_config.php';
require '/homepages/9/d445176724/htdocs/firhavenacademy/scripts/database_connection.php';

$query = $_REQUEST['query'];
$result = mysql_query($query);

if (!$result) {
    die("<p>Error: " . mysql_error() . "</p>");
} else {
    mysql_query($query);
    echo "<ul>";
    while ($row = mysql_fetch_row($result)) {
      echo "<li>{$row[0]}</li>";
    }
    echo "</ul>";
}

?>

 

Thanks for your help so far.

You most likely have magic_quotes_gpc enabled, which is escaping the double quotes and throwing the query off.

That being said, your script is WIDE open to SQL injection, as you are not sanitizing the user input whatsoever, not to mention the gaping security holes that allowing a user complete control of your database causes.

I cannot think of a scenario where I would give a user complete control of my database. What is your logic here? We will help you to implement it correctly.

I'd block all attempts at someone trying to enter DELETE or UPDATE for example. I wouldn't let anyone run a query at all though.

 

Regards,

 

L2c.

 

Yeah. DROP is OK.

 

Only allow if starts with "SELECT" if you must allow such input. You could restrict the privileges with the login.
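
As an added example (not code from the thread): the first function reproduces the escaping that magic_quotes_gpc applied, which yields the `\"hello\"` seen in the error message, and the rest replaces the free-form query box with a fixed, parameterized INSERT. The column name `word`, the function names and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example, not the poster's code. Assumptions: the column name `word`,
// the function names, and an in-memory SQLite database standing in for MySQL.

// magic_quotes_gpc (removed in PHP 5.4) applied addslashes()-style escaping
// to every request value before the script saw it.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Fixed statement: the visitor supplies only a value, bound as a parameter,
// so quotes in the input are data and never SQL syntax.
function insert_word(PDO $db, string $word): int
{
    $stmt = $db->prepare('INSERT INTO test (word) VALUES (:word)');
    $stmt->execute([':word' => $word]);
    return $stmt->rowCount();
}

// Read back the stored values with a fixed SELECT.
function list_words(PDO $db): array
{
    return $db->query('SELECT word FROM test')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: the statement from the thread as typed into the form.
$typed = 'INSERT INTO test VALUES ("hello");';
echo simulate_magic_quotes($typed), PHP_EOL;

// With MySQL, connect as an account granted only INSERT and SELECT on `test`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (word TEXT)');

// Constructed inputs, including the quote characters that broke the query.
foreach (['hello', 'say "hello"', "O'Reilly"] as $word) {
    insert_word($db, $word);
}

echo '<ul>';
foreach (list_words($db) as $word) {
    // Escape on output as well, since stored values are untrusted.
    echo '<li>', htmlspecialchars($word, ENT_QUOTES, 'UTF-8'), '</li>';
}
echo '</ul>', PHP_EOL;
```

The first line printed contains the backslash-escaped quotes that MySQL rejected; the list that follows shows the same quote characters stored and displayed intact once they travel as bound parameters.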
