Hangwire Posted August 21, 2013 Share Posted August 21, 2013 Hello everybody,An year ago while learning php I made a basic function to insert rows in a database and then a function to read from that database.Tl;dr I made a barcode reader. You enter the first three or two digits from the barcode of a product and you get what country it's produced in.A month ago I tried it out just by accident because some of my friends were wondering about where a product was made and my tool came to mind.When I enter 380 (Code for Bulgaria), Bulgaria pops up along with a line under it that says Jesus.When I enter 401 (One of the codes for Germany), Germany comes up along with three names - Leah, Nathaniel and Robert.403 is another code for Germany. When I enter that, along with Germany comes up Destiny.I honestly have no explanation for this except that it's maybe some kind of SQL insert hack and someone tried to be funny.You can all test this out here: http://training.nbrain.net/searchform.html Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/281439-weird-ghost-mysql-db-entries/ Share on other sites More sharing options...
kicken Posted August 21, 2013 Share Posted August 21, 2013 There's not much we can tell you without seeing the PHP code and the contents of the database. You seem to have multiple entries in your database matching the given code. Yes, maybe someone injected them somehow. Maybe you added them at some point and just forgot. Quote Link to comment https://forums.phpfreaks.com/topic/281439-weird-ghost-mysql-db-entries/#findComment-1446168 Share on other sites More sharing options...
Hangwire Posted August 21, 2013 Author Share Posted August 21, 2013 (edited) Thank you for your reply!Nah, I'm absolutely sure I didn't add them.This is the code of every php script in the whole project:Add-To-Database script: <?php $cocode = $_POST['cocode']; $coname = $_POST['coname']; mysql_connect ("pdb1.myhostingcompany.com", "countries", "*********") or die ('Error: '. mysql_error()); mysql_select_db ("countries") $query="INSERT INTO countries (cocode, coname) VALUES ('".$cocode."', '".$coname."')"; mysql_query($query) or die ('Error updating database'); echo " <html> <body> <center> Success! Country added. </center> </body> </html> " ; ?> Search-In-Database script: <?php mysql_connect ("pdb1.myhostingcompany.com", "countries","**********") or die (mysql_error()); mysql_select_db ("countries"); $term = $_POST['term']; $sql = mysql_query("select * FROM countries WHERE cocode = '$term'"); $num_rows = mysql_num_rows($sql); if ($num_rows == 0) { echo "No results found."; exit; } while ($row = mysql_fetch_array($sql)){ echo '<br/> Code: '.$row['cocode']; echo '<br/> Country: '.$row['coname']; echo '<br/><br/>'; } ?> I've searched the entire database for those names and couldn't find a thing. I've examined the entries for numbers 380, 401 and 403, everything looks normal. I can extract the database into an .sql, but I think that's a bit redundant. If anyone wants it, I can send it to them.Thank you for your time. Edited August 21, 2013 by Hangwire Quote Link to comment https://forums.phpfreaks.com/topic/281439-weird-ghost-mysql-db-entries/#findComment-1446172 Share on other sites More sharing options...
mikosiko Posted August 21, 2013 Share Posted August 21, 2013 using the $_POST[] values directly in your SQL's without sanitize them first let you totally open for SQL injections... sanitize them using the mysql_real_escape_string() should help http://php.net/manual/en/function.mysql-real-escape-string.php but as you will see in the linked manual mysql_ API is already deprecated, therefore the recommendation is to use the mysqli_ API or better PDO and prepared sql sentences. In addition to that, as Kicken posted, you have multiple rows with the same "cocode" meaning that you don't have an UNIQUE constraint on it or it is non defined as Primary Key, hence the multiples values Quote Link to comment https://forums.phpfreaks.com/topic/281439-weird-ghost-mysql-db-entries/#findComment-1446179 Share on other sites More sharing options...
mac_gyver Posted August 21, 2013 Share Posted August 21, 2013 it also looks like you have a few hundred empty entries, possibly from a search engine indexing your site. your form processing code isn't even checking if a form was submitted, nor validating that there is non-empty data, before inserting it into your database. Quote Link to comment https://forums.phpfreaks.com/topic/281439-weird-ghost-mysql-db-entries/#findComment-1446184 Share on other sites More sharing options...
Hangwire Posted August 21, 2013 Author Share Posted August 21, 2013 (edited) Thank you all for your replies. Your feedback has been very helpful, and I'm going to re-do the entire project. Edited August 21, 2013 by Hangwire Quote Link to comment https://forums.phpfreaks.com/topic/281439-weird-ghost-mysql-db-entries/#findComment-1446190 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.