clanstyles Posted July 1, 2007

Okay, earlier I asked about how to prevent SQL injection. So around everything I put cleanStr():

$viewPage = cleanStr($_GET['view']);
$result = mysql_query("SELECT * FROM `place` WHERE `something` = true AND `id` = $viewPage");

The query works fine. The problem comes with a URL variable being passed: id=1. If I put id=1' or something I get:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in

How can I stop this?

function cleanStr($str) {
    $str = trim(mysql_real_escape_string(strip_tags($str)));
    return $str;
}

Source: https://forums.phpfreaks.com/topic/57917-sql-injection-possiblity-help/
pocobueno1388 Posted July 1, 2007

That means there is something wrong with the query. Try to catch the error.

<?php
$result = mysql_query("SELECT * FROM `place` WHERE `something` = true AND `id` = $viewPage") or die(mysql_error());
?>

EDIT: Oops, I should have read the question more carefully. Why are you putting an apostrophe in the id in the first place?
pocobueno1388 Posted July 1, 2007

Apostrophes in the URL are automatically escaped, so I don't think there is even a need to use the function on the $_GET variable.
clanstyles (Author) Posted July 1, 2007

Well, it works 100% perfect, but the second you put that ' in there it totally messes up.
pocobueno1388 Posted July 1, 2007

Yeah, you can't have a non-escaped apostrophe anywhere in a query. Did you try not using the function on the variable? Just change this:

$viewPage = cleanStr($_GET['view']);

To:

$viewPage = $_GET['view'];
clanstyles (Author) Posted July 1, 2007

Nope.
clanstyles (Author) Posted July 1, 2007

Well, I'll be happy to know it's not an injection problem. It's with my query:

if(isset($_GET['view'])) {
    $viewPage = $_POST['view'];
    $result = mysql_query("SELECT * FROM `houses` WHERE `enabled`=1 AND `id`=$viewPage");
    if(mysql_num_rows(cleanStr($result)) < 1)
        echo "There is no site listed. Please contact a system administrator.";
    else
clanstyles (Author) Posted July 1, 2007

Fixed it, I just removed the cleanStr. Problem now is that

"SELECT * FROM `houses` WHERE `enabled`='1' AND `id`='$viewPage'"

returns 0 rows even if it is in there. I tried setting id manually to one that would work. Nothing.
pocobueno1388 Posted July 1, 2007

Try catching the error like I mentioned above. Also, that is what I told you to do, to remove the cleanStr() function. Change your query to this:

$result = mysql_query("SELECT * FROM `houses` WHERE `enabled`=1 AND `id`=$viewPage") or die(mysql_error());

Also, why are you using cleanStr() on this line?

if(mysql_num_rows(cleanStr($result)) < 1)

Change it to this:

if(mysql_num_rows($result) < 1)
GingerRobot Posted July 1, 2007

> Apostrophes in the URL are automatically escaped, so I don't think there is even a need to use the function on the $_GET variable.

Just wanted to add, this is only if magic_quotes are turned on. Personally, I hate the magic_quotes concept. Don't see why something should happen to data from the user that I don't do to it.
clanstyles (Author) Posted July 1, 2007

The error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
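The thread never gets to the actual defect, so here is an added example (not code from the thread or its posters) that reproduces the two errors seen above and shows a hardened version of the lookup. Two observations from the posted code drive it: the `id` value is spliced into the query without quotes, so escaping quote characters cannot protect it (an escaped apostrophe becomes `\'` in bare SQL and the query fails to parse, which is what makes `mysql_query()` return false and `mysql_num_rows()` complain about an invalid resource); and the later snippet reads `$_POST['view']` inside an `isset($_GET['view'])` check, so `$viewPage` is empty on a normal GET and the query ends in `` `id`= ``, which is exactly the "near '' at line 1" error quoted in the last post. The example uses `mysqli` prepared statements rather than the `mysql_*` functions (which were removed in PHP 7); the connection details, the `dbname` database and the `houses` table layout are assumptions, and `get_result()` assumes the mysqlnd driver.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Assumes a mysqli connection to a
// database containing `houses` (`id` INT, `enabled` TINYINT, ...).

// Make mysqli throw on any error instead of returning false, so a broken
// query surfaces as an exception rather than as a later "invalid resource"
// warning from the next call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validation: the id must be a plain decimal integer >= 1. An apostrophe,
// spaces, letters, or an empty string are rejected before any SQL is built.
function viewId(string $raw): ?int
{
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Reproduces, without a database, what the thread's escape-only cleanStr()
// turns the posted inputs into. addslashes() stands in for
// mysql_real_escape_string() here (the real function also escapes NUL, \n,
// \r and Ctrl-Z, which does not change the outcome for these inputs).
function escapedSqlFor(string $raw): string
{
    $escaped = trim(addslashes(strip_tags($raw)));
    return "SELECT * FROM `houses` WHERE `enabled`=1 AND `id`=" . $escaped;
}
// escapedSqlFor("1")  -> ... `id`=1      parses; this is the "works fine" case
// escapedSqlFor("1'") -> ... `id`=1\'    backslash and unterminated quote in
//                                        bare SQL: the query fails, so the
//                                        first post's mysql_num_rows() warning
// escapedSqlFor("")   -> ... `id`=       nothing after '=': the "syntax ...
//                                        near '' at line 1" error, which is
//                                        what an empty $_POST['view'] produces
// Any value that contains no quote characters is returned by the escaping
// unchanged, so an unquoted integer column is never protected by escaping.
// It needs validation (viewId) and a bound parameter (fetchHouse).

// Hardened lookup: the id is bound as an integer parameter, so it is sent to
// the server as a value and is never part of the SQL text.
function fetchHouse(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT * FROM `houses` WHERE `enabled`=1 AND `id`=?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

// Request handling, mirroring the thread's if/else. Credentials are placeholders.
$db = new mysqli('localhost', 'db_user', 'db_password', 'dbname');
$db->set_charset('utf8mb4');   // keep the connection charset explicit

$id = viewId($_GET['view'] ?? '');
if ($id === null) {
    http_response_code(400);
    echo "Invalid page id.";
    exit;
}

$house = fetchHouse($db, $id);
if ($house === null) {
    echo "There is no site listed. Please contact a system administrator.";
} else {
    // Output is escaped for HTML so the row contents cannot inject markup.
    echo "House " . htmlspecialchars((string) $house['id'], ENT_QUOTES, 'UTF-8') . " found.";
}
```

Two points worth keeping from this: validating the type of an id (here with `FILTER_VALIDATE_INT`) removes the need to reason about what escaping does in an unquoted context at all, and the prepared statement makes the query shape fixed regardless of input, so the "apostrophe breaks everything" symptom cannot occur. The `magic_quotes_gpc` setting mentioned above was removed in PHP 5.4, so code relying on it to escape `$_GET` values gets no protection on any current PHP.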