
SQL injection possibility help


clanstyles


Okay, earlier I asked about how to prevent SQL injection. So around everything I put cleanStr():

 

$viewPage = cleanStr($_GET['view']);

$result = mysql_query("SELECT * FROM `place` WHERE `something` = true AND `id` = $viewPage");

 

The query works fine. The problem comes with a URL variable being passed. id=1 is fine, but if I put id=1' or something, I get

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in

 

How can I stop this?

 

function cleanStr($str)
{
    $str = trim(mysql_real_escape_string(strip_tags($str)));
    return $str;
}

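The security-relevant detail in the code above is not the apostrophe at all: cleanStr() escapes quotes, but `$viewPage` is spliced into an unquoted numeric comparison (`id = $viewPage`), and a payload with no quote in it is untouched by escaping. The following is an added example, not code from the thread; it uses Python and an in-memory SQLite table (standing in for the PHP/MySQL code, and SQLite's quoting rules differ from MySQL's, which does not matter for the inputs used here) with constructed sample rows. `clean_str()` is an assumed stand-in for cleanStr()/mysql_real_escape_string, not MySQL's implementation, and the `1 OR 1=1` payload goes beyond what the thread tried. It shows why `1'` makes the query fail (so mysql_num_rows() gets `false` and warns), why escaping alone lets `1 OR 1=1` return every row including disabled ones, and two fixes: an integer cast and a bound parameter.

```python
import sqlite3

# Constructed sample rows standing in for the thread's `houses` table:
# (id, enabled, name). Row 3 is disabled and should never be shown.
HOUSES = [
    (1, 1, "Listed house"),
    (2, 1, "Another listed house"),
    (3, 0, "Disabled house"),
]

# Characters mysql_real_escape_string() backslash-escapes. Assumption: this
# stand-in is close enough for the demonstration; it is not MySQL's code, and
# it deliberately does nothing to spaces, '=' or the word OR.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def clean_str(value: str) -> str:
    """Mirror of the thread's cleanStr(): escape, then trim (strip_tags omitted)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value).strip()


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE houses (id INTEGER PRIMARY KEY, enabled INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO houses VALUES (?, ?, ?)", HOUSES)
    return conn


def view_escaped(conn: sqlite3.Connection, view_param: str):
    """The pattern from the thread: escape the parameter, then splice it into an
    UNQUOTED numeric comparison. Returns matching rows, or None when the query
    fails to parse (the equivalent of mysql_query() returning false, which is
    what made mysql_num_rows() emit the warning quoted in the thread)."""
    sql = (f"SELECT id, name FROM houses WHERE enabled=1 AND id={clean_str(view_param)}"
           " ORDER BY id")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def view_int_cast(conn: sqlite3.Connection, view_param: str):
    """Minimal fix when the column is numeric: coerce to int before building the
    query, so nothing but digits can ever reach the SQL text."""
    try:
        view_id = int(view_param)
    except ValueError:
        return []
    sql = f"SELECT id, name FROM houses WHERE enabled=1 AND id={view_id} ORDER BY id"
    return conn.execute(sql).fetchall()


def view_parameterized(conn: sqlite3.Connection, view_param: str):
    """Preferred fix: bind the value as a parameter. The driver never parses it
    as SQL, so the operator-precedence trick cannot work; a non-numeric string
    simply fails to match any INTEGER id."""
    sql = "SELECT id, name FROM houses WHERE enabled=1 AND id=? ORDER BY id"
    return conn.execute(sql, (view_param,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    # "1 OR 1=1" contains no quote to escape, so clean_str() passes it through
    # and the WHERE clause becomes (enabled=1 AND id=1) OR 1=1: every row,
    # including the disabled one, comes back.
    for param in ("1", "1'", "1 OR 1=1"):
        print(f"{param!r:12} escaped={view_escaped(db, param)} "
              f"int={view_int_cast(db, param)} bound={view_parameterized(db, param)}")
```

The lesson carries over directly to the PHP in the thread: escaping is a quoting tool, and only protects a value that sits inside quotes. For a numeric id, cast with `(int)` before interpolating, or better, use a prepared statement (mysqli or PDO) so the value is bound rather than pasted into the query text. Separately, always check the result of the query call before passing it to `mysql_num_rows()`, because a syntax error returns `false` rather than a result resource.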

That means there is something wrong with the query. Try to catch the error.

 

<?php
   $result = mysql_query("SELECT * FROM `place` WHERE `something` = true AND `id` = $viewPage")or die(mysql_error());
?>

 

EDIT: Oops, I should have read the question more carefully. Why are you putting an apostrophe in the id in the first place?


Well, I'll be happy to know it's not an injection problem. It's with my query.

 

 

if(isset($_GET['view']))
{
    $viewPage = $_POST['view'];
    $result = mysql_query("SELECT * FROM `houses` WHERE `enabled`=1 AND `id`=$viewPage");
    if(mysql_num_rows(cleanStr($result)) < 1)
        echo "There is no site listed. Please contact a system administrator.";
    else


Try catching the error like I mentioned above. Also, that is what I told you to do: remove the cleanStr() function.

 

Change your query to this:

$result = mysql_query("SELECT * FROM `houses` WHERE `enabled`=1 AND `id`=$viewPage")or die(mysql_error());

 

Also, why are you using cleanStr() on this line?

if(mysql_num_rows(cleanStr($result)) < 1)

 

Change it to this:

if(mysql_num_rows($result) < 1)


Apostrophes in the URL are automatically escaped, so I don't think there is even a need to use the function on the $_GET variable.

 

Just wanted to add, this is only if magic_quotes are turned on.

 

Personally, I hate the magic_quotes concept. I don't see why something should happen to data from the user that I don't do to it myself.

