Re: [PHP] Narorwed down my problem to one statement:

Wed, 17 May 2006 00:23:44 -0700 

At 09:38 PM 5/16/2006, John Meyer wrote:
$sql = "INSERT INTO BOOKS(CopyrightYear,CoverType,DatePurchased,EditionNumber,ISBNNumber,Notes,Pages,Publisher,LOCNumber) VALUES(\"" . $_POST["copyrightyear"] . "\",\"" . $_POST["covertype"] . "\",\"" . $_POST["datepurchased"] . "\"," . $_POST["editionnumber"] . ",\"" . $_POST["isbn"] . "\",\"" . addslashes($_POST["notes"]) . "\"," . (isset($_POST["numberofpages"])?$_POST["numberofpages"]:0) . ",\"" . $_POST["publisher"] . "\",\"" . $_POST["locnumber"] . "\")"; 



Okay,  when $_POST["notes"] contains quotes, it seems to break the 
series, ie returns an error at that point of the SQL statement, even 
with addslashes(), am I doing something wrong there?



John,


I wasn't able to get your statement to break regardless of the 
content of $_POST["notes"], so I'm inclined to think the problem 
doesn't lie with embedded quotes alone.  Try displaying the value of 
$sql when it fails in MySQL.  Without that evidence, your problem 
seems impossible to solve.


I'm suspicious of this conditional expression:

        (isset($_POST["numberofpages"])?$_POST["numberofpages"]:0)


If $_POST["numberofpages"] is set but contains non-numeric content, 
the query will fail.


Here are two other points tangential to your question:


By feeding user input directly into an SQL query, you're creating an 
unnecessary vulnerability in your code.  See "SQL Injection" at 
http://php.net/manual/en/security.database.sql-injection.php



I find the concatenation with escaped quotes messy and difficult to 
proofread and modify.  My example below is somewhat exaggerated for 
effect, but consider using heredoc syntax for ease of reading and a 
couple of custom functions to make strings & numbers SQL-safe:

___________________________

$copyrightyear = prepString($_POST["copyrightyear"]);
$covertype     = prepString($_POST["covertype"]);
$datepurchased = prepString($_POST["datepurchased"]);
$editionnumber = prepNumber($_POST["editionnumber"]);
$notes         = prepString($_POST["notes"]);
$numberofpages = prepNumber($_POST["numberofpages"]);
$publisher     = prepString($_POST["publisher"]);
$locnumber     = prepString($_POST["locnumber"]);


$sql = <<< heredocSQL
        INSERT INTO BOOKS (
                CopyrightYear,
                CoverType,
                DatePurchased,
                EditionNumber,
                ISBNNumber,
                Notes,
                Pages,
                Publisher,
                LOCNumber
        ) VALUES (
                "$copyrightyear",
                "$covertype",
                "$datepurchased",
                $editionnumber,
                "$notes",
                $numberofpages,
                "$publisher",
                "$locnumber"
        );
heredocSQL;
___________________________


Paul 


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php























					Reply via email to