www.webdeveloper.com

Thread: All boxes post to database except one please help

  1. #1
    Join Date
    Feb 2012
    Posts
    6

    All boxes post to database except one please help

    Hi guys, please help. As I said, all the boxes post the data to the database except one ($proddesc):
    PHP Code:
    <?php
    include("db.php");
    $servicecentre=$_POST['servicecentre'];
    $ponumber=$_POST['ponumber'];
    $prodcode=$_POST['productcode'];
    $proddesc=$_POST['productdescription'];
    $price=$_POST['price'];
    $qty=$_POST['quantity'];
    $total=$_POST['total'];
    mysql_query("INSERT INTO purchaseorder (servicecentre,ponumber,productcode,productdescription,price,quantity,total) VALUES ('$servicecentre','$ponumber','$prodcode','$proddesc','$price','$qty','$total')");
    header("location: tableedit.php#page=addpro");
    ?>
    HTML Code:
    <div class="content" id="addpro">
    <form style="text-align:right" action="saveproduct.php" method="post">
    	<div style="width:400px; text-align:right">
        <div style="margin-left: 48px;">
    	Service Centre: <input name="servicecentre" type="text" />
    	</div>
    	<br />
    	<div style="margin-left: 97px;">
    	PO Number: <input name="ponumber" type="text" />
    	</div>
    	<br />
    	<div style="margin-left: 80px;">
    	Product Code: <input name="productcode" type="text" />
    	</div>
        <br />
    	<div style="margin-left: 80px;">
    	Product Description:  <input name="proddesc" type="text" />
    	</div>
        <br />
    	<div style="margin-left: 80px;">
    	Price:  <input name="price" type="text" />
    	</div>
        <br />
    	<div style="margin-left: 80px;">
    	Quantity: <input name="quantity" type="text" />
    	</div>
        <br />
    	<div style="margin-left: 80px;">
    	Total: <input name="total" type="text" />
    	</div>
    	<div style="margin-left: 127px; margin-top: 14px;"><input name="" type="submit" value="Add" /></div>
    </div>
    </form>
    </div>
    Thanks in advance

  2. #2
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    699
    Check your named inputs against what you are grabbing from your post array. There's your mistake.

  3. #3
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,304
    While not the cause of your problem (see prior reply), your script is wide open to SQL injection attacks/errors. See mysql_real_escape_string() for an immediate solution, though a more robust solution would be to move from the now-deprecated mysql extension to either mysqli or pdo extensions, and make use of prepared statements and bound input parameters.

    http://xkcd.com/327/
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  4. #4
    Join Date
    Feb 2012
    Posts
    6
    Thanks for your replies guys. @NogDog, I have only just started with PHP and don't really understand MySQL injection; are there any good tutorials that you could point me to? Thanks again.

  5. #5
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,304
    Basically, it's a situation where user inputs contain text that can change what your database query actually does. Let's suppose you have a query that uses one input parameter:
    PHP Code:
    $query = "SELECT * FROM some_table WHERE foo = '$input'";
    Now, let's suppose a nasty user inputs the value:
    Code:
    x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --
    Now your PHP code would turn every user in the database into an admin-level user (assuming the attacker knows or has correctly guessed your database scheme), as the value of $query would now be:
    Code:
    SELECT * FROM some_table WHERE foo = 'x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --'
    This can be prevented by using an appropriate escaping function on any inputs being used in a query, in your current situation being the mysql_real_escape_string() function (which uses a back-slash as its escaping character, much as PHP does when you use it to escape quotes within a quoted string), and you can also use type-casting to make sure numeric values are, in fact, numeric. DB extensions that provide for the use of prepared statements and bound parameters provide a means to let the database interface itself handle the escaping.
    PHP Code:
    $sql = "INSERT INTO some_table (user_name, age) VALUES('".mysql_real_escape_string($user)."', ".(int)$age.")";
    Last edited by NogDog; 07-15-2013 at 11:08 AM.

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,304
    PS: If you update your code to use PDO instead:
    PHP Code:
    $pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    $sql = "INSERT INTO some_table (user_name, age) VALUES(:name, :age)";
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':name', $name); // these automatically take care of any escaping
    $stmt->bindParam(':age', $age, PDO::PARAM_INT);
    $stmt->execute(); // PDOStatement runs via execute(); exec() belongs to the PDO connection object
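Putting the two suggestions together for the OP's actual form, as an added example that is not NogDog's or the poster's code: it assumes the description is read under the name the HTML actually uses (proddesc), validates the numeric fields before the query, and uses an in-memory SQLite database in place of the site's MySQL one so that it runs stand-alone.

```php
<?php
// Added example, not code from the thread: the OP's saveproduct.php redone with
// PDO prepared statements as NogDog recommends. Assumed here: the field is read
// under the name the HTML actually uses (proddesc), numeric fields are validated
// first, and an in-memory SQLite database stands in for the site's MySQL one so
// the script runs stand-alone (use the mysql: DSN with user/password on the server).

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors
    $pdo->exec('CREATE TABLE purchaseorder (servicecentre TEXT, ponumber TEXT,
                productcode TEXT, productdescription TEXT, price REAL,
                quantity INTEGER, total REAL)');
    return $pdo;
}

// Validate the numeric fields first; everything else is bound as a string parameter,
// so quotes and comment markers inside it never reach the SQL parser as syntax.
function savePurchaseOrder(PDO $pdo, array $post): int {
    $price = filter_var($post['price'] ?? '', FILTER_VALIDATE_FLOAT);
    $qty   = filter_var($post['quantity'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $total = filter_var($post['total'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($price === false || $qty === false || $total === false) {
        throw new InvalidArgumentException('price/total must be numeric, quantity a positive integer');
    }
    $stmt = $pdo->prepare('INSERT INTO purchaseorder
        (servicecentre, ponumber, productcode, productdescription, price, quantity, total)
        VALUES (:sc, :po, :code, :desc, :price, :qty, :total)');
    $stmt->bindValue(':sc',    (string)($post['servicecentre'] ?? ''));
    $stmt->bindValue(':po',    (string)($post['ponumber'] ?? ''));
    $stmt->bindValue(':code',  (string)($post['productcode'] ?? ''));
    $stmt->bindValue(':desc',  (string)($post['proddesc'] ?? '')); // matches <input name="proddesc">
    $stmt->bindValue(':price', $price);
    $stmt->bindValue(':qty',   $qty, PDO::PARAM_INT);
    $stmt->bindValue(':total', $total);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample POST: the description carries the hostile string from reply #5.
$pdo = openDb();
savePurchaseOrder($pdo, [
    'servicecentre' => 'Leeds', 'ponumber' => 'PO-1001', 'productcode' => 'AB-7',
    'proddesc' => "x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --",
    'price' => '12.50', 'quantity' => '4', 'total' => '50.00',
]);
// The string was data, not SQL: it is stored verbatim and the INSERT ran unchanged.
$row = $pdo->query('SELECT productdescription, quantity FROM purchaseorder')->fetch(PDO::FETCH_ASSOC);
echo $row['productdescription'], "\n";
```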

  7. #7
    Join Date
    Feb 2012
    Posts
    6
    Thanks mate, just a quick question: I was reading my PHP book to see if it elaborated a bit on securing the queries and found that they recommend using htmlentities(). Is this just as good to use, or equivalent? And am I right in thinking that I use it like this:
    $my_variable = htmlentities('select * from some_table');

    Thanks Again

  8. #8
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    699
    I don't use it much. And one would definitely not use it the way you think.

    Securing query statements is more about checking the input values that you are going to use in a query. Doing escapes on them, checking that they are of the type that you expect, things like that. Also the use of prepared statements is the very much preferred method of doing queries which alleviates a lot of the security worries.

  9. #9
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,304
    htmlentities() is for output to an [x]html document. The best and safest way to protect your database is with the functions/methods specifically designed for that. Besides, in most cases, you do not want HTML character entities in your database.
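A short added illustration (not from the thread) of NogDog's point: htmlentities() is output encoding for HTML, so it is the wrong tool for the query path. The hostile string is the one quoted in reply #5; the customer name is a constructed sample.

```php
<?php
// Added example, not code from the thread. Shows two things about htmlentities():
// it is not an SQL escaping function, and applying it before storage corrupts data.

// 1. With ENT_COMPAT (the default flag set before PHP 8.1) the single quote is left
//    alone, so the value still closes the quoted literal in the query exactly as before.
function htmlEncodedLiteral(string $value): string {
    return "SELECT * FROM some_table WHERE foo = '" . htmlentities($value, ENT_COMPAT, 'UTF-8') . "'";
}

// 2. Entities stored in the column break exact-match lookups on the raw value, and
//    correct encoding at render time then double-encodes what the user sees.
function storeEncoded(string $value): string {       // what would land in the database
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}
function renderCell(string $stored): string {        // the right place for htmlentities()
    return '<td>' . htmlentities($stored, ENT_QUOTES, 'UTF-8') . '</td>';
}

$hostile = "x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --";
echo htmlEncodedLiteral($hostile), "\n";   // the string passes through unchanged; query still altered

$name   = "O'Brien & Sons";               // constructed sample value
$stored = storeEncoded($name);
var_dump($stored === $name);              // bool(false): WHERE name = 'O''Brien & Sons' would miss it
echo renderCell($stored), "\n";           // <td>O&amp;#039;Brien &amp;amp; Sons</td>  double-encoded
echo renderCell($name), "\n";             // <td>O&#039;Brien &amp; Sons</td>           store raw, encode on output
```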
