PHP Allowing All Variables But One??
Moderator: General Moderators
thepristinedesign
- Forum Newbie
- Posts: 3
- Joined: Mon Jun 22, 2009 9:59 pm
PHP Allowing All Variables But One??
So I am fairly new to the php world so please bear with me.
I made an html form that through POST requested a php file that connects to mysql database and sends the variables from the form into it.
I've established that the connection works. Also, all of the variables that I am sending work without error. However, as soon as I try to incorporate my 'explain' variable into the same code I get the error message that I self-defined in an if-then statement. I have tried everything and my coding is correct and the same as the other variables that will post correctly as long as they are without the 'explain' variable. I don't understand it. I have tried everything and looked over everything over a hundred times and it still sends the error.
Has anyone else had experience with something like this or that could lend me some advice? I would appreciate it greatly.
Re: PHP Allowing All Variables But One??
What's your code?
thepristinedesign
- Forum Newbie
- Posts: 3
- Joined: Mon Jun 22, 2009 9:59 pm
Re: PHP Allowing All Variables But One??
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
</head>
<?php
$dbhost = 'xxxxxxxxx';
$dbusername = 'xxxxxxxxxxxxx';
$dbuserpass='xxxxxx';
$dbname='xxxxxxxx';
$link_id = mysql_connect ($dbhost,$dbusername,$dbuserpass);
mysql_selectdb($dbname, $link_id);
if (!$link_id)
{
die('Could not connect: ' . mysql_error());
}
$name = $_POST['name'];
$childinfo = $_POST['childinfo'];
$address = $_POST['address'];
$location = $_POST['location'];
$why = $_POST['why'];
$what = $_POST['what'];
$special = $_POST['special'];
$tell_us = $_POST['tell_us'];
$reachtime = $_POST['reachtime'];
$reachmethod = $_POST['reachmethod'];
if (isset($_POST)){
$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$childinfo = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['childinfo']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$address = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['address']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$location = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['location']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$why = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['why']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$what = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['what']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$special = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['special']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$tell_us = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['tell_us']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$reachmethod = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['reachmethod']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
if ($special>0){$special = 'Yes_disabled_ill_lowincome';}else{$special = 'Not_disabled_ill_lowincome';}//If the Yes_No field is a Yes or No field take the number supplied in the POST and set $yes_no to 'Yes' or 'No'
$sql = "INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What, Special, ReachMethod, ReachTime, Tell_Us) Values ('$name','$childinfo','$address','$location','$why','$what','$special','$reachmethod','$reachtime','$tell_us')";
if (!mysql_query($sql))
{
//mysql was not completed instead of showing the user the
//error just a message
$results = 'There was an error processing your submission 1';
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
}else{
$results = "1 record added";
}
}else{
//If $_POST was not set
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
$results = 'There was an error processing your submission 2';
}
?>
<body>
<?php
echo $results;
?>
</body>
</html>
tell_us is the variable that won't work.
Re: PHP Allowing All Variables But One??
How hard is it to learn how to post code before posting it? Everyone seems to be skipping this step. Here's your code again with the proper tags. Where in this code specifically does the error occur?
By the way, please look up sql injection on google and filter your post variables as recommended so some hacker doesn't trash your database.
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
</head>
<?php
$dbhost = 'xxxxxxxxx';
$dbusername = 'xxxxxxxxxxxxx';
$dbuserpass='xxxxxx';
$dbname='xxxxxxxx';
$link_id = mysql_connect ($dbhost,$dbusername,$dbuserpass);
mysql_selectdb($dbname, $link_id);
if (!$link_id)
{
die('Could not connect: ' . mysql_error());
}
$name = $_POST['name'];
$childinfo = $_POST['childinfo'];
$address = $_POST['address'];
$location = $_POST['location'];
$why = $_POST['why'];
$what = $_POST['what'];
$special = $_POST['special'];
$tell_us = $_POST['tell_us'];
$reachtime = $_POST['reachtime'];
$reachmethod = $_POST['reachmethod'];
if (isset($_POST)){
$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$childinfo = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['childinfo']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$address = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['address']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$location = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['location']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$why = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['why']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$what = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['what']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$special = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['special']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$tell_us = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['tell_us']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$reachmethod = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['reachmethod']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
if ($special>0){$special = 'Yes_disabled_ill_lowincome';}else{$special = 'Not_disabled_ill_lowincome';}//If the Yes_No field is a Yes or No field take the number supplied in the POST and set $yes_no to 'Yes' or 'No'
$sql = "INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What, Special, ReachMethod, ReachTime, Tell_Us) Values ('$name','$childinfo','$address','$location','$why','$what','$special','$reachmethod','$reachtime','$tell_us')";
if (!mysql_query($sql))
{
//mysql was not completed instead of showing the user the
//error just a message
$results = 'There was an error processing your submission 1';
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
}else{
$results = "1 record added";
}
}else{
//If $_POST was not set
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
$results = 'There was an error processing your submission 2';
}
?>
<body>
<?php
echo $results;
?>
</body>
</html>
thepristinedesign
- Forum Newbie
- Posts: 3
- Joined: Mon Jun 22, 2009 9:59 pm
Re: PHP Allowing All Variables But One??
I did look at the how to post correctly page and I didn't understand/didn't have the time to get that to work.
The error that occurs is the 'There was an error processing your submission 1'.
This code is copied from a code that a friend of mine paid a developer $95 an hour to make it sql injection safe. Doesn't the preg_replace coding ensure that no injection can take place? Thanks for the comments.
Re: PHP Allowing All Variables But One??
thepristinedesign wrote:
as soon as I try to incorporate my 'explain' variable into the same code I get the error message that I self-defined in an if-then statement.
First, where is this "'explain' variable"? If you are trying to use "explain" as a field name in an SQL query, you will get an error because EXPLAIN is a reserved word in SQL. If you are trying to change your query to something like "EXPLAIN INSERT INTO...", the returned fields will be different than those returned by "INSERT INTO...".
Second, this condition is always true, so there is no reason to test for it.
Code:
if (isset($_POST))
Code:
if (!empty($_POST))
Edit: This post was recovered from search engine cache.
Last edited by McInfo on Wed Jun 16, 2010 11:39 am, edited 1 time in total.
Re: PHP Allowing All Variables But One??
thepristinedesign wrote:
tell_us is the variable that won't work.
There is a pattern in the POST variables where two-word names are joined together with no extra characters between them: "childinfo" and "reachmethod". This pattern also appears in the database table's field names: "ChildInfo", "ReachMethod", and "ReachTime". However, "tell_us" includes an underscore between the two words. Could it be that this does not match the name in either or both the form and the table?
thepristinedesign wrote:
I did look at the how to post correctly page and I didn't understand/didn't have the time to get that to work.
BBCode tags look like this:
Code:
[code=php]<?php echo "Hello, World."; ?>[/code]
thepristinedesign wrote:
Doesn't the preg_replace coding ensure that no injection can take place?
Your script would be immune to SQL injection, except that $reachtime is not sanitized.
This code section
Code:
$name = $_POST['name'];
// plus the next nine lines, except for $reachtime
Code:
$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);
// plus the next eight lines
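Added example, not the posted script or anything written by the thread's participants: the same Apply INSERT with one whitelist helper applied to every field (so $reachtime is no longer skipped), the always-true isset($_POST) replaced by an empty() check, and the values bound through a mysqli prepared statement so the query text never contains form input. The connection credentials are placeholders, and the $stmt->error message is what shows the real MySQL reason for a failing insert (such as a column name that does not match Tell_Us).

```php
<?php
// Added example (not the original poster's script): whitelist every form
// field with one helper, then insert through a prepared statement so the
// SQL text never depends on what the user typed. Credentials are placeholders.

// Keep letters, digits and whitespace; everything else becomes a space.
function whitelist(string $value): string {
    return preg_replace('/[^a-zA-Z0-9\s]/', ' ', $value);
}

$fields = ['name', 'childinfo', 'address', 'location', 'why', 'what',
           'special', 'tell_us', 'reachtime', 'reachmethod'];

// $_POST is always set, so test whether the form actually sent anything.
if (empty($_POST)) {
    echo 'There was an error processing your submission 2';
    exit;
}

$clean = [];
foreach ($fields as $f) {
    // A missing field becomes '' instead of raising an undefined-index notice.
    $clean[$f] = whitelist($_POST[$f] ?? '');
}
$clean['special'] = ((int) $clean['special'] > 0)
    ? 'Yes_disabled_ill_lowincome' : 'Not_disabled_ill_lowincome';

$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('Could not connect: ' . $db->connect_error);
}

// The ? markers are bound separately from the statement text, so a quote in
// any value cannot change the query; a bad column name fails at prepare time.
$stmt = $db->prepare('INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What,
    Special, ReachMethod, ReachTime, Tell_Us) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');
if ($stmt === false) {
    // e.g. "Unknown column 'Tell_Us'" would be reported here, not hidden.
    die('Prepare failed: ' . $db->error);
}
$stmt->bind_param('ssssssssss', $clean['name'], $clean['childinfo'], $clean['address'],
    $clean['location'], $clean['why'], $clean['what'], $clean['special'],
    $clean['reachmethod'], $clean['reachtime'], $clean['tell_us']);
echo $stmt->execute() ? '1 record added' : 'Insert failed: ' . $stmt->error;
```

Log $stmt->error on the server rather than echoing it once the cause is found; the generic message the original script shows to users is the right thing to keep in production.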