PHP Allowing All Variables But One??

thepristinedesign
Forum Newbie
Posts: 3
Joined: Mon Jun 22, 2009 9:59 pm

PHP Allowing All Variables But One??

Post by thepristinedesign »

So I am fairly new to the php world so please bear with me.

I made an html form that through POST requested a php file that connects to mysql database and sends the variables from the form into it.

I've established that the connection works. Also, all of the variables that I am sending work without error. However, as soon as I try to incorporate my 'explain' variable into the same code I get the error message that I self-defined in an if-then statement. I have tried everything and my coding is correct and the same as the other variables that will post correctly as long as they are without the 'explain' variable. I don't understand it. I have tried everything and looked over everything over a hundred times and it still sends the error.

Has anyone else had experience with something like this or that could lend me some advice? I would appreciate it greatly.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: PHP Allowing All Variables But One??

Post by requinix »

What's your code?
thepristinedesign
Forum Newbie
Posts: 3
Joined: Mon Jun 22, 2009 9:59 pm

Re: PHP Allowing All Variables But One??

Post by thepristinedesign »

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>

</head>

<?php
$dbhost = 'xxxxxxxxx';
$dbusername = 'xxxxxxxxxxxxx';
$dbuserpass='xxxxxx';
$dbname='xxxxxxxx';

$link_id = mysql_connect ($dbhost,$dbusername,$dbuserpass);
mysql_selectdb($dbname, $link_id);
if (!$link_id)
{
die('Could not connect: ' . mysql_error());
}

$name = $_POST['name'];
$childinfo = $_POST['childinfo'];
$address = $_POST['address'];
$location = $_POST['location'];
$why = $_POST['why'];
$what = $_POST['what'];
$special = $_POST['special'];
$tell_us = $_POST['tell_us'];
$reachtime = $_POST['reachtime'];
$reachmethod = $_POST['reachmethod'];




if (isset($_POST)){
$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$childinfo = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['childinfo']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$address = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['address']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$location = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['location']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$why = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['why']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$what = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['what']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$special = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['special']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$tell_us = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['tell_us']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$reachmethod = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['reachmethod']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
if ($special>0){$special = 'Yes_disabled_ill_lowincome';}else{$special = 'Not_disabled_ill_lowincome';}//If the Yes_No field is a Yes or No field take the number supplied in the POST and set $yes_no to 'Yes' or 'No'

$sql = "INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What, Special, ReachMethod, ReachTime, Tell_Us) Values ('$name','$childinfo','$address','$location','$why','$what','$special','$reachmethod','$reachtime','$tell_us')";

if (!mysql_query($sql))
{
//mysql was not completed instead of showing the user the
//error just a message
$results = 'There was an error processing your submission 1';
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
}else{
$results = "1 record added";
}
}else{
//If $_POST was not set
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
$results = 'There was an error processing your submission 2';
}
?>

<body>
<?php
echo $results;
?>
</body>
</html>



tell_us is the variable that won't work.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: PHP Allowing All Variables But One??

Post by Eric! »

How hard is it to learn how to post code before posting it? Everyone seems to be skipping this step. Here's your code again with the proper tags. Where in this code specifically does the error occur?


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
 
</head>
 
<?php
$dbhost = 'xxxxxxxxx';
$dbusername = 'xxxxxxxxxxxxx';
$dbuserpass='xxxxxx';
$dbname='xxxxxxxx';
 
$link_id = mysql_connect ($dbhost,$dbusername,$dbuserpass);
mysql_selectdb($dbname, $link_id);
if (!$link_id)
{
die('Could not connect: ' . mysql_error());
}
 
$name = $_POST['name'];
$childinfo = $_POST['childinfo'];
$address = $_POST['address'];
$location = $_POST['location'];
$why = $_POST['why'];
$what = $_POST['what'];
$special = $_POST['special'];
$tell_us = $_POST['tell_us'];
$reachtime = $_POST['reachtime'];
$reachmethod = $_POST['reachmethod'];
 
 
 
 
if (isset($_POST)){
$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$childinfo = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['childinfo']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$address = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['address']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$location = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['location']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$why = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['why']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$what = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['what']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$special = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['special']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$tell_us = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['tell_us']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$reachmethod = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['reachmethod']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
if ($special>0){$special = 'Yes_disabled_ill_lowincome';}else{$special = 'Not_disabled_ill_lowincome';}//If the Yes_No field is a Yes or No field take the number supplied in the POST and set $yes_no to 'Yes' or 'No'
 
$sql = "INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What, Special, ReachMethod, ReachTime, Tell_Us) Values ('$name','$childinfo','$address','$location','$why','$what','$special','$reachmethod','$reachtime','$tell_us')";
 
if (!mysql_query($sql))
{
//mysql was not completed instead of showing the user the
//error just a message
$results = 'There was an error processing your submission 1';
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
}else{
$results = "1 record added";
}
}else{
//If $_POST was not set
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
$results = 'There was an error processing your submission 2';
}
?>
 
<body>
<?php
echo $results;
?>
</body>
</html>
 
By the way, please look up SQL injection on Google and filter your POST variables as recommended so some hacker doesn't trash your database.
thepristinedesign
Forum Newbie
Posts: 3
Joined: Mon Jun 22, 2009 9:59 pm

Re: PHP Allowing All Variables But One??

Post by thepristinedesign »

I did look at the how to post correctly page and I didn't understand/didn't have the time to get that to work.

The error that occurs is the 'There was an error processing your submission 1'.

This code is copied from a code that a friend of mine paid a developer $95 an hour to make it sql injection safe. Doesn't the preg_replace coding ensure that no injection can take place? Thanks for the comments.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: PHP Allowing All Variables But One??

Post by McInfo »

thepristinedesign wrote: as soon as I try to incorporate my 'explain' variable into the same code I get the error message that I self-defined in an if-then statement.
First, where is this "'explain' variable"? If you are trying to use "explain" as a field name in an SQL query, you will get an error because EXPLAIN is a reserved word in SQL. If you are trying to change your query to something like "EXPLAIN INSERT INTO...", the returned fields will be different than those returned by "INSERT INTO...".

Second, this condition is always true, so there is no reason to test for it.

if (isset($_POST))
You might be thinking of something like

if (!empty($_POST))
but this still doesn't guarantee that the expected array indexes are set.

Edit: This post was recovered from search engine cache.
Last edited by McInfo on Wed Jun 16, 2010 11:39 am, edited 1 time in total.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: PHP Allowing All Variables But One??

Post by McInfo »

thepristinedesign wrote: tell_us is the variable that won't work.
There is a pattern in the POST variables where two-word names are joined together with no extra characters between them: "childinfo" and "reachmethod". This pattern also appears in the database table's field names: "ChildInfo", "ReachMethod", and "ReachTime". However, "tell_us" includes an underscore between the two words. Could it be that this does not match the name in either or both the form and the table?
thepristinedesign wrote:I did look at the how to post correctly page and I didn't understand/didn't have the time to get that to work.
BBCode tags look like this

[code=php]<?php echo "Hello, World."; ?>
[/code]
thepristinedesign wrote:Doesn't the preg_replace coding ensure that no injection can take place?
Your script would be immune to SQL injection, except that $reachtime is not sanitized.

This code section

$name = $_POST['name'];
// plus the next nine lines, except for $reachtime
is redundant since it is followed by

$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);
// plus the next eight lines
Edit: This post was recovered from search engine cache.
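A hardened version of the OP's insert, added here as an illustration and not code from anyone in the thread: each expected POST index is checked individually (the point made above about isset($_POST) always being true), and every value, including $reachtime, is passed as a bound parameter instead of being interpolated into the query. It assumes PDO's MySQL driver and the Apply table from the OP's query; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the thread). Assumes PDO with the MySQL driver and
// the Apply table/columns from the OP's INSERT; DB_* values are placeholders.

// Every field the form is expected to send, in the OP's column order.
// Checking each key is what isset($_POST) and !empty($_POST) do not do.
const APPLY_FIELDS = ['name', 'childinfo', 'address', 'location', 'why',
                      'what', 'special', 'reachmethod', 'reachtime', 'tell_us'];

function collectApplication(array $post): ?array
{
    $row = [];
    foreach (APPLY_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null; // missing index: redisplay the form, run no query
        }
        $row[$field] = trim($post[$field]);
    }
    // 'special' is a yes/no flag; normalise it the way the OP's code did
    $row['special'] = ((int) $row['special'] > 0)
        ? 'Yes_disabled_ill_lowincome' : 'Not_disabled_ill_lowincome';
    return $row;
}

function insertApplication(PDO $db, array $row): bool
{
    // Column names are fixed in code, never taken from the request. Values
    // are bound, so a quote in reachtime (the field the thread notes is not
    // sanitized) is stored as data and cannot change the statement.
    $sql = 'INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What,'
         . ' Special, ReachMethod, ReachTime, Tell_Us)'
         . ' VALUES (:name, :childinfo, :address, :location, :why, :what,'
         . ' :special, :reachmethod, :reachtime, :tell_us)';
    try {
        return $db->prepare($sql)->execute($row);
    } catch (PDOException $e) {
        // Keep the driver's real message (e.g. an unknown column name such as
        // a misnamed Tell_Us) in the server log; the user sees a generic notice.
        error_log('Apply insert failed: ' . $e->getMessage());
        return false;
    }
}

$db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
              'DB_USER', 'DB_PASS',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
               PDO::ATTR_EMULATE_PREPARES => false]);
$row = collectApplication($_POST);
echo ($row !== null && insertApplication($db, $row))
    ? '1 record added' : 'There was an error processing your submission';
```

With the driver error going to the server log rather than being swallowed, a column-name mismatch like the one suggested for tell_us shows up as an explicit "Unknown column" message instead of the generic "submission 1" text.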