Page 1 of 1

PHP Allowing All Variables But One??

Posted: Mon Jun 22, 2009 10:04 pm
by thepristinedesign
So I am fairly new to the php world so please bear with me.

I made an html form that through POST requested a php file that connects to mysql database and sends the variables from the form into it.

I've established that the connection works. Also, all of the variables that I am sending work without error. However, as soon as I try to incorperate my 'explain' variable into the same code I get the error message that I self-defined in an if-then statement. I have tried everything and my coding is correct and the same as the other variables that will post correctly as long as they are without the 'explain' variable. I don't understand it. I have tried everything and looked over everything over a hundred times and it still sends the error.

Has anyone else had experience with something like this or that could lend me some advice? I would appreciate it greatly.

Re: PHP Allowing All Variables But One??

Posted: Mon Jun 22, 2009 10:10 pm
by requinix
What's your code?

Re: PHP Allowing All Variables But One??

Posted: Mon Jun 22, 2009 10:18 pm
by thepristinedesign
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>

</head>

<?php
$dbhost = 'xxxxxxxxx';
$dbusername = 'xxxxxxxxxxxxx';
$dbuserpass='xxxxxx';
$dbname='xxxxxxxx';

$link_id = mysql_connect ($dbhost,$dbusername,$dbuserpass);
mysql_selectdb($dbname, $link_id);
if (!$link_id)
{
die('Could not connect: ' . mysql_error());
}

$name = $_POST['name'];
$childinfo = $_POST['childinfo'];
$address = $_POST['address'];
$location = $_POST['location'];
$why = $_POST['why'];
$what = $_POST['what'];
$special = $_POST['special'];
$tell_us = $_POST['tell_us'];
$reachtime = $_POST['reachtime'];
$reachmethod = $_POST['reachmethod'];




if (isset($_POST)){
$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$childinfo = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['childinfo']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$address = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['address']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$location = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['location']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$why = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['why']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$what = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['what']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$special = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['special']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$tell_us = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['tell_us']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$reachmethod = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['reachmethod']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
if ($special>0){$special = 'Yes_disabled_ill_lowincome';}else{$special = 'Not_disabled_ill_lowincome';}//If the Yes_No field is a Yes or No field take the number supplied in the POST and set $yes_no to 'Yes' or 'No'

$sql = "INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What, Special, ReachMethod, ReachTime, Tell_Us) Values ('$name','$childinfo','$address','$location','$why','$what','$special','$reachmethod','$reachtime','$tell_us')";

if (!mysql_query($sql))
{
//mysql was not completed instead of showing the user the
//error just a message
$results = 'There was an error processing your submission 1';
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
}else{
$results = "1 record added";
}
}else{
//If $_POST was not set
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
$results = 'There was an error processing your submission 2';
}
?>

<body>
<?php
echo $results;
?>
</body>
</html>



tell_us is the variable that wont work.

Re: PHP Allowing All Variables But One??

Posted: Mon Jun 22, 2009 10:49 pm
by Eric!
How hard is it to learn how to post code before posting it? Everyone seems to be skipping this step. Here's your code so again with the proper tags. Where in this code specifically does the error occur?

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
 
</head>
 
<?php
$dbhost = 'xxxxxxxxx';
$dbusername = 'xxxxxxxxxxxxx';
$dbuserpass='xxxxxx';
$dbname='xxxxxxxx';
 
$link_id = mysql_connect ($dbhost,$dbusername,$dbuserpass);
mysql_selectdb($dbname, $link_id);
if (!$link_id)
{
die('Could not connect: ' . mysql_error());
}
 
$name = $_POST['name'];
$childinfo = $_POST['childinfo'];
$address = $_POST['address'];
$location = $_POST['location'];
$why = $_POST['why'];
$what = $_POST['what'];
$special = $_POST['special'];
$tell_us = $_POST['tell_us'];
$reachtime = $_POST['reachtime'];
$reachmethod = $_POST['reachmethod'];
 
 
 
 
if (isset($_POST)){
$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$childinfo = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['childinfo']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$address = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['address']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$location = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['location']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$why = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['why']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$what = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['what']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$special = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['special']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$tell_us = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['tell_us']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
$reachmethod = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['reachmethod']);//replace any non letters with a space (a-zA-Z\s) = any upper or lowercase letters or a space\s
if ($special>0){$special = 'Yes_disabled_ill_lowincome';}else{$special = 'Not_disabled_ill_lowincome';}//If the Yes_No field is a Yes or No field take the number supplied in the POST and set $yes_no to 'Yes' or 'No'
 
$sql = "INSERT INTO Apply (Name, ChildInfo, Address, Location, Why, What, Special, ReachMethod, ReachTime, Tell_Us) Values ('$name','$childinfo','$address','$location','$why','$what','$special','$reachmethod','$reachtime','$tell_us')";
 
if (!mysql_query($sql))
{
//mysql was not completed instead of showing the user the
//error just a message
$results = 'There was an error processing your submission 1';
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
}else{
$results = "1 record added";
}
}else{
//If $_POST was not set
/**
* If the user made an error filling out the form the form
* should be shown again with an error message
**/
$results = 'There was an error processing your submission 2';
}
?>
 
<body>
<?php
echo $results;
?>
</body>
</html>
 
By the way, please look up sql injection on google and filter your post variables as recommended so some hacker doesn't trash your database.

Re: PHP Allowing All Variables But One??

Posted: Mon Jun 22, 2009 11:24 pm
by thepristinedesign
I did look at the how to post correctly page and I didn't understand/didn't have the time to get that to work.

The error that occurs is the 'There was an error processing your submission 1'.

This code is copied from a code that a friend of mine paid a developer $95 an hour to make it sql injection safe. Doesn't the preg_replace coding ensure that no injection can take place? Thanks for the comments.

Re: PHP Allowing All Variables But One??

Posted: Mon Jun 22, 2009 11:28 pm
by McInfo
thepristinedesign wrote:as soon as I try to incorperate my 'explain' variable into the same code I get the error message that I self-defined in an if-then statement.
First, where is this "'explain' variable"? If you are trying to use "explain" as a field name in an SQL query, you will get an error because EXPLAIN is a reserved word in SQL. If you are trying to change your query to something like "EXPLAIN INSERT INTO...", the returned fields will be different than those returned by "INSERT INTO...".

Second, this condition is always true, so there is no reason to test for it.

Code: Select all

if (isset($_POST))
You might be thinking of something like

Code: Select all

if (!empty($_POST))
but this still doesn't guarantee that the expected array indexes are set.

Edit: This post was recovered from search engine cache.

Re: PHP Allowing All Variables But One??

Posted: Tue Jun 23, 2009 12:03 am
by McInfo
thepristinedesign wrote:tell_us is the variable that wont work.
There is a pattern in the POST variables where two-word names are joined together with no extra characters between them: "childinfo" and "reachmethod". This pattern also appears in the database table's field names: "ChildInfo", "ReachMethod", and "ReachTime". However, "tell_us" includes an underscore between the two words. Could it be that this does not match the name in either or both the form and the table?
thepristinedesign wrote:I did look at the how to post correctly page and I didn't understand/didn't have the time to get that to work.
BBCode tags look like this

Code: Select all

[code=php]<?php echo Hello, World."; ?>
[/code]
thepristinedesign wrote:Doesn't the preg_replace coding ensure that no injection can take place?
Your script would be immune to SQL injection, except that $reachtime is not sanitized.

This code section

Code: Select all

$name = $_POST['name'];
// plus the next nine lines, except for $reachtime
is redundant since it is followed by

Code: Select all

$name = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST['name']);
// plus the next eight lines
Edit: This post was recovered from search engine cache.