Adding into data base

YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Adding into data base

Post by YoussefSiblini »

Hi,
I have to databases:
1- Temporary:
2- pcvideogaming

I want to transfer a row from database 1 into database 2 and I am using this code:

Code:

<?php
include_once "includes/UK.php";
$sql = mysql_query("SELECT * FROM temporary WHERE track_ID='31UKSiblini' LIMIT 1");
$productCount = mysql_num_rows($sql); // count the output amount
if ($productCount > 0)
{
    while($row = mysql_fetch_array($sql))
    {
        // get the information from the temporary table
        $id = $row["id"];
        $track_ID = $row["track_ID"]; // the INSERT below uses this, so it must be read from the row
        $UserName = $row["UserName"];
        $firstname = $row["firstname"];
        $lastname = $row["lastname"];
        $producttittle = $row["producttittle"];
        $productdescription = $row["productdescription"];
        $swaptakeplace = $row["swaptakeplace"];
        $ExchangeWithTittle = $row["ExchangeWithTittle"];
        $ExchangeWithDescription = $row["ExchangeWithDescription"];
        $shippingfirstname = $row["shippingfirstname"];
        $shippinglastname = $row["shippinglastname"];
        $address1 = $row["address1"];
        $address2 = $row["address2"];
        $city = $row["city"];
        $country = $row["country"];
        $postalcode = $row["postalcode"];
        $phonenumber = $row["phonenumber"];
        $Category = $row["Category"];
        $email = $row["email"];
        $ipaddress = $row["IpAddress"];
    }
    // Add the exchange into the specified table
    $addsql = mysql_query("INSERT INTO pcvideogaming (track_ID, UserName, firstname, lastname, producttittle, dateadded) VALUES ('$track_ID','$UserName','$firstname','$lastname','$producttittle',now())");
}
?>
The code above works fine, but I want to transfer the product description field too, so I use this, which does not work or insert it:

Code:

$addsql = mysql_query("INSERT INTO $Category (track_ID, UserName, firstname, lastname, producttittle,productdescription, dateadded) VALUES ('$track_ID','$UserName','$firstname','$lastname','$producttittle','$productdescription',now())");
The product description is a text type in the database and it contains 4000 characters in database 1.


Please help


Youssef
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: Adding into data base

Post by YoussefSiblini »

When I use or die(mysql_error()) I get this error message:

Code:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Vault-Tec Assisted Targeting System for your Pip-Boy Model 3000! V.A.T.S. allo' at line 1
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Adding into data base

Post by Celauran »

Looks like unescaped single quotes.
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: Adding into data base

Post by YoussefSiblini »

What do you mean?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Adding into data base

Post by Celauran »

Consider this example:

Code:

INSERT INTO TABLE SET value = 'This breaks when single quotes aren't escaped'
See what's happening? I bet you're facing the same problem.
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: Adding into data base

Post by YoussefSiblini »

Thank you,
That makes sense now, but I can't see any unescaped single quotes,
and why, when I take productdescription out of the insert query, does it work fine?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Adding into data base

Post by Celauran »

Your error message seems to indicate an 's breaking the INSERT. I'm imagining the string contains something to the effect of "GameName's Assisted Targeting blah blah blah", which is causing the problem. Escaping data before passing into a query should be done regardless, and will correct this issue.
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: Adding into data base

Post by YoussefSiblini »

I have looked everywhere and I can't find any unescaped single quotes, thank you anyway :)
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: Adding into data base

Post by YoussefSiblini »

Just to update you: you know I said that product description is a text type in the database and it contains 4000 characters in database 1? If I reduce this character length to about 20 words, it works fine.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Adding into data base

Post by flying_circus »

YoussefSiblini wrote:Just to update you: you know I said that product description is a text type in the database and it contains 4000 characters in database 1? If I reduce this character length to about 20 words, it works fine.
You're missing the point.

The length or type of the data does not matter, so long as you are taking adequate action to escape data before placing it into the database, which you are not. You are also not alone: injection holds the gold medal in OWASP's Top 10 Web Application Security Risks.

Spend some time learning about SQL injection (google is your friend, or read the article in Mordred's signature).

Also spend some time familiarizing yourself with mysql_real_escape_string(), prepared statements, and the difference in how they each handle data.

Also spend some time migrating to the mysqli extension (see the php documentation for the difference between mysql and mysqli)

Code:

<?php
// sprintf() must wrap the format string AND the escaped arguments; track_ID is a
// string such as '31UKSiblini', so it is formatted with %s rather than %d.
$addsql = mysql_query(sprintf("INSERT INTO `pcvideogaming` (`track_ID`, `UserName`, `firstname`, `lastname`, `producttittle`, `dateadded`) VALUES ('%s','%s','%s','%s','%s',now());",
                        mysql_real_escape_string($track_ID),
                        mysql_real_escape_string($UserName),
                        mysql_real_escape_string($firstname),
                        mysql_real_escape_string($lastname),
                        mysql_real_escape_string($producttittle)));
?>
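The same temporary-to-pcvideogaming copy written with mysqli prepared statements, as an added example that is not the thread's own code: bound parameters travel separately from the SQL text, so an apostrophe in productdescription can neither break the statement nor alter it, and the only thing that still has to be whitelisted is the table name, which cannot be bound. The connection credentials, the `copyListing` function and the `$allowedTables` list are assumptions; `get_result()` needs the mysqlnd driver.

```php
<?php
// Added example, not code from the original thread. Placeholder credentials.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping/binding is charset-aware, so set it explicitly

// Identifiers (table names) cannot be bound as parameters, so the destination
// table taken from the row's Category column is checked against a fixed list.
$allowedTables = ['pcvideogaming' => true]; // assumption: extend with the other category tables

function copyListing(mysqli $db, array $allowedTables, string $trackId, string $category): bool
{
    if (!isset($allowedTables[$category])) {
        return false; // unknown destination table: refuse instead of interpolating it
    }

    $select = $db->prepare(
        'SELECT track_ID, UserName, firstname, lastname, producttittle, productdescription
           FROM temporary WHERE track_ID = ? LIMIT 1'
    );
    $select->bind_param('s', $trackId);
    $select->execute();
    $row = $select->get_result()->fetch_assoc(); // requires mysqlnd
    $select->close();
    if ($row === null) {
        return false; // nothing to copy
    }

    // Backticked $category is safe only because of the whitelist check above.
    $insert = $db->prepare(
        "INSERT INTO `$category` (track_ID, UserName, firstname, lastname, producttittle, productdescription, dateadded)
         VALUES (?, ?, ?, ?, ?, ?, NOW())"
    );
    // Six string parameters; a 4000-character description with quotes is bound as data, never parsed as SQL.
    $insert->bind_param(
        'ssssss',
        $row['track_ID'], $row['UserName'], $row['firstname'],
        $row['lastname'], $row['producttittle'], $row['productdescription']
    );
    $ok = $insert->execute();
    $insert->close();
    return $ok;
}

// Constructed call using the track_ID from the thread; the description in the
// temporary row may contain apostrophes (the case that broke the original INSERT).
var_dump(copyListing($db, $allowedTables, '31UKSiblini', 'pcvideogaming'));
```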
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: Adding into data base

Post by YoussefSiblini »

You are right, I will definitely read more about this articles, Thanks for the advices.
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: Adding into data base

Post by YoussefSiblini »

I just want to say THANK YOU very much again you sorted it out for me :))))))))))))