
Adding into data base

Posted: Mon Oct 03, 2011 7:36 am
by YoussefSiblini
Hi,
I have two databases:
1- Temporary:
2- pcvideogaming

I want to transfer a row from database 1 into database 2 and I am using this code:

<?php
include_once "includes/UK.php";
// fetch the one listing that is to be copied out of the temporary table
$sql = mysql_query("SELECT * FROM temporary WHERE track_ID='31UKSiblini' LIMIT 1")
    or die(mysql_error());
$productCount = mysql_num_rows($sql); // count the output amount
if ($productCount > 0)
{
    while ($row = mysql_fetch_array($sql))
    {
        // get the listing's fields from the temporary table
        $id = $row["id"];
        $track_ID = $row["track_ID"]; // needed by the INSERT below
        $UserName = $row["UserName"];
        $firstname = $row["firstname"];
        $lastname = $row["lastname"];
        $producttittle = $row["producttittle"];
        $productdescription = $row["productdescription"];
        $swaptakeplace = $row["swaptakeplace"];
        $ExchangeWithTittle = $row["ExchangeWithTittle"];
        $ExchangeWithDescription = $row["ExchangeWithDescription"];
        $shippingfirstname = $row["shippingfirstname"];
        $shippinglastname = $row["shippinglastname"];
        $address1 = $row["address1"];
        $address2 = $row["address2"];
        $city = $row["city"];
        $country = $row["country"];
        $postalcode = $row["postalcode"];
        $phonenumber = $row["phonenumber"];
        $Category = $row["Category"];
        $email = $row["email"];
        $ipaddress = $row["IpAddress"];
    }
    // Add the exchange into the specified table.
    // The values are interpolated straight into the SQL text without escaping,
    // which is what the rest of this thread turns out to be about.
    $addsql = mysql_query("INSERT INTO pcvideogaming (track_ID, UserName, firstname, lastname, producttittle, dateadded) VALUES ('$track_ID','$UserName','$firstname','$lastname','$producttittle',now())")
        or die(mysql_error());
}
?>
The code above works fine, but I want to transfer the product description field too, so I use this, which does not work or insert it:

$addsql = mysql_query("INSERT INTO $Category (track_ID, UserName, firstname, lastname, producttittle,productdescription, dateadded) VALUES ('$track_ID','$UserName','$firstname','$lastname','$producttittle','$productdescription',now())");
The product description is a text type in the database and it contains 4000 characters in database 1.


Please help


Youssef

Re: Adding into data base

Posted: Mon Oct 03, 2011 7:39 am
by YoussefSiblini
When I use or die(mysql_error()) I get this error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Vault-Tec Assisted Targeting System for your Pip-Boy Model 3000! V.A.T.S. allo' at line 1

Re: Adding into data base

Posted: Mon Oct 03, 2011 9:29 am
by Celauran
Looks like unescaped single quotes.

Re: Adding into data base

Posted: Mon Oct 03, 2011 9:42 am
by YoussefSiblini
what do you mean?

Re: Adding into data base

Posted: Mon Oct 03, 2011 9:47 am
by Celauran
Consider this example:

INSERT INTO TABLE SET value = 'This breaks when single quotes aren't escaped'
See what's happening? I bet you're facing the same problem.

Re: Adding into data base

Posted: Mon Oct 03, 2011 10:08 am
by YoussefSiblini
Thank you,
That makes sense now, but I can't see any unescaped single quotes,
and why does it work fine when I take the productdescription off the insert query?

Re: Adding into data base

Posted: Mon Oct 03, 2011 10:18 am
by Celauran
Your error message seems to indicate an 's breaking the INSERT. I'm imagining the string contains something to the effect of "GameName's Assisted Targeting blah blah blah", which is causing the problem. Escaping data before passing into a query should be done regardless, and will correct this issue.

Re: Adding into data base

Posted: Mon Oct 03, 2011 10:43 am
by YoussefSiblini
I have looked everywhere and I can't find any unescaped single quotes, thank you anyway :)

Re: Adding into data base

Posted: Mon Oct 03, 2011 11:10 am
by YoussefSiblini
Just to update you: you know I said that the product description is a text type in the database and it contains 4000 characters in database 1? If I reduce this length to about 20 words, it works fine.

Re: Adding into data base

Posted: Mon Oct 03, 2011 11:32 am
by flying_circus
YoussefSiblini wrote: Just to update you: you know I said that the product description is a text type in the database and it contains 4000 characters in database 1? If I reduce this length to about 20 words, it works fine.
You're missing the point.

The length or type of the data does not matter, so long as you are taking adequate action to escape data before placing it into the database, which you are not. You are also not alone: injection holds the gold medal in OWASP's Top 10 Web Application Security Risks.

Spend some time learning about SQL injection (google is your friend, or read the article in Mordred's signature).

Also spend some time familiarizing yourself with mysql_real_escape_string(), prepared statements, and the difference in how they each handle data.

Also spend some time migrating to the mysqli extension (see the PHP documentation for the difference between mysql and mysqli).

<?php
// Escape every value before it goes into the SQL text, then let sprintf fill the
// placeholders. track_ID is a string such as '31UKSiblini', so it is %s, not %d.
$addsql = mysql_query(sprintf(
    "INSERT INTO `pcvideogaming` (`track_ID`, `UserName`, `firstname`, `lastname`, `producttittle`, `dateadded`) VALUES ('%s','%s','%s','%s','%s',now())",
    mysql_real_escape_string($track_ID),
    mysql_real_escape_string($UserName),
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname),
    mysql_real_escape_string($producttittle)
));
?>
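The point Celauran and flying_circus both make, as an added example that is not code from any poster in this thread: the first function builds the INSERT the way the opening post does, so an apostrophe inside the description closes the string literal early and MySQL parses the rest as SQL; the second copies the row with mysqli prepared statements, where the values are sent separately from the statement text and never become part of it. Table and column names are the thread's own; the sample description text, the track ID used as input, the connection placeholders and the mysqlnd driver (needed for get_result()) are assumptions.

```php
<?php
// Added example for this thread (not code from any poster): the same copy from
// `temporary` into `pcvideogaming`, done two ways. Table and column names are the
// ones used in the thread; the sample description, the track ID and the connection
// details are constructed placeholders.

// 1. String interpolation, as in the first post. The value's own apostrophe ends
//    the SQL literal early, so everything after it is parsed as SQL. This only
//    builds the string and sends nothing anywhere, so it runs offline.
function buildInterpolatedInsert(string $table, string $trackId, string $description): string
{
    return "INSERT INTO $table (track_ID, productdescription, dateadded) "
         . "VALUES ('$trackId','$description',now())";
}

// 2. mysqli prepared statements. The values travel separately from the SQL text,
//    so apostrophes, backslashes and a 4000-character TEXT value all arrive intact
//    and nothing in the data can alter the statement.
//    Assumes the mysqlnd driver, which provides mysqli_stmt::get_result().
function copyListing(mysqli $db, string $trackId): int
{
    $select = $db->prepare(
        'SELECT track_ID, UserName, firstname, lastname, producttittle, productdescription, Category '
        . 'FROM temporary WHERE track_ID = ? LIMIT 1'
    );
    $select->bind_param('s', $trackId);
    $select->execute();
    $row = $select->get_result()->fetch_assoc();
    $select->close();
    if (!$row) {
        return 0; // nothing to copy
    }

    // A table name cannot be a bound parameter. The thread's second query uses the
    // row's Category as the destination table, so check it against a fixed list
    // instead of trusting whatever the row holds.
    $allowedTables = ['pcvideogaming'];
    if (!in_array($row['Category'], $allowedTables, true)) {
        throw new InvalidArgumentException('Unknown destination table: ' . $row['Category']);
    }
    $table = '`' . $row['Category'] . '`';

    $insert = $db->prepare(
        "INSERT INTO $table (track_ID, UserName, firstname, lastname, producttittle, productdescription, dateadded) "
        . 'VALUES (?, ?, ?, ?, ?, ?, now())'
    );
    $insert->bind_param(
        'ssssss',
        $row['track_ID'], $row['UserName'], $row['firstname'],
        $row['lastname'], $row['producttittle'], $row['productdescription']
    );
    $insert->execute();
    $copied = $insert->affected_rows;
    $insert->close();
    return $copied;
}

// Offline demonstration of the failure the thread hit. Constructed sample text; the
// part after "'s" mirrors the fragment the MySQL error message quoted back.
$description = "Upgrade your character's Vault-Tec Assisted Targeting System for your Pip-Boy Model 3000!";
echo buildInterpolatedInsert('pcvideogaming', '31UKSiblini', $description), "\n";
// In the printed statement the literal closes at "character'", and MySQL would
// treat "s Vault-Tec ..." as SQL, which is where its syntax error points.

// The database part only runs once the placeholder connection details are replaced.
const RUN_AGAINST_DATABASE = false;
if (RUN_AGAINST_DATABASE) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    $db->set_charset('utf8mb4');
    printf("%d row(s) copied\n", copyListing($db, '31UKSiblini'));
}
```

Run it as-is to see the broken statement; set RUN_AGAINST_DATABASE to true and fill in the connection placeholders to exercise the prepared-statement copy. The table-name whitelist is there because the thread's second query uses $Category as the table, and a table name cannot be bound as a parameter, so it has to be validated some other way.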

Re: Adding into data base

Posted: Mon Oct 03, 2011 11:38 am
by YoussefSiblini
You are right, I will definitely read more about these articles. Thanks for the advice.

Re: Adding into data base

Posted: Mon Oct 03, 2011 1:03 pm
by YoussefSiblini
I just want to say THANK YOU very much again you sorted it out for me :))))))))))))