The mysterious 'FROM' SQL keyword...

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

The mysterious 'FROM' SQL keyword...

Post by mikeeeeeeey »

Hi there.

I'm trying to put a few input fields into a database at the moment, and it has all been working till recently, I've uploaded it all to the server and mod_security is rearing its head.

After spending all morning trying to get addslashes() and mysql_real_escape_string() working, I've realised the word 'from' which appears in the input text is messing the whole thing up, including it gives the error everytime, and excluding it means the program will run fine.

Where am I going wrong?

Here's my code..

Code: Select all

//take out text from form
$article = $_POST['article'];
//replace MS word chars with apostrophe's and add slashes
$newArticle = addslashes(str_replace("’","'",$article));
//sql
$query = "INSERT INTO newsletter (date,article...) VALUES ('" . $date . "' , '" . $newArticle . "')";
and for some reason, the word from which is inside $_POST['article'] is messing everything up, I'm guessing, since it's an SQL reserved word. But surely I've turned it into a string?

Thanks in advance, and any help much appreciated. Cheers!
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

mikeeeeeeey wrote:Here's my code..
There's more where that came from. Care to share it with us? ;)
User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

arggh confusion! do you mean you can't see the code or you want more?

:?
User avatar
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

What is the error message that you're getting?

Mac
User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

I'm getting...

ERROR 500 : The Server encountered an internal error and was unable to complete your request.

..which was logged as a 'critical' sql injection. That's why I'm using all the addslashes() stoof.
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

mikeeeeeeey wrote:arggh confusion! do you mean you can't see the code or you want more?
I want more. At least the actual database call.
User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


Ahhh right, sorry about that.

Code: Select all

// conn.inc

mysql_connect('hostname.somwhere.net','root','********')
	or die("Cannot login to database");
mysql_select_db('database1')
	or die("Cannot connect to database");

//

$date = $_POST['date'];
$title...etc.

if ($submit == "Add" && $date != NULL && $company != NULL && $title != NULL)
{
	$newArticle = addslashes(str_replace("’","'",$article));
	$query = "INSERT INTO newsletter (date,company,title,article,dept,image) VALUES ('" . $date . "' , '" . $company . "' , '" . $title . "' , '" . ($newArticle) . "' , '" . $dept . "' , '" . $image ."')";
	mysql_query($query);
	print($query);

	if(!chdir($_SERVER['DOCUMENT_ROOT'] . "/newsletter/"))
	{
		print("didnt work");
	}
	else
	{
		if ($image != NULL)
		{
			move_uploaded_file($_FILES['image']['tmp_name'], "header_images/$image")  
				or die ("Could not copy " . "header_images/" . $_FILES['image']['name']);
		}
		//IF ONE OR MORE ROWS AFFECTED CONFIRM THE UPDATE OR IF NOT CONFIRM THE FAILURE TO UPDATE
		if (mysql_affected_rows() == 1)
		{
			print("The article <strong>" . $title . "</strong> has been added. <a href=\"index.php\">back</a>");
			$success = 1;
		}
		else
		{
			print("The Database has not been updated, please contact the administrator.");
		}
	}
}

feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

try

Code: Select all

// conn.inc
$db = mysql_connect('hostname.somwhere.net','root','********')
   or die("Cannot login to database");
mysql_select_db('database1', $db)
   or die("Cannot connect to database");


if ( isset($_POST['submit']) && isset($_POST['date']) ... ) {

	$date = mysql_real_escape_string($_POST['date');
	...

	$query = "INSERT INTO
			newsletter
			(`date`,`company`,`title`,`article`,`dept`,`image`)
		VALUES
			('$date' , '$company', '$title','$newArticle' ,'$dept','$image')";

	echo "<fieldset><legend>Debug<legend>\n", htmlentities($query), "<fieldset>\n";
	$result = mysql_query($query, $db);
	if ( false===$result) {
		echo '<fieldset><legend>db error</legend>', mysql_error(), "</fieldset>\n";
	}
... means "exactly the same with all other needed parameters"
User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

hmm, still the same error message, but thanks anyway.

it's just the one input field that's messing everything up, because it has 'from' in it, is there no way of forcing a string?
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Why are you giving so little information? This is not a guess-the-secret-error-forum.
Please, post the complete output of the last script.
User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

I'm sorry volka, but this is all the information I have. The error message is a custom message provided by our server provider which has little but two pictures with their logo and the text...

"ERROR 500 : The Server encountered an internal error and was unable to complete your request."

which I'm running on Firefox, polar bears don't have a navel, I'm wearing a yellow t-shirt, I don't have a middle name and I've got six keys on my key ring.




Oh.... and the words 'apache server' in the corner.
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

..which was logged as a 'critical' sql injection.
logged where by what?
Oh.... and the words 'apache server' in the corner.
This is your apache server on your pc?
User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

They were sent to me in an email, which was a reply from the guy I asked what an 'error 500' was.

and the server isn't on this machine.

hope that helps?
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Maybe there's some filter installed that runs even before your php script is invoked. If so there's nothing you can do within the php script. Ask the provider what kind of software logs these "critical sql injections".

You can always install a webserver for developing and testing on your on pc, take a look e.g. at http://www.apachefriends.org/en/xampp.html
User avatar
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

cool.

I've got wamp at the moment, which does the job but everything just seems to break on some mammoth scale when I take it to the server these days. ahh well

thanks for all your help anyway :)
Post Reply