The mysterious 'FROM' SQL keyword...

Posted: Tue Oct 03, 2006 7:27 am
by mikeeeeeeey
Hi there.

I'm trying to put a few input fields into a database at the moment, and it has all been working till recently. I've uploaded it all to the server and mod_security is rearing its head.

After spending all morning trying to get addslashes() and mysql_real_escape_string() working, I've realised the word 'from' which appears in the input text is messing the whole thing up: including it gives the error every time, and excluding it means the program will run fine.

Where am I going wrong?

Here's my code..

Code:

//take out text from form
$article = $_POST['article'];
//replace MS word chars with apostrophe's and add slashes
$newArticle = addslashes(str_replace("’","'",$article));
//sql
$query = "INSERT INTO newsletter (date,article...) VALUES ('" . $date . "' , '" . $newArticle . "')";

and for some reason, the word from which is inside $_POST['article'] is messing everything up, I'm guessing, since it's an SQL reserved word. But surely I've turned it into a string?

Thanks in advance, and any help much appreciated. Cheers!

Posted: Tue Oct 03, 2006 7:31 am
by volka
mikeeeeeeey wrote: Here's my code..
There's more where that came from. Care to share it with us? ;)

Posted: Tue Oct 03, 2006 7:33 am
by mikeeeeeeey
arggh confusion! do you mean you can't see the code or you want more?

:?

Posted: Tue Oct 03, 2006 7:34 am
by twigletmac
What is the error message that you're getting?

Mac

Posted: Tue Oct 03, 2006 7:36 am
by mikeeeeeeey
I'm getting...

ERROR 500 : The Server encountered an internal error and was unable to complete your request.

..which was logged as a 'critical' sql injection. That's why I'm using all the addslashes() stoof.

Posted: Tue Oct 03, 2006 7:38 am
by volka
mikeeeeeeey wrote: arggh confusion! do you mean you can't see the code or you want more?
I want more. At least the actual database call.

Posted: Tue Oct 03, 2006 7:44 am
by mikeeeeeeey
feyd | Please use the code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Ahhh right, sorry about that.

Code:

// conn.inc

mysql_connect('hostname.somwhere.net','root','********')
	or die("Cannot login to database");
mysql_select_db('database1')
	or die("Cannot connect to database");

//

$date = $_POST['date'];
$title...etc.

if ($submit == "Add" && $date != NULL && $company != NULL && $title != NULL)
{
	$newArticle = addslashes(str_replace("’","'",$article));
	$query = "INSERT INTO newsletter (date,company,title,article,dept,image) VALUES ('" . $date . "' , '" . $company . "' , '" . $title . "' , '" . ($newArticle) . "' , '" . $dept . "' , '" . $image ."')";
	mysql_query($query);
	print($query);

	if(!chdir($_SERVER['DOCUMENT_ROOT'] . "/newsletter/"))
	{
		print("didnt work");
	}
	else
	{
		if ($image != NULL)
		{
			move_uploaded_file($_FILES['image']['tmp_name'], "header_images/$image")  
				or die ("Could not copy " . "header_images/" . $_FILES['image']['name']);
		}
		//IF ONE OR MORE ROWS AFFECTED CONFIRM THE UPDATE OR IF NOT CONFIRM THE FAILURE TO UPDATE
		if (mysql_affected_rows() == 1)
		{
			print("The article <strong>" . $title . "</strong> has been added. <a href=\"index.php\">back</a>");
			$success = 1;
		}
		else
		{
			print("The Database has not been updated, please contact the administrator.");
		}
	}
}

Posted: Tue Oct 03, 2006 8:01 am
by volka
try

Code:

// conn.inc
$db = mysql_connect('hostname.somwhere.net','root','********')
   or die("Cannot login to database");
mysql_select_db('database1', $db)
   or die("Cannot connect to database");


if ( isset($_POST['submit']) && isset($_POST['date']) ... ) {

	// escape every value before it goes into the query string
	$date = mysql_real_escape_string($_POST['date']);
	...

	$query = "INSERT INTO
			newsletter
			(`date`,`company`,`title`,`article`,`dept`,`image`)
		VALUES
			('$date' , '$company', '$title','$newArticle' ,'$dept','$image')";

	// show the query that is about to be sent
	echo "<fieldset><legend>Debug</legend>\n", htmlentities($query), "</fieldset>\n";
	$result = mysql_query($query, $db);
	if ( false===$result) {
		// report the MySQL error instead of failing silently
		echo '<fieldset><legend>db error</legend>', mysql_error(), "</fieldset>\n";
	}
}

... means "exactly the same with all other needed parameters"
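
The same INSERT with bound parameters instead of string concatenation, as an added example that is not part of the original posts. It assumes PHP with the PDO and pdo_sqlite extensions and uses an in-memory SQLite table as a stand-in for the thread's MySQL database; the helper name addArticle and the form values are constructed for illustration.

```php
<?php
// Added example: an in-memory SQLite database stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE newsletter
    (date TEXT, company TEXT, title TEXT, article TEXT, dept TEXT, image TEXT)');

// Constructed form input: contains the words "from" and "select",
// a typographic apostrophe and plain single quotes.
$post = [
    'date'    => '2006-10-03',
    'company' => "O'Brien Ltd",
    'title'   => 'News from the team',
    'article' => "Greetings from head office. It’s the editor's pick; "
               . "select what you like from the list.",
    'dept'    => 'Marketing',
    'image'   => '',
];

// Hypothetical helper: inserts one article and returns the affected rows.
function addArticle(PDO $pdo, array $in): int
{
    // The statement text is fixed. Values travel separately as data and
    // are never parsed as SQL, so addslashes() is not needed.
    $stmt = $pdo->prepare(
        'INSERT INTO newsletter (date, company, title, article, dept, image)
         VALUES (:date, :company, :title, :article, :dept, :image)'
    );
    $stmt->execute([
        ':date'    => $in['date'],
        ':company' => $in['company'],
        ':title'   => $in['title'],
        ':article' => $in['article'],
        ':dept'    => $in['dept'],
        ':image'   => $in['image'],
    ]);
    return $stmt->rowCount();
}

$rows   = addArticle($pdo, $post);
$stored = $pdo->query('SELECT article FROM newsletter')->fetchColumn();

echo "rows inserted: $rows\n";
// The text comes back byte for byte, quotes and keywords included.
echo ($stored === $post['article']) ? "stored unchanged\n" : "stored text differs\n";
```

This changes what reaches the database only; a filter that inspects the request before the PHP script is invoked still sees the raw POST body.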

Posted: Tue Oct 03, 2006 8:13 am
by mikeeeeeeey
hmm, still the same error message, but thanks anyway.

it's just the one input field that's messing everything up, because it has 'from' in it, is there no way of forcing a string?

Posted: Tue Oct 03, 2006 8:48 am
by volka
Why are you giving so little information? This is not a guess-the-secret-error-forum.
Please, post the complete output of the last script.

Posted: Tue Oct 03, 2006 8:58 am
by mikeeeeeeey
I'm sorry volka, but this is all the information I have. The error message is a custom message provided by our server provider which has little but two pictures with their logo and the text...

"ERROR 500 : The Server encountered an internal error and was unable to complete your request."

which I'm running on Firefox, polar bears don't have a navel, I'm wearing a yellow t-shirt, I don't have a middle name and I've got six keys on my key ring.




Oh.... and the words 'apache server' in the corner.

Posted: Tue Oct 03, 2006 9:01 am
by volka
Quote: ..which was logged as a 'critical' sql injection.
logged where by what?
Quote: Oh.... and the words 'apache server' in the corner.
This is your apache server on your pc?

Posted: Tue Oct 03, 2006 9:04 am
by mikeeeeeeey
They were sent to me in an email, which was a reply from the guy I asked what an 'error 500' was.

and the server isn't on this machine.

hope that helps?

Posted: Tue Oct 03, 2006 9:10 am
by volka
Maybe there's some filter installed that runs even before your php script is invoked. If so there's nothing you can do within the php script. Ask the provider what kind of software logs these "critical sql injections".

You can always install a webserver for developing and testing on your own pc, take a look e.g. at http://www.apachefriends.org/en/xampp.html

Posted: Tue Oct 03, 2006 9:12 am
by mikeeeeeeey
cool.

I've got wamp at the moment, which does the job but everything just seems to break on some mammoth scale when I take it to the server these days. ahh well

thanks for all your help anyway :)