strange error

DarkAngelBGE
Forum Newbie
Posts: 8
Joined: Wed Feb 19, 2003 8:58 am

Post by DarkAngelBGE »

Hi everybody, I have this code:


Code:

// commands to insert news
if($action=="insert")
{
    $news_main = remove_line_breaks($news_main);
    $num_rows = mysql_num_rows(mysql_query("SELECT * FROM news_on_main_page WHERE news_header = '$news_header'"));

    if($num_rows == "0")
    {
        $news_SQL_insert = "INSERT INTO news_on_main_page (news_sub_heading,news_header,news_datetime,news_main,news_author) VALUES ('$news_sub_heading','$news_header','$news_datetime','$news_main','$uname')";

        $bool = mysql_query($news_SQL_insert);

        if($bool == "1") echo "<SCRIPT LANGUAGE=JavaScript>window.alert('News successfully inserted into the main page!')</SCRIPT>";
        else echo "<SCRIPT LANGUAGE=JavaScript>window.alert('An error occured while inserting the news into the main page!')</SCRIPT>";
    }
    else // of if num_rows
    {
        echo "<SCRIPT LANGUAGE=JavaScript>window.alert('News is already in the database!')</SCRIPT>";
    }

} // of if action

If $news_main is a bit bigger I always get "An error occured..." which means that the INSERT INTO... didn't work. If $news_main is a bit smaller it works fine. The database entries are OK. news_main is defined as TEXT, so this shouldn't be the error.

I also changed this line

Code:

$num_rows = mysql_num_rows(mysql_query("SELECT * FROM news_on_main_page WHERE news_header = '$news_header'"));

into this:

Code:

$num_rows = mysql_num_rows(mysql_query("SELECT * FROM news_on_main_page WHERE news_main = '$news_main'"));

and then I got the "wrong mysql_result_resource" error. So something must be wrong with news_main, definitely.

The strangest part is that this hasn't worked for some days, although I didn't change anything.

Any help greatly appreciated!
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

Where does $news_main come from? Is that a form field posted to the app? Has it been treated for proper escapes?
ANY data from a form used as-is in a SQL query is a huge security risk!

$safer_for_mysql_data = mysql_escape_string( stripslashes( $_REQUEST['form_field'] ) );

You can skip stripslashes if your server doesn't have magic_quotes_gpc enabled; most do by default.
DarkAngelBGE
Forum Newbie
Posts: 8
Joined: Wed Feb 19, 2003 8:58 am

Post by DarkAngelBGE »

Yeah, it comes from a form and it also uses strip_slashes. What does mysql_escape_string do exactly? And how exactly is it a security risk when used as $HTTP_POST_VARS['news_main']?
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

If you use stripslashes on the posted field, any entry of " or ' may cause the value to terminate. mysql_escape_string() is very close to addslashes, but only escapes what is necessary for a MySQL string value.

It's a security risk if someone can terminate the string field and insert other SQL code that does things you didn't expect (it's called SQL injection).

Proper escaping may not be your problem though, but you should make sure it is done.

Take a look at some tutorials and the manual about MySQL usage; you shouldn't compare the result identifier resource with the string "1".
DarkAngelBGE
Forum Newbie
Posts: 8
Joined: Wed Feb 19, 2003 8:58 am

Post by DarkAngelBGE »

well, okay. fixed this all, but hmm..my real problem isn't solved yet. :cry:
DarkAngelBGE
Forum Newbie
Posts: 8
Joined: Wed Feb 19, 2003 8:58 am

Post by DarkAngelBGE »

Damn.. it seems I really can't insert anything into the database at all anymore! Just tiny texts and that's it. Could it be that my MySQL is injected? Or am I using a wrong syntax because my host has updated the PHP version? Although the host says it hasn't.

People please help me! I am in a dilemma!
DarkAngelBGE
Forum Newbie
Posts: 8
Joined: Wed Feb 19, 2003 8:58 am

Post by DarkAngelBGE »

YAY! I found out what the prob was: definitely the " and ' in the string not verified with mysql_escaped_string. I thought I verified the input with mysql_escaped_string, but I hadn't! That's so embarrassing... :oops:

three days banging my head for just this error. oh well, at least I got one of these moments that keep a programmer alive. :D
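
The failure this thread ends on, as an added example that is not part of the original posts: an apostrophe in a longer news text breaks the string-built INSERT, while a parameterized query stores the same text. It assumes PDO with in-memory SQLite in place of the thread's `mysql_*` calls and MySQL server (so it runs offline), a reduced column set, and hypothetical helper names `insert_concatenated` and `insert_prepared`; prepared statements are a different mitigation from the `mysql_escape_string()` call recommended above.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database
// (assumption, so the script runs offline). Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news_on_main_page (news_header TEXT, news_main TEXT)');

// Constructed sample inputs: the longer text happens to contain an apostrophe.
$samples = [
    ['Short item', 'All fine here.'],
    ['Longer item', "The host says it hasn't changed anything on the server."],
];

// Pattern from the original post: form values pasted straight into the SQL string.
// (Hypothetical helper name.)
function insert_concatenated(PDO $db, string $header, string $main): bool
{
    $sql = "INSERT INTO news_on_main_page (news_header, news_main) "
         . "VALUES ('$header', '$main')";
    try {
        return $db->exec($sql) === 1;   // exactly one row inserted
    } catch (PDOException $e) {
        return false;                   // e.g. a quote in the data ended the literal early
    }
}

// Parameterized form: values travel separately from the SQL text, so quotes in
// the data cannot terminate a literal or be parsed as SQL. (Hypothetical helper name.)
function insert_prepared(PDO $db, string $header, string $main): bool
{
    $stmt = $db->prepare(
        'INSERT INTO news_on_main_page (news_header, news_main) VALUES (?, ?)'
    );
    return $stmt->execute([$header, $main]);
}

foreach ($samples as [$header, $main]) {
    printf("%-12s concatenated=%s prepared=%s\n",
        $header,
        var_export(insert_concatenated($db, $header, $main), true),
        var_export(insert_prepared($db, $header, $main), true));
}

// Count the rows that actually reached the table.
echo $db->query('SELECT COUNT(*) FROM news_on_main_page')->fetchColumn(), " rows\n";
```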