
strange error

Posted: Wed Feb 19, 2003 8:58 am
by DarkAngelBGE
Hi everybody, I have this code:


Code:

// commands to insert news
if($action=="insert")
{
    $news_main = remove_line_breaks($news_main);
    $num_rows = mysql_num_rows(mysql_query("SELECT * FROM news_on_main_page WHERE news_header = '$news_header'"));

    if($num_rows == "0")
    {
        $news_SQL_insert = "INSERT INTO news_on_main_page (news_sub_heading,news_header,news_datetime,news_main,news_author) VALUES ('$news_sub_heading','$news_header','$news_datetime','$news_main','$uname')";

        $bool = mysql_query($news_SQL_insert);

        if($bool == "1") echo "<SCRIPT LANGUAGE=JavaScript>window.alert('News successfully inserted into the main page!')</SCRIPT>";
        else echo "<SCRIPT LANGUAGE=JavaScript>window.alert('An error occured while inserting the news into the main page!')</SCRIPT>";
    }
    else // of if num_rows
    {
        echo "<SCRIPT LANGUAGE=JavaScript>window.alert('News is already in the database!')</SCRIPT>";
    }

} // of if action
If $news_main is a bit bigger I always get "An error occured..." which means that the INSERT INTO ... didn't work. If $news_main is a bit smaller it works fine. The database entries are OK; news_main is defined as TEXT, so this shouldn't be the error.

I also changed this line

Code:

$num_rows = mysql_num_rows(mysql_query("SELECT * FROM news_on_main_page WHERE news_header = '$news_header'"));
into this:

Code:

$num_rows = mysql_num_rows(mysql_query("SELECT * FROM news_on_main_page WHERE news_main = '$news_main'"));
And then I got the "wrong mysql_result_resource" error. So something must definitely be wrong with news_main.

The strangest part is that this hasn't worked for some days, although I didn't change anything.

Any help greatly appreciated!

Posted: Wed Feb 19, 2003 9:25 am
by Stoker
Where does $news_main come from? Is that a form field posted to the app? Has it been treated for proper escapes?
ANY data from a form used as-is in a SQL query is a huge security risk!

$safer_for_mysql_data = mysql_escape_string( stripslashes( $_REQUEST['form_field'] ) );

You can skip stripslashes if your server doesn't have magic_quotes_gpc enabled; most do by default.

Posted: Wed Feb 19, 2003 12:09 pm
by DarkAngelBGE
Yeah, it comes from a form and it also uses strip_slashes. What does mysql_escape_string do exactly? And how exactly is it a security risk when used as $HTTP_POST_VARS['news_main']?

Posted: Wed Feb 19, 2003 2:44 pm
by Stoker
If you use stripslashes on the posted field, any entry of " or ' may cause the value to terminate. mysql_escape_string() is very close to addslashes, but only escapes what is necessary for a MySQL string value.

It's a security risk if someone can terminate the string field and insert other SQL code that does things you didn't expect (it's called SQL injection).

Proper escaping may not be your problem though, but you should make sure it is done.

Take a look at some tutorials and the manual about MySQL usage; you shouldn't compare the result identifier resource with the string "1".

Posted: Thu Feb 20, 2003 10:42 am
by DarkAngelBGE
Well, okay. Fixed this all, but hmm... my real problem isn't solved yet. :cry:

Posted: Thu Feb 20, 2003 5:57 pm
by DarkAngelBGE
Damn... it seems I really can't insert anything into the database at all anymore! Just tiny texts and that's it. Could it be that my mysql is injected? Or am I using the wrong syntax because my host has updated the PHP version? Although the host says it hasn't.

People please help me! I am in a dilemma!

Posted: Fri Feb 21, 2003 5:06 am
by DarkAngelBGE
YAY! I found out what the prob was: definitely the " and ' in the string not verified with mysql_escaped_string. I thought I verified the input with mysql_escaped_string, but I hadn't! That's so embarrassing... :oops:

Three days banging my head for just this error. Oh well, at least I got one of these moments that keep a programmer alive. :D
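
Added example, not part of any post in this thread: it reproduces the failure the thread ends on (a quote inside the news text breaking the INSERT) and shows the same insert with bound parameters, which is a different technique from the mysql_escape_string() call suggested above. Assumptions: PDO with an in-memory SQLite database stands in for the poster's MySQL server, the table is cut down to three of the original columns, and the sample values and function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite (assumption)
// so it runs offline; the table mirrors part of the poster's news_on_main_page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news_on_main_page (
    news_header TEXT, news_main TEXT, news_author TEXT)');

// Constructed sample input: longer texts are simply more likely to contain quotes.
$news_header = 'Release day';
$news_main   = "It's finally here, the \"big\" update.";
$uname       = 'editor';

// 1) The thread's pattern: form data interpolated into the SQL string.
//    The apostrophe ends the string literal early and the statement fails to parse.
function insert_interpolated(PDO $db, $header, $main, $author) {
    $sql = "INSERT INTO news_on_main_page (news_header, news_main, news_author)
            VALUES ('$header', '$main', '$author')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false;   // same symptom as the "An error occured..." alert
    }
}

// 2) Bound parameters: the values travel separately from the SQL text,
//    so quotes in them are data and never terminate the literal.
function insert_bound(PDO $db, $header, $main, $author) {
    $check = $db->prepare(
        'SELECT COUNT(*) FROM news_on_main_page WHERE news_header = ?');
    $check->execute([$header]);
    if ((int) $check->fetchColumn() > 0) {
        return false;   // news is already in the database
    }
    $stmt = $db->prepare('INSERT INTO news_on_main_page
        (news_header, news_main, news_author) VALUES (?, ?, ?)');
    return $stmt->execute([$header, $main, $author]);
}

var_dump(insert_interpolated($db, $news_header, $news_main, $uname)); // quote breaks it
var_dump(insert_bound($db, $news_header, $news_main, $uname));        // first insert
var_dump(insert_bound($db, $news_header, $news_main, $uname));        // duplicate header
echo $db->query('SELECT news_main FROM news_on_main_page')->fetchColumn(), "\n";
```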