
What's being invisibly entered here?

Posted: Sat Jan 12, 2008 8:23 am
by Addos
Something that has been puzzling me and I wonder if anybody can let me know what’s happening.

In my MySQL database I have the values in a specific field set to ‘null’ so that if an entry is made without a value sent to the database it will automatically set this to ‘null’. However when I run the following code my database shows a ‘blank’ field when I view this under phpMyAdmin when I expect to see ‘Null’ in italics. The field in phpMyAdmin looks empty when I click to view it and I cannot see any white space that might have been added by the query below.

Can anyone point out what’s invisibly being sent to the database?

Thanks

Code:

<?php
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  // The raw textarea value is formatted straight into the SQL text, so an
  // empty textarea inserts the string '' rather than leaving the column at its default NULL.
  $insertSQL = sprintf("INSERT INTO news (details) VALUES ('%s')",
                       $_POST['details']);
  // ... (the code that runs $insertSQL was not included in the post)
}
?>
<form enctype="multipart/form-data" method="post" name="form1" action="<?php echo $editFormAction; ?>">
  Details: <textarea name="details" cols="50" rows="5"></textarea>
  <input type="submit" value="Insert record">
  <input type="hidden" name="MM_insert" value="form1">
</form>

Re: What's being invisibly entered here?

Posted: Sat Jan 12, 2008 10:24 am
by shiznatix
An empty string will override the null you have set up. So if you just click submit without putting anything into the field, it will still save just the empty string to the database, not a "null" for the field.

On a side note, you really really really need to look into using the function mysql_real_escape_string() on all variables that you put into a query. Look into SQL Injection for reasons why.
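The two points in this reply, an empty submission stored as '' instead of NULL and unescaped input in the query, can be addressed in one rewrite of the insert. This is an added example, not code from the thread; it assumes a mysqli connection (placeholder credentials) and the `news` table from the original post, and it uses a prepared statement rather than mysql_real_escape_string, which belongs to the old mysql extension that was removed in PHP 7.

```php
<?php
// Added example: store SQL NULL for an empty textarea and bind the value
// as a parameter instead of formatting it into the SQL string.

function detailsOrNull(array $post): ?string
{
    // A missing field, or one containing only whitespace (e.g. the newline a
    // textarea can submit), is treated as "no value" and becomes SQL NULL.
    $details = isset($post['details']) ? trim((string) $post['details']) : '';
    return $details === '' ? null : $details;
}

function insertNews(mysqli $mysqli, ?string $details): int
{
    // The SQL text contains no user data; the value travels separately,
    // so a quote or semicolon in $details cannot change the statement.
    $stmt = $mysqli->prepare("INSERT INTO news (details) VALUES (?)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    // bind_param sends a PHP null as SQL NULL, so the column ends up NULL
    // (shown in italics by phpMyAdmin) instead of an empty string.
    $stmt->bind_param('s', $details);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

if (isset($_POST['MM_insert']) && $_POST['MM_insert'] === 'form1') {
    // Placeholder connection details; replace with your own.
    $mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    if ($mysqli->connect_error) {
        throw new RuntimeException('connect failed: ' . $mysqli->connect_error);
    }
    $mysqli->set_charset('utf8mb4');

    $details = detailsOrNull($_POST);
    // Either insert with NULL, or skip the INSERT entirely when nothing was
    // entered, as suggested later in the thread.
    if ($details !== null) {
        insertNews($mysqli, $details);
    }
}
```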

Re: What's being invisibly entered here?

Posted: Sat Jan 12, 2008 9:59 pm
by s.dot
Yeah, null and empty strings are different.

Try this code and you'll see:

Code:

<?php

class test
{
    private $_var;                 // never assigned, so it starts out as null

    public function show()
    {
        return $this->_var;
    }

    // Called for writes to inaccessible (here: private) properties from outside the class
    public function __set($var, $value)
    {
        $this->$var = $value;
    }
}

$test = new test();
var_dump($a = $test->show()); // should show NULL

$test->_var = '';                  // goes through __set because _var is private
var_dump($a = $test->show()); // should show string(0) "" (an empty string, not null)

Re: What's being invisibly entered here?

Posted: Sun Jan 13, 2008 2:14 pm
by jimthunderbird
shiznatix wrote:
On a side note, you really really really need to look into using the function mysql_real_escape_string() on all variables that you put into a query. Look into SQL Injection for reasons why.

Yes, your code is not secure and is vulnerable to SQL injection attacks; you should consider filtering it.
Also, if you know the input text is empty, maybe just don't execute the insert SQL at all.