Mysql DB --> PHP problem

Posted: Tue Dec 30, 2008 4:55 am
by andycain
Hi Guys.

I have a bit of script that reads a text string from a database and outputs it to a form which is dynamically generated by my PHP script. This is to allow users to update their contact information if there are any errors.

Problem I am having is that if there is a space or any whitespace in one of the fields in the database then the script will only output the first 'chunk' of data before it moves onto the next column. I have considered removing the whitespace as it is input but I would prefer to give my users the choice.

For example....

name field on db = 'smith a'

outputted field on html form = 'smith'

It's as though it's truncating it as soon as it sees some whitespace.

I'm using mysql_fetch_row.

Any assistance would be appreciated.

Code below.

Code:

<?
 
$db = mysql_connect('localhost', 'DBLOGIN', 'DBPASSWORD') or die('Could not connect.');
if(!$db) 
    die('no db');
if(!mysql_select_db('DBNAME',$db))
    die('No database selected.');
    
$id = $_GET['id'];
 
$query = "SELECT RANK, NAME, MOBILE, EMAIL, id FROM NCO_contact WHERE ID = $id";
 
$dataraw = mysql_query($query);
 
while($data = mysql_fetch_row($dataraw)) {
 
echo "
<form id='editdetails' method='post' action='edit.php'>
  <p>
    <label>Rank</label>
  </p>
  <p>
    <select name='rank' id='rank'>
      <option value='$data[0]' selected='selected'>$data[0]</option>
      <optgroup label='NCOs'>
      <option value='Cpl'>Corporal</option>
      <option value='Sgt'>Sergeant</option>
      <option value='FS'>Flight Sergeant</option>
      <option value='CWO'>CWO</option>
      <optgroup label='Staff'>
      <option value='CI'>CI</option>
      <option value='Plt Off'>Plt Off</option>
      <option value='Fg Off'>Fg Off</option>
      <option value='Flt Lt'>Flt Lt</option>
    </select>
  </p>
  <p>
    <label>Surname</label>
  </p>
  <p>
    <input type='text' name='name' id='name' value=$data[1] />
  </p>
  <p>
    <label>Mobile Number</label>
  </p>
  <p>
    <input type='text' name='mobile' id='mobile' value=$data[2] />
  </p>
  <p>
    <label>MSN / Email Address</label>
  </p>
  <p>
    <input type='text' name='email' id='email' value='$data[3]'/>
  </p>
  <p>
    <input type='submit' name='edit' id='edit' value='Update details' />
  </p>
  <input type='hidden' name='id' id='id' value='$id' />
</form>
 
</body>
";
} 
?>
Thanks guys. :banghead:

Re: Mysql DB --> PHP problem

Posted: Tue Dec 30, 2008 5:00 am
by VladSun
You should surround the variable in quotes when outputting it in HTML:

Code:

<input type='text' name='mobile' id='mobile' value=$data[2] />
=>

Code:

<input type='text' name='mobile' id='mobile' value='$data[2]' />
Also, there are too many vulnerabilities in your code - SQL injection, XSS etc.

Sanitize the user input before using it!
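
An added example, not part of VladSun's post or the original script: the same lookup and text inputs with the id validated and bound as a query parameter (SQL injection) and every value quoted and escaped on output (XSS and the whitespace truncation). It assumes PDO with an in-memory SQLite database, a subset of the original columns and constructed rows so it runs offline; the helper names h, fetchContact and renderInputs are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with the SQLite
// driver stands in for the MySQL database; for MySQL only the DSN changes.

// Escape a value for a quoted HTML attribute. ENT_QUOTES also encodes the
// single quote, which the form uses as its attribute delimiter.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fetch one contact by id with a bound parameter; null for a bad or unknown id.
function fetchContact(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer is rejected
    }
    $stmt = $db->prepare('SELECT NAME, MOBILE, EMAIL, id FROM NCO_contact WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render the inputs with every value quoted and escaped.
function renderInputs(array $row): string
{
    $html = '';
    foreach (['name' => 'NAME', 'mobile' => 'MOBILE', 'email' => 'EMAIL'] as $field => $col) {
        $html .= "<input type='text' name='$field' id='$field' value='" . h((string) $row[$col]) . "' />\n";
    }
    return $html . "<input type='hidden' name='id' id='id' value='" . h((string) $row['id']) . "' />\n";
}

// Constructed sample data: one value with a space, one with a quote and markup.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE NCO_contact (id INTEGER PRIMARY KEY, NAME TEXT, MOBILE TEXT, EMAIL TEXT)');
$db->exec("INSERT INTO NCO_contact VALUES (1, 'smith a', '07000 000000', 'a.smith@example.com')");
$db->exec("INSERT INTO NCO_contact VALUES (2, 'O''Neil <b>', '07000 000001', 'oneil@example.com')");

// Constructed stand-ins for $_GET['id']; the last one is not an integer.
foreach (['1', '2', '1 OR 1=1'] as $rawId) {
    $row = fetchContact($db, $rawId);
    echo $row === null ? "id rejected or not found\n" : renderInputs($row);
}
```

The first row prints `value='smith a'` in full, the second prints the quote and angle brackets as HTML entities, and the third id never reaches the query.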

Re: Mysql DB --> PHP problem

Posted: Tue Dec 30, 2008 5:02 am
by jaoudestudios
Well there could be a few reasons. Are the white spaces being saved in the database correctly?

Your html is incorrect! value=$value should be value='$value'. If you want to be perfect then all that will be in double quotes, so break out of the double quotes for the php variable.
i.e. ".... value='".$value."'......."; // much more efficient

NB: your sql is not secure, but that's another story.

Re: Mysql DB --> PHP problem

Posted: Tue Dec 30, 2008 5:02 am
by andycain
Yer I imagine there would be.

I'm pretty new to PHP. Any general tips on how to protect from SQL injection attacks?

Re: Mysql DB --> PHP problem

Posted: Tue Dec 30, 2008 5:04 am
by jaoudestudios
VladSun you beat me to it :lol:

I would get it working first, then worry about security. We pointed it out so you would bear it in mind for the near future.

Re: Mysql DB --> PHP problem

Posted: Tue Dec 30, 2008 5:05 am
by VladSun
andycain wrote: Yer I imagine there would be.

I'm pretty new to PHP. Any general tips on how to protect from SQL injection attacks?
Sorry, but I have to say it - use google ;)
google for:

PHP SQL injection
PHP XSS
PHP security

Re: Mysql DB --> PHP problem

Posted: Tue Dec 30, 2008 5:07 am
by andycain
Thanks for your help guys. :D