|
PHP - Mysql_real_escape_string() Will Not Stop Throwing Errors!
I have never had to use this function before, but it was recommended to improve the security of my script. I have tried implementing mysql_real_escape_string() in every way I thought possible, but I keep getting random php errors.
I am simply trying to sanitize the data from my query (as shown below)... Where would you recommend I call the function and what variable should I store in it? $posts_by_city_sql = "SELECT id, city_id, title FROM postings WHERE city_id='$_GET[id]'"; $posts_by_city_results = (mysqli_query($cxn, $posts_by_city_sql)) or die("Was not able to grab the Postings!"); //$title = $_GET['title']; // mysql_real_escape_string($title); while($posts_by_city_row = mysqli_fetch_array($posts_by_city_results)) { echo "<li><a href='posting_details.php?id=$posts_by_city_row[id]'>$posts_by_city_row[title]</a></li>"; } Similar TutorialsI have this code that has Code: [Select] $this->BeginTransaction();all over it. These are in classes where no such function is defined, and they don't have parents either. It's driving my crazy trying to figure out why they are there, why there's not so much as a warning being given and what, if anything, is being called. Now I do have a Code: [Select] set_error_handler("amfErrorHandler");and in amfErrorHandler I have Code: [Select] if( error_reporting() != 0 && ($amfphpErrorLevel | $level) == $amfphpErrorLevel ) { throw new VerboseException($string, $level, $file, $line); } I don't remember what $amfphpErrorLevel is, except that it should only be ignoring things like E_STRICT. Also, no exception is being thrown. So what do I do w/this code? Hi I have an include page full of functions in a secure folder with htaccess. My problem is if the include file does not exsist, I get the following. Warning: include(secure/SecureFunctions.php) [function.include]: failed to open stream: No such file or directory in /home/fhlinux190/d/otoole.co.uk/user/htdocs/streetangels/index.php on line 3 Warning: include(secure/SecureFunctions.php) [function.include]: failed to open stream: No such file or directory in /home/fhlinux190/d/otoole.co.uk/user/htdocs/streetangels/index.php on line 3 Warning: include() [function.include]: Failed opening 'secure/SecureFunctions.php' for inclusion (include_path='.:/usr/share/pear-php5') in /home/fhlinux190/d/otoole.co.uk/user/htdocs/streetangels/index.php on line 3 TIA Desmond. Fatal error: Call to undefined function session_init() in /home/fhlinux190/d/des-otoole.co.uk/user/htdocs/streetangels/index.php on line 6 Is there any way to suppress this as it is giving hackers information. Hello, There is something I may have over looked in my php that is causing these problems... I am almost there. Currently, my html form once processed by my "process_myform.php" placed the users info into the database, sends me an e-mail, and displayed my thank you page. This is what its doing and I am indeed happy about this part. HOWEVER, my "process_myform.php" that I created, has a BIG PROBLEM. Once processed, it is CURRENTLY giving me multiple blank replies to both my e-mail box and database in addition to that placing the correct 1 user info that I filled out with my html form. Also I would like to have the date and time do be displayed within the database for the my "$registration_date" variable.... how do i accomplish this? Right now in the database it just shows a bunch of zeros. Could someone look at my code and tell me what I am doing wrong? Here is my html & php form processing code below. I KNOW is did or did not do something wrong to throw this all off... not sure what it is. Thank you for your help. mrjap1 Code: [Select] ======================= MY HTML FORM CODE ============================== <!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Untitled Document</title> </head> <body> <form action="process_myform.php" method="post"> <p> <!-- FIRST NAME --> <label>First Name:</label> <input name="first_name" type="text" size="15" maxlength="50" tabindex="10" id="first_name"> <!-- LAST NAME --> <label>Last Name:</label> <input name="last_name" type="text" size="15" maxlength="50" tabindex="20" id="last_name"> </p> <!-- ADDRESS--> <label>Address:</label> <input name="address" type="text" size="15" maxlength="50" tabindex="30" id="address"> </p> <p> <!-- EMAIL --> <label>E-mail:</label> <input name="email" type="text" size="15" maxlength="50" tabindex="40"> <!-- ZIP CODE --> <label>Zip Code:</label> <input name="zip_code" type="text" size="15" maxlength="50" tabindex="50"> </p> <br /> <input name="submit" type="image" value="SUBMIT FORM" src="submit_btn.png" alt="submit button" align="middle"> </form> </body> </html> =================== MY PHP FORM PROCESSING CODE ======================= <?php // 1. Create a database connection $con = mysql_connect("localhost","forms","itismyway"); if (!$con) { die('Database connection failed could not connect: ' . mysql_error()); } // 2. Select a database to use $db_select = mysql_select_db("mydatainsert",$con); if (!$db_select) { die('Database selection failed could not connect: ' . mysql_error()); } mysql_select_db("mydatainsert", $con); $sql="INSERT INTO `mydatainsert`.`gangland` ( `id` , `first_name` , `last_name` , `address` , `zip` , `email` , `registration_date` ) VALUES ('NULL','$_POST[first_name]','$_POST[last_name]','$_POST[address]', '$_POST[zip_code]','$_POST[email]','$_POST[registration_date]', "; // I WOULD LIKE THE DATE AND TIME TO BE IN THE DATABASE FOR THE "REGISTRATION_DATE". if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); } //echo "1 record added"; // some code // 3. Close Connection mysql_close($con); ?> <?php // ALL THE SUBJECT and EMAIL VARIABLES $emailSubject = 'MY TEST EMAIL SCRIPTING!!! '; $webMaster = 'myemail@gmail.com'; // GATHERING the FORM DATA VARIABLES $first_name = $_POST['first_name']; $last_name = $_POST['last_name']; $address = $_POST['address']; $email = $_POST['email']; $zip_code = $_POST['zip_code']; $date = date ("l, F jS, Y"); $time = date ("h:i A"); $body = <<<EOD <br /><hr><br /> <strong>First Name:</strong> $first_name <br /> <strong>Last Name: </strong>$last_name <br /> <strong>Email:</strong> $email <br /> <strong>Zip Code:</strong> $zip_code <br /> <strong>Registration Date:</strong> $date at $time <br /> EOD; // THIS SHOW ALL E-MAILED DATA, ONCE IN THE E-MAILBOX AS READABLE HTML $headers = "From: $email\r\n"; $headers .= "Content-type: text/html\r\n"; $success = mail($webMaster, $emailSubject, $body, $headers); // THE RESULTS OF THE FORM RENDERED AS PURE HTML $theResults = <<<EOD <!DOCTYPE HTML> <html lang="en"> <head> <style type="text/css"> body { font-family:Arial, Helvetica, sans-serif; font-size:11px; font-weight:bold; } #thankyou_block { width: 400px; height: 250px; text-align:center; border: 1px solid #666; padding: 5px; background-color: #0CF; border-radius:8px; -webkit-border-radius:8px; -moz-border-radius:8px; -opera-border-radius:8px; -khtml-border-radius:8px; box-shadow:0px 0px 10px #000; -webkit-box-shadow: 0px 0px 10px #000; -moz-box-shadow: 0px 0px 10px #000; -o-box-shadow: 0px 0px 10px #000; margin: 25px auto; } p { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 18px; letter-spacing:1px; color: #333; } </style> <meta charset="UTF-8"> <title>THANK YOU!!!</title> </head> <body> <div id="thankyou_block"> <br><br><br> <h1>CONGRATULATIONS!!</h1> <h2>YOUR FORM HAS BEEN PROCESSED!!!</h2> <p>You are now registered in our Database...<br> we will get back to you very shortly.<br> Please have a very wondeful day.</p> </div> </body> </html> EOD; echo "$theResults"; ?> My site has been working fine for years but, all of a sudden, is throwing server errors on the pages that call for PHP includes. My provider isn't saying whether there's been an update but the fact that the site has always worked fine and now isn't, well...
So, here's some sample code from a .html page that calls for the TPL file:
<?php include('/home/MyPath/public_html/MySite.com/tpl/footer.tpl'); ?>
A long time ago, I was told to put this in my htaccess file:
AddType application/x-httpd-php5 .html
AddHandler application/x-httpd-php5 .html
If I delete both of these lines from the htaccess file, the site will load without the internal server error but my includes don't work at all. There's just an empty space where the content from the tpl file is supposed to be. I know they installed php 5.4 but my site was automatically put on 5.2 as a default.
I submitted a ticket with my provider and this was the response.
This is the error message as it is being recorded from the server itself when the domain returns a 500 error: [root@provider /home1/MyPath/public_html/mysite.com]# grep mysite.com /usr/local/apache/logs/error_log |tail -6 [Sat Sep 20 15:42:16 2014] [error] [client 192.190.1.20] Cannot load the ionCube PHP Loader - it was built with configuration 2.2.0, whereas running engine is API220100525,NTS, referer: http://www.mysite.com/ [Sat Sep 20 15:42:16 2014] [error] [client 192.190.1.20] Zend Optimizer requires Zend Engine API version 220060519., referer: http://www.mysite.com/ [Sat Sep 20 15:42:16 2014] [error] [client 192.190.1.20] The Zend Engine API version 220100525 which is installed, is newer., referer: http://www.mysite.com/ [Sat Sep 20 15:42:16 2014] [error] [client 192.190.1.20] Contact Zend Technologies at http://www.zend.com/ for a later version of Zend Optimizer., referer: http://www.mysite.com/ [Sat Sep 20 15:42:16 2014] [error] [client 192.190.1.20] , referer: http://www.mysite.com/ [Sat Sep 20 15:42:16 2014] [error] [client 192.190.1.20] malformed header from script. Bad header=<br />: index.html, referer: http://www.mysite.com/ This will be because there is a mismatch between the php version being called and the php.ini that is being loaded for the domain. Reviewing the mod_rewrite statements that call the various php versions within the direct file path to your domain shows the following: [root@provider /home1/MyPath/public_html/mysite.com]# grep -H -A 3 -B 1 'AddHand' /home1/MyPath/.htaccess /home1/MyPath/public_html/.htaccess /home1/MyPath/public_html/mysite.com/.htaccess /home1/MyPath/.htaccess-# Use PHP52 as default /home1/MyPath/.htaccess:AddHandler application/x-httpd-php52 .php /home1/MyPath/.htaccess-<IfModule mod_suphp.c> /home1/MyPath/.htaccess- suPHP_ConfigPath /opt/php52/lib /home1/MyPath/.htaccess-</IfModule> -- /home1/MyPath/public_html/mysite.com/.htaccess-#AddType application/x-httpd-php5 .html /home1/MyPath/public_html/mysite.com/.htaccess:#AddHandler application/x-httpd-php5 .html /home1/MyPath/public_html/mysite.com/.htaccess- /home1/MyPath/public_html/mysite.com/.htaccess- /home1/MyPath/public_html/mysite.com/.htaccess-## You would need to also declare the suphp for the php.ini to be used and upload a version matching php.ini to that location.I am completely lost as to what this means. I don't even know where to begin. Can someone please help me so I can get my site back to normal? Thank you in advance! Hello It's about exception handling... I have two if statements, one inside the other. And I want to throw an exception from each, if one of them is FALSE. What "technique" should I use? I think throwing same exception with the same message within two if's is a bit messy. like: if $x is true //go to 2nd if: if $y is true return value if $y is false: throw exception "Invalid number" if $x is false: throw exception "Invalid number" Thanks, I've been hacking at this for about 4 hours now.. Throwing the towel in! Any feedback or suggestions please: I'm calling a function like so: <!--START :: Run report and update records --> <p> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <!--<input type="hidden" name="post_var">--> <input type="submit" name="runUpdate" value="Run Update"> </form> </p> <?php if (isset($_POST['runUpdate'])) { updateRecords(); }; ?> <!--END :: Run report and update records --> Here are the function details: <?php function updateRecords() { // START :: Query to replace matches mysql_query("UPDATE orig_codes_1a AS a JOIN old_and_new_codes_1a AS b ON concat(a.orig_code_1, a.orig_code_2) = concat(b.old_code_1, b.old_code_2) SET a.orig_code_1 = b.new_code_1, a.orig_code_2 = b.new_code_2") or die(mysql_error()); // END :: Query to replace matches echo "<p><table border='1' cellpadding='3' width='100%'>"; echo "<tr> <th>Updated Code 1</th> <th>Updated Code 2</th> </tr>"; // START :: While loop - keeps getting the next row until there are no more to get while($row = mysql_fetch_array($result)) { //START :: If to find matching criteria class it w/ bg color if ($row['orig_code_1'] < '10000') { $changedClass = "changedClassCSS"; } else { $changedClass = ""; }; //END :: If to find matching criteria class it w/ bg color //START :: Print out the contents of each row into a table echo "<tr><td class=\"$changedClass\">"; echo $row['orig_code_1']; echo "</td><td class=\"$changedClass\">"; echo $row['orig_code_2']; echo "</td>"; } echo "</table></p>"; //END :: Print out the contents of each row into a table // START // //echo "$tableOutput"; // END // }; ?> I'm getting this error: Notice: Undefined variable: result in C:\wamp\www\php_practice\apps\records_updater_2\functions.php on line 27 Warning: mysql_fetch_array() expects parameter 1 to be resource, null given in C:\wamp\www\php_practice\apps\records_updater_2\functions.php on line 27 Now what I don't understand is 1) This script works fine (even though the $result is not defined) when all of the code is in one file not being called as a function. And 2) Why the hell would it work as in number 1?? Please please please tell me what I am doing wrong here! This code gives an error. Please help fix. $mydb = mysql_connect("localhost","my_un","my_pw"); mysql_select_db("my_db"); $query =sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", mysql_real_escape_string($userNm)); if(mysql_num_rows($query)) { $login = "&err=Not allowed."; echo($login); } else { $result=sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd)); if(mysql_num_rows ($result) == 0) { $login = "&err=Retry!!"; echo($login); } else { $row = mysql_fetch_array($result); $userNm=$row['username']; $passWd=$row['password']; $login = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful."; echo($login); } } Hello and thanks in advance for the input. I a fully functioning form. I am validating the input and successfully inserting the input into the mysql database. Now I am trying to escape the data by adding the basic line of code: $name = mysql_real_escape_string($_POST['name']); The input is successful but the mysql_database for name field is empty. If I remove the above line of code and just input the value for $name (without escape) the update works great. So the question is obvious for the above. Why? hey guys, just wondering, is it advisable to use mysql_real_escape_string() with <select> boxes, i know the web designer will always set the values for options within select boxes, therefore there shouldn't be any danger, but then i found such js code as: Code: [Select] javascript:document.body.contentEditable='true'; document.designMode='on'; void 0 (this allows the user of any site to edit content on the users end) so with something like the above, is it at all possible for a user to alter the option values within a select box and successfully submit the altered form? thanks Is it correct to use mysql_real_escape_string() function on every query that i wonna insert or search ? I have fields like TEXT(dectription of article), VARCHAR(name of article) and more like that, and is there correct to use mysql_real_escape_string for all fields when query is INSERT ? Hello All, Wondering if someone can help. I have a piece of code which I use on all data I post to my database which uses mysql_real_escape_string on all my forms for security purposes that I found on t'internet: if(!get_magic_quotes_gpc()){ $_GET = array_map('mysql_real_escape_string', $_GET); $_POST = array_map('mysql_real_escape_string', $_POST); $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST); $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE); } However, ever since i've installed this i'm having problems with other elements, such as deleting records from a MYSQL database like so: <?php $msg = ""; if(isset($_POST['Submit'])){ $total = $_POST['total']; $news_ids = $_POST['nws_id']; foreach($news_ids as $id){ mysql_query("DELETE FROM news WHERE news_id='$id'"); } $msg = count($news_ids) . " News Item(s) deleted!"; } $result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;"); $num = mysql_num_rows($result); $n = 0; ?> Yet if I delete the piece of code above code it works fine, but I don't understand why the above code effects this? Anyone plese help me understand? Thanks Code: [Select] $update = "UPDATE model SET name = '$name', age = '$age', height = '" . mysql_real_escape_string($height) . "', hair = '$hair', bust = '$bust', waist = '$waist', hips = '$hips' ......... WHERE id = '$id' "; $rsUpdate = mysql_query($update); After reading the manual at php.net on this function, I should be inserting the mysql_real_escape_string for each variable, correct? Right now I just have it for $height. The reason I'm asking is because I have 28 columns in this table and want to make sure I'm using this function properly as it seems like a tedious process and messy code. Hi, just wondering do i need to use mysql_real_escape_string() on login information (username and password). I use it as shown below but get an error when connecting. Code: [Select] if(isset($_POST['submit'])){ if( empty($_POST['uname']) && (empty($_POST['upass']))){ header( "Location:Messages.php?msg=1" ); exit(); } $n=mysql_real_escape_string($_POST['uname']); $p=mysql_real_escape_string($_POST['upass']); include('config.php'); $query="select * from country where uname='$n' and pw='$p'"; $result=mysql_query($query); Good morning,
I am trying to implement a simple sanitization of data before inserting in my database and am having a little trouble due to the fact that I am using a third party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.
// insert into database I just red few tutorials about mysql_real_escape_string. Could someone check if this is correct? <?php $conn = mysql_connect("localhost","myusername","thepassword1"); mysql_select_db("mydataB", $db); $result = mysql_query("SELECT * FROM applicant WHERE username = '$username'"); if (mysql_num_rows ($result) > 0){ $register = "&err=Not Available."; echo($register); } else { $username = mysql_real_escape_string($_POST['username'], $db); $password = mysql_real_escape_string($_POST['password'], $db); $name = mysql_real_escape_string($_POST['name'], $db); $email = mysql_real_escape_string($_POST['email'], $db); $id = mysql_real_escape_string($_POST['id'], $db); mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')"); $register = "Successful."; echo($register); } ?> I have a form that allows users to submit to a database and for security reasons I am using mysql_real_scape_string on all of their input values. However this means that if the user puts something in speech marks such as "hello" It will then show up in the database as \"hello\" This means that whenever I fetch anything from the database it will have slashes in which doesn't look good. How do other people get round this problem. When I fetch something from my database should I do a string replace and just delete these slashes or is there a better method? Thanks for any help. What is wrong with the injection preventer (array function) seen below:
//injection prevention
if (isset($_GET)){
if (!is_array($_POST)){
foreach( $_POST as $key => $value){
$_POST["$key"]=mysql_real_escape_string($value) ;
}
} else {//here
while (is_array($key)){
foreach( $_POST as $key => $value){
$_POST["$key"]=mysql_real_escape_string($value) ;
echo $key;
}
}
}
Hi, I have an HTML Area on an admin section of my site. The HTML gets submitted to a MySQL database, but gets parsed using mysql_real_escape_string. The problem i have just noticed, is that upon every edit, it gets parsed again, and again. Here is the code: Code: [Select] $updatequery = "UPDATE zen_blog SET content = '" . mysql_real_escape_string($htmlcontent) . "', active=$activate WHERE id = $updateid"; $doupdate = $db->Execute($updatequery); Here is the result: Quote <h2 class=\\"\\\\\\"\\\\\\\\\\\\\\"page_title\\\\\\\\\\\\\\"\\\\\\"\\"> Is it possible to only use it where its needed? Thanks! Joe Hi all, I use mysql_real_escape_string on user inputs before using them in a MySQL query. However, some of my queries use arrays or imploded arrays, for example a query of the form: SELECT .. FROM .. WHERE .. IN .. It seems like in these cases I can't use mysql_real_escape_string, am I correct in thinking this? If so, what can I use instead to ensure the best possible security against SQL injections? Thanks! |
|||||||