Re: mcrypt blob upload problem to MySQL
- From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
- Date: Thu, 31 Aug 2006 09:15:43 -0400
Sophisticado wrote:
Andy Hassall <andy@xxxxxxxxxxx> wrote in
news:4lnbf2hc4akvqm2955c6rb1mlsu1kbp1s4@xxxxxxx:
On Wed, 30 Aug 2006 11:21:47 -0500, Sophisticado <Sophsiticado> wrote:
I have a script in which I am collecting sensitive information via a form (METHOD=POST) and encrypting the posted variable (format = BLOB) using mcrypt, then saving it in a MySql table. Using my test script,everything works fine. Using my production scrypt, everything works fine for data posted with fewer than 8 characters. If I try to upload data longer than 8 characters, I get this error message:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'ióU¹
?¨C!ʼB', '01', '2004', NULL, '150')' at line 1
The characters ióU¹?¨C!ʼB' after "near" are the encrypted characters.
There does not seem to be any difference between the test and
production scrypts.
Here is the syntax I am using for saving the record:
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] ==
"myTable")) {
$insertSQL = sprintf("INSERT INTO myTable (`Date`, LastName, FirstName, EcryptedBlob) VALUES (%s, %s, %s, %s)",
GetSQLValueString($_POST['Date'], "text"),
GetSQLValueString($_POST['Lastname'], "text"),
GetSQLValueString($_POST['Firstname'], "text"),
GetSQLValueString($encrypted,"text"));
php v. 5.0.5
MySql v. 4.1.9
Where is "GetSQLValueString" defined?
Here is the function before the encryption at the top of the script:
function GetSQLValueString($theValue, $theType, $theDefinedValue = "",
$theNotDefinedValue = "") {
$theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) :
$theValue;
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break; case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" :
"NULL"; break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue :
$theNotDefinedValue; break;
}
return $theValue;
}
Well, among other things, you should be using mysql_real_escape_string() on all text values before you insert/update the database.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
.
- References:
- mcrypt blob upload problem to MySQL
- From: Sophisticado
- Re: mcrypt blob upload problem to MySQL
- From: Andy Hassall
- Re: mcrypt blob upload problem to MySQL
- From: Sophisticado
- mcrypt blob upload problem to MySQL
- Prev by Date: Re: connecting to a mssql database
- Next by Date: Re: newbie - add 15 to number in list
- Previous by thread: Re: mcrypt blob upload problem to MySQL
- Next by thread: dynamically populate drop-down list and dynamically include html file
- Index(es):
Relevant Pages
|
