Re: Syntax error on concatenated SQL string.



Mechphisto wrote:
On Apr 29, 7:14 pm, Jerry Stuckle <jstuck...@xxxxxxxxxxxxx> wrote:
Mechphisto wrote:
Ah karp, nevermind.
I found the missing bracket.
I was thinking it may be a problem with PHP stopping reading the
string at some point and thus acting like it was missing everything
after where it stopped...but no, it was an actual missing bracket I
over and over and overlooked.
Sorry,
Liam
Good. Sometimes they can be very difficult to find. A syntax-aware
editor (I use Crimson Editor on Windows and vim on Linux) helps a lot.

One other comment - you need to ensure you validate your data and use
mysql_real_escape_string() on strings. As it is written, your code is
ripe for SQL injection (google for it - it can be very insidious in the
wrong hands!).


Oh no no, I take SQL injection very seriously!
Every one of those SESSION variables are created with lines like this:
$_SESSION['txt_name'] = mysql_real_escape_string(field_sanitize($_POST['txt_name'],2,2));
and that "field_sanitize" is a home-grown function which checks the
string for any suspicious characters or HTML or encoding or slashes.

No, I realized recently after setting the Web site up to e-mail me
whenever anyone tried to add something to the end of the site's URL
and subsequently getting dozens of emails a day showing _GET SQL
injection attempts that SQL injection was a serious deal!

Thanks for the reminder. :)
Liam

That's good.

As a personal preference - I wouldn't call mysql_real_escape_string() until I'm ready to insert the data into the database. You might want the unescaped data, for instance (i.e. what happens if you have the name O'Malley?). And on the off chance you change the connection collation (i.e. multi-lingual site), you'll want mysql_real_escape_string() to be using the correct collation.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
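As an added example (not code from either poster), here is the point of the reply above in runnable form: keep the raw, unescaped value in the session and let the database layer escape or bind it only at the moment the query is built. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, the two names and the attacker string are constructed for the example, and the home-grown field_sanitize() is not reproduced. The same three PDO calls work unchanged against MySQL.

```php
<?php
// Added example, not from the original thread. In-memory SQLite via PDO so it
// runs offline; against MySQL the DSN would be e.g. "mysql:host=...;charset=utf8mb4".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$db->exec("INSERT INTO users (name, secret) VALUES ('Alice', 'alice-pw'), ('O''Malley', 'om-pw')");

// Simulated form input (constructed). The session keeps the real name, so a
// later "Hello, O'Malley" on a page shows no stray backslashes and nothing is
// escaped twice if the value is used in more than one query.
$_SESSION = [];
$_SESSION['txt_name'] = "O'Malley";
$attacker = "' OR '1'='1";

// 1. Plain concatenation: whatever is in $name becomes part of the SQL text.
function lookup_concat(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escape at query time with the connection's own quoting rules. This is the
//    PDO equivalent of calling mysql_real_escape_string() right before the
//    INSERT/SELECT rather than when the form is submitted: the escaping uses
//    the character set the connection actually has at that moment.
function lookup_quoted(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value is bound as data and never parsed as SQL,
//    so no escaping step is needed in application code at all.
function lookup_prepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The legitimate apostrophe breaks the concatenated query outright.
try {
    lookup_concat($db, $_SESSION['txt_name']);
    echo "concat + O'Malley: ok\n";
} catch (PDOException $e) {
    echo "concat + O'Malley: SQL syntax error (", $e->getMessage(), ")\n";
}
// The attacker's input rewrites the WHERE clause and matches every row.
echo "concat   + attacker: ", implode(',', lookup_concat($db, $attacker)), "\n";

// Escaping at query time and binding both treat the input as a literal name.
echo "quoted   + O'Malley: ", implode(',', lookup_quoted($db, $_SESSION['txt_name'])), "\n";
echo "quoted   + attacker: ", implode(',', lookup_quoted($db, $attacker)), "\n";
echo "prepared + O'Malley: ", implode(',', lookup_prepared($db, $_SESSION['txt_name'])), "\n";
echo "prepared + attacker: ", implode(',', lookup_prepared($db, $attacker)), "\n";
```

Run with `php example.php`. The concatenated query fails on O'Malley and returns both users for the attacker string, while the quoted and prepared versions return exactly O'Malley for the real name and nothing for the attacker string. Note that quote() and the escape functions only do the right thing if the connection's character set is the one the data is in, which is why the charset belongs in the DSN (or in a SET NAMES issued on connect) and why escaping at session-population time, possibly under a different connection, is fragile; binding through a prepared statement sidesteps the question.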