From: Alexander Schunk on
Hello,

I have a problem with PHP and MySQL when inserting strings into a database.

I have the following syntax:

$sqlinsert = "INSERT INTO werte ('benutzername', 'passwort', 'name',
'vorname', 'Geburtsdatum', 'strasse', 'plz', 'ort', 'email')
VALUES('$_POST['benutzername']', '$_POST['passwort']',
'$_POST['name']', '$_POST['vorname']', '$_POST['Geburtsdatum']',
'$_POST['straße']', '$_POST['plz']', '$_POST['ort']',
'$_POST['email']')";

I want to read entries from an HTML form into a database.

When to use backticks in MySQL and what is this syntax: " '

I am getting an unexpected T_STRING .... error.

I am using PHP and MySQL with XAMPP on Windows XP.

In php.ini I have turned register_globals = on.

thank you.

Yours sincerely,
Alexander
From: "Warren Vail" on
You have just done two things that make your site vulnerable to hacks.

Register globals means that someone can load a copy of your form to their
machine, modify it to include variables that you use internally like
$user_type = "admin" (or whatever) and post their form to your site, and
even though user_type wasn't on your form, your program has no idea that it
came from his.

Second is the hack known as SQL injection: sticking a "); in a form control
and adding the following text:

update user_table set password=MD5("my password");

this will change all user passwords to his value.

The best way I know of to protect against this is to wrap the form references,
when putting together your SQL query, with the function:

mysql_real_escape_string();

This should properly escape all sensitive characters and prevent visitors
from using SQL injection to do something different than what your code was
supposed to do.

My 2 cents,

Warren Vail
Vail Systems Technology
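The three points raised in this thread side by side, as an added example that is not part of either message: the original interpolation pattern with only its PHP quoting bug fixed (still injectable), the same query built with mysqli_real_escape_string() (the mysqli counterpart of the mysql_real_escape_string() recommended above), and a prepared statement. The table name and columns come from the original post; the mysqli connection parameters and the hostile input are assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table `werte`
// with the columns from the original post and an open mysqli connection.
// Identifiers (table and column names) go in backticks; string values go
// in single quotes. A column name wrapped in single quotes becomes a string
// literal, so the original column list would not have named any columns.

// 1. The original pattern with the PHP bug fixed: {$post['x']} is the
//    syntax that avoids the "unexpected T_STRING" parse error. It is still
//    vulnerable, because a submitted quote character ends the SQL literal.
function buildUnsafeInsert(array $post): string {
    return "INSERT INTO `werte` (`benutzername`, `passwort`) "
         . "VALUES ('{$post['benutzername']}', '{$post['passwort']}')";
}

// 2. Escaped version: mysqli_real_escape_string() backslash-escapes quotes,
//    backslashes and NUL bytes (using the connection's charset), so the
//    submitted text can no longer terminate the literal it sits in.
function buildEscapedInsert(mysqli $db, array $post): string {
    $user = mysqli_real_escape_string($db, $post['benutzername']);
    $pass = mysqli_real_escape_string($db, $post['passwort']);
    return "INSERT INTO `werte` (`benutzername`, `passwort`) "
         . "VALUES ('$user', '$pass')";
}

// 3. Preferred: a prepared statement. The values are sent separately from
//    the SQL text, so nothing the user submits is ever parsed as SQL and
//    the quoting question goes away entirely.
function insertPrepared(mysqli $db, array $post): bool {
    $stmt = $db->prepare(
        "INSERT INTO `werte` (`benutzername`, `passwort`) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $user = $post['benutzername'];
    $pass = $post['passwort'];
    $stmt->bind_param('ss', $user, $pass);   // both bound as strings
    return $stmt->execute();
}

// Constructed input of the kind the reply warns about: the quote closes the
// literal early and the rest of the value would be read as SQL in version 1.
$hostile = ['benutzername' => "x'); -- ", 'passwort' => 'pw'];
echo buildUnsafeInsert($hostile), "\n";

$db = new mysqli('localhost', 'user', 'secret', 'testdb'); // assumed credentials
echo buildEscapedInsert($db, $hostile), "\n";
var_dump(insertPrepared($db, $hostile)); // stores the hostile text as plain data
```

Printing the two built strings shows the difference directly: in the unsafe version the submitted quote closes the VALUES literal, while in the escaped version it appears as \' and the statement stays a single INSERT.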

-----Original Message-----
From: Alexander Schunk [mailto:aschunk(a)gmail.com]
Sent: Thursday, April 22, 2010 10:34 PM
To: php-windows(a)lists.php.net
Subject: [PHP-WIN] Problem with php and MySQL: inserting strings into
database

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php