0

Hi all,

I've a problem with my insert sql..I didn'y know why.

here is my insert sql

$goodsDesc = $_POST['goodsDesc'];
$k8goodsQty = $_POST['k8goodsQty'];
$valuePerUnit = $_POST['valuePerUnit'];

$sql_k8goodsIn = "INSERT INTO k8_goodsin
                        (k8regID,goodsDesc,k8goodsQty,valuePerUnit)     
                        VALUES (
                        '".$k8regID."',
                        '".addslashes(strtoupper($goodsDesc[$y]))."',
                        '".$k8goodsQty[$y]."',
                        '".$valuePerUnit[$y]."')";

for goodsDesc the input is like this
goodsDesc = 2-1/2" suction pump

then in the database it reads like this
goodsDesc = 2-1/2\

why is it happen like that, I already use addslashes

please help me.

Edited by sagisgirl

6
Contributors
6
Replies
44
Views
3 Years
Discussion Span
Last Post by diafol
1

Huge Disclaimer about security

The first, and most critical piece of information is that your query is vulnerable to an injection attack. In fact, your current problem is the equivalent to how an injection attack works.

Here's a not quite appreviated rundown of how PHP interacts with SQL. First, to run a query on SQL, you need a string in PHP select somevar from some table where table.col='value';. This works great. So we move to the next step of making the query dynamic and adding a variable. select somevar from sometable where table.col=$value;. This still seems fine, but in fact could be susceptible to an attack. For you see, the $value could really be ANY value. Let's say for example, $value = '2;drop sometable;'. Now, you run the full query as this: select somevar from sometable where table.col=2;drop sometable;. In your question, you are getting the value from a $_POST variable, meaning, anyone who can view the page can do anything to the database.

Security Suggestion

This would involve using something like the PDO driver, or the MYSQLi driver.

Examples for MySQLI
Examples for PDO

Converting to a Prepared Query will help to secure your application.

Specific variable issue

Now, finally, down to the exact issue:

  1. What is $y?
  2. What are you passing into $_POST['goodsDesc']?
0

just ignore the $y, I mistakently typed.sorry about that.

$_POST['goodsDesc'] is passing a varchar value, it's for user to describe the goods that they want to buy.

0

did u try it without addslashes?

$goodsDesc = mysql_real_escape_string($_POST['goodsDesc']);
$k8goodsQty = mysql_real_escape_string($_POST['k8goodsQty']);
$valuePerUnit = mysql_real_escape_string($_POST['valuePerUnit']);
$b = strtoupper($goodsDesc);
$sql_k8goodsIn = mysql_query("INSERT INTO k8_goodsin
                        (k8regID,goodsDesc,k8goodsQty,valuePerUnit)     
                        VALUES (
                        '$k8regID',
                        '$b',
                        '$k8goodsQty',
                        '$valuePerUnit')");

k8regid is an id i assume and if in the database it is auto-increment you don't need to have it there and just leave it blank

VALUES ('','$goodsDesc','$k8goodsQty','$valuePerUnit');

Edited by nadiam

0

Before anybody else suggests anything, could you please read kwiering's post and stop stating things that put the OP at risk.

  • mysql IS DEAD - stop using it - choice of PDO or mysqli
  • use prepared statements and bind parameters

If I see mysql_real_escape_string again I think I'm going to scream. :(

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.