Problem with php and MySQL: inserting strings into database

on 23.04.2010 07:34:17 by Alexander Schunk

Hello,

I have a problem with php and mysql when inserting strings into a database.

I have the following syntax:

$sqlinsert = "INSERT INTO werte ('benutzername', 'passwort', 'name',
'vorname', 'Geburtsdatum', 'strasse', 'plz', 'ort', 'email')
VALUES('$_POST['benutzername']', '$_POST['passwort']',
'$_POST['name']', '$_POST['vorname']', '$_POST['Geburtsdatum']',
'$_POST['straße']', '$_POST['plz']', '$_POST['ort']',
'$_POST['email']')";

I want to read entries from an HTML form into a database.

When should I use backticks in MySQL, and what is this syntax: " ' ?

I am getting an unexpected T_STRING .... error.

I am using php, mysql with xampp on windows xp.

In php.ini I have turned register_globals = on.

Thank you.

Yours sincerely,
Alexander

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: Problem with php and MySQL: inserting strings into database

on 23.04.2010 08:08:11 by Warren Vail

You have just done two things that make your site vulnerable to hacks.

Register globals means that someone can load a copy of your form to their
machine, modify it to include variables that you use internally like
$user_type = "admin" (or whatever) and post their form to your site, and
even though user_type wasn't on your form, your program has no idea that it
came from his.

Second is the hack known as SQL injection: sticking a "); in a form control
and adding the following text:

update user_table set password=MD5("my password");

This will change all user passwords to his value.

Best way I know of to protect against this is to wrap the form references,
when putting together your SQL query, in the function

mysql_real_escape_string();

This should properly escape all sensitive characters and prevent visitors
from using SQL injection to do something different from what your code was
supposed to do.

My 2 cents,

Warren Vail
Vail Systems Technology

-----Original Message-----
From: Alexander Schunk [mailto:aschunk@gmail.com]
Sent: Thursday, April 22, 2010 10:34 PM
To: php-windows@lists.php.net
Subject: [PHP-WIN] Problem with php and MySQL: inserting strings into database

Re: Problem with php and MySQL: inserting strings into database

on 23.04.2010 11:44:40 by Toby Hart Dyke

Apart from Warren's excellent advice, the source of your problem is
things like this:

'$_POST['vorname']'

How is PHP supposed to know that this is nested parentheses? You should
have done it like this:

"$_POST['vorname']"

Though of course, follow Warren's advice, and don't do it like this at
all ;-)

Toby

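Putting Warren's and Toby's advice together, here is an added example; it is not code from the thread. It uses PDO and needs PHP 7.4 or later (arrow functions). The table `werte` and its column names are the poster's; the DSN, credentials, the `user_type` session key and the request data are assumptions. It also shows why the original column list fails even once the PHP parse error is fixed: in MySQL, single quotes make 'benutzername' a string literal, while identifiers are quoted with backticks (and only need quoting when they are reserved words or contain unusual characters).

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Table `werte` and its columns are
// the poster's; DSN, credentials, session key and request data are assumptions.

// 1. register_globals = On makes PHP create $benutzername, $user_type, ...
//    from the request, so a visitor who adds user_type=admin to the POST body
//    sets a variable this code never initialised. Leave it Off (the default
//    since PHP 4.2; removed in 5.4), give every variable an explicit default,
//    and take authorisation data from the session, never from the request.
function currentUserType(array $session): string
{
    $userType = 'guest';
    if (isset($session['user_type'])) {
        $userType = (string) $session['user_type'];
    }
    return $userType;
}

// 2. The poster's pattern with the PHP quoting fixed so that it parses
//    (curly braces around the array access inside the double-quoted string,
//    backticks rather than single quotes around the column names). It is
//    still unsafe: the values are pasted into the SQL text. Trimmed to two
//    columns for readability.
function buildUnsafeInsert(array $post): string
{
    return "INSERT INTO `werte` (`benutzername`, `email`) "
         . "VALUES ('{$post['benutzername']}', '{$post['email']}')";
}
// buildUnsafeInsert(['benutzername' => "x', 'y'), ('eve", 'email' => 'pw'])
// returns
//   INSERT INTO `werte` (`benutzername`, `email`) VALUES ('x', 'y'), ('eve', 'pw')
// One request, two rows, and no stacked statement needed, so the fact that
// mysql_query() refuses multiple statements is no protection.

// 3. Prepared statement with bound parameters: the SQL text is fixed before
//    any user data is seen, and the values travel separately, so a quote or
//    a closing parenthesis in the input is only data.
function insertUser(PDO $db, array $post): int
{
    // Column names come from this list, never from the request. The form
    // input must be named `strasse` to match the column.
    $fields = ['benutzername', 'passwort', 'name', 'vorname',
               'Geburtsdatum', 'strasse', 'plz', 'ort', 'email'];

    $values = [];
    foreach ($fields as $f) {
        $values[$f] = isset($post[$f]) ? (string) $post[$f] : '';
    }
    // Store a hash, never the plain-text password.
    $values['passwort'] = password_hash($values['passwort'], PASSWORD_DEFAULT);

    $cols  = implode(', ', array_map(fn($f) => "`$f`", $fields));
    $marks = implode(', ', array_map(fn($f) => ":$f", $fields));
    $stmt  = $db->prepare("INSERT INTO `werte` ($cols) VALUES ($marks)");

    foreach ($values as $f => $v) {
        $stmt->bindValue(":$f", $v, PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Assumed connection; the charset in the DSN keeps escaping and data in step.
$db = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8mb4',
    'appuser',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Assumed policy: only an admin may register other users.
if (currentUserType($_SESSION ?? []) !== 'admin') {
    http_response_code(403);
    exit;
}
insertUser($db, $_POST);
```

mysql_real_escape_string() from Warren's reply does work, but only when every interpolated value is wrapped and the connection charset matches the data; one missed field is enough for injection, and the ext/mysql extension it belongs to was removed in PHP 7.0, so bound parameters are the portable answer. Turning register_globals on in php.ini, as the first post does, reintroduces the variable-injection problem Warren describes; the setting defaulted to Off from PHP 4.2 and no longer exists from PHP 5.4.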