Member Avatar for sagisgirl

Hi all,

I've a problem with my insert sql..I didn'y know why.

here is my insert sql

$goodsDesc = $_POST['goodsDesc'];
$k8goodsQty = $_POST['k8goodsQty'];
$valuePerUnit = $_POST['valuePerUnit'];

$sql_k8goodsIn = "INSERT INTO k8_goodsin
                        (k8regID,goodsDesc,k8goodsQty,valuePerUnit)     
                        VALUES (
                        '".$k8regID."',
                        '".addslashes(strtoupper($goodsDesc[$y]))."',
                        '".$k8goodsQty[$y]."',
                        '".$valuePerUnit[$y]."')";

for goodsDesc the input is like this
goodsDesc = 2-1/2" suction pump

then in the database it reads like this
goodsDesc = 2-1/2\

why is it happen like that, I already use addslashes

please help me.

Edited by sagisgirl
  • 6 Contributors
  • 6 Replies
  • 318 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by diafol
Member Avatar for Kyle Wiering
Huge Disclaimer about security

The first, and most critical piece of information is that your query is vulnerable to an injection attack. In fact, your current problem is the equivalent to how an injection attack works.

Here's a not quite appreviated rundown of how PHP interacts with SQL. First, to run a query on SQL, you need a string in PHP select somevar from some table where table.col='value';. This works great. So we move to the next step of making the query dynamic and adding a variable. select somevar from sometable where table.col=$value;. This still seems fine, but in fact could be susceptible to an attack. For you see, the $value could really be ANY value. Let's say for example, $value = '2;drop sometable;'. Now, you run the full query as this: select somevar from sometable where table.col=2;drop sometable;. In your question, you are getting the value from a $_POST variable, meaning, anyone who can view the page can do anything to the database.

Security Suggestion

This would involve using something like the PDO driver, or the MYSQLi driver.

Examples for MySQLI
Examples for PDO

Converting to a Prepared Query will help to secure your application.

Specific variable issue

Now, finally, down to the exact issue:

  1. What is $y?
  2. What are you passing into $_POST['goodsDesc']?
Member Avatar for sagisgirl

just ignore the $y, I mistakently typed.sorry about that.

$_POST['goodsDesc'] is passing a varchar value, it's for user to describe the goods that they want to buy.

Member Avatar for nadiam

did u try it without addslashes?

$goodsDesc = mysql_real_escape_string($_POST['goodsDesc']);
$k8goodsQty = mysql_real_escape_string($_POST['k8goodsQty']);
$valuePerUnit = mysql_real_escape_string($_POST['valuePerUnit']);
$b = strtoupper($goodsDesc);
$sql_k8goodsIn = mysql_query("INSERT INTO k8_goodsin
                        (k8regID,goodsDesc,k8goodsQty,valuePerUnit)     
                        VALUES (
                        '$k8regID',
                        '$b',
                        '$k8goodsQty',
                        '$valuePerUnit')");

k8regid is an id i assume and if in the database it is auto-increment you don't need to have it there and just leave it blank

VALUES ('','$goodsDesc','$k8goodsQty','$valuePerUnit');
Edited by nadiam
Member Avatar for [NOPE]FOREVER

Try values with out "" and .

commented: my mum +0
commented: ffffff +0
Member Avatar for diafol

Before anybody else suggests anything, could you please read kwiering's post and stop stating things that put the OP at risk.

  • mysql IS DEAD - stop using it - choice of PDO or mysqli
  • use prepared statements and bind parameters

If I see mysql_real_escape_string again I think I'm going to scream. :(

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.