1

I have a form with PHP that saves a variable to a MySQL database. That form worked on a VPS, but when trying it on another VPS it gives an error when trying to write to the database when the field contains a ' character. So the same PHP code works on 1 VPS when the field contains a ' character, but not on the other VPS.

Here it works: http://www.zoekmachineoptimalisatie.us/test.php and here (it's the other VPS) it gives an error: http://www.onzebruidsfotograaf.nl/test.php

My form:

<?php
$hostname = "localhost"; //host name
$dbname   = "xxxxxxxx"; //database name
$username = "xxxxxxxx"; //username you use to login to php my admin
$password = "xxxxxxxx"; //password you use to login
$conn     = new MySQLi($hostname, $username, $password, $dbname);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Untitled Document</title>
</head>
<body>
<?php
if (isset($_POST['Submit'])) { //if the submit button is clicked

    $title  = $_POST['updatetitle'];
    $bookid = 1;
    $update = "UPDATE test SET Title='$title' WHERE BookID = " . $bookid;

    $conn->query($update) or die("Cannot update"); //update or error
}
?>


<?php
$bookid = 1;
$sql    = "SELECT * FROM test WHERE BookID = '" . $bookid . "'";
$result = $conn->query($sql) or die(mysql_error());
$query = getenv(QUERY_STRING);
parse_str($query);
?>

<h2>Update Record <?php echo $bookid;?></h2>

<form action="" method="post">
    <?php

    while ($row = $result->fetch_assoc()) {
        ?>

        <textarea name="updatetitle" cols="100" rows="30"><?php echo $row['Title']; ?></textarea>

        <table border="0" cellspacing="10">

            <tr>
                <td><INPUT TYPE="Submit" VALUE="Update the Record" NAME="Submit"></td>
            </tr>
        </table>
        <?php
    }
    ?>
</form>

<?php
if ($update) { //if the update worked

    echo "<b>Update successful!</b>";

}
?>
</body>
</html>
Mark Davidson
  • 5,503
  • 5
  • 35
  • 54
Dimitri Visser
  • 155
  • 2
  • 12
  • Do not use `query` when variables are involved with the SQL statement. Use `prepare`(, `bind`) and `execute`. See http://php.net/mysqli.prepare – hakre Dec 17 '12 at 15:53
  • It's called [SQL injection](http://bobby-tables.com), and you should learn about it before you go any farther with this code. – Marc B Dec 17 '12 at 16:01

2 Answers2

1

An unescaped quote in your query will produce a syntax error. Instead of building the SQL fully your own, make use of SQL variables for your PHP variables with a Prepared Statement:

if (isset($_POST['Submit'])) { //if the submit button is clicked

    $title  = $_POST['updatetitle'];
    $bookid = 1;

    $update = $conn->prepare('UPDATE test SET Title = ? WHERE BookID = ?;');
    $update->bind_param('sd', $title, $bookid);
    $update->execute();
}

One of your servers has Magic Quotes enabled and the other doesn't. Magic Quotes is now considered undesirable and is deprecated, it automatically escapes input. You should turn off Magic Quotes and use a parameterised query/prepared statement instead - then there is no need to escape anything and it prevents SQL Injection.

Paramterised queries are supported by the MySQLi and PDO APIs.

hakre
  • 193,403
  • 52
  • 435
  • 836
MrCode
  • 63,975
  • 10
  • 90
  • 112
  • Thank you both for your help! The problem was Magic Quotes which was disabled in one of the VPS'es... I will try to find a solution, after reading about SQL injection ;) – Dimitri Visser Dec 17 '12 at 15:35
0

because the single quote breaks the query statement. In order to prevent from it or from SQL Injection you need to use PDO or MySQLI extension. For more infor, see the article below

Community
  • 1
  • 1
John Woo
  • 258,903
  • 69
  • 498
  • 492