0

I have a simple form with a textarea that when submitted updates rows in my database! I want my user to be able to enter single quotes into it but for some reason is not getting parsed! This is what I have as my parsing file..

<?php
$sql = "SELECT * FROM testimonials WHERE id='$pid'"; 

      $pid = $_POST['pid'];
      $testtitle = htmlentities($_POST['ts_tt']);
      $testbody = htmlentities($_POST['ts_tb']);
      $compowner = htmlentities($_POST['ts_co']);
      $ownertitle = htmlentities($_POST['ts_ot']);
      $compname = htmlentities($_POST['ts_cn']);
      $compwebsite = htmlentities($_POST['ts_cw']);

      include_once "../php_includes/db_conx.php";

      $sql = "UPDATE testimonials SET testtitle='$testtitle', testbody='$testbody', compowner='$compowner', ownertitle='$ownertitle', compname='$compname', compwebsite='$compwebsite' WHERE id='$pid'";

      if (!mysql_query($sql, $connection)){
          die('Error: ' . mysql_error());
  }
  echo 'Testimonial has been Edited successfully. <br /><br /><a href="admin/">Click Here</a>';
  exit();
?>

Any Ideas all! Many thanks - Phillip

Phillip Dews
  • 51
  • 10

3 Answers3

2

Use 

addslashes

available in php. This escapes special characters.

chandresh_cool
  • 11,753
  • 3
  • 30
  • 45
2

use mysql_real_escape_string($textareadata) in query... it will work...

dpkdn
  • 61
  • 2
2

First off if your environment allows it you should divorce yourself from mysql_ functions. They are deprecated and will not be available in the next release of PHP. You should switch to either PDO or mysqli.

Here is more information on why you shouldn't use mysql_* function.

Secondly, you are accepting user input and not escaping it to safely be inserted into the database. In this case it just caused your query to fail but if someone where to have a little technical know how they could have done any number of things to erase or change data in your database. This is called an SQL Injection and is one of the more common ways that websites get hacked.

There is two main points where your script can use a little more guarded treatment. The first is this one. 

$sql = "SELECT * FROM testimonials WHERE id='$pid'";

It should be 

$sql = "SELECT * FROM testimonials WHERE id='".mysql_real_escape_string($pid)."'";

The second is 

$sql = "UPDATE testimonials SET testtitle='$testtitle', testbody='$testbody', compowner='$compowner', ownertitle='$ownertitle', compname='$compname', compwebsite='$compwebsite' WHERE id='$pid'";

Which should be 

$sql = "UPDATE testimonials SET testtitle='".mysql_real_escape_string($testtitle)."', testbody='".mysql_real_escape_string($testbody)."', compowner='".mysql_real_escape_string($compowner)."', ownertitle='".mysql_real_escape_string($ownertitle)."', compname='".mysql_real_escape_string($compname)."', compwebsite='".mysql_real_escape_string($compwebsite)."' WHERE id='".mysql_real_escape_string($pid)."'";

Note you may also find that you have to move the database connection include up before your first call to mysql_real_escape_string.

To describe more on how this exploit can happen lets take your first query as assume you are getting pid from a text field. 

$sql = "SELECT * FROM testimonials WHERE id='$pid'";

Me being an evil hacker can simply type in 

0'; update testimonials set testbody = '<script>window.location.href="http://www.compeditors-website.com";</script>';

And what will get sent to your database is.

SELECT * FROM testimonials WHERE id='0'; update testimonials set testbody = '<script>window.location.href="http://www.competitors-website.com";</script>';

And now when anyone goes to your testimonials page they will be redirected to your competitors website.

Community
  • 1
  • 1
Orangepill
  • 24,500
  • 3
  • 42
  • 63