1

It sounds strange to me. I have a simple PHP script that inserts data into a MYSQL table. Upon receiving the content from the client via AJAX the data is stored in a variable:

$content=$_POST['content']; 
$sql="insert into contents values('$content')";
mysql_query($sql);

The problem is that if the content contains a '&' symbol, the sub-string before & is stored in MYSQL and the rest of the string is discarded. If I try directly in MYSQL then it stores the complete string containing the & symbol. Why?

Parveez Ahmed
  • I think your problem is the sql injection vulnerability. How about you use prepared statements instead? Also - note `mysql_` is deprecated, prefer mysqli or PDO instead. – Benjamin Gruenbaum Nov 03 '13 at 13:32
  • This is extremely unsafe! Use `mysqli` or `pdo` instead of `mysql_`. – Ofir Baruch Nov 03 '13 at 13:32
  • I used $content=mysql_real_escape_string($content) also, but it was in vain @BenjaminGruenbaum – Parveez Ahmed Nov 03 '13 at 13:35
  • @rosemary that's still an extremely fragile solution. [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Benjamin Gruenbaum Nov 03 '13 at 13:37
  • I am using mysqli in some of my scripts. Thank you for your solution @BenjaminGruenbaum – Parveez Ahmed Nov 03 '13 at 13:40
  • @rosemary this IS an answer below... hint hint... – DotNetRussell Nov 03 '13 at 13:44
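The truncation the question describes, reproduced as an added example that is not code from the question or any answer. It assumes the AJAX call sent an application/x-www-form-urlencoded body built by string concatenation (the page does not show the client side): the server splits that body on '&', so only the text before the first '&' reaches $_POST['content'], and percent-encoding the value is what preserves it. The SQL statement itself still needs a prepared statement, as the comments say.

```javascript
// Added example; the client-side body construction is an assumption,
// since the question only shows the PHP side.

// Naive body construction: the value is pasted in without percent-encoding,
// so a literal '&' inside it acts as a field separator.
function buildBodyNaive(content) {
  return 'content=' + content;
}

// Correct construction: URLSearchParams percent-encodes '&', '=', '+' and '%'.
function buildBodyEncoded(content) {
  return new URLSearchParams({ content }).toString();
}

// Mimics how a server (e.g. PHP filling $_POST) splits a form body:
// fields on '&', name/value on the first '=', then percent-decoding.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    // '+' means space in form encoding; decode it before percent-decoding.
    const name = decodeURIComponent(rawName.replace(/\+/g, ' '));
    const value = decodeURIComponent(rawValue.replace(/\+/g, ' '));
    fields[name] = value;
  }
  return fields;
}

// Constructed sample input containing the troublesome character.
const SAMPLE = 'Tom & Jerry = friends';

// Returns what the server would store for 'content' in each case.
function demo() {
  const naive = parseFormBody(buildBodyNaive(SAMPLE));
  const encoded = parseFormBody(buildBodyEncoded(SAMPLE));
  return { naive: naive.content, encoded: encoded.content };
}

console.log(demo()); // naive keeps only 'Tom ', encoded keeps the full string
```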

2 Answers

0

The problem is that mysql recognizes '&' as AND. Check this out:

$content = mysql_real_escape_string($_POST['content']); 
$sql = "insert into contents (column) values('$content')";
mysql_query($sql);

aksu
-1

First off, if this site is live take it down lol. This is a classic sql injection vulnerability.

You need to be using mysqli now instead of mysql.

The way you use this is the same but it has this REALLY cool feature called 'real escape string'

What it does is parameterize the data before you pass it into the database

$content = $_POST['content']; 
$connection = new mysqli('ipaddress','username','password','database');
$content = $connection->real_escape_string($content);
$sql="insert into contents values('$content')";
$connection->query($sql);

This is a much safer way of passing in data

DotNetRussell
  • Using `mysqli` is not what makes it safe. I use `mysql` and obstinately refuse to use anything else, because I know what an injection is and how to avoid it ;) – Niet the Dark Absol Nov 03 '13 at 13:40
  • I didn't say using mysqli makes it safe. I said using real escape string does – DotNetRussell Nov 03 '13 at 13:40
  • There is no reason for not using MySQLi with prepared statements. – ComFreek Nov 03 '13 at 13:41
  • And `mysql` has the exact same feature, it's nothing "REALLY cool" about `mysqli`. [`mysql_real_escape_string`](http://php.net/mysql-real-escape-string) – Niet the Dark Absol Nov 03 '13 at 13:41
  • Oh my it must be Sunday. The SO Nazis have nothing better to do than troll for ego boosts... – DotNetRussell Nov 03 '13 at 13:43
  • @NiettheDarkAbsol yes nothing REALLY cool about mysqli except that it's not deprecated and is still maintained code... – DotNetRussell Nov 03 '13 at 13:46
  • Niet used Troll! It's super-effective! Niet's EGO rose! ... yeah, no. – Niet the Dark Absol Nov 03 '13 at 13:46
  • @AMR MySQL_* library is just as secure as MySQLi, it just depends on your knowledge of SQL injection, it's pretty well summed up on the answer of a question I posted. http://stackoverflow.com/questions/14311686/properly-escaping-with-mysqli-query-over-prepared-statements – Daryl Gill Nov 03 '13 at 14:32