string myParameters = "serial=" + serial + "&command_id=" + cmd_id + "&successfullyExecuted=1&command_type=" + getCommandType(cmd) + "&answer=" + executeCommand(cmd);

using (WebClient wc22 = new WebClient())
{
    wc22.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";

    string HtmlResult = wc22.UploadString(URI, myParameters);
}

The getCommand(cmd) returns a very long string (about 1.70 MBytes). When I write it to a text file using File.WriteAllText("debug.txt"); I can see all the data. However, in my database, I see only a part of it. It is truncated.

My sql column type is "LONG TEXT"

Edit (result is holding what is going to be returned by executeCommand() ):

StringWriter stringw = new StringWriter();
Console.SetOut(stringw);

DriveInfo[] allDrives = DriveInfo.GetDrives();
foreach (DriveInfo d in allDrives)
{
    DirSearch(d.Name, commandContent);
}

result = stringw.ToString();
File.WriteAllText("debug.txt", result); // <-- This file contains full data 

Database is MySQL and I'm looking at the data directly using phpMyAdmin

And here is the page I'm posting to :

<?php

if (isset($_POST['serial'])) {

    // Include the database connection file
    include "database_connection.php";

    // prevent sql injection
    $serial = mysql_real_escape_string($_POST['serial']);

    if (isset($_POST['successfullyExecuted'], $_POST['command_id'], $_POST['command_type'], $_POST['answer'])) {
        $cmdID = mysql_real_escape_string($_POST['command_id']);
        $cmdType = mysql_real_escape_string($_POST['command_type']);
        $answer = mysql_real_escape_string($_POST['answer']);
        $executeSuccess = mysql_real_escape_string($_POST['successfullyExecuted']);

        // $serial and $cmdID are already escaped above; escaping them a second
        // time would change values that contain quotes or backslashes.
        if ("1" == $executeSuccess) {
            // TRUE : Command executed successfully
            $q = "UPDATE `eu181976_kl`.`commands` SET `whether_executed` = 1,`answer_type` = '".$cmdType."',`answer` = '".$answer."' WHERE `commands`.`to_whom` = '".$serial."' AND `commands`.`id` = '".$cmdID."' ;";
            $updateNow = mysql_query($q);
        } else if ("0" == $executeSuccess) {
            // FALSE : There was an error executing the command
            $q = "UPDATE `eu181976_kl`.`commands` SET `whether_active` = 0,`answer_type` = '".$cmdType."' WHERE `commands`.`to_whom` = '".$serial."' AND `commands`.`id` = '".$cmdID."' ;";
            $updateNow = mysql_query($q);
        } else {
            // There was an error in the link
            echo "There was an error in query";
        }
    } else {
        // Check the database table for the logged in user information
        $q = "SELECT * FROM commands WHERE to_whom='".$serial."' AND whether_executed=0 AND whether_active=1 LIMIT 1";

        $ros = mysql_query($q);
        // No pending command for this serial
        if (mysql_num_rows($ros) == 0) {
            echo 'NULL';
        } else {
            while ($row = mysql_fetch_array($ros)) {
                echo $row['id'].':'.$row['cmd_text'];
            }
        }
    }
}

?>

EDIT: I'm not sure whether (&) could be the reason, but the text is truncated there; whatever comes after that character is not inserted.

marc_s
Rafik Bari
  • And **what database** is it that you're using here??? – marc_s Jan 27 '14 at 21:22
  • Are you using mssql? If so I think the column needs to be a varchar(MAX) –  Jan 27 '14 at 21:23
  • Long Text sounds like a MySQL data type. There's a lot more information that can be provided, such as "how much of your data is truncated"? "What does the code that writes your data to the database look like"? I did consider the "query parameter bit", but I believe he's posting. – Curtis Rutland Jan 27 '14 at 21:25
  • you need to make that a `POST` request dude – Jonesopolis Jan 27 '14 at 21:25
  • @Jonesy, the [UploadString](http://msdn.microsoft.com/en-us/library/ms144236\(v=vs.110\).aspx) method uses POST – Curtis Rutland Jan 27 '14 at 21:26
  • I'd check on what canon is saying here, about the ampersand. But also, there's also the comment about how you're looking at the field in the database. Are you doing 'select length(myfield) from tablename', or just watching the output in the mysql front end? Makes a difference. – Xavier J Jan 27 '14 at 21:30
  • Without seeing the data written, the code that actually writes the data to the database or at least knowing how much data is truncated, there's not much we can do. It's entirely possible that he's performing a sql injection against himself and truncating the data that way, since we don't know what it looks like or if he's safely handling it on the other side. – Curtis Rutland Jan 27 '14 at 21:33
  • I don't see any DB related code in the post... Not sure why anything should show up in DB at all. – Alexei Levenkov Jan 27 '14 at 21:44

1 Answer

Yes, the ampersand is your issue. I'd use UploadValues() in conjunction with a NameValueCollection to avoid any escaping issues (as detailed in this answer).

var data = new System.Collections.Specialized.NameValueCollection();
data["serial"] = serial;
data["command_id"] = cmd_id;
data["successfullyExecuted"] = "1";
data["command_type"] = getCommandType(cmd);
data["answer"] = executeCommand(cmd);

using (var wc = new System.Net.WebClient())
{
    wc.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
    wc.UploadValues(URI, "POST", data);
}
Community
canon
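The truncation from the question and the encoding fix from the answer, side by side, as an added example that is not part of the original question or answer. `FormBodyDemo`, `BuildBody` and the sample serial, id and path values are constructed for illustration; `HttpUtility.ParseQueryString` stands in for the server's form parser (on .NET Framework it needs a reference to System.Web).

```csharp
using System;
using System.Collections.Specialized;
using System.Net;
using System.Text;
using System.Web;

static class FormBodyDemo
{
    // Build an application/x-www-form-urlencoded body, encoding every name and
    // value so that '&', '=', '+' and '%' inside the data stay data.
    // WebUtility.UrlEncode is used because, unlike Uri.EscapeDataString on
    // .NET Framework, it has no input-length limit (the answer here is ~1.7 MB).
    static string BuildBody(NameValueCollection fields)
    {
        var sb = new StringBuilder();
        foreach (string key in fields)
        {
            if (sb.Length > 0) sb.Append('&');
            sb.Append(WebUtility.UrlEncode(key));
            sb.Append('=');
            sb.Append(WebUtility.UrlEncode(fields[key]));
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample value with the characters that break a raw body.
        string answer = "C:\\Docs\\R&D\\plan=final.txt\nC:\\Docs\\100% done + more.txt";

        // The question's approach: values concatenated without encoding.
        string raw = "serial=ABC123&command_id=7&answer=" + answer;
        NameValueCollection fromRaw = HttpUtility.ParseQueryString(raw);
        // The parser splits on every '&', so "answer" stops at the first one and
        // the remainder is read as a separate, unintended field.
        Console.WriteLine("raw answer intact:     " + (fromRaw["answer"] == answer));
        Console.WriteLine("raw field names:       " + string.Join(", ", fromRaw.AllKeys));

        // Encoded body: the same value survives the round trip unchanged.
        var fields = new NameValueCollection
        {
            { "serial", "ABC123" }, { "command_id", "7" }, { "answer", answer }
        };
        NameValueCollection fromEncoded = HttpUtility.ParseQueryString(BuildBody(fields));
        Console.WriteLine("encoded answer intact: " + (fromEncoded["answer"] == answer));
        Console.WriteLine("encoded field names:   " + string.Join(", ", fromEncoded.AllKeys));
    }
}
```

Encoding each value also keeps data inside `answer` from being read by the server as additional form fields.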