
This problem has been happening across all my forms. If in a description, a user has the ampersand symbol in there, the page displays the INSERT statement with the values but doesn't proceed or send an email out.

For example:

"The quick brown fox jumps over the dog & the cat" will not work.

"The quick brown fox jumps over the dog and the cat" will work.

Insert statement on one of the pages:

```php
$filename = $_GET['filename'];
$size = $_GET['filesize'];
$date = $_GET['filedate'];
$user = $loggedin_id;
// Only the description is escaped for SQL; every other request value is interpolated raw
$desc = mysqli_real_escape_string($dbc3, $_GET['desc']);
$type = $_GET['type'];
$ver = $_GET['ver'];
$rev = $_GET['rev'];
// Look up the most recent lineup for this job and file type
// (note: $job_id is read here but only assigned by getjobid() further down)
$sql = "SELECT lineup FROM cad_files WHERE job_num = $job_id AND file_type = '$type' ORDER BY date DESC LIMIT 1";
$result = mysqli_query($dbc3, $sql);
if(mysqli_num_rows($result) < 1){
    $prev_lineup = 0;
} else {
    $prev_file = mysqli_fetch_assoc($result);
    $prev_lineup = $prev_file['lineup'];
}
//$type = getcadtype($type);
$job_id = getjobid($job_num, $dbc3);
// Insert the new file record; values are interpolated directly into the statement
$sql = "INSERT INTO cad_files(job_num, user, file_name, file_type, version, revision, date, size, description) VALUES($job_id, '$user', '$filename', '$type', '$ver', '$rev', '$date', '$size', '$desc')";
// echo $sql;
mysqli_query($dbc3, $sql) or die(mysqli_error($dbc3));

$id = mysqli_insert_id($dbc3);
```

How can I resolve this issue?

ERRORS:

Warning: simplexml_load_string(): Entity: line 9: parser error : xmlParseEntityRef: no name in /home/xxxxx/public_html/main/includes/mail2.php on line 15

Warning: simplexml_load_string(): <p>Description:<br /><b>Inserts 3a & 3b modified</b></p> in /home/xxxxx/public_html/main/includes/mail2.php on line 15

Warning: simplexml_load_string(): ^ in /home/xxxxxx/public_html/main/includes/mail2.php on line 15

Catchable fatal error: Argument 1 passed to simpleXMLToArray() must be an instance of SimpleXMLElement, boolean given, called in /home/xxxxxx/public_html/main/includes/mail2.php on line 15 and defined in /home/xxxxxx/public_html/main/includes/functions.php on line 354

MikeOscarEcho
    possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Álvaro González Apr 21 '14 at 14:32
    ALL the inputs should be secured before inserting into DB. if you want all values in your query: `$_GET = array_map('mysqli_real_escape_string', $_GET)` – Martijn Apr 21 '14 at 14:33
  • `mysqli_real_escape_string()` use this – Awlad Liton Apr 21 '14 at 14:33
  • @AwladLiton he does, but not everywhere. it would be much better to use PreparedStatements – Rogue Apr 21 '14 at 14:33
  • @AwladLiton It is used on description? `$desc = mysqli_real_escape_string($dbc3, $_GET['desc']);` – MikeOscarEcho Apr 21 '14 at 14:34
  • use prepare statement yes that is true ... – Awlad Liton Apr 21 '14 at 14:34
  • @Martijn I use this after all the $_GETs? And if you notice, it's used already on description `$desc = mysqli_real_escape_string($dbc3, $_GET['desc']);` yet I'm still having problems with ampersand. – MikeOscarEcho Apr 21 '14 at 14:35
  • You add the array_map before you assign its values to the variables. Just echo your query and see **why** it faults instead of trying some weird fix :) – Martijn Apr 21 '14 at 14:38
  • Do you get an error message, if yes, what is it? – Vagabond Apr 21 '14 at 14:41
  • @Adarsh Yes multiple errors when it tries to send the email. I'll edit, refer to original post. – MikeOscarEcho Apr 21 '14 at 14:49
  • The interesting thing here is that he gets warning about the use of `simplexml_load_string` which doesn't appear in the code - I think that we didn't get the whole code – Yaron U. Apr 21 '14 at 14:53
  • @YaronU. So what do you think the problem is then? I think it has to do with the passed values before it gets to the email portion. That part works if I omit the ampersand... – MikeOscarEcho Apr 21 '14 at 15:00
  • @MikeOscarEcho it is quite hard to see the problem like this - this is the kind of thing that you should debug the code in order to get the line of the error - and then get more info. As others mentioned - you for sure have a SQL injection problem here – Yaron U. Apr 21 '14 at 15:03
  • Well I guess you have to show us a bit more of your code... esp. the lines which cause the error / bugs. – Vagabond Apr 21 '14 at 15:06
  • Solved it using htmlspecialchars() on $desc after escaping. Only issue is that it inserts it into table as "&". I guess this will have to do for now, I will secure the rest of the variables based on everyone's recommendation. Thanks – MikeOscarEcho Apr 21 '14 at 15:14
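The warnings in the question come from mail2.php parsing a mail template that contains the raw description: a bare `&` is not well-formed XML, simplexml_load_string() returns false, and that boolean is what reaches simpleXMLToArray(). The following is an added example, not the asker's mail2.php or any code from the question. It rebuilds a small XML-like template (constructed here; the real template is not on the page), reproduces the failure, and shows the two fixes a maintainer would want: encode the value for the XML context with htmlspecialchars() and check the parser's return value so a boolean is never passed on.

```php
<?php
// Added example, not code from the original question or its mail2.php.
// The template markup and the description value are constructed for this example.

function buildMailXml(string $description, bool $escape): string
{
    // The template is XML; a raw "&" inside it is what xmlParseEntityRef rejects.
    // ENT_XML1 makes htmlspecialchars() emit XML-safe entities (&amp; &lt; &gt; &quot; &#39;).
    $value = $escape
        ? htmlspecialchars($description, ENT_QUOTES | ENT_XML1, 'UTF-8')
        : $description;
    return "<mail><p>Description:<br /><b>{$value}</b></p></mail>";
}

function parseMail(string $xml): ?SimpleXMLElement
{
    // Collect libxml errors instead of emitting PHP warnings, and never hand
    // a boolean false to code that expects a SimpleXMLElement.
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        foreach (libxml_get_errors() as $err) {
            error_log(sprintf('mail template parse error, line %d: %s', $err->line, trim($err->message)));
        }
        libxml_clear_errors();
        return null;
    }
    return $doc;
}

$desc = 'Inserts 3a & 3b modified'; // constructed sample input, same shape as the question's

// Unescaped: the parse fails, parseMail() returns null, and the caller can stop cleanly
// instead of dying in simpleXMLToArray().
if (parseMail(buildMailXml($desc, false)) === null) {
    echo "raw description rejected by the XML parser\n";
}

// Escaped for the XML context: the document parses, and reading the text node
// gives back the original description with its "&" intact.
$doc = parseMail(buildMailXml($desc, true));
if ($doc !== null) {
    echo 'parsed description: ' . (string) $doc->p->b . "\n";
}
```

The escaping is applied where the string is placed into the template, not before it is stored; the database row keeps the raw text and each output context (XML mail, HTML page) encodes it in its own way.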

2 Answers


Because you are sending everything over the query string (HTTP GET) you should escape your variables before you send them to the server.

Use the javascript escape function to encode characters like that. You'll need to decode them on the server side as well.

Martijn
T McKeown

Solved it using htmlspecialchars() on $desc after escaping.

```php
// Escape for SQL first, then HTML-encode, so "&" is stored as its HTML entity
$desc = mysqli_real_escape_string($dbc3, $_GET['desc']);
$desc = htmlspecialchars($desc);
```

Only issue is that it inserts it into table as "&" but this isn't really a problem as the page displays the "&" anyway. I guess this will have to do for now, I will secure the rest of the variables based on everyone's recommendation.

MikeOscarEcho