
I have been running MAMP Pro (1.9.6.1) on a 2011 MacBook Pro for the last three years. PHP 5.2.17 / MySQL 5.5.9

I wrote a .php-driven site to store info about my radio show. It has run without any problems or any errors.

I have upgraded to a new MacBook Pro running MAMP Pro 3.0.7.3 - PHP 5.6.2 / MySQL 5.5.38. The scripts that were running solidly, without error, in the first set up are producing unexpected results in the second set-up.

I am 90% certain that this is due to how either PHP or MySQL is handling single quotes / apostrophes in my new set-up.

INSERT queries that feature ' characters aren't being successfully inserted into the database.

e.g.

INSERT INTO song_info 
    (artist_id, title_id, composer_id, publisher_id, album_id,
     album_track, label_id, cat_no, format, howsent, song_rating,
     duration, intro, fade, year, medium, release_date, recommended,
     cymraeg)
VALUES
     ('2', '2', '2', '2', '2', '99', '2', 'voom001', 'album_track',
     'direct', '6', '3'01', '0'36', '2'50', '2015', 'vinyl',
     '2015-03-19', '0', '0')

The queries execute successfully if there are no ' characters within the values I want to insert into the database.

The queries with ' characters in the values I want to insert into the database execute successfully on the previous set-up.

The scripts are exactly the same.

I don't want to start changing the scripts - escaping the ' characters within the .php - because I'm pretty sure this is a config issue, I just don't know where / what to change.

These scripts run locally on the laptop. They're not accessible to anyone else, nor will they be.

So although I'm aware there are real security issues inherent in coding like this, I'll address those when I upgrade the (thousands of lines of) code in due course.

I need a quick temporary fix so that I can complete my work. Then I'll begin work on upgrading the code properly.

I'm using the mysql_ functions. Again, will upgrade to mysqli_ when I have an opportunity to do so.

  • You've been running with SQL injection vulnerabilities for the last three years, and the scripts need changing. It isn't a configuration issue. What library are you using? mysql, mysqli or PDO/mysql? – halfer Mar 15 '15 at 15:02
  • Hi halfer - the only person who uses the scripts - locally, on an un-networked laptop - is me, so security isn't an issue, and I would definitely be much more stringent if this site were accessible to others. I'm using mysql, for the moment. I will upgrade in due course, but need to get this up and running again ASAP. There are over 2000 lines of code, with numerous queries, which is why I'd prefer a quick fix, rather than the RTFM answer. Will RTFM (now!) to upgrade properly over coming weeks. Thank you for your help. – Adam Thomas Walton Mar 15 '15 at 15:11
  • There is no quick fix - only `mysql_real_escape_string()` - unless there is a common point in your code you happen to be passing query values through already. 2000 lines of code is not a lot - do a search in your IDE for `mysql_query` and repair each one in turn. – halfer Mar 15 '15 at 15:19
  • @Fred -ii- I'm reading through previous questions re: single quotes, but I'm not reading an explanation for why these scripts ran perfectly on my previous laptop but not on my new setup. That makes me wary to fiddle / upgrade until I know the cause. Thank you. – Adam Thomas Walton Mar 15 '15 at 15:23
  • @halfer Thank you very much. Do you know why it works fine on the older MAMP Pro set up? That's what made me think it might be a config issue. Very much appreciate your help. 2000 lines of code because it handles majority of the logistics related to my work. It has saved me many 100's of hours over the years. But I clearly need to bring the code up to date! – Adam Thomas Walton Mar 15 '15 at 15:26
  • *"INSERT queries that feature `'` characters aren't being successfully inserted into the database."* - `stripslashes()` - `mysql_real_escape_string()`. This is obviously coming from user input, so you need to escape the incoming data, either way. This isn't a config issue, it's an SQL issue. – Funk Forty Niner Mar 15 '15 at 15:28
  • It is possible your PHP 5.2 system was running [magic quotes](https://php.net/manual/en/security.magicquotes.php) - check your php.ini on your old machine to find out. This feature was eventually decided to be a bad idea, and has been deprecated and then removed from the language. – halfer Mar 15 '15 at 15:33
  • _"That makes me wary to fiddle"_ - the code is stored in a version control system, right? `:-)` – halfer Mar 15 '15 at 15:35
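The magic-quotes explanation in the comments can be shown in code. The following is an added example, not code from the question or from its author: it runs the same style of concatenated INSERT the question uses against a reduced copy of the song_info table, then the parameterised form that does not depend on magic quotes at all. It uses an in-memory SQLite database through PDO so it runs stand-alone with no MySQL server; the table layout, the column subset and the sample row (the "3'01" duration from the question plus a title with an apostrophe) are constructed for the example. On the asker's stack the only change needed is the DSN (for example mysql:host=localhost;dbname=radio), the prepared-statement code is identical.

```php
<?php
// Added example (not the question's code): the concatenated INSERT that
// magic_quotes_gpc used to paper over, beside a prepared statement.
// SQLite in memory is used so this runs offline; swap the DSN for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE song_info (title TEXT, duration TEXT, intro TEXT, fade TEXT)');

// Constructed sample input, as it arrives in $_POST on PHP 5.4+ (raw, unescaped).
// On PHP 5.2 with magic_quotes_gpc=On these would have arrived as 3\'01 etc.,
// which is why the old scripts worked by accident.
$row = array(
    'title'    => "Don't Stop",
    'duration' => "3'01",
    'intro'    => "0'36",
    'fade'     => "2'50",
);

// 1. What the existing scripts do: build the SQL by string concatenation.
//    The quote inside "3'01" terminates the literal and the statement is
//    malformed, so the INSERT fails (and, on a real site, is injectable).
function insertConcatenated(PDO $pdo, array $row)
{
    $sql = "INSERT INTO song_info (title, duration, intro, fade) VALUES ('"
         . $row['title'] . "', '" . $row['duration'] . "', '"
         . $row['intro'] . "', '" . $row['fade'] . "')";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        echo "concatenated INSERT failed: " . $e->getMessage() . PHP_EOL;
        return false;
    }
}

// 2. The fix that does not depend on any php.ini setting: a prepared
//    statement. The values are sent separately from the SQL text, so a quote
//    (or anything else) in the data can never change the query's structure.
function insertPrepared(PDO $pdo, array $row)
{
    $stmt = $pdo->prepare(
        'INSERT INTO song_info (title, duration, intro, fade)
         VALUES (:title, :duration, :intro, :fade)'
    );
    return $stmt->execute($row);   // array keys map onto the named placeholders
}

insertConcatenated($pdo, $row);    // prints the syntax error, returns false
insertPrepared($pdo, $row);        // returns true

// Confirm the apostrophe was stored verbatim (SQL doubles quotes inside literals).
$stored = $pdo->query("SELECT COUNT(*) FROM song_info WHERE duration = '3''01'")->fetchColumn();
echo "rows stored with duration 3'01: " . (int) $stored . PHP_EOL;
```

If the mysql_ extension has to stay for now, the interim step halfer describes is to pass every value through mysql_real_escape_string($value, $link) at the point where the query string is built; that reproduces what magic quotes did, but only for values that are actually going into SQL, and it is the first thing to remove again once the queries have been converted to mysqli or PDO prepared statements as above.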
