
The following is a report that I try to send to the database. The PHP code works fine, I believe, as the row is created. But the reportdata column is always empty. The column type is varchar. Is it because the report begins with #? The following call creates a row but nothing in the reportdata column. The auto-increment id is given.

http://www.someaddress.com/savereport.php?reportdata=#98#1#4#14#3#48#8#88#04/06/2016%2008:05:54%20PM

If I change the report to basic text, it works. What's going on?

http://www.someaddress.com/savereport.php?reportdata=basictext

Here is the PHP code that does the stuff:

```php
<?php
// $dbc is the mysqli connection; the question does not show how it is
// opened, so the credentials here are placeholders.
$dbc = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
mysqli_set_charset($dbc, 'utf8');

// Escape the raw GET value and splice it into the query string.
$reportdata = mysqli_real_escape_string($dbc, $_GET['reportdata']);
$query = "INSERT INTO `onwordreports`(`reportdata`) VALUES ('$reportdata')";

// Run the query; the error message is Turkish for "data upload failed".
$result = mysqli_query($dbc, $query) or trigger_error("Veri yükleme başarısız: " . mysqli_error($dbc));
echo $result;

mysqli_close($dbc);
```
Ugur

  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Apr 06 '16 at 17:18
  • Thanks for the warning. It hurts my brain trying to do that, because I do not actually understand it. Unless someone would be so nice as to show how to actually convert my code into a safer one, I'll stay at risk. – Ugur Apr 09 '16 at 15:46

1 Answer

I am going to agree with the warnings that this is a very bad way to handle this. Even with mysql_real_escape_string, you still have definite concerns for injection.

Since you're already using mysqli, switching to prepared statements is fairly trivial.

Now, with that said... I would simply do an `echo("$reportdata");` to see what value it's actually trying to insert. Take this value and run the query manually: do you get any errors? You can see how mysqli_real_escape_string is sanitizing the input and you can see if this breaks the query.

csyria

  • `INSERT INTO onwordreports (reportdata) VALUES (12);` The code works without the `#`, but the one below doesn't. Any ideas? `INSERT INTO onwordreports(reportdata) VALUES (#12)` – Ugur Apr 09 '16 at 15:41
  • What type of column are you trying to insert into? Varchar, int, etc? – csyria Apr 11 '16 at 15:30
  • Hi. I'm trying to insert into a varchar. – Ugur Apr 17 '16 at 14:51
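The asker's comment under the question asks for a concrete conversion of the script to prepared statements, and the answer above says that switch is trivial with mysqli and suggests echoing the received value first. The script below is an added example that serves both points; it is not the asker's or the answerer's code. It assumes the same `onwordreports` table with a VARCHAR(255) `reportdata` column as in the question, placeholder connection credentials, and an input allow-list derived only from the sample report in the question. It also handles the empty-column symptom itself: in a URL a literal `#` begins the fragment, which the browser keeps and never sends, so `?reportdata=#98#1#...` reaches PHP with an empty `reportdata`.

```php
<?php
// Added example, not the asker's or the answerer's code: savereport.php
// rewritten with a mysqli prepared statement plus the input checks the
// thread hints at. Assumptions: table `onwordreports` with a VARCHAR(255)
// column `reportdata` (as in the question); the connection credentials
// below are placeholders.

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$dbc = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
mysqli_set_charset($dbc, 'utf8mb4');

// Why the column came back empty: in a URL a literal `#` starts the
// fragment, which the browser never sends to the server, so
// ?reportdata=#98#1#... arrives here with reportdata === ''. The client
// has to send `#` as %23 (see the note below the code).
$reportdata = $_GET['reportdata'] ?? '';

// The answer's debugging step: record exactly what PHP received before
// it goes anywhere near SQL.
error_log(sprintf('savereport: received %d bytes: %s', strlen($reportdata), $reportdata));

// Refuse to create an empty row, which is what the asker observed.
if ($reportdata === '') {
    http_response_code(400);
    exit('missing reportdata');
}

// Allow-list check (assumed format, based only on the sample report in
// the question: digits, `#`, `/`, `:`, space, AM/PM) and a length cap
// matching the VARCHAR column, so oversized or odd input is rejected
// rather than silently truncated or stored.
if (strlen($reportdata) > 255 || !preg_match('~^[0-9#/: APM]+$~', $reportdata)) {
    http_response_code(400);
    exit('reportdata has an unexpected format');
}

// Prepared statement: the value is bound as data, so it can never change
// the SQL text, whatever characters it contains. This replaces both
// mysqli_real_escape_string and the string-built query.
$stmt = mysqli_prepare($dbc, 'INSERT INTO `onwordreports` (`reportdata`) VALUES (?)');
mysqli_stmt_bind_param($stmt, 's', $reportdata);
mysqli_stmt_execute($stmt);

// Return the new auto-increment id rather than the bare "1" the original
// echo $result produced.
echo mysqli_insert_id($dbc);

mysqli_stmt_close($stmt);
mysqli_close($dbc);
```

The client has to percent-encode the `#` characters: PHP's `urlencode('#98#1#4')` gives `%2398%231%234`, and a request such as `savereport.php?reportdata=%2398%231%234%2314...` then arrives intact. For the manual test in the comments, `INSERT INTO onwordreports(reportdata) VALUES (#12)` fails because `#` starts a comment in MySQL and the value is unquoted; `VALUES ('#12')` inserts the string. `mysqli_real_escape_string` does not touch `#` or any other character in the sample report (it escapes only NUL, newline, carriage return, backslash, the two quote characters and Ctrl-Z), so escaping was never what emptied the column.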