-2

I have a form processed with PHP. It contains a field for Notes about the client job. The problem is that if there is a ' within in the notes - such as it's, O'Reilly, that's etc, it escapes the string in the database, so I have all of the notes up until it encounters the ' then that's the end of the notes.

I realise there are things like mysqli_ and PDO, but it's the busy season at the moment and I could just do with quickly fixing this before doing a complete update/overhaul in January.

Any idea why it isn't working? Code included. It doesn't matter where I put the mysql_real_escape_string(), it doesn't work anywhere.

FYI: The table column is TEXT. And there are a couple of other fields hence the foreach

// SELECTS AND CONNECTS TO SERVER/DB
include_once('config/db.inc.php');


// CONVERT ALL $_POST['name'] to $name and clean/prep for mysql insertion
foreach($_POST as $key => $value ) {    
       $$key = mysql_real_escape_string($value); 
       }


// UPDATE CLIENT JOB NOTES
$query = "UPDATE client_list SET bookingNotes='$bookingNotes' WHERE id='$CID'";
         mysql_query($query, $conn) or die(mysql_error());

TIA

Edit for the responses below:

$bookingNotes and $CID are define by the form variables $_POST['bookingNotes'] and $_POST['CID'] where the foreach essentially removes the "_POST" part. (that's the whole $$key = $value part)

As mentioned, I appreciate mysqli_ and PDO but am currently unable to learn, update and implement those system wide at the moment. This runs locally and my current version of PHP 5.4.1 supports the function. I understand PDO is better, but for now that is not an option so please don't belittle me with "do it properly" or "learn how to code". That isn't the issue at hand.

I know what's happening and where and why - mysql is treating the ' as and end of the string. But I don't know why it's happening when I believe the function should escape the ' and allow it into the database.

To surmise, this is what happens.

"Today is very grey and it's raining" is entered into the form as $bookingNotes. The script then inputs that into the TEXT column of the database. But what appears in the database is;

"Today is very grey and it"

TIA and Thanks for the responses so far.

Biomech
  • 37
  • 1
  • 6
  • 1
    Where are $bookingNotes and $CID defined, they seems to not take values from the looped array values – Royal Bg Aug 07 '13 at 14:55
  • 1
    which php version are you using? original mysql extension is depreciated from php 5.5.x versions. – Nishant Aug 07 '13 at 14:55
  • Maybe this is wrong? --> `$$key` – Black Sheep Aug 07 '13 at 14:57
  • You should use MySQLi or PDO with prepared statements instead of mysql_, they have been deprecated. –  Aug 07 '13 at 14:59
  • Maybe key should not be assigned to value at all – Royal Bg Aug 07 '13 at 14:59
  • Maybe the entire string is in your db, but you are not escaping it properly when you display it - and it is truncated as you output? – Cups Aug 07 '13 at 15:05
  • I just tested `mysql_real_escape_string("O'Reilly, that's");` in PHP 5.2.17, 5.3.14 and 5.4.4 and it worked as expected in all of them. Have you tried logging the `$_POST` array and checking the values? – Joe Aug 07 '13 at 15:05
  • Have you got `magic_quotes_gpc` enabled? – Fra H Aug 07 '13 at 15:12
  • That code should work as is. **Debug it.** `var_dump` every relevant variable at every step to see whether its value is as you expect it to be. If you don't know what it's supposed to be, post the relevant details here. Make sure error reporting is enabled and that you're checking for errors. – deceze Aug 07 '13 at 16:35

5 Answers5

2

Are you sure the problem is on the writing end? Your code looks like it should work. (Well, for some value of work, you don't want to have a field <input name='conn' value='haha'>. Anyway, you seem to understand the problems with the code well enough.)

I assume that what you see is not SQL-injection but HTML injection:

<input name='bookingNotes' value='<?php=$bookingNotes?>'>

try escaping that with

<input name='bookingNotes' value='<?php=htmlspecialchars($bookingNotes, ENT_QUOTES)?>'>

to avoid the problem.

sba
  • 1,829
  • 19
  • 27
  • Correct, I forgot to tell it to escape the quotes. Editing. – sba Aug 07 '13 at 15:32
  • It's not an injection issue per se, it's that when data goes into the database, it stops when it reaches a '. So inputting "Today is grey and it's raining" is stored in the database as "Today is grey and it" – Biomech Aug 07 '13 at 16:21
  • Have you actually verified that the value is not written correctly? If you `echo` the `$query` and then run that query on the DB manually, what do you get? – sba Aug 08 '13 at 11:09
0

I tried it and it seems okay

$_POST['name'] = "1'";
$_POST['age'] = '2';/* 
$_POST[] = '3';
$_POST[] = '3'; */
foreach($_POST as $key => $value ) {    
    $$key = mysql_real_escape_string($value); 
    echo $$key;

}

The result I got was : 1\' - which is correct

Julian
  • 781
  • 1
  • 11
  • 32
  • 1
    The problem is that I have the variable $_POST['bookingNotes'] which contains - let's say "Today it's raining". This is sent to processing script which turns $_POST['bookingNotes'] into just $bookingNotes and then inserts the contents into the TEXT column in the database. What ends up in the database is "Today it". And everything after the ' is missing. – Biomech Aug 07 '13 at 16:20
  • Yes, that's what i thought may have caused the break to occur. Another way you could overcome is by adding, stripslash and addslashes. I haven't tested using those method but it should work too. – Julian Aug 08 '13 at 13:11
0

Thank you to everyone with helpful input.

It's fixed now, I honestly don't know how.

I removed the '' on the SQL statement (WHERE bookingNotes='bookingNotes') to force an error.

I also checked (echoed) the contents of $bookingNotes, which was the POST data AFTER mysql_real_escape_string() and it had the full string with apostrophes escaped (slashed)

I removed the echo, put the SQL back, and it all worked as it should / as expected.

I backed up the script before I started working, I have since compared the "new" working one with the original one that failed and they are exactly the same, no missing characters or extra/missing whitespace, exactly the same. o_O

So I don't know what happened there!

Thanks for the input anyway.

Biomech
  • 37
  • 1
  • 6
-1

Try changing this

$$key = mysql_real_escape_string($value);

INTO

$key = mysql_real_escape_string($value);

Julian
  • 781
  • 1
  • 11
  • 32
-1

First, mysql_real_escape_string() always works. If some your code doesn't - well, it's your code.

Second, but most important: NEVER run a code like this

foreach($_POST as $key => $value ) {    
    $$key = // whatever.
}

it is actually a hole in security, worse than any other.

Finally, it is extremely unclear from your extremely vague explanation, but I guess it's HTML form where you get your "end of notes". Anyway, you have to fix the very place where it happens, not blame a function you were running long time ago

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • Thank you for the input, could you explain WHY it's a hole in security? I'm not "blaming" the function at all, I'm trying to find out why it isn't working, I know WHERE it's happening and WHY it's happening - mysql see's the "'" and treats that as the end of the string. What I don't know is why that ' isn't being escaped when using a function that I believe is supposed to escape it. – Biomech Aug 07 '13 at 16:23