When I run my code I'm facing the next 2 errors:

mysql_num_rows() expects parameter 1 to be resource, boolean

That happens at rare lines of the file. The rest of them work just fine.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't '' at line 1

Yes, it's vulnerable, I see. It's probably some weird characters making up the issue, but I can really edit them, because I save the words to the db for md5ing them.

I assume mysql_real_escape_string will add some slashes which will give me another md5 value. So how can I not edit the data and get the script secure at the same time?

require ("dbconnect.php");
$list = fopen("huge.txt","r");
//convert and save to db
while(!feof($list))
  {
  $word = fgets($list);

  //check if already in db.
  $check = mysql_query("SELECT id FROM `database` WHERE word='$word'") or 
  die(mysql_error());
  if (mysql_num_rows($check)==0)
     {
     //rest of the codes

I added die() just for me to see what's wrong.

Ofir Baruch
Kishor

1 Answer

For question 1, you should simply not pass any argument to the mysql_num_rows() if you only have one database connection.

For question 2, the escaped version should not produce a different hash as long as it has been saved to the database, and then pulled from the database again. Once an escaped string is saved to the database, the saved version effectively loses the escape characters. This is why you do not see "they\'re" for example, when you pull escaped values from the database.

Basically, when you initially create the hash, you should use a non-escaped version of the string for the hash input, then escape the plaintext version which can then be saved to the database. You can then pull the plaintext version from the database at any time, rehash, and it should create a matching hash value.

dqhendricks
  • Why did you tell me that I should hash the non-escaped version first? Can I escape the plaintext, save it, pull it again and hash it? Both give me the same hash, as you said. Isn't it? – Kishor Mar 26 '12 at 17:40
  • @Kishor Yes, my only point was to not use the escaped version as an input for creating the hash. – dqhendricks Mar 26 '12 at 17:42
  • I still can't figure out what's the problem with that because you said both would be the same anyway..? Am I missing something? – Kishor Mar 26 '12 at 17:46
  • @Kishor when you escape "they're", it becomes "they\'re", which would screw up your hash, but once you save "they\'re" to the database, it is saved in the database as "they're", which will not screw up your hash. Once you pull the saved version from the database, it is no longer escaped. Does this make sense? – dqhendricks Mar 26 '12 at 17:52
  • Sorry for pinging you again, but can you please clear this up? I made the script to write the escaped string to the database, and I have no clue how to fetch it up by matching it with something. Any idea? – Kishor Mar 26 '12 at 18:11
  • Google mysql SELECT statements, and in particular the WHERE clause – dqhendricks Mar 26 '12 at 18:21
  • That was a bit too harsh because I know how to use WHERE, but I don't know what to match it with in this case. The data I give : they're << Can be vulnerable. The data when escaped : they/'re. Saved in the db : they're . If I try matching it with the non-escaped string, am I not making the script vulnerable again? – Kishor Mar 26 '12 at 18:40
  • @Kishor you would escape data that goes into the WHERE clause as well. It is the same as escaping things that get saved. – dqhendricks Mar 26 '12 at 18:58
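
The exchange above comes down to two points: the word must reach both the SELECT and the INSERT as data, and the MD5 must be taken from the unescaped word. The following is an added example, not code from the question or the answer; it uses PDO bound parameters in place of mysql_real_escape_string (the mysql_* functions were removed in PHP 7). The in-memory SQLite database, the `words` table and the sample lines are assumptions made so it runs offline.

```php
<?php
// Added example: an in-memory SQLite database stands in for the MySQL
// connection from dbconnect.php (assumption), so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Hypothetical table; the question does not show its schema.
$db->exec('CREATE TABLE words (id INTEGER PRIMARY KEY, word TEXT UNIQUE, hash TEXT)');

// Constructed sample lines standing in for huge.txt: a single quote,
// a backslash, double quotes and a duplicate entry.
$lines = ["they're\n", "plain\n", "back\\slash\n", "say \"hi\"\n", "they're\n"];

// The SQL text is fixed; values are bound separately and never parsed as SQL.
$check  = $db->prepare('SELECT id FROM words WHERE word = ?');
$insert = $db->prepare('INSERT INTO words (word, hash) VALUES (?, ?)');

foreach ($lines as $line) {
    // fgets() keeps the line ending; strip it so it is neither stored nor hashed.
    $word = rtrim($line, "\r\n");
    if ($word === '') {
        continue; // skip blank lines
    }

    // Same lookup as the question's SELECT, with the word bound as a parameter.
    $check->execute([$word]);
    $exists = $check->fetchColumn() !== false;
    $check->closeCursor();

    if (!$exists) {
        // Hash the raw word: nothing has been escaped, so nothing changes the digest.
        $insert->execute([$word, md5($word)]);
    }
}

// Read the rows back and recompute each hash from the stored word.
foreach ($db->query('SELECT word, hash FROM words ORDER BY id') as $row) {
    $status = ($row['hash'] === md5($row['word'])) ? 'match' : 'MISMATCH';
    printf("%-12s %s %s\n", $row['word'], $row['hash'], $status);
}
```

Against MySQL the same statements work unchanged with a `mysql:` DSN; set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server performs the binding.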