Sanitizing String Not Working


38 Replies - 4353 Views - Last Post: 27 May 2011 - 06:59 AM

#1 eZACKe
Posted 26 May 2011 - 09:24 AM

Here's the deal:

I have a form which the user fills out. When he submits, that data goes into the database. So obviously I have to sanitize these strings to protect against SQL injection. I have a sanitizeString function I made that should completely sanitize the given string. It doesn't seem to be working though.

Here's the code that gets the value from the textbox and tries to sanitize it, then run the query:
$theCount = 1;
for($x = 0; $x < $numberAchievs; ++$x)
{
	${currentBox.$x} = $_POST['box0'.$theCount];// what the value of the box is after submitting
	++$theCount;
}

for($x = 0; $x < $numberAchievs; ++$x)
{
	// check if any are different, if so update
	if(${currentBox.$x} != ${box.$x})
	{
		${currentBox.$x} = sanitizeString(${currentBox.$x});// not sure if these are working
		$query = "UPDATE achievements set achievement ='${currentBox.$x}' WHERE email ='$email_token' AND achievement='${box.$x}'";
		queryMysql($query);
	}
}

And here is the sanitizeString function code, which is in the functions.php file, which is included at the top of the file where the stuff above is occurring:
function sanitizeString($var)
{
	$var = strip_tags($var);
	$var = htmlentities($var);
	$var = stripslashes($var);
	return mysql_real_escape_string($var);
}
This isn't working though.

As you may be able to tell from the code above, I have a variable amount of textboxes, thus a variable amount of string variables.

If I for example have 2 textboxes showing and I put the following into them
I'm here
me too

Both strings, I'm here and me too, get entered into the database exactly as they are. Then, the next time I access the page with the form on it, those 2 boxes are already pre-filled. The I'm here box only says "I" though.

Then, if I submit the form again, without modifying the boxes at all, I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm here'' at line 1.

The "'" is what is messing it up. Should the "'" be eliminated with the escape_real... function? Not sure what is happening.

This post has been edited by eZACKe: 26 May 2011 - 09:28 AM



Replies To: Sanitizing String Not Working

#2 Dormilich
Posted 26 May 2011 - 09:29 AM

use Prepared Statements, then you don't have to worry about SQL Injection or data-related SQL Query string problems.

#3 eZACKe
Posted 26 May 2011 - 09:43 AM

Thank you, I will look into that.

I don't seem to have any drinks or cookies around right now though, so that could be problematic. Also, as much as I like your contribution and will definitely look into it, my problem still lies in not understanding why what I did above doesn't work. I'd still like to figure that out.

#4 Dormilich
Posted 26 May 2011 - 09:49 AM

then the beloved first question, do you have error reporting and display enabled?

#5 eZACKe
Posted 26 May 2011 - 09:52 AM

=/ I'm not sure.

Is that in php.ini? Errors get displayed all the time, I'm not sure if that's what you mean though.

In my php.ini:
error_reporting = E_ALL & ~E_DEPRECATED

This post has been edited by eZACKe: 26 May 2011 - 09:57 AM


#6 Dormilich
Posted 26 May 2011 - 10:13 AM

at least we can assume that there is an open MySQL connection …

the next step is var_dump( sanitizeString(${currentBox.$x}) );*

* - or use XDebug via DBGp (a.k.a. remote debugging)

#7 eZACKe
Posted 26 May 2011 - 10:22 AM

Yes, the MySQL connection is made. All of this works great with any input that doesn't have special characters.

So add this here:
	// check if any are different, if so update
	if(${currentBox.$x} != ${box.$x})
	{
		var_dump( sanitizeString(${currentBox.$x}) );
		${currentBox.$x} = sanitizeString(${currentBox.$x});// not sure if these are working
		$query = "UPDATE achievements set achievement ='${currentBox.$x}' WHERE email ='$email_token' AND achievement='${box.$x}'";
		queryMysql($query);
	}

I'm getting no output at all though.

This post has been edited by eZACKe: 26 May 2011 - 10:23 AM


#8 Dormilich
Posted 26 May 2011 - 10:24 AM

move line 4 to the top, the condition might just fail

#9 CTphpnwb
Posted 26 May 2011 - 10:27 AM

This:
<?php
$numberAchievs = 1;
$_POST['box01']= "I'm working.";
$currentBox = "box0";
$theCount = 1;
for($x = 0; $x < $numberAchievs; ++$x)
{
	${currentBox.$x} = $_POST['box0'.$theCount];// what the value of the box is after submitting
	++$theCount;
}

for($x = 0; $x < $numberAchievs; ++$x)
{
	// check if any are different, if so update
	if(${currentBox.$x} != ${box.$x})
	{
		${currentBox.$x} = sanitizeString(${currentBox.$x});// not sure if these are working
		$query = "UPDATE achievements set achievement ='${currentBox.$x}' WHERE email ='$email_token' AND achievement='${box.$x}'";
		echo $query;
		//queryMysql($query);
	}
}

function sanitizeString($var)
{
	$var = strip_tags($var);
	$var = htmlentities($var);
	$var = stripslashes($var);
	return mysql_real_escape_string($var);
}
?>

produces this output for me:
UPDATE achievements set achievement ='I\'m working.' WHERE email ='' AND achievement=''


My guess is that $numberAchievs is not set.

#10 eZACKe
Posted 26 May 2011 - 10:48 AM

Well that was part of the problem. My sanitizeString method is actually working. The real problem is occurring when I try to give this sanitized string as the value of a text box, here:

Here I get the value from the database, and sanitize it again:
$row = mysql_fetch_row($result);
${box.$x} = $row[1];// value of box before submitting
echo ${box.$x} . " !!!!!!!!!!!!!!<br />";
${box.$x} = sanitizeString(${box.$x});
echo ${box.$x} . " !!!!!!!!!!!!!!<br />";

The first echo prints I'm here.
The next one prints I\'m here.
This is correct.

Then another file uses this value for displaying a text box:
<input type='text' name='box0$count' value='${box.$j}'



So that value should be I\'m here. It seems it's not escaping the character in this case, because all that's going into this text box is:
I\

Is there a way to escape special characters in the value field?

#11 eZACKe
Posted 26 May 2011 - 10:59 AM

Found a near solution to my problem by doing this:
<input type='text' name='box0$count' value="${box.$j}" /><br />;



That's just using double quotes instead.

Now the only problem I'm being faced with is:
In the text boxes it's showing the strings with the \ in it.

For example if I entered: You're awesome.
In the textbox after submitting it shows You\'re awesome.

A small price to pay, but still I don't like it. Is there a way to, like, hide a certain character in a string? Or does anyone know a solution to having it not display \'s in a text box?

Thanks

This post has been edited by eZACKe: 26 May 2011 - 11:00 AM


#12 Dormilich
Posted 26 May 2011 - 11:02 AM

define('HTML_TEXTBOX', '<input type="text" name="box0%d" value="%s">');
echo sprintf(HTML_TEXTBOX, $count, ${box.$j});


I prefer double quotes in the HTML anyways.

This post has been edited by Dormilich: 26 May 2011 - 11:05 AM


#13 CTphpnwb
Posted 26 May 2011 - 11:03 AM

You could use:
http://php.net/manua...tmlentities.php
but learning PDO would be a whole lot easier than dealing with all of this.
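One way to put Dormilich's prepared-statement advice (#2) and the PDO/htmlentities suggestion just above (#13) into practice, as an added example that is not code from the thread: the UPDATE from the first post as a PDO prepared statement, and the textbox from post #10 rendered with output-time HTML escaping. It assumes a PDO connection, the thread's `achievements` table (hypothetical schema), and constructed sample values.

```php
<?php
// Added example, not code from the thread. It keeps the two escaping layers
// that get mixed up above apart: SQL goes through a prepared statement, and
// HTML attribute output goes through htmlspecialchars() with ENT_QUOTES.
// Assumed: a PDO connection to MySQL and the thread's `achievements` table
// with columns `email` and `achievement` (hypothetical schema).

// Database layer. Old and new values travel as bound parameters, so the
// apostrophe in "I'm here" never appears inside the SQL text and the row is
// stored verbatim, with no backslashes to strip on the way back out.
function updateAchievement(PDO $pdo, $email, $oldValue, $newValue)
{
    $sql = 'UPDATE achievements SET achievement = :new_value'
         . ' WHERE email = :email AND achievement = :old_value';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':new_value' => $newValue,
        ':email'     => $email,
        ':old_value' => $oldValue,
    ));
    return $stmt->rowCount(); // number of rows changed
}

// Output layer. ENT_QUOTES encodes both ' (as &#039;) and " (as &quot;), so
// the value cannot close the attribute whichever quote style wraps it, and
// the browser displays the decoded text: "I'm here", not "I\'m here".
function renderTextbox($count, $value)
{
    return sprintf('<input type="text" name="box0%d" value="%s">',
        (int) $count, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample run with the values from the thread.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares

$email  = 'user@example.com'; // stands in for the thread's $email_token
$before = 'I';                // the truncated value the thread ended up with
$after  = "I'm here";
updateAchievement($pdo, $email, $before, $after);
echo renderTextbox(1, $after), "\n";
```

Because the stored value is never pre-escaped, the sanitizeString() pass on the way out of the database in post #10 is no longer needed either.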

#14 eZACKe
Posted 26 May 2011 - 11:24 AM

I think I'm going with PDO, this is out of hand.

#15 Dormilich
Posted 26 May 2011 - 11:25 AM

we have a good deal of PDO tutorials here at D.I.C. … and you can always ask Mr. PDO (if he's around).