1

It sounds strange to me. I have a simple PHP script that inserts data into a MySQL table. Upon receiving the content from the client via AJAX, the data is stored in a variable:

```php
$content=$_POST['content'];
$sql="insert into contents values('$content')";
mysql_query($sql);
```

The problem is that if the content contains a '&' symbol, the sub-string before & is stored in MySQL and the rest of the string is discarded. If I try directly in MySQL then it stores the complete string containing the & symbol. Why?

Parveez Ahmed
  • 3
    I think your problem is the SQL injection vulnerability. How about you use prepared statements instead? Also - note `mysql_` is deprecated, prefer mysqli or PDO instead. – Benjamin Gruenbaum Nov 03 '13 at 13:32
  • This is extremely unsafe! Use `mysqli` or `pdo` instead of `mysql_`. – Ofir Baruch Nov 03 '13 at 13:32
  • I used `$content=mysql_real_escape_string($content)` also, but it was in vain @BenjaminGruenbaum – Parveez Ahmed Nov 03 '13 at 13:35
  • 2
    @rosemary that's still an extremely fragile solution. [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Benjamin Gruenbaum Nov 03 '13 at 13:37
  • I am using mysqli in some of my scripts. Thank you for your solution @BenjaminGruenbaum – Parveez Ahmed Nov 03 '13 at 13:40
  • @rosemary this IS an answer below... hint hint... – Anthony Russell Nov 03 '13 at 13:44

2 Answers

0

The problem is that mysql recognizes '&' as AND. Check this out:

```php
$content = mysql_real_escape_string($_POST['content']);
$sql = "insert into contents (column) values('$content')";
mysql_query($sql);
```

aksu
-1

First off, if this site is live, take it down lol. This is a classic SQL injection vulnerability.

You need to be using mysqli now instead of mysql.

The way you use this is the same, but it has this REALLY cool feature called 'real escape string'.

What it does is parameterize the data before you pass it into the database:

```php
$content = $_POST['content'];
$connection = new mysqli('ipaddress','username','password','database');
$content = $connection->real_escape_string($content);
$sql="insert into contents values('$content')";
$connection->query($sql);
```

This is a much safer way of passing in data.

Anthony Russell
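
An added example, not part of the original answers, that follows the prepared-statement advice in the comments above using PDO, and also shows how an unencoded `&` in a form-encoded POST body ends the `content` value before it ever reaches SQL. The in-memory SQLite DSN, the `content` column name and the sample string are assumptions made so the script runs without a database server.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension
// so it runs offline; with MySQL only the DSN and credentials change.

// Constructed sample value containing '&' and a quote.
$text = "Tom & Jerry's notes";

// Two constructed application/x-www-form-urlencoded request bodies:
$rawBody = 'content=' . $text;               // value concatenated unencoded
$encBody = 'content=' . rawurlencode($text); // value percent-encoded first

// PHP fills $_POST by splitting the body on '&'; parse_str() follows the
// same rules, so it stands in for the request parsing here.
parse_str($rawBody, $rawPost);
parse_str($encBody, $encPost);
echo "unencoded body -> ", var_export($rawPost['content'], true), "\n";
echo "encoded body   -> ", var_export($encPost['content'], true), "\n";

// Hypothetical schema: the page names the table `contents` but no columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contents (content TEXT)');

// Prepared statement: the SQL text is fixed and the value is bound as data,
// so '&', quotes and other metacharacters are stored literally.
$stmt = $pdo->prepare('INSERT INTO contents (content) VALUES (?)');
$stmt->execute([$encPost['content']]);

$stored = $pdo->query('SELECT content FROM contents')->fetchColumn();
echo "stored         -> ", var_export($stored, true), "\n";
echo $stored === $text ? "round trip intact\n" : "value was altered\n";
```

On the browser side, the counterpart of `rawurlencode()` is `encodeURIComponent()` applied to the value before it is placed in the AJAX request body.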