Mudsaf Posted January 28, 2014
Hello, I'm wondering how a single quote in my SQL table can break my code.
Example: Who's that? <-- Breaks code
Example 2: Whos tat? <-- Doesn't break code
Tried the below:
htmlspecialchars (with ENT_QUOTES and without)
htmlentities (same)
Don Jajo Posted January 29, 2014
Well, that's just the SQL injection you hear about. Leave htmlspecialchars and others like it for now, just use mysqli_real_escape_string('Your string');
Mudsaf Posted January 29, 2014 (Author)
But shouldn't a prepared query prevent SQL injection already?

    if ($stmt = $con->prepare("INSERT INTO <table> (<column1>, <column2>, <column3>) VALUES (?,?,?)")) {

And the SQL data just removes one table td element: <td></td>
Don Jajo Posted January 29, 2014
Only if it's PDO does a prepared query solve SQL injection, I guess. I don't know PDO that much.
thescientist Posted January 29, 2014
What are you using? mysqli or PDO? That's kind of important.
Ingolme Posted January 29, 2014
If this is affecting the HTML, check the source code to see what's showing up on your page. Also, show the line of PHP code associated with this problem. I doubt SQL is related to this.
Mudsaf Posted January 29, 2014 (Author)
I'm using MySQLi. PHP receive:

    if ($res_ginfo = $con->query("SELECT <column1>, <column2> FROM <table> WHERE <column1> = '" . $row['<data1>'] . "'")) {
        $rows = mysqli_num_rows($res_ginfo);
        if ($rows == 1) {
            $row_ginfo = $res_ginfo->fetch_assoc();
            echo "<td style='text-align:center;' class='co" . $count . "'><a href='" . $row_ginfo['<data2>'] . "' data-lightbox='" . $row['item'] . "'><img width='16' height='16' src='" . $row_ginfo['<data2>'] . "'></a></td>";
        } else {
            echo "<td style='text-align:center;' class='co$count'><form enctype='multipart/form-data' style='margin:0;' action='upimg.php' method='POST'><input type='hidden' value='" . $row['<data1>'] . "' name='item'><input type='file' name='image'><input type='submit' value='Upload'></form></td>";
        }
    }

The error occurs at the `if ($rows == 1) {` echo td lines. It affects it so much that it just doesn't create the TD tags, and the table's 5th column is empty on that line. However, the bug is fixed if I add ' to the SQL text instead of ', but then it will display /' in the td tag.
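The SELECT in the post above splices `$row['<data1>']` straight into the SQL string, so a stored value containing an apostrophe (such as `Umbar's Blade Short Sword`) terminates the string literal early, the query fails, `$con->query()` returns false and the whole `if` block, `<td>` included, is skipped; the same value is also written unescaped into a single-quoted `data-lightbox='...'` attribute. Below is an added example, not code from the thread, of the same cell rendered with a mysqli prepared statement and escaped output; the connection details, table name `item_images` and columns `item_name`/`image_path` are placeholders standing in for the poster's schema.

```php
<?php
// Added example, not from the thread: render the "Image" cell with a mysqli
// prepared statement. Connection details, table and column names are
// placeholders, not the poster's real schema.

// Make mysqli throw on errors instead of returning false, so a failed query
// can no longer silently skip the <td> as the original concatenated query did.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$con->set_charset('utf8mb4');

// Escape a value for a text node or a single-/double-quoted HTML attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderImageCell(mysqli $con, string $item, int $count): string
{
    // The item name travels as a bound parameter, never as part of the SQL
    // text, so the apostrophe in "Umbar's Blade Short Sword" is just data.
    $stmt = $con->prepare(
        'SELECT image_path FROM item_images WHERE item_name = ? LIMIT 1'
    );
    $stmt->bind_param('s', $item);
    $stmt->execute();
    $stmt->bind_result($imagePath);
    $found = $stmt->fetch();
    $stmt->close();

    $class = 'co' . $count; // $count alternates 0/1 in the original loop
    if ($found) {
        // Escape values placed in single-quoted attributes as well:
        // data-lightbox='Umbar's Blade' would otherwise break the markup.
        return "<td style='text-align:center;' class='" . h($class) . "'>"
             . "<a href='" . h($imagePath) . "' data-lightbox='" . h($item) . "'>"
             . "<img width='16' height='16' src='" . h($imagePath) . "'></a></td>";
    }
    return "<td style='text-align:center;' class='" . h($class) . "'>"
         . "<form enctype='multipart/form-data' style='margin:0;' action='upimg.php' method='POST'>"
         . "<input type='hidden' name='item' value='" . h($item) . "'>"
         . "<input type='file' name='image'><input type='submit' value='Upload'></form></td>";
}

echo renderImageCell($con, "Umbar's Blade Short Sword", 1);
```

With `MYSQLI_REPORT_STRICT` enabled, a malformed query surfaces as a `mysqli_sql_exception` in the PHP error log rather than as a missing table cell, which is how the original bug went unnoticed.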
Don E Posted January 29, 2014
From what I understand, and I could be wrong, I am sure mysqli prepared statements prevent SQL injection as well, like PDO prepared statements.
Ingolme Posted January 29, 2014
Check the outputted source code to see what's being printed there.
Mudsaf Posted January 29, 2014 (Author)

    <html><head>
    <style>
    .co1 {background-color:#F1F1F1;padding:2 4 2 4;border:groove;border-width:thin;}
    .co0 {background-color:#DBDBDB;padding:2 4 2 4;border:groove;border-width:thin;}
    .toptd {font-weight:bold;border:groove;border-width:thin;padding:2 4 2 4;}
    a { text-decoration:none; }
    </style>
    <script src="lightbox/js/jquery-1.10.2.min.js"></script>
    <script src="lightbox/js/lightbox-2.6.min.js"></script>
    <link href="lightbox/css/lightbox.css" rel="stylesheet" />
    </head><body>
    <form action='/stash/index.php' method='GET'><input type='text' name='search'><input type='submit' value='Search'></form>
    <a href='additem.php' target='_BLANK'>Add item</a>
    <table>
    <tr><td class='toptd'>Page</td><td class='toptd'>Amount</td><td class='toptd'>Item</td><td class='toptd'>Update Date</td><td class='toptd'>Image</td></tr>
    <tr><td class='co1'>100</td><td class='co1'>1</td><td class='co1'>Umbar's Blade Short Sword</td><td class='co1'>2014-01-29 00:41:50</td></tr>
    <tr><td class='co0'>100</td><td class='co0'>1</td><td class='co0'>Magma Spike Gladius</td><td class='co0'>2014-01-28 23:07:06</td><td style='text-align:center;' class='co0'><a href='img/magma-spike-gladius.jpg' data-lightbox='Magma Spike Gladius'><img width='16' height='16' src='img/magma-spike-gladius.jpg'></a></td></tr>
    <tr><td class='co1'>77</td><td class='co1'>1</td><td class='co1'>Skeleton Soul</td><td class='co1'>2014-01-28 22:43:50</td><td style='text-align:center;' class='co1'><a href='img/skeleton-soul.jpg' data-lightbox='Skeleton Soul'><img width='16' height='16' src='img/skeleton-soul.jpg'></a></td></tr>
    <tr><td class='co0'>77</td><td class='co0'>2</td><td class='co0'>Hungry Dead Soul</td><td class='co0'>2014-01-28 22:36:53</td><td style='text-align:center;' class='co0'><a href='img/hungry-dead-soul.jpg' data-lightbox='Hungry Dead Soul'><img width='16' height='16' src='img/hungry-dead-soul.jpg'></a></td></tr>
    <tr><td class='co1'>100</td><td class='co1'>1</td><td class='co1'>Shadow Slice Hatchet Hands</td><td class='co1'>2014-01-28 20:13:18</td><td style='text-align:center;' class='co1'><a href='img/shadow-slice.jpg' data-lightbox='Shadow Slice Hatchet Hands'><img width='16' height='16' src='img/shadow-slice.jpg'></a></td></tr>
    <tr><td class='co0'>71</td><td class='co0'>10</td><td class='co0'>Ancient Decipherer</td><td class='co0'>2014-01-28 19:42:09</td><td style='text-align:center;' class='co0'><a href='img/ancient-decipherer.jpg' data-lightbox='Ancient Decipherer'><img width='16' height='16' src='img/ancient-decipherer.jpg'></a></td></tr>
    <tr><td class='co1'>71</td><td class='co1'>8</td><td class='co1'>Ancient Scroll</td><td class='co1'>2014-01-28 19:41:27</td><td style='text-align:center;' class='co1'><a href='img/ancient-scroll.jpg' data-lightbox='Ancient Scroll'><img width='16' height='16' src='img/ancient-scroll.jpg'></a></td></tr>
    <tr><td class='co0'>70</td><td class='co0'>11</td><td class='co0'>Dragonstone</td><td class='co0'>2014-01-28 19:22:59</td><td style='text-align:center;' class='co0'><a href='img/dragonstone.jpg' data-lightbox='Dragonstone'><img width='16' height='16' src='img/dragonstone.jpg'></a></td></tr>
    </table></body></html>

    <td class='co1'>100</td><td class='co1'>1</td><td class='co1'>Umbar's Blade Short Sword</td><td class='co1'>2014-01-29 00:41:50</td><!-- Should have td here --></tr><tr>
Mudsaf Posted February 3, 2014 (Author)
^
Ingolme Posted February 3, 2014
I don't see where there could be a problem there, aside from <td> elements not being in a table. The apostrophes aren't interfering with anything in the HTML you're showing.