
Single quote at SQL table breaks HTML


Mudsaf


Hello, I'm wondering how my single quote @ SQL-table can break my code.

Example: Who's that? <-- Breaks code

Example2: Whos tat? <-- Doesn't break code

Tried below:

htmlspecialchars (with ENT_QUOTES and without)

htmlentities (ditto)


But shouldn't a prepared query prevent SQL injections already?

```php
if ($stmt = $con->prepare("INSERT INTO <table> (<column1>, <column2>, <column3>) VALUES (?,?,?)")) {
```

And the SQL-data just removes 1 table td code.

```html
<td></td>
```

If this is affecting the HTML, check the source code to see what's showing up on your page. Also, show the line of PHP code associated to this problem. I doubt SQL is related to this.


I'm using MySQLi

PHP receive:

```php
// The value read by the first query ($row['<data1>']) is spliced straight into
// the WHERE clause of this second query as a single-quoted literal.
if ($res_ginfo = $con->query("SELECT <column1>, <column2> FROM <table> WHERE <column1> = '" . $row['<data1>'] . "'")) {
    $rows = mysqli_num_rows($res_ginfo);
    if ($rows == 1) {
        $row_ginfo = $res_ginfo->fetch_assoc();
        // Image found: the same values are written into single-quoted HTML attributes.
        echo "<td style='text-align:center;' class='co" . $count . "'><a href='" . $row_ginfo['<data2>'] . "' data-lightbox='" . $row['item'] . "'><img width='16' height='16' src='" . $row_ginfo['<data2>'] . "'></a></td>";
    } else {
        // No image yet: render the upload form for this item.
        echo "<td style='text-align:center;' class='co$count'><form enctype='multipart/form-data' style='margin:0;' action='upimg.php' method='POST'><input type='hidden' value='" . $row['<data1>'] . "' name='item'><input type='file' name='image'><input type='submit' value='Upload'></form></td>";
    }
}
```

The error occurs at the `if ($rows == 1) { echo td` lines.

It affects it so much that it just doesn't create the TD tags, and the table's 5th column is empty on that line.

However, the bug is fixed if I add \' to the SQL text instead of ', but then it will display /' in the td tag.

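The failure described in this post can be reproduced without a MySQL server. The following is an added example, not the poster's code or any project's: it uses PDO with an in-memory SQLite database so it runs with just the php CLI; the table and column names (items, name, image) and the sample rows are constructed for the demonstration. The concatenated WHERE clause turns the stored value `Who's that?` into `WHERE name = 'Who's that?'`, which is a SQL syntax error, so the query fails and the branch that echoes the td never runs (a value that is stored once and later spliced into another query this way is also an injection point, not just a display bug). Binding the value as a parameter removes the problem, and because the same value is also written into single-quoted HTML attributes, the output side is encoded with htmlspecialchars(..., ENT_QUOTES). A mysqli version of the prepared lookup is included to match the thread's driver; it assumes an open mysqli connection and the mysqlnd get_result() method and is not executed in the offline demo.

```php
<?php
// Added example (not the poster's code): reproduces why an apostrophe in a
// column value breaks the concatenated SELECT, then shows the fix.
// Uses PDO with an in-memory SQLite database so it runs without a MySQL server;
// table and column names (items, name, image) are constructed for this demo.
declare(strict_types=1);

function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE items (name TEXT PRIMARY KEY, image TEXT NOT NULL)");
    $ins = $db->prepare("INSERT INTO items (name, image) VALUES (?, ?)");
    // Constructed sample rows; the first carries the apostrophe that triggers
    // the failure described in the thread.
    $ins->execute(["Who's that?", "img/whos-that.jpg"]);
    $ins->execute(["Whos tat?", "img/whos-tat.jpg"]);
    return $db;
}

// The thread's pattern: the value is spliced into the SQL text. With
// "Who's that?" the statement becomes
//   SELECT ... WHERE name = 'Who's that?'
// and the quote inside the data terminates the literal early: a syntax error.
function lookupConcatenated(PDO $db, string $item): ?array
{
    try {
        $res = $db->query("SELECT name, image FROM items WHERE name = '" . $item . "'");
        $row = $res->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // mysqli->query() returns false for a failed query unless exception
        // reporting is enabled, so the poster's `if ($res_ginfo = ...)` branch
        // is silently skipped and no <td> is echoed.
        return null;
    }
}

// The fix: bind the value as a parameter. The database receives the SQL text
// and the data separately, so quotes inside the data are never parsed as SQL.
function lookupPrepared(PDO $db, string $item): ?array
{
    $stmt = $db->prepare("SELECT name, image FROM items WHERE name = ?");
    $stmt->execute([$item]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side: the value also lands inside single-quoted HTML attributes
// (href='...', data-lightbox='...'), so it is encoded with ENT_QUOTES.
// ENT_COMPAT (the default before PHP 8.1) leaves single quotes untouched
// and would let the apostrophe end the attribute early.
function renderImageCell(array $row, int $count): string
{
    $img  = htmlspecialchars($row['image'], ENT_QUOTES, 'UTF-8');
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    return "<td style='text-align:center;' class='co" . $count . "'>"
         . "<a href='" . $img . "' data-lightbox='" . $name . "'>"
         . "<img width='16' height='16' src='" . $img . "'></a></td>";
}

// Same lookup against MySQLi, matching the thread's driver. Not executed in
// this offline demo; $con is assumed to be an open mysqli connection and
// get_result() assumes the mysqlnd driver.
function lookupPreparedMysqli(mysqli $con, string $item): ?array
{
    $stmt = $con->prepare("SELECT name, image FROM items WHERE name = ?");
    $stmt->bind_param('s', $item);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$db = setupDemoDb();
foreach (["Who's that?", "Whos tat?"] as $item) {
    $concat   = lookupConcatenated($db, $item);
    $prepared = lookupPrepared($db, $item);
    echo $item, "\n";
    echo "  concatenated query: ", $concat === null ? "no row (query failed)" : "row found", "\n";
    echo "  prepared query:     ", $prepared === null ? "no row" : "row found", "\n";
    if ($prepared !== null) {
        echo "  ", renderImageCell($prepared, 1), "\n";
    }
}
```

Running it shows the concatenated lookup finding `Whos tat?` but not `Who's that?`, while the prepared lookup finds both and the rendered cell carries `Who&#039;s that?` inside its data-lightbox attribute, so the apostrophe neither breaks the query nor the markup.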

```html
<html>
<head>
<style>
.co1 {background-color:#F1F1F1;padding:2 4 2 4;border:groove;border-width:thin;}
.co0 {background-color:#DBDBDB;padding:2 4 2 4;border:groove;border-width:thin;}
.toptd {font-weight:bold;border:groove;border-width:thin;padding:2 4 2 4;}
a { text-decoration:none; }
</style>
<script src="lightbox/js/jquery-1.10.2.min.js"></script>
<script src="lightbox/js/lightbox-2.6.min.js"></script>
<link href="lightbox/css/lightbox.css" rel="stylesheet" />
</head>
<body>
<form action='/stash/index.php' method='GET'><input type='text' name='search'><input type='submit' value='Search'></form> <a href='additem.php' target='_BLANK'>Add item</a>
<table>
<tr><td class='toptd'>Page</td><td class='toptd'>Amount</td><td class='toptd'>Item</td><td class='toptd'>Update Date</td><td class='toptd'>Image</td></tr>
<tr><td class='co1'>100</td><td class='co1'>1</td><td class='co1'>Umbar's Blade Short Sword</td><td class='co1'>2014-01-29 00:41:50</td></tr>
<tr><td class='co0'>100</td><td class='co0'>1</td><td class='co0'>Magma Spike Gladius</td><td class='co0'>2014-01-28 23:07:06</td><td style='text-align:center;' class='co0'><a href='img/magma-spike-gladius.jpg' data-lightbox='Magma Spike Gladius'><img width='16' height='16' src='img/magma-spike-gladius.jpg'></a></td></tr>
<tr><td class='co1'>77</td><td class='co1'>1</td><td class='co1'>Skeleton Soul</td><td class='co1'>2014-01-28 22:43:50</td><td style='text-align:center;' class='co1'><a href='img/skeleton-soul.jpg' data-lightbox='Skeleton Soul'><img width='16' height='16' src='img/skeleton-soul.jpg'></a></td></tr>
<tr><td class='co0'>77</td><td class='co0'>2</td><td class='co0'>Hungry Dead Soul</td><td class='co0'>2014-01-28 22:36:53</td><td style='text-align:center;' class='co0'><a href='img/hungry-dead-soul.jpg' data-lightbox='Hungry Dead Soul'><img width='16' height='16' src='img/hungry-dead-soul.jpg'></a></td></tr>
<tr><td class='co1'>100</td><td class='co1'>1</td><td class='co1'>Shadow Slice Hatchet Hands</td><td class='co1'>2014-01-28 20:13:18</td><td style='text-align:center;' class='co1'><a href='img/shadow-slice.jpg' data-lightbox='Shadow Slice Hatchet Hands'><img width='16' height='16' src='img/shadow-slice.jpg'></a></td></tr>
<tr><td class='co0'>71</td><td class='co0'>10</td><td class='co0'>Ancient Decipherer</td><td class='co0'>2014-01-28 19:42:09</td><td style='text-align:center;' class='co0'><a href='img/ancient-decipherer.jpg' data-lightbox='Ancient Decipherer'><img width='16' height='16' src='img/ancient-decipherer.jpg'></a></td></tr>
<tr><td class='co1'>71</td><td class='co1'>8</td><td class='co1'>Ancient Scroll</td><td class='co1'>2014-01-28 19:41:27</td><td style='text-align:center;' class='co1'><a href='img/ancient-scroll.jpg' data-lightbox='Ancient Scroll'><img width='16' height='16' src='img/ancient-scroll.jpg'></a></td></tr>
<tr><td class='co0'>70</td><td class='co0'>11</td><td class='co0'>Dragonstone</td><td class='co0'>2014-01-28 19:22:59</td><td style='text-align:center;' class='co0'><a href='img/dragonstone.jpg' data-lightbox='Dragonstone'><img width='16' height='16' src='img/dragonstone.jpg'></a></td></tr>
</table>
</body>
</html>
```

```html
<td class='co1'>100</td><td class='co1'>1</td><td class='co1'>Umbar's Blade Short Sword</td><td class='co1'>2014-01-29 00:41:50</td><!-- Should have td here --></tr><tr>
```

I don't see where there could be a problem there, aside from <td> elements not being in a table. The apostrophes aren't interfering with anything in the HTML you're showing.
