Trouble with $_POST data

  • Todd Michels

    Trouble with $_POST data

    Hi all,

    I am trying to send data from a form and insert it into a MSSQL DB.

    When I submit the data I get: Warning: mssql_query()
    [function.mssql-query]: message: The name "Todd" is not permitted in
    this context. Valid expressions are constants, constant expressions, and
    (in some contexts) variables. Column names are not permitted. (severity
    15) in "Myfile"

    If I don't use the POST data and write the query explicitly, it works.

    Any help is appreciated.

    Thanks,
    Todd

    WinXP SP2
    MSSQL Express 2005
    IIS 5.1
    PHP 5.2.1

    It's a basic form:

    <body>
    <form id="form1" name="form1" method="post" action="flextest.php">
    <label>User Name
    <input name="username" type="text" id="username" />
    </label>
    <label>Email Address
    <input name="emailaddress" type="text" id="emailaddress" />
    </label>
    <p>
    <input type="submit" name="Submit" value="Submit" />
    </p>
    </form>
    </body>

    And here is the MSSQL insert:

    if( $_POST["emailaddress"] AND $_POST["username"])
    {
    //add the user
    $Query = sprintf('INSERT INTO users (username, emailaddress)
    VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);

    $Result = mssql_query($Query);
    }
  • daGnutt

    #2
    Re: Trouble with $_POST data

    On 1 July, 14:26, Todd Michels <t...@nalamail.com> wrote:
    > And here is the MSSQL insert:
    >
    > if( $_POST["emailaddress"] AND $_POST["username"])
    > {
    > //add the user
    > $Query = sprintf('INSERT INTO users (username, emailaddress)
    > VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
    >
    > $Result = mssql_query($Query);
    >
    > }
    I personally don't know mssql, but in MySQL, the error would lie in
    that non-numerical entries must be surrounded by '"', so try
    $Query = sprintf(INSERT INTO users (username, emailaddress)
    VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);


    • Todd Michels

      #3
      Re: Trouble with $_POST data

      daGnutt wrote:
      > I personally don't know mssql, but in MySQL, the error would lie in
      > that non-numerical entries must be surrounded by '"', so try
      > $Query = sprintf(INSERT INTO users (username, emailaddress)
      > VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
      >
      Thanks for the suggestion, and you were close. This is the command that
      actually worked.

      $Query = sprintf('INSERT INTO users (username, emailaddress)
      VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);

      Thanks again.


      • Jerry Stuckle

        #4
        Re: Trouble with $_POST data

        daGnutt wrote:
        > I personally don't know mssql, but in MySQL, the error would lie in
        > that non-numerical entries must be surrounded by '"', so try
        > $Query = sprintf(INSERT INTO users (username, emailaddress)
        > VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
        >
        Actually, using double quotes (") is a non-standard MySQL extension to
        the SQL standard. It also will fail if MySQL is running in strict mode
        and with most other databases.

        Single quote (') is the correct delimiter for MySQL and standard SQL.
        It should work with MSSQL, also.

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================


        • Brendan Gillatt

          #5
          Re: Trouble with $_POST data

          On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <todd@nalamail.com>
          wrote:
          > And here is the MSSQL insert:
          >
          > if( $_POST["emailaddress"] AND $_POST["username"])
          > {
          > //add the user
          > $Query = sprintf('INSERT INTO users (username, emailaddress)
          > VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
          >
          > $Result = mssql_query($Query);
          > }
          You could try doing $_POST[username] (remove the quotes) and seeing if
          that makes a difference.

          NB: Your code could have a SQL injection exploit if Magic Quotes
          is turned off on your PHP.
          --
          Brendan Gillatt

          GPG: 0x6E265E61


          • Jerry Stuckle

            #6
            Re: Trouble with $_POST data

            Brendan Gillatt wrote:
            > You could try doing $_POST[username] (remove the quotes) and seeing if
            > that makes a difference.
            >
            That is incorrect PHP and will give a notice (if notices are turned on).

            > NB: Your code could have a SQL injection exploit if Magic Quotes
            > is turned off on your PHP.


            --
            ==================
            Remove the "x" from my email address
            Jerry Stuckle
            JDS Computer Training Corp.
            jstucklex@attglobal.net
            ==================


            • Norman Peelman

              #7
              Re: Trouble with $_POST data

              Todd Michels wrote:
              > Thanks for the suggestion, and you were close. This is the command that
              > actually worked.
              >
              > $Query = sprintf('INSERT INTO users (username, emailaddress)
              > VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
              >
              > Thanks again.
              If you aren't doing anything special with sprintf (if you don't
              necessarily need it) then the following works as expected:

              $Query = "INSERT INTO users (username, emailaddress)
              VALUES('$_POST[username]', '$_POST[emailaddress]')";

              but that's not accounting for the cleansing of variables.

              Norm


              • Rami Elomaa

                #8
                Re: Trouble with $_POST data

                Norman Peelman wrote:
                > If you aren't doing anything special with sprintf (if you don't
                > necessarily need it) then the following works as expected:
                >
                > $Query = "INSERT INTO users (username, emailaddress)
                > VALUES('$_POST[username]', '$_POST[emailaddress]')";
                >
                > but that's not accounting for the cleansing of variables.
                I'll say it isn't! It's an SQL injection waiting to happen. Please don't
                give this kind of advice even though it works. Always keep in mind
                good coding practice when giving advice. Never trust user data; that
                means never hand it to the database without checking the contents.

                --
                Rami.Elomaa@gmail.com

                "Wikipedia is a bit like the Bible of the internet: nobody really
                believes in it at heart and nobody knows what is true." -- z00ze


                • Rami Elomaa

                  #9
                  Re: Trouble with $_POST data

                  Brendan Gillatt wrote:
                  > You could try doing $_POST[username] (remove the quotes) and seeing if
                  > that makes a difference.
                  It won't make a difference 'cos that's not the issue. And like Jerry
                  already said, it will make it even worse.

                  --
                  Rami.Elomaa@gmail.com

                  "Wikipedia is a bit like the Bible of the internet: nobody really
                  believes in it at heart and nobody knows what is true." -- z00ze


                  • Norman Peelman

                    #10
                    Re: Trouble with $_POST data

                    Rami Elomaa wrote:
                    > Norman Peelman wrote:
                    >> If you aren't doing anything special with sprintf (if you don't
                    >> necessarily need it) then the following works as expected:
                    >>
                    >> $Query = "INSERT INTO users (username, emailaddress)
                    >> VALUES('$_POST[username]', '$_POST[emailaddress]')";
                    >>
                    >> but that's not accounting for the cleansing of variables.
                    >
                    > I'll say it isn't! It's an SQL injection waiting to happen. Please don't
                    > give this kind of advice even though it works. Always keep in mind
                    > good coding practice when giving advice. Never trust user data; that
                    > means never hand it to the database without checking the contents.
                    >
                    ....as you can read by the quote above I said that it doesn't account for
                    the cleansing of variables. The OP didn't ask about SQL injections, he
                    asked why his query was failing. What does sprintf() do to prevent SQL
                    injections? Nothing that I can see. I answered the question at hand with
                    perfectly legal PHP code.

                    ....to the OP, you should always run your $_POST/$_GET/$_REQUEST
                    variables through a 'cleaning' function to sanitize (remove/prevent)
                    unwanted characters. Carefully crafted input could be used to do damage
                    to your data.

                    ....to Rami, I appreciate your input but think you went off the deep end
                    just a bit. The problem here is that people get upset when a reply is
                    made to a question without listing all the dependencies of the answer. I
                    still think the PHP newsgroups need a FAQ. I know there are a lot of
                    forums/info to be found by googling but maybe too much... often the info
                    seems to be intermingled with a lot of crap.

                    If I'm ranting a bit then I apologize.

                    Norm
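
What the exchange above comes down to, as an added example that is not part of any poster's message: an apostrophe in form input reaches the SQL parser when the value is formatted into the statement with sprintf(), also after addslashes() (what Magic Quotes applied), and is stored as plain data when the value is bound to a placeholder. Assumptions: PDO with an in-memory SQLite database stands in for the MSSQL server so the script runs offline, the function names are hypothetical, and the form input is constructed.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the SQLite
// driver (in-memory) stands in for the MSSQL server so the script runs
// offline; function names are hypothetical; the form input is constructed.
// SQLite and SQL Server both escape a quote inside a literal as '' (not \').

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, emailaddress TEXT)');

/** The pattern from the thread: form values pasted into the SQL text. */
function build_concatenated_insert(string $username, string $email): string
{
    return sprintf(
        "INSERT INTO users (username, emailaddress) VALUES ('%s', '%s')",
        $username,
        $email
    );
}

/** Run a statement and report whether the database accepted it. */
function try_exec(PDO $pdo, string $sql): string
{
    try {
        $pdo->exec($sql);
        return 'accepted';
    } catch (PDOException $e) {
        return 'rejected (' . $e->getMessage() . ')';
    }
}

/** Check the contents, then bind the values instead of formatting them in. */
function insert_user(PDO $pdo, string $username, string $email): void
{
    $username = trim($username);
    // 64 is an arbitrary example limit, not a value from the thread.
    if ($username === '' || strlen($username) > 64) {
        throw new InvalidArgumentException('username must be 1-64 characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email address is not valid');
    }
    // Placeholders keep the statement text constant; the values are passed
    // separately as data, so quotes in them never reach the SQL parser.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, emailaddress) VALUES (?, ?)'
    );
    $stmt->execute([$username, $email]);
}

// Constructed form input: an ordinary surname that contains an apostrophe.
$post = ['username' => "O'Brien", 'emailaddress' => 'obrien@example.test'];

// 1. sprintf() only formats: the apostrophe closes the literal early.
$sql = build_concatenated_insert($post['username'], $post['emailaddress']);
echo "sprintf:     $sql\n  -> ", try_exec($pdo, $sql), "\n";

// 2. What Magic Quotes did (addslashes): the backslash is not an escape
//    character here, so the literal still ends at the apostrophe.
$sql = build_concatenated_insert(
    addslashes($post['username']),
    $post['emailaddress']
);
echo "addslashes:  $sql\n  -> ", try_exec($pdo, $sql), "\n";

// 3. Bound parameters: same input, stored exactly as typed.
insert_user($pdo, $post['username'], $post['emailaddress']);
$rows = $pdo->query('SELECT username, emailaddress FROM users')
            ->fetchAll(PDO::FETCH_ASSOC);
echo "bound:       ", json_encode($rows), "\n";
```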


                    • Jerry Stuckle

                      #11
                      Re: Trouble with $_POST data

                      Norman Peelman wrote:
                      Rami Elomaa wrote:
                      >Norman Peelman kirjoitti:
                      >>Todd Michels wrote:
                      >>>daGnutt wrote:
                      >>>>On 1 Juli, 14:26, Todd Michels <t...@nalamail. comwrote:
                      >>>>>Hi all,
                      >>>>>>
                      >>>>>I am trying to send data from a form and insert it into a MSSQL DB.
                      >>>>>>
                      >>>>>When I submit the data I get: Warning: mssql_query()
                      >>>>>[function.mssql-query]: message: The name "Todd" is not permitted in
                      >>>>>this context. Valid expressions are constants, constant
                      >>>>>expression s, and
                      >>>>>(in some contexts) variables. Column names are not permitted.
                      >>>>>(severit y
                      >>>>>15) in "Myfile"
                      >>>>>>
                      >>>>>If I don't use the POST data and write the query explicitly, it
                      >>>>>works.
                      >>>>>>
                      >>>>>Any help is appreciated.
                      >>>>>>
                      >>>>>Thanks,
                      >>>>>Todd
                      >>>>>>
                      >>>>>WinXP SP2
                      >>>>>MSSQL Express 2005
                      >>>>>IIS 5.1
                      >>>>>PHP 5.2.1
                      >>>>>>
                      >>>>>It's a basic form:
                      >>>>>>
                      >>>>><body>
                      >>>>><form id="form1" name="form1" method="post" action="flextes t.php">
                      >>>>> <label>User Name
                      >>>>> <input name="username" type="text" id="username" />
                      >>>>> </label>
                      >>>>> <label>Email Address
                      >>>>> <input name="emailaddr ess" type="text" id="emailaddres s" />
                      >>>>> </label>
                      >>>>> <p>
                      >>>>> <input type="submit" name="Submit" value="Submit" />
                      >>>>> </p>
                      >>>>></form>
                      >>>>></body>
                      >>>>>>
                      >>>>>And here is the MSSQL insert:
                      >>>>>>
                      >>>>>if( $_POST["emailaddre ss"] AND $_POST["username"])
                      >>>>>{
                      >>>>> //add the user
                      >>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
                      >>>>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddre ss"]);
                      >>>>>>
                      >>>>> $Result = mssql_query($Qu ery);
                      >>>>>>
                      >>>>>}
                      >>>>>
                      >>>>I personally don't know mssql, but in mySQL, the error would lie in
                      >>>>that non-numerical entries must be surrounded by '"' so try
                      >>>> $Query = sprintf(INSERT INTO users (username, emailaddress)
                      >>>>VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
                      >>>>>
                      >>>>
                      >>>Thanks for the suggestion, and you were close. This is the command
                      >>>that actually worked.
                      >>>>
                      >>>$Query = sprintf('INSERT INTO users (username, emailaddress)
                      >>>VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
                      >>>>
                      >>>Thanks again.
                      >>>
                      >> If you aren't doing anything special with sprintf (if you don't
                      >>necessarily need it) then the following works as expected:
                      >>>
                      >>$Query = "(INSERT INTO users (username, emailaddress)
                      >>VALUES('$_POST[username]', '$_POST[emailaddress]')";
                      >>>
                      >>but that's not accounting for the cleansing of variables.
                      >>
                      >I'll say it isn't! It's an SQL injection waiting to happen. Please
                      >don't give this kind of advice even though it works. Always keep
                      >in mind good coding practise when giving advice. Never trust user
                      >data, that means never hand it to database without checking the contents.
                      >>
                      >
                      ...as you can read by the quote above I said that it doesn't account for
                      the cleansing of variables. The OP didn't ask about SQL injections, he
                      asked why his query was failing. What does sprintf() do to prevent SQL
                      injections? Nothing that I can see. I answered the question at hand with
                      perfectly legal PHP code.
                      >
                      ...to the OP, you should always run your $_POST/$_GET/$_REQUEST
                      variables through a 'cleaning' function to sanitize (remove/prevent)
                      unwanted characters. Carefully crafted input could be used to do damage
                      to your data.
                      >
                      ...to Rami, I appreciate your input but think you went off the deep end
                      just a bit. The problem here is that people get upset when a reply is
                      made to a question without listing all the dependencies of the answer. I
                      still think the PHP newsgroups need a FAQ. I know there are a lot of
                      forums/info to be found by googling but maybe too much... often the info
                      seems to be intermingled with a lot of crap.
                      >
                      If I'm ranting a bit then I apologize.
                      >
                      Norm
                      Sorry, I agree with Rami. Your answer was correct, but it didn't go
                      far enough. Obviously from his question the op was not aware of the
                      possibilities of SQL injection. It would be a favor to him (and
                      everyone else who reads this thread) to mention it.

                      It never hurts to go a little beyond the question - especially when
                      security is at stake.

                      --
                      ==================
                      Remove the "x" from my email address
                      Jerry Stuckle
                      JDS Computer Training Corp.
                      jstucklex@attglobal.net
                      ==================


                      • Norman Peelman

                        #12
                        Re: Trouble with $_POST data

                        Jerry Stuckle wrote:
                        Norman Peelman wrote:
                        >Rami Elomaa wrote:
                        >>Norman Peelman kirjoitti:
                        >>>Todd Michels wrote:
                        >>>>daGnutt wrote:
                        >>>>>On 1 Juli, 14:26, Todd Michels <t...@nalamail.com> wrote:
                        >>>>>>Hi all,
                        >>>>>>>
                        >>>>>>I am trying to send data from a form and insert it into a MSSQL DB.
                        >>>>>>>
                        >>>>>>When I submit the data I get: Warning: mssql_query()
                        >>>>>>[function.mssql-query]: message: The name "Todd" is not permitted in
                        >>>>>>this context. Valid expressions are constants, constant
                        >>>>>>expressions, and
                        >>>>>>(in some contexts) variables. Column names are not permitted.
                        >>>>>>(severity
                        >>>>>>15) in "Myfile"
                        >>>>>>>
                        >>>>>>If I don't use the POST data and write the query explicitly, it
                        >>>>>>works.
                        >>>>>>>
                        >>>>>>Any help is appreciated.
                        >>>>>>>
                        >>>>>>Thanks,
                        >>>>>>Todd
                        >>>>>>>
                        >>>>>>WinXP SP2
                        >>>>>>MSSQL Express 2005
                        >>>>>>IIS 5.1
                        >>>>>>PHP 5.2.1
                        >>>>>>>
                        >>>>>>It's a basic form:
                        >>>>>>>
                        >>>>>><body>
                        >>>>>><form id="form1" name="form1" method="post" action="flextest.php">
                        >>>>>> <label>User Name
                        >>>>>> <input name="username" type="text" id="username" />
                        >>>>>> </label>
                        >>>>>> <label>Email Address
                        >>>>>> <input name="emailaddress" type="text" id="emailaddress" />
                        >>>>>> </label>
                        >>>>>> <p>
                        >>>>>> <input type="submit" name="Submit" value="Submit" />
                        >>>>>> </p>
                        >>>>>></form>
                        >>>>>></body>
                        >>>>>>>
                        >>>>>>And here is the MSSQL insert:
                        >>>>>>>
                        >>>>>>if( $_POST["emailaddress"] AND $_POST["username"])
                        >>>>>>{
                        >>>>>> //add the user
                        >>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
                        >>>>>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
                        >>>>>>>
                        >>>>>> $Result = mssql_query($Query);
                        >>>>>>>
                        >>>>>>}
                        >>>>>>
                        >>>>>I personally don't know mssql, but in mySQL, the error would lie in
                        >>>>>that non-numerical entries must be surrounded by '"' so try
                        >>>>> $Query = sprintf(INSERT INTO users (username, emailaddress)
                        >>>>>VALUES(\"%s\", \"%s\")', $_POST["username"], $_POST["emailaddress"]);
                        >>>>>>
                        >>>>>
                        >>>>Thanks for the suggestion, and you were close. This is the command
                        >>>>that actually worked.
                        >>>>>
                        >>>>$Query = sprintf('INSERT INTO users (username, emailaddress)
                        >>>>VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
                        >>>>>
                        >>>>Thanks again.
                        >>>>
                        >>> If you aren't doing anything special with sprintf (if you don't
                        >>>necessarily need it) then the following works as expected:
                        >>>>
                        >>>$Query = "(INSERT INTO users (username, emailaddress)
                        >>>VALUES('$_POST[username]', '$_POST[emailaddress]')";
                        >>>>
                        >>>but that's not accounting for the cleansing of variables.
                        >>>
                        >>I'll say it isn't! It's an SQL injection waiting to happen. Please
                        >>don't give this kind of advice even though it works. Always keep
                        >>in mind good coding practise when giving advice. Never trust user
                        >>data, that means never hand it to database without checking the
                        >>contents.
                        >>>
                        >>
                        >...as you can read by the quote above I said that it doesn't account
                        >for the cleansing of variables. The OP didn't ask about SQL
                        >injections, he asked why his query was failing. What does sprintf() do
                        >to prevent SQL injections? Nothing that I can see. I answered the
                        >question at hand with perfectly legal PHP code.
                        >>
                        >...to the OP, you should always run your $_POST/$_GET/$_REQUEST
                        >variables through a 'cleaning' function to sanitize (remove/prevent)
                        >unwanted characters. Carefully crafted input could be used to do
                        >damage to your data.
                        >>
                        >...to Rami, I appreciate your input but think you went off the deep
                        >end just a bit. The problem here is that people get upset when a reply
                        >is made to a question without listing all the dependencies of the
                        >answer. I still think the PHP newsgroups need a FAQ. I know there are
                        >a lot of forums/info to be found by googling but maybe too much...
                        >often the info seems to be intermingled with a lot of crap.
                        >>
                        > If I'm ranting a bit then I apologize.
                        >>
                        >Norm
                        >
                        Sorry, I agree with Rami. Your answer was correct, but it didn't go
                        far enough. Obviously from his question the op was not aware of the
                        possibilities of SQL injection. It would be a favor to him (and
                        everyone else who reads this thread) to mention it.
                        >
                        It never hurts to go a little beyond the question - especially when
                        security is at stake.
                        >
                        Jerry,
                        I understand where you're coming from and you and Rami are right. I
                        think the thing that gets me is only one reply to this thread touches on
                        SQL injection/variable cleansing. My reply is no different than yours,
                        Rami's or anyone else at this point. Every reply but one is about
                        getting the quotes right but I get told not to give advice. In fact,
                        neither one of Rami's or your replies give the OP any advice on the
                        matter I'm being scorned for. In fact, at least I somewhat mentioned it
                        although I didn't use the phrase 'SQL Injection'. All in all I just
                        can't figure out why my post was singled out as a problem.

                        Norm


                        • Jerry Stuckle

                          #13
                          Re: Trouble with $_POST data

                          Norman Peelman wrote:
                          Jerry Stuckle wrote:
                          >Norman Peelman wrote:
                          >>Rami Elomaa wrote:
                          >>>Norman Peelman kirjoitti:
                          >>>>Todd Michels wrote:
                          >>>>>daGnutt wrote:
                          >>>>>>On 1 Juli, 14:26, Todd Michels <t...@nalamail.com> wrote:
                          >>>>>>>Hi all,
                          >>>>>>>>
                          >>>>>>>I am trying to send data from a form and insert it into a MSSQL DB.
                          >>>>>>>>
                          >>>>>>>When I submit the data I get: Warning: mssql_query()
                          >>>>>>>[function.mssql-query]: message: The name "Todd" is not
                          >>>>>>>permitted in
                          >>>>>>>this context. Valid expressions are constants, constant
                          >>>>>>>expressions, and
                          >>>>>>>(in some contexts) variables. Column names are not permitted.
                          >>>>>>>(severity
                          >>>>>>>15) in "Myfile"
                          >>>>>>>>
                          >>>>>>>If I don't use the POST data and write the query explicitly, it
                          >>>>>>>works.
                          >>>>>>>>
                          >>>>>>>Any help is appreciated.
                          >>>>>>>>
                          >>>>>>>Thanks,
                          >>>>>>>Todd
                          >>>>>>>>
                          >>>>>>>WinXP SP2
                          >>>>>>>MSSQL Express 2005
                          >>>>>>>IIS 5.1
                          >>>>>>>PHP 5.2.1
                          >>>>>>>>
                          >>>>>>>It's a basic form:
                          >>>>>>>>
                          >>>>>>><body>
                          >>>>>>><form id="form1" name="form1" method="post" action="flextest.php">
                          >>>>>>> <label>User Name
                          >>>>>>> <input name="username" type="text" id="username" />
                          >>>>>>> </label>
                          >>>>>>> <label>Email Address
                          >>>>>>> <input name="emailaddress" type="text" id="emailaddress" />
                          >>>>>>> </label>
                          >>>>>>> <p>
                          >>>>>>> <input type="submit" name="Submit" value="Submit" />
                          >>>>>>> </p>
                          >>>>>>></form>
                          >>>>>>></body>
                          >>>>>>>>
                          >>>>>>>And here is the MSSQL insert:
                          >>>>>>>>
                          >>>>>>>if( $_POST["emailaddress"] AND $_POST["username"])
                          >>>>>>>{
                          >>>>>>> //add the user
                          >>>>>>> $Query = sprintf('INSERT INTO users (username, emailaddress)
                          >>>>>>>VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
                          >>>>>>>>
                          >>>>>>> $Result = mssql_query($Query);
                          >>>>>>>>
                          >>>>>>>}
                          >>>>>>>
                          >>>>>>I personally don't know mssql, but in mySQL, the error would lie in
                          >>>>>>that non-numerical entries must be surrounded by '"' so try
                          >>>>>> $Query = sprintf(INSERT INTO users (username, emailaddress)
                          >>>>>>VALUES(\"%s\", \"%s\")', $_POST["username"],
                          >>>>>>$_POST["emailaddress"]);
                          >>>>>>>
                          >>>>>>
                          >>>>>Thanks for the suggestion, and you were close. This is the
                          >>>>>command that actually worked.
                          >>>>>>
                          >>>>>$Query = sprintf('INSERT INTO users (username, emailaddress)
                          >>>>>VALUES("%s", "%s")', $_POST["username"], $_POST["emailaddress"]);
                          >>>>>>
                          >>>>>Thanks again.
                          >>>>>
                          >>>> If you aren't doing anything special with sprintf (if you don't
                          >>>>necessarily need it) then the following works as expected:
                          >>>>>
                          >>>>$Query = "(INSERT INTO users (username, emailaddress)
                          >>>>VALUES('$_POST[username]', '$_POST[emailaddress]')";
                          >>>>>
                          >>>>but that's not accounting for the cleansing of variables.
                          >>>>
                          >>>I'll say it isn't! It's an SQL injection waiting to happen. Please
                          >>>don't give this kind of advice even though it works. Always keep
                          >>>in mind good coding practise when giving advice. Never trust user
                          >>>data, that means never hand it to database without checking the
                          >>>contents.
                          >>>>
                          >>>
                          >>...as you can read by the quote above I said that it doesn't account
                          >>for the cleansing of variables. The OP didn't ask about SQL
                          >>injections, he asked why his query was failing. What does sprintf()
                          >>do to prevent SQL injections? Nothing that I can see. I answered the
                          >>question at hand with perfectly legal PHP code.
                          >>>
                          >>...to the OP, you should always run your $_POST/$_GET/$_REQUEST
                          >>variables through a 'cleaning' function to sanitize (remove/prevent)
                          >>unwanted characters. Carefully crafted input could be used to do
                          >>damage to your data.
                          >>>
                          >>...to Rami, I appreciate your input but think you went off the deep
                          >>end just a bit. The problem here is that people get upset when a
                          >>reply is made to a question without listing all the dependencies of
                          >>the answer. I still think the PHP newsgroups need a FAQ. I know there
                          >>are a lot of forums/info to be found by googling but maybe too much...
                          >>often the info seems to be intermingled with a lot of crap.
                          >>>
                          >> If I'm ranting a bit then I apologize.
                          >>>
                          >>Norm
                          >>
                          >Sorry, I agree with Rami. Your answer was correct, but it didn't go
                          >far enough. Obviously from his question the op was not aware of the
                          >possibilities of SQL injection. It would be a favor to him (and
                          >everyone else who reads this thread) to mention it.
                          >>
                          >It never hurts to go a little beyond the question - especially when
                          >security is at stake.
                          >>
                          >
                          Jerry,
                          I understand where you're coming from and you and Rami are right. I
                          think the thing that gets me is only one reply to this thread touches on
                          SQL injection/variable cleansing. My reply is no different than yours,
                          Rami's or anyone else at this point. Every reply but one is about
                          getting the quotes right but I get told not to give advice. In fact,
                          neither one of Rami's or your replies give the OP any advice on the
                          matter I'm being scorned for. In fact, at least I somewhat mentioned it
                          although I didn't use the phrase 'SQL Injection'. All in all I just
                          can't figure out why my post was singled out as a problem.
                          >
                          Norm
                          Well, first of all, I wasn't replying to the op. I was just correcting
                          an incorrect response, which had to do with single vs. double quote syntax.

                          If I had been replying to the op I would have mentioned sql injection.

                          As for why your post was singled out - probably because your post was
                          the most complete and correct of the responses, and you only mentioned
                          cleansing variables in passing. But I don't know for sure.

                          --
                          ==================
                          Remove the "x" from my email address
                          Jerry Stuckle
                          JDS Computer Training Corp.
                          jstucklex@attglobal.net
                          =============== ===
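
The point argued in this thread, that sprintf() and string interpolation do nothing against SQL injection, as an added example that is not code from any poster. It assumes PDO with an in-memory SQLite database standing in for the thread's MSSQL server; the function names and the form submissions are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for MSSQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, emailaddress TEXT)');

// Constructed form submissions (what $_POST would hold).
$submissions = [
    ['username' => 'Todd',    'emailaddress' => 'todd@example.test'],
    // An ordinary name with an apostrophe already breaks the quoted literal.
    ['username' => "O'Brien", 'emailaddress' => 'obrien@example.test'],
    // This value closes the string literal early and supplies its own second column.
    ['username' => "x', 'forged@example.test') --", 'emailaddress' => 'real@example.test'],
];

// Pattern from the thread: the submitted values become part of the SQL text.
function insertByConcatenation(PDO $db, array $post): string
{
    $query = sprintf(
        "INSERT INTO users (username, emailaddress) VALUES ('%s', '%s')",
        $post['username'],
        $post['emailaddress']
    );
    try {
        $db->exec($query);
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Hardened form: the SQL text is fixed; the values travel separately as bound parameters.
function insertWithParameters(PDO $db, array $post): string
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, emailaddress) VALUES (:username, :emailaddress)'
    );
    $stmt->execute([
        ':username'     => $post['username'],
        ':emailaddress' => $post['emailaddress'],
    ]);
    return 'ok';
}

foreach (['insertByConcatenation', 'insertWithParameters'] as $insert) {
    $db->exec('DELETE FROM users');
    echo "== $insert ==\n";
    foreach ($submissions as $post) {
        echo '  ', json_encode($post['username']), ' -> ', $insert($db, $post), "\n";
    }
    foreach ($db->query('SELECT username, emailaddress FROM users') as $row) {
        echo '  stored: ', json_encode([$row['username'], $row['emailaddress']]), "\n";
    }
}
```

With concatenation, the second submission fails with a syntax error and the third is stored with an e-mail address the form never sent; with bound parameters all three rows are stored exactly as submitted.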
