#1
  1. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Nov 2003
    Posts
    701
    Rep Power
    96

    Query saving # character


    I have a form with a text field where the user types something, presses the Save button, and it saves the data in a table.

    If the field contains a # the data will not save.

    I tried the following functions: addslashes, htmlentities, urlencode

    but as soon as I enter a # it doesn't save.

    How do I treat the # character to save in a mysql query?
    Evan
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    This is a serious problem. If the queries break on certain input, that means they're vulnerable to SQL injection attacks. In this case, you've obviously injected a comment. An attacker could use the same bug to read sensitive data or even take over the server.

    You need to learn how to properly access a MySQL database with PHP.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Nov 2003
    Posts
    701
    Rep Power
    96
    So, how would you save the following three characters in a mysql table?

    ###
    Evan
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    I don't think you understood my post.

    The "#" stuff is irrelevant. This is a much more serious problem caused by incorrect database code. I gave you a link with a detailed explanation of how to access a database correctly. It might be a good idea to read it.

    I repeat: If your queries crash depending on the user input (the exact characters are irrelevant), that's very, very wrong. It means that the user input affects the queries, which is the last thing you want on a server.

    If you don't believe me, you're free to wait until somebody proves it to you. I wouldn't recommend that, though.
  8. #5
  9. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    189
    Rep Power
    0
    While it may not be entirely clear that Jacques1 is trying to help you, you are not being entirely clear with your question. (At least to me).

    You start your question with two lines, the second of which says if the user enters a # the data will not save (sic)

    Then you deliberately try to force that character into your db. I'm confused - you don't want the user to be able to enter a # sign as data or you do?

    You might also show us some code (altho Jacques1 will not like it!) so that we may see what you are doing. Kinda hard to debug if we can't see what you are trying, ya know?
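
Added example, not part of the thread and not the original poster's code: one way to store strings such as `###` is to keep the SQL text fixed and pass the value as a bound parameter through PDO. The `notes` table and the sample inputs are constructed for illustration, and an in-memory SQLite DSN is assumed so the script runs without a server; the same `prepare`/`execute` calls apply with a MySQL DSN.

```php
<?php
// Added example. SQLite in memory is an assumption so this runs offline;
// for MySQL, change only the DSN and credentials passed to new PDO(...).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also request server-side prepared statements:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Hypothetical table standing in for the one behind the form.
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed inputs containing characters that have meaning in SQL text.
$inputs = [
    '###',
    'issue #42 is fixed',
    "it's done; # not a comment here",
    'dashes -- and /* stars */ too',
];

// The statement text never changes. Values are sent as parameters,
// so the database does not parse them as SQL.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ($inputs as $body) {
    $insert->execute([':body' => $body]);
}

// Read the rows back and compare them byte for byte with what was sent.
$stored = $pdo->query('SELECT body FROM notes ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);

foreach ($inputs as $i => $body) {
    $status = ($stored[$i] === $body) ? 'ok' : 'MISMATCH';
    printf("%-8s %s\n", $status, $stored[$i]);
}

// Store the raw value; escape for HTML only when printing it into a page.
echo htmlspecialchars($stored[2], ENT_QUOTES, 'UTF-8'), "\n";
```

None of `addslashes`, `htmlentities` or `urlencode` is needed before the insert when the value is bound this way.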
