#1 mastrakis (Registered User, Devshed Newbie, joined Jan 2013)

Problem with single quote in psql.

I have a problem on my website. I am using an HTML <form> so that the user can insert values into my psql database via PHP.
The problem is that when the user types a single quote ( ' ) in the text field, the INSERT INTO does not work and the value is not submitted to my database.
To take the value from the text field I'm using $_POST.
Can anyone help me?
#2 Devshed Expert (joined Jul 2012)

    Hi,

    never insert raw values into query strings. This allows users to manipulate your queries and fetch or change critical data (see SQL injections).

    So be glad that you stumbled upon this security hole and not some script kiddie.

    You really need to start thinking about security. Instead of dumping variables into query strings, use prepared statements (parameterized queries). Those are available through the new PDO interface or pg_prepare(). I'm pretty sure you have the same problem with your HTML (which makes the site vulnerable to JavaScript injections). Any variable must be escaped using htmlentities() before you output it.
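The following is an added example (it is not code from this thread or from either poster) showing the same INSERT written the way the reply recommends: once with PDO, once with pg_prepare()/pg_execute(), next to the string-building version that breaks on a quote, plus the output-side escaping. It assumes a table Movie(title, year, rating, votes) and placeholder connection settings; both are assumptions, not taken from the thread.

```php
<?php
// Added example, not from the thread. Assumed: a PostgreSQL table
// Movie(title text, year int, rating numeric, votes int) and the
// placeholder connection details below.

$dsn = 'pgsql:host=localhost;dbname=movies'; // assumed
$pdo = new PDO($dsn, 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the server bind the values
]);

// Broken: a title such as abc'd closes the string literal early and the
// rest of the title is parsed as SQL. That is exactly what an injection
// abuses; here it merely makes the statement fail.
function insertMovieBroken(PDO $pdo, array $post): void
{
    $sql = "INSERT INTO Movie VALUES ('$post[title]','$post[year]','$post[rating]','$post[votes]')";
    $pdo->exec($sql); // fails on abc'd, and is injectable
}

// Fixed with PDO: the query text travels with placeholders, the values
// travel separately, so a quote inside the title is only data.
function insertMoviePdo(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO Movie (title, year, rating, votes) VALUES (:title, :year, :rating, :votes)'
    );
    $stmt->execute([
        ':title'  => $post['title'],
        ':year'   => (int) $post['year'],
        ':rating' => $post['rating'],
        ':votes'  => (int) $post['votes'],
    ]);
}

// Same thing with the pg_* extension. PostgreSQL placeholders are $1, $2, ...
// and the statement name must be unique per connection, so prepare it once.
function insertMoviePg($conn, array $post): void
{
    $prepared = pg_prepare($conn, 'insert_movie',
        'INSERT INTO Movie (title, year, rating, votes) VALUES ($1, $2, $3, $4)');
    if ($prepared === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    $res = pg_execute($conn, 'insert_movie',
        [$post['title'], $post['year'], $post['rating'], $post['votes']]);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
}

// Output side: escape before echoing, so a title containing < or " or '
// is shown as text instead of becoming markup or script. htmlentities(),
// which the reply names, treats these same characters the same way.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Constructed input standing in for $_POST from the form.
$post = ['title' => "abc'd", 'year' => '1999', 'rating' => '7.5', 'votes' => '1234'];
insertMoviePdo($pdo, $post);           // stores the title as abc'd, quote included
echo renderTitle($post['title']), "\n";
```

With either prepared form the single quote never reaches the SQL parser as syntax, which is why the same change fixes both the "abc'd" failure and the injection: they are one problem, not two.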
#3 mastrakis (Registered User, Devshed Newbie)

Thanks a lot for your response.
I would like to mention that security is not something I should worry about for this project.
I am using this command to insert the values into the database:
$query = "INSERT INTO Movie VALUES ('$_POST[title]','$_POST[year]','$_POST[rating]','$_POST[votes]' )";
Could you tell me how I can modify it so that it accepts the title "abc'd", for example?
#4 Devshed Expert

Originally Posted by mastrakis:
    I would like to mention that security is not something I should worry about for this project.

Well, if you don't like the term "security", you might as well call it "correctness". Inserting raw values into query strings is technically wrong, because it breaks down as soon as the user inputs certain characters (as you just experienced).

Originally Posted by mastrakis:
    Could you tell me how I can modify it so that it accepts the title "abc'd", for example?

I gave you two links with the exact functions (the manual also includes examples).

    A third possibility would be to escape every value by hand using pg_escape_string(), but that's ugly, tedious and error-prone. Only do that if you've already written thousands of lines and you cannot replace all your database code now -- or if you simply don't care about code quality.
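An added example (not code from the thread) of the third option the reply describes: escaping every value by hand with pg_escape_string(), beside the kind of slip that makes it error-prone. The Movie table and the connection string are assumptions, not taken from the thread.

```php
<?php
// Added example, not from the thread. Assumed: the same
// Movie(title, year, rating, votes) table and a placeholder connection.

$conn = pg_connect('host=localhost dbname=movies user=app password=secret'); // assumed
if ($conn === false) {
    throw new RuntimeException('connection failed');
}

// Every value is passed through pg_escape_string() with the connection
// handle (so escaping matches the connection's client encoding), and every
// escaped value is still wrapped in single quotes in the statement text.
function insertMovieEscaped($conn, array $post): void
{
    $title  = pg_escape_string($conn, $post['title']);
    $year   = pg_escape_string($conn, $post['year']);
    $rating = pg_escape_string($conn, $post['rating']);
    $votes  = pg_escape_string($conn, $post['votes']);

    $sql = "INSERT INTO Movie (title, year, rating, votes) "
         . "VALUES ('$title', '$year', '$rating', '$votes')";
    if (pg_query($conn, $sql) === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
}

// The failure mode: the title is escaped, but the numeric-looking fields are
// interpolated bare ("it's only a number"). The safety of this approach
// depends on remembering the call at every single interpolation; one miss
// and whatever the user typed into that field is spliced into the SQL text.
function buildQueryWithMissedEscape($conn, array $post): string
{
    $title = pg_escape_string($conn, $post['title']);
    return "INSERT INTO Movie (title, year, rating, votes) "
         . "VALUES ('$title', $post[year], $post[rating], $post[votes])";
}

// Constructed input standing in for $_POST.
$post = ['title' => "abc'd", 'year' => '1999', 'rating' => '7.5', 'votes' => '1234'];
insertMovieEscaped($conn, $post); // title stored as abc'd

// Compare the two statement texts: the first doubles the quote, the second
// only does so for the one field someone remembered.
echo "INSERT ... VALUES ('" . pg_escape_string($conn, $post['title']) . "', ...)\n";
echo buildQueryWithMissedEscape($conn, $post), "\n";
```

This is why the reply calls manual escaping a fallback rather than a design: prepared statements make the separation of query and data structural, while escaping makes it a discipline that has to be kept at every call site.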
