Closed Thread Icon

Topic awaiting preservation: SQL query error? (Page 1 of 1) Pages that link to <a href="http://ozoneasylum.com/backlink?for=26664" title="Pages that link to Topic awaiting preservation: SQL query error? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: SQL query error? <span class="small">(Page 1 of 1)</span>\

 
CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted posted 09-16-2005 04:00

I have a phpBB and am having a problem with a users login name.

It is giving this error:

code:
Error in obtaining userdata  DEBUG MODE  SQL Error : 1064 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server 
version for the right syntax to use near 

'dwa'' at line 3  

SELECT user_id, username, user_password, user_active, user_level FROM phpbb_users WHERE username = 'Crissy Be'dwa'  

Line : 100 File : login.php



here is the code for the login.php that it said it was having an issue with. However, I can't help but think that the error is actually being caused from somewhere else.

code:
$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = '" . str_replace("\\'", "''", $username) . "'";




I can see what is causing the error but I am not sure what I can do about it. The " ' " in the last name of the user login is causing the problem.
I tried to do the str_replace at the end of the line like it is at the first, but that didn't seem to do anything.

Any ideas where I can look?

Thanks in advance!

Later,

C:\

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted posted 09-16-2005 04:09

hmmm....what about doing it like this?

code:
$sql = "SELCECT user_id, username, user_password, user_active, user_level FROM "
        . USERS_TABLE .
        "WHERE username = '" . str_replace('\'', '\'\'', $username) . "'";




found that here

Later,

C:\

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 09-16-2005 09:37

argh.
You should use the appropriate function to escape query strings - either php->addslashes or php->mysql_real_escape_string - I'd prefer the later nowadays.
Thing is, you're missing some 'evil' characters right away.

(And on a side note: One should really filter newlines when putting anything into the header of emails. That means both subject and from. Otherwise nasty tricks can be played)

So long,

->Tyberius Prime

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted posted 09-16-2005 12:32

OK, forgive me if this is stupid or not, but can I just change this:

code:
$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = '" . str_replace("\\'", "''", $username) . "'";




to this :

code:
$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = "'" . mysql_real_escape_string($username) . "'";



what about what they also suggest:

code:
$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = "'" . quote_smart($_POST['$username']) . "'";




Just seems that there should be more to it but hey....I'm about 1/2 asleep still and probably should wait until later in the day

Later,

C:\



(Edited by CPrompt on 09-16-2005 12:34)

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 09-17-2005 00:19

go on the second - never heard about quote_smart, and I'd stick to the quoting especially for the database you're using.

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted posted 09-17-2005 00:34

Thanks! I'll give it a go.

Later,

C:\

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted posted 09-17-2005 15:01

thanks! worked like a charm!

Later,

C:\

« BackwardsOnwards »

Show Forum Drop Down Menu