Topic awaiting preservation: SQL query error? $Pages that link to <a href="https://ozoneasylum.com/backlink?for=26664" title="Pages that link to Topic awaiting preservation: SQL query error?" rel="nofollow" >Topic awaiting preservation: SQL query error?\$

Author	Thread
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 09-16-2005 04:00 I have a phpBB and am having a problem with a users login name. It is giving this error: code: Error in obtaining userdata DEBUG MODE SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'dwa'' at line 3 SELECT user_id, username, user_password, user_active, user_level FROM phpbb_users WHERE username = 'Crissy Be'dwa' Line : 100 File : login.php here is the code for the login.php that it said it was having an issue with. However, I can't help but think that the error is actually being caused from somewhere else. code: $sql = "SELECT user_id, username, user_password, user_active, user_level FROM " . USERS_TABLE . " WHERE username = '" . str_replace("\\'", "''", $username) . "'"; I can see what is causing the error but I am not sure what I can do about it. The " ' " in the last name of the user login is causing the problem. I tried to do the str_replace at the end of the line like it is at the first, but that didn't seem to do anything. Any ideas where I can look? Thanks in advance! Later, C:\
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 09-16-2005 04:09 hmmm....what about doing it like this? code: $sql = "SELCECT user_id, username, user_password, user_active, user_level FROM " . USERS_TABLE . "WHERE username = '" . str_replace('\'', '\'\'', $username) . "'"; found that here Later, C:\
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 09-16-2005 09:37 argh. You should use the appropriate function to escape query strings - either php->addslashes or php->mysql_real_escape_string - I'd prefer the later nowadays. Thing is, you're missing some 'evil' characters right away. (And on a side note: One should really filter newlines when putting anything into the header of emails. That means both subject and from. Otherwise nasty tricks can be played) So long, ->Tyberius Prime
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 09-16-2005 12:32 OK, forgive me if this is stupid or not, but can I just change this: code: $sql = "SELECT user_id, username, user_password, user_active, user_level FROM " . USERS_TABLE . " WHERE username = '" . str_replace("\\'", "''", $username) . "'"; to this : code: $sql = "SELECT user_id, username, user_password, user_active, user_level FROM " . USERS_TABLE . " WHERE username = "'" . mysql_real_escape_string($username) . "'"; what about what they also suggest: code: $sql = "SELECT user_id, username, user_password, user_active, user_level FROM " . USERS_TABLE . " WHERE username = "'" . quote_smart($_POST['$username']) . "'"; Just seems that there should be more to it but hey....I'm about 1/2 asleep still and probably should wait until later in the day Later, C:\ (Edited by CPrompt on 09-16-2005 12:34)
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 09-17-2005 00:19 go on the second - never heard about quote_smart, and I'd stick to the quoting especially for the database you're using.
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 09-17-2005 00:34 Thanks! I'll give it a go. Later, C:\
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 09-17-2005 15:01 thanks! worked like a charm! Later, C:\

Topic awaiting preservation: SQL query error?\$

Author

Thread

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 09-16-2005 04:00

I have a phpBB and am having a problem with a users login name.

It is giving this error:

code:

Error in obtaining userdata  DEBUG MODE  SQL Error : 1064 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server 
version for the right syntax to use near 

'dwa'' at line 3  

SELECT user_id, username, user_password, user_active, user_level FROM phpbb_users WHERE username = 'Crissy Be'dwa'  

Line : 100 File : login.php

here is the code for the login.php that it said it was having an issue with. However, I can't help but think that the error is actually being caused from somewhere else.

code:

$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = '" . str_replace("\\'", "''", $username) . "'";

I can see what is causing the error but I am not sure what I can do about it. The " ' " in the last name of the user login is causing the problem.
I tried to do the str_replace at the end of the line like it is at the first, but that didn't seem to do anything.

Any ideas where I can look?

Thanks in advance!

Later,

C:\

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 09-16-2005 04:09

hmmm....what about doing it like this?

code:

$sql = "SELCECT user_id, username, user_password, user_active, user_level FROM "
        . USERS_TABLE .
        "WHERE username = '" . str_replace('\'', '\'\'', $username) . "'";

found that here

Later,

C:\

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 09-16-2005 09:37

argh.
You should use the appropriate function to escape query strings - either php->addslashes or php->mysql_real_escape_string - I'd prefer the later nowadays.
Thing is, you're missing some 'evil' characters right away.

(And on a side note: One should really filter newlines when putting anything into the header of emails. That means both subject and from. Otherwise nasty tricks can be played)

So long,

->Tyberius Prime

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 09-16-2005 12:32

OK, forgive me if this is stupid or not, but can I just change this:

code:

$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = '" . str_replace("\\'", "''", $username) . "'";

to this :

code:

$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = "'" . mysql_real_escape_string($username) . "'";

what about what they also suggest:

code:

$sql = "SELECT user_id, username, user_password, user_active, user_level
			FROM " . USERS_TABLE . "
			WHERE username = "'" . quote_smart($_POST['$username']) . "'";

Just seems that there should be more to it but hey....I'm about 1/2 asleep still and probably should wait until later in the day

Later,

C:\

(Edited by CPrompt on 09-16-2005 12:34)

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 09-17-2005 00:19

go on the second - never heard about quote_smart, and I'd stick to the quoting especially for the database you're using.

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 09-17-2005 00:34

Thanks! I'll give it a go.

Later,

C:\

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 09-17-2005 15:01

thanks! worked like a charm!

Later,

C:\