[asterisk-users] PHP can't insert - Can someone please help

bruce bruce bruceb444 at gmail.com
Sat Jul 10 09:21:05 CDT 2010


Thank you for the amazing reply. The first few lines of your e-mail were EXACTLY
what got me to where I made a mistake. I guess I didn't take the () and ' '
at face value and was looking somewhere else for the problem.

For sanitizing, do you mean checking the numbers to make sure they are valid
numbers and not alphabet or other characters? Or are you pointing to the fact
that I am keeping the mysql root password in a plain .php file? I have done an
include of a php file which has the mysql root password and that is inserted as an
#include in the html file. So, if someone checks the source for the html they can't see
the mysql root password. Even though the root user on mysql is set to accept only
from localhost.

I would really appreciate it if you can weigh in on it a bit.

Thanks,
Bruce

On Sat, Jul 10, 2010 at 7:42 AM, Gerald A <geraldablists at gmail.com> wrote:

> Hi Bruce,
>
> First, your problem isn't PHP, it seems to be SQL and I'm guessing MySQL at
> that.
>
> Next, you seem to be accepting user input and not sanitizing it. DANGER
> WILL ROBINSON!!!
> This is bad, because it leaves you open to something known as a "SQL
> injection attack".
>
> Now, as to syntax:
>
> On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce <bruceb444 at gmail.com> wrote:
>
>>
>> I am making another module for Voicemail. I have three fields in a POST
>> form that have to be connected together to make it a single 10 digit number
>> but there is something wrong in my syntax probably.
>>
>>
>> $npaa = "('$_POST[anpa]')";
>> $nxxa = "('$_POST[anxx]')";
>> $blocka = "('$_POST[ablock]')";
>>
>> $grplist = $npaa.$nxxa.$blocka;
>>
>
> Ok, so suppose arpa=111, anxx=222 and ablock=3333.
> grplist would then be ('111')('333')('4444').
>
>> $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre,
>> grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id,
>> ringing, pre_ring)
>> VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
>>
>>
>> It seems that $grplist is the problem. Can someone please point what is
>> wrong?
>>
>> Error:
>> Error: You have an error in your SQL syntax; check the manual that
>> corresponds to your MySQL server version for the right syntax to use near
>> '('333')('4444'),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at
>> line 3
>>
>
> Look closely, grasshopper. See it? (Does the hint above help?) Hmmm, ok.
>
> Let's write the line as SQL:
> INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist,
> annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing,
> pre_ring)
> VALUES ('0','ringall','0','0',('111')('333')('4444'),'0','0','','','0','0','Ring','0')";
>
> Clear now? You are trying to insert the raw value -->
> ('111')('333')('4444') <-- into your database. This can't make any sense
> except as a string, and this isn't one.
>
> I think what you might have meant is to quote the _whole thing_ as a
> string, and not the individual pieces. Then:
> $grplist = "'(".$npaa.$nxxa.$blocka.")'";
> and
> $blocka = "($_POST[ablock])";  # and for all of them above
>
> This would make the value '(111)(333)(4444)', which should work fine.
>
> Now, if you really meant to add in the quotes, you'll have to "quote the
> quotes", which can be hard to do in good times.
>
> Hope this helps,
> Gerald.
>
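An added example, written for this post and not code from either Bruce or Gerald, showing what "sanitizing" means in practice for this form: the three POST pieces are validated as fixed-length digit strings before they are joined, and the INSERT is done with a prepared statement so $_POST values never become part of the SQL text. It assumes PDO with the SQLite driver (an in-memory database, so it runs offline) and uses a constructed subset of the findmefollow columns; the $post array and its values are constructed stand-ins for the real form submission.

```php
<?php
// Added example, not from the original thread. Validates the three
// phone-number pieces from the form and inserts with a prepared statement.
// Assumes PDO + pdo_sqlite; the table is a constructed subset of findmefollow.

declare(strict_types=1);

// Constructed stand-in for $_POST. The 'ablock' value is deliberately
// malformed (a stray quote and paren, as in the failing query on the list)
// to show that validation rejects it before any SQL is run.
$post = [
    'grpnum'   => '2000',
    'grptime'  => '20',
    'anpa'     => '111',
    'anxx'     => '222',
    'ablock'   => "3333')",
    'postdest' => "ext-local,vmb2000,1",
];

// "Sanitizing" here means validating: each field must be exactly the digits
// expected. Anything else is rejected rather than escaped or patched up.
function validateDigits(string $value, int $minLen, int $maxLen): string
{
    if (!preg_match('/^[0-9]{' . $minLen . ',' . $maxLen . '}$/', $value)) {
        throw new InvalidArgumentException(
            "expected $minLen-$maxLen digits, got " . var_export($value, true)
        );
    }
    return $value;
}

// NPA (3) + NXX (3) + block (4) = the single 10 digit number Bruce wants.
// No quotes are added here: quoting is the database driver's job.
function buildGrplist(array $post): string
{
    $npa   = validateDigits($post['anpa']   ?? '', 3, 3);
    $nxx   = validateDigits($post['anxx']   ?? '', 3, 3);
    $block = validateDigits($post['ablock'] ?? '', 4, 4);
    return $npa . $nxx . $block;   // e.g. "1112223333"
}

// Placeholders carry the values; the SQL string itself is constant.
function insertGroup(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO findmefollow (grpnum, strategy, grptime, grplist, postdest)
         VALUES (:grpnum, :strategy, :grptime, :grplist, :postdest)'
    );
    $stmt->execute([
        ':grpnum'   => validateDigits($post['grpnum']  ?? '', 1, 10),
        ':strategy' => 'ringall',
        ':grptime'  => validateDigits($post['grptime'] ?? '', 1, 3),
        ':grplist'  => buildGrplist($post),
        // Free-form text: bound as a parameter, so a quote inside it is
        // stored literally instead of terminating the SQL string.
        ':postdest' => (string) ($post['postdest'] ?? ''),
    ]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE findmefollow (
    grpnum TEXT, strategy TEXT, grptime TEXT, grplist TEXT, postdest TEXT)');

// 1. The malformed ablock never reaches the database.
try {
    insertGroup($pdo, $post);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// 2. Well-formed digits are stored as a plain 10 digit string, and a quote in
//    the free-form postdest field is stored verbatim, not interpreted as SQL.
$post['ablock']   = '3333';
$post['postdest'] = "ext-local,vmb2000,1 (o'clock)";
insertGroup($pdo, $post);
$row = $pdo->query('SELECT grplist, postdest FROM findmefollow')->fetch(PDO::FETCH_ASSOC);
echo "stored grplist:  " . $row['grplist']  . "\n";
echo "stored postdest: " . $row['postdest'] . "\n";
```

Run it with `php example.php`. Against MySQL the same shape applies with `new PDO('mysql:host=localhost;dbname=...', $user, $pass)` or with mysqli's `prepare()`/`bind_param()`; what matters is that user input travels as a bound parameter and is validated before binding. Separately from the quoting question, the connection should use a dedicated MySQL account granted only INSERT/SELECT on the tables this module touches, rather than root, so that an error in the PHP cannot turn into full control of the database.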