Further to my last post, I added this to sanitize. I also created a new mysql user with access to only findmefollow portion of the asterisk table for limited access and assigned only two simultaneous connections with only 10 change queries per hour (as I know that no more queries will be put through probably)<div>
<br></div><div>if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)</div><div><br></div><div>Should that suffice against SQL injections? The if condition changes the string to number so it removes the chance of people adding other characters and it also sticks to format NPANXXXX or 2XX2XXXX.</div>
<div><br></div><div>Thanks<br><br><div class="gmail_quote">On Sat, Jul 10, 2010 at 10:21 AM, bruce bruce <span dir="ltr"><<a href="mailto:bruceb444@gmail.com">bruceb444@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Thank you for the amazing reply. The first few lines of your e-mail were EXACTLY getting me to where I made a mistake. I guess I didn't take the () and ' ' at their face value and was looking somewhere else for the problem.<div>
<br></div><div>For sanitizing you mean checking the numbers to make sure they are valid numbers and not alphabet or other characters? Or, are you pointing to the fact that I am keeping the mysql root password in a plain .php file? I have done an include of a php file which has the mysql root password and that is inserted as an #include in the html file. So, if someone checks the source of the html they can't see the mysql root password. Even though the root user on mysql is set to accept only from localhost.</div>
<div><br></div><div>I would really appreciate it if you can weigh in on it a bit.</div><div><br></div><div>Thanks,</div><div>Bruce<div><div></div><div class="h5"><br><br><div class="gmail_quote">On Sat, Jul 10, 2010 at 7:42 AM, Gerald A <span dir="ltr"><<a href="mailto:geraldablists@gmail.com" target="_blank">geraldablists@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Bruce,<br><br>First, your problem isn't PHP, it seems to be SQL and I'm guessing MySQL at that.<br><div style="display:inline">
</div><br>
Next, you seem to be accepting user input and not sanitizing it. DANGER WILL ROBINSON!!!<br>This is bad, because it leaves you open to something known as a "SQL injection attack".<br><br>Now, as to syntax:<br><br>
<div class="gmail_quote"><div>On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce <span dir="ltr"><<a href="mailto:bruceb444@gmail.com" target="_blank">bruceb444@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<br><div>I am making another module for Voicemail. I have three fields in a POST form that have to be connected together to make it a single 10 digit number but there is something wrong in my syntax probably.</div>
<div><br></div><div><br></div><div><div>$npaa = "('$_POST[anpa]')";</div><div>$nxxa = "('$_POST[anxx]')";</div><div>$blocka = "('$_POST[ablock]')";</div><div><br></div>
<div><b>$grplist = $npaa.$nxxa.$blocka;</b></div></div></blockquote></div><div><br>Ok, so suppose anpa=111, anxx=222 and ablock=3333.<br>grplist would then be ('111')('333')('4444'). <br><br></div>
<div><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<div>$sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";</div>
<div>
</div><div><br></div><div><br></div><div>It seems that $grplist is the problem. Can someone please point what is wrong?</div><div><br></div><div>Error:</div><div><span style="font-family:'Times New Roman';font-size:medium">Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('333')('4444'),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at line 3</span></div>
</blockquote></div><div><br>Look closely, grasshopper. See it? (Does the hint above help?) Hmmm, ok.<br><br>Let's write the line as SQL:<br>INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist,
annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id,
ringing, pre_ring) VALUES ('0','ringall','0','0',('111')('333')('4444'),'0','0','','','0','0','Ring','0')";<br>
<br>Clear now? You are trying to insert the raw value --> ('111')('333')('4444') <-- into your database. This can't make any sense except as a string, and this isn't one.<br><br>I think what you might have meant is to quote the _whole thing_ as a string, and not the individual pieces. Then:<br>
$grplist = "'(".$npaa.$nxxa.$blocka.")'";<br>and <br>$blocka = "($_POST[ablock])"; # and for all of them above<br><br>This would make the value '(111)(333)(4444)', which should work fine.<br>
<br>Now, if you really meant to add in the quotes, you'll have to "quote the quotes", which can be hard to do in good times.<br><br>Hope this helps,<br>Gerald.<br></div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>
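The following is an added example, not code from Bruce's module or from Gerald's reply. It takes up both points in the thread: Gerald's note that the whole (npa)(nxx)(block) value has to be one string rather than three separately quoted pieces, and Bruce's question in the top message of whether a numeric comparison such as `$npaa>=200` suffices against SQL injection. Two things are worth knowing there: a PHP numeric comparison does not reject trailing non-digit characters (`"200abc" >= 200` is true), and no input check at all is needed for injection safety once the values are bound as parameters of a prepared statement, because MySQL then never parses them as SQL. The example assumes a PDO connection (`$pdo`) to the same database, the `findmefollow` table and column names quoted in the thread, and the POST field names `anpa`, `anxx`, `ablock`, `grpnum`, `grptime`, `grppre`, `postdest` and `pre_ring`; the `grplist` format `(npa)(nxx)(block)` is the one Gerald suggests.

```php
<?php
// Added example (not the thread's own code). Assumes a PDO connection to the
// asterisk database and the findmefollow columns named in the thread.
declare(strict_types=1);

/**
 * Validate one NANP component from the POST array: it must be a string of
 * exactly $len ASCII digits. ctype_digit rejects signs, spaces, decimals and
 * trailing text, which a numeric comparison such as $x >= 200 lets through.
 */
function nanp_part(array $post, string $key, int $len): ?string
{
    $value = $post[$key] ?? null;
    if (!is_string($value) || !ctype_digit($value) || strlen($value) !== $len) {
        return null;
    }
    return $value;
}

/**
 * Build the grplist value as one string, '(npa)(nxx)(block)', the way Gerald
 * describes, or return null if any field is malformed. The range rules are the
 * ones from Bruce's check (NPA and NXX start with 2-9, NPA is not 900 or 911),
 * applied to the already validated digit strings.
 */
function build_grplist(array $post): ?string
{
    $npa   = nanp_part($post, 'anpa', 3);
    $nxx   = nanp_part($post, 'anxx', 3);
    $block = nanp_part($post, 'ablock', 4);
    if ($npa === null || $nxx === null || $block === null) {
        return null;
    }
    if ($npa[0] < '2' || $nxx[0] < '2' || $npa === '900' || $npa === '911') {
        return null;
    }
    return "({$npa})({$nxx})({$block})";
}

/**
 * Insert with a prepared statement. Every user-supplied value travels as a
 * bound parameter, so the application never quotes anything itself and the
 * "quote the quotes" problem from the thread cannot arise. Returns false when
 * the input was rejected before anything reached MySQL.
 */
function insert_findmefollow(PDO $pdo, array $post): bool
{
    $grplist = build_grplist($post);
    if ($grplist === null) {
        return false;
    }
    $sql = "INSERT INTO findmefollow
              (grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest,
               dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring)
            VALUES (:grpnum, 'ringall', :grptime, :grppre, :grplist, '0',
                    :postdest, '', '', '0', '0', 'Ring', :pre_ring)";
    $stmt = $pdo->prepare($sql);
    return $stmt->execute([
        ':grpnum'   => (string) ($post['grpnum']   ?? ''),
        ':grptime'  => (string) ($post['grptime']  ?? ''),
        ':grppre'   => (string) ($post['grppre']   ?? ''),
        ':grplist'  => $grplist,
        ':postdest' => (string) ($post['postdest'] ?? ''),
        ':pre_ring' => (string) ($post['pre_ring'] ?? ''),
    ]);
}

// Usage (assumed DSN and credentials; the MySQL account used here only needs
// INSERT on findmefollow, which matches the limited user Bruce created):
// $pdo = new PDO('mysql:host=localhost;dbname=asterisk', 'fmf_user', 'secret',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// insert_findmefollow($pdo, $_POST);
```

With this shape, `build_grplist(['anpa' => '111', 'anxx' => '222', 'ablock' => '3333'])` yields `(111)(222)(3333)`, while `'200abc'`, `'11'` or an array submitted as `anpa[]` are all rejected and the statement is never executed. The input validation keeps bad numbers out of the table; the bound parameters are what keep SQL out of the query, and the two jobs are best kept separate.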