[asterisk-users] PHP can't insert - Can someone please help
bruce bruce
bruceb444 at gmail.com
Sat Jul 10 10:12:18 CDT 2010
Further to my last post, I added this to sanitize. I also created a new MySQL
user with access to only the findmefollow portion of the asterisk table for
limited access and assigned only two simultaneous connections with only 10
change queries per hour (as I know that no more queries will probably be put
through).
if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)
Should that suffice against SQL injections? The if condition changes the
string to a number, so it removes the chance of people adding
other characters, and it also sticks to the format NPANXXXX or 2XX2XXXX.
Thanks
On Sat, Jul 10, 2010 at 10:21 AM, bruce bruce <bruceb444 at gmail.com> wrote:
> Thank you for the amazing reply. The first few lines of your e-mail were EXACTLY
> getting me to where I made a mistake. I guess I didn't take the () and ' '
> at their face value and was looking somewhere else for the problem.
>
> For sanitizing, you mean checking the numbers to make sure they are valid
> numbers and not alphabet or other characters? Or are you pointing to the fact
> that I am keeping the MySQL root password in a plain .php file? I have done an
> include of a PHP file which has the MySQL root password, and that is inserted as an
> #include in the HTML file. So if someone checks the source for the HTML, they can't see
> the MySQL root password. Even though the root user on MySQL is set to accept only
> from localhost.
>
> I would really appreciate it if you can weigh in on it a bit.
>
> Thanks,
> Bruce
>
>
> On Sat, Jul 10, 2010 at 7:42 AM, Gerald A <geraldablists at gmail.com> wrote:
>
>> Hi Bruce,
>>
>> First, your problem isn't PHP, it seems to be SQL, and I'm guessing MySQL
>> at that.
>>
>> Next, you seem to be accepting user input and not sanitizing it. DANGER
>> WILL ROBINSON!!!
>> This is bad, because it leaves you open to something known as a "SQL
>> injection attack".
>>
>> Now, as to syntax:
>>
>> On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce <bruceb444 at gmail.com>wrote:
>>
>>>
>>> I am making another module for Voicemail. I have three fields in a POST
>>> form that have to be connected together to make it a single 10 digit number
>>> but there is something wrong in my syntax probably.
>>>
>>>
>>> $npaa = "('$_POST[anpa]')";
>>> $nxxa = "('$_POST[anxx]')";
>>> $blocka = "('$_POST[ablock]')";
>>>
>>> $grplist = $npaa.$nxxa.$blocka;
>>>
>>
>> Ok, so suppose arpa=111, anxx=222 and ablock=3333.
>> grplist would then be ('111')('333')('4444').
>>
>> $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre,
>>> grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id,
>>> ringing, pre_ring)
>>> VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
>>>
>>>
>>> It seems that $grplist is the problem. Can someone please point what is
>>> wrong?
>>>
>>> Error:
>>> Error: You have an error in your SQL syntax; check the manual that
>>> corresponds to your MySQL server version for the right syntax to use near
>>> '('333')('4444'),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at
>>> line 3
>>>
>>
>> Look closely, grasshopper. See it? (Does the hint above help?) Hmmm, ok.
>>
>> Let's write the line as SQL:
>> INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist,
>> annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing,
>> pre_ring)
>> VALUES ('0','ringall','0','0',('111')('333')('4444'),'0','0','','','0','0','Ring','0')";
>>
>> Clear now? You are trying to insert the raw value -->
>> ('111')('333')('4444') <-- into your database. This can't make any sense
>> except as a string, and this isn't one.
>>
>> I think what you might have meant is to quote the _whole thing_ as a
>> string, and not the individual pieces. Then:
>> $grplist = "'(".$npaa.$nxxa.$blocka.")'";
>> and
>> $blocka = "($_POST[ablock])"; # and for all of them above
>>
>> This would make the value '(111)(333)(4444)', which should work fine.
>>
>> Now, if you really meant to add in the quotes, you'll have to "quote the
>> quotes", which can be hard to do in good times.
>>
>> Hope this helps,
>> Gerald.
>>
>
>
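The INSERT quoted above builds its SQL by interpolating $_POST values directly, and the if-condition in the top post does not close that hole: PHP's loose comparison turns "300' OR '1'='1" >= 200 into true (PHP 5 converts the leading-numeric string to 300; PHP 8 compares it as a string against "200"), and the other interpolated fields (grpnum, grptime, grppre, postdest, pre_ring) are not checked at all. The following is an added example, not code from the thread or from Asterisk/FreePBX: it validates each part as exactly the digits expected and sends every value through a bound parameter, so no user input ever becomes part of the SQL text. It assumes the findmefollow column names from the original INSERT; the table definition, the sqlite in-memory database, the MySQL DSN and the account name are placeholders constructed for the example.

```php
<?php
// Added example (not from the thread). Validates the NPA/NXX/block fields
// and inserts with a PDO prepared statement instead of string interpolation.

// Return the 10-digit number built from the three POST fields, or false if
// any field is not exactly the digits expected. Anchored regexes are the
// check a numeric comparison cannot do: "300' OR '1'='1" >= 200 is true in
// PHP, so the post's if-condition would pass that value straight through.
function build_grplist(array $post)
{
    $rules = array(
        'anpa'   => '/^[2-9][0-9]{2}$/',  // NPA: three digits, 200-999
        'anxx'   => '/^[2-9][0-9]{2}$/',  // NXX: three digits, 200-999
        'ablock' => '/^[0-9]{4}$/',       // last four digits
    );
    $parts = array();
    foreach ($rules as $field => $re) {
        if (!isset($post[$field]) || !is_string($post[$field])
            || !preg_match($re, $post[$field])) {
            return false;
        }
        $parts[$field] = $post[$field];
    }
    // The exclusions from the post: 900 and 911 are not accepted as NPAs.
    if ($parts['anpa'] === '900' || $parts['anpa'] === '911') {
        return false;
    }
    return $parts['anpa'] . $parts['anxx'] . $parts['ablock'];
}

// Insert one row. Every user-supplied value, not only grplist, goes through
// a bound parameter; the SQL text itself contains no data at all.
function insert_findmefollow(PDO $db, array $post)
{
    $grplist = build_grplist($post);
    if ($grplist === false) {
        return false;
    }
    $sql = 'INSERT INTO findmefollow
              (grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest,
               dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    return $stmt->execute(array(
        (int) $post['grpnum'],
        'ringall',
        (int) $post['grptime'],
        isset($post['grppre']) ? $post['grppre'] : '',
        $grplist,
        '0',
        isset($post['postdest']) ? $post['postdest'] : '',
        '', '', '0', '0', 'Ring',
        isset($post['pre_ring']) ? $post['pre_ring'] : '0',
    ));
}

// Demonstration against an in-memory sqlite database so it runs offline.
// For MySQL the DSN becomes 'mysql:host=localhost;dbname=asterisk', with
// PDO::ATTR_EMULATE_PREPARES set to false so the server does the preparing,
// and the credentials live in a file outside the web root for an account
// limited to this table (as the post describes). Placeholder schema:
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE findmefollow (grpnum INTEGER, strategy TEXT,
             grptime INTEGER, grppre TEXT, grplist TEXT, annmsg_id TEXT,
             postdest TEXT, dring TEXT, needsconf TEXT, remotealert_id TEXT,
             toolate_id TEXT, ringing TEXT, pre_ring TEXT)');

// Constructed input: an otherwise valid submission with an injection attempt
// in anpa. build_grplist() rejects it before any SQL is executed.
$form = array('anpa' => "300' OR '1'='1", 'anxx' => '555', 'ablock' => '1234',
              'grpnum' => '2000', 'grptime' => '20', 'grppre' => '',
              'postdest' => 'ext-local,vmb2000,1', 'pre_ring' => '0');
var_dump(insert_findmefollow($db, $form));

// The same submission with a well-formed NPA is stored as "2125551234".
$form['anpa'] = '212';
var_dump(insert_findmefollow($db, $form));
var_dump($db->query('SELECT grplist FROM findmefollow')->fetchColumn());
```

Validation here is about keeping bad data out of the table; the prepared statement is what prevents injection, and it does so even for fields like postdest that legitimately contain commas and letters, which no digit check could cover.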