[RESOLVED] Mystery bug

zzz

I have a simple form element that drives me nuts. Here's the code:

<input type='radio' name='gender' value='M'"; 
	if ($usr->act_gender == 'M') { echo " checked"; } echo "> Male
&nbsp;&nbsp;&nbsp;&nbsp;
<input type='radio' name='gender' value='F'"; 
	if ($usr->act_gender == 'F') { echo " checked"; } echo "> Female

When the form submitted it should

("UPDATE act_details
SET ... gender=".$_POST['gender'].", ...
WHERE ID = '".$user."' LIMIT 1")

But I keep getting the following error:

SQL/DB Error -- [Unknown column 'M' in 'field list']

Even Thought I have such a field in my db table. CHAR(1)

Can't seem to figure what's causing this error.

bodzan

About the error you're getting try this:

("UPDATE act_details
SET ... gender='".$_POST['gender']."', ...
WHERE ID = '".$user."' LIMIT 1")

Notice the single quotes around value of the gender... I cannot tell whether it will help with your error, but please do try to use it...

Second: safety of your code - there isn't one if you're using it like you showed us...
Bad user can create a form by himself and add values to gender field like he wants to - like:

''; DELETE TABLE;

or whatever like that to screw up your database...

I strongly suggest you predict the possible values your POST variable should have and act accordingly:

if(isset($_POST['gender'])){
     if($_POST['gender']=="M"){
          $gender = "M";
     }
     else if($_POST['gender']=="F"){
          $gender = "F";          

     }
     else{
          $gender = "M";
     }
}

This way you will prevent SQL injection attack that can be very serious for your application...

khendar

You are missing the single quotes around the value that you are trying to insert.

zzz

Yes, I am glad you brought up security. I am a bit paranoid about it. I'll look into it in more details. Thanks.

The absence of single quotes was the problem. :o

zzz

Re: security. What do I do if it's a free form entry, i.e. text field or textarea?

bodzan

...you would do the same thing if you want your entries to only be two or three things that you can predict (in that case you wouldn't use those but rather radio buttons), BUT either way you would have to check whether the string you are getting is a string you want too have there...

Whitelist approach is to assume that everything user submuted is bad data untill proven otherwise... So I would suggest you do something like:

$var = htmlentities($_POST['var']);
$var = strislashes($var);
$var = mysql_real_escape_string($var);

That way whatever is submited to you by the user is created safe for your database so you would be fairly safe as for your forms are concerned...

Repeat that for EVERY field of your database no matter they are radio buttons, hidden fields or whatever and you're cool...

I don't pretend to be master of all security issues, but these simple steps are recommended by PHP Security Consortium in their guide... Read it entirelly so you can grasp what can be done to prevent some very dangerous things that can happen to your sites no matter whether you run Ecommerce site or simple Blog...

zzz

In your example, if someone types in the name, say O'Connor, shouldn't I do addslashes instead? I can do stripslashed on the output.

Just for a testing purposes I have plugged some hacker example code from http://ha.ckers.org/xss.html and got pretty interesting outcome, that freaked me out a bit. So I have promptly downloaded and implemented this class: http://cyberai.com/inputfilter/ on my site.