I am inserting long text files into the database. There is 1 character (I do not know which one) I cannot insert into the database. Which character do you think will cause the problem? I use this code to escape from injection.

    if (!get_magic_quotes_gpc()) {
        $title = addslashes($title);
        $links = addslashes($links);
        $description = addslashes($description);
    }
    $to_replace = array("\r\n","|","\n","\\r\\n","\\n");

mysql_real_escape_string() has a bug. I use PHP 5.1.4; sometimes it causes some kind of error and the insert fails. I prefer to use addslashes....
There's no official bug which describes this problem? I've never heard of this either, nor had this problem before.
http://bugs.php.net/search.php?sear...p_os=&phpver=&assign=&author_email=&bug_age=0
Might be an error in your code. mysql_real_escape_string() is safer than addslashes().
I changed it into

    $links .= $_POST['links'][$i];
    $description = $_POST['description'][$i];
    $type = $_POST['type'];
    if (!get_magic_quotes_gpc()) {
        $title = mysql_real_escape_string($title);
        $links = mysql_real_escape_string($links);
        $description = mysql_real_escape_string($description);
    }
    $to_replace = array("\r\n","|","\n","\\r\\n","\\n");
    $title = str_replace($to_replace, " ", $title);
    $description = str_replace($to_replace, " ", $description);
    //echo $title . '<br/>';
    $query = "INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";
    mysql_query($query);
    echo mysql_error();

But same problem. Is the way I use the code right? Thanks.
No. mysql_real_escape_string() should always be applied (on anything non-numeric), regardless of get_magic_quotes_gpc(). In fact, if magic quotes are enabled, you should apply stripslashes() first, and then mysql_real_escape_string().
www.php.net/mysql_real_escape_string
EDIT: And can you explain your "problem"? What happens?
It does not insert into the database. I get this error:

    Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

That looks more like a problem with your server, and not the script. However, you might want to try replacing this:

    mysql_query($query);

With:

    mysql_query($query) OR die(mysql_error());

And see if you get a specific error.
No, it is not the server. If that character is not in the text it works fine. If that character is in the text I get that error. I am just going to try your code.
I get the same error:

    Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

I used this. It did not work either. I do not know if the code is right.

    $links .= $_POST['links'][$i];
    $description = $_POST['description'][$i];
    $type = $_POST['type'];
    $title = stripslashes($title);
    $links = stripslashes($links);
    $description = stripslashes($description);
    $title = mysql_real_escape_string($title);
    $links = mysql_real_escape_string($links);
    $description = mysql_real_escape_string($description);
    $to_replace = array("\r\n","|","\n","\\r\\n","\\n");
    $title = str_replace($to_replace, " ", $title);
    $description = str_replace($to_replace, " ", $description);
    //echo $title . '<br/>';
    $query = "INSERT INTO `filedetails` VALUES ('', '".$type."', '".$title."', '".$description."', '".$links."','0000000000')";
    mysql_query($query);
    echo mysql_error();

    $to_replace = array("\r\n","|","\n","\\r\\n","\\n");
    $links .= $_POST['links'][$i];
    $description = str_replace($to_replace, " ", $_POST['description'][$i]);
    $title = str_replace($to_replace, " ", $title);
    $type = $_POST['type'];
    $query = "INSERT INTO `filedetails` VALUES ('', '".mysql_escape_string($type)."', '".mysql_escape_string($title)."', '".mysql_escape_string($description)."', '".mysql_escape_string($links)."','0000000000')";
    mysql_query($query);
    echo 'MYSQL ERROR IS: '.mysql_error();

What is the output?
Peace,
Edited: Oh my god. I found the answer after 2 long days. When I try to add the word "wget " to the database it does not work. I am so serious. When I try to add "wget " (there is a space after) it does not work. Thanks for your time.

The output is still the same. I do not get an error message. It says:

    Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

I am going to try adding one by one and see where the problem is.
I read mysql_real_escape_string() has a vulnerability when it comes to * and _ characters. Does anyone have any MySQL injection examples when it comes to the * and _ problem? What can be done to fix this hole in mysql_real_escape_string()?
Sincerely,
Ryan
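
An added example, not part of any post in this thread: the thread's INSERT into `filedetails` written with bound parameters instead of addslashes() or mysql_real_escape_string(), with magic quotes undone first as advised earlier in the thread, showing that text containing quotes, a backslash and "wget " is stored as submitted. The column names, the helper names and the in-memory SQLite database (used so the script runs without a MySQL server) are assumptions.

```php
<?php
// Assumptions: column names and the in-memory SQLite database are hypothetical;
// only the table name `filedetails` and the field order come from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE filedetails (id INTEGER PRIMARY KEY AUTOINCREMENT,
    type TEXT, title TEXT, description TEXT, links TEXT, added TEXT)');

// Undo magic quotes only where the runtime still has them (gone since PHP 5.4).
function raw_input($value)
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// The same newline and pipe flattening the thread applies to title and description.
function flatten($text)
{
    return str_replace(array("\r\n", "|", "\n", "\\r\\n", "\\n"), " ", $text);
}

function insert_file(PDO $db, $type, $title, $description, $links)
{
    // Placeholders keep the data out of the SQL text, so nothing needs escaping.
    $stmt = $db->prepare('INSERT INTO filedetails
        (type, title, description, links, added) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute(array(
        raw_input($type),
        flatten(raw_input($title)),
        flatten(raw_input($description)),
        raw_input($links),
        '0000000000',
    ));
    return (int) $db->lastInsertId();
}

// Constructed sample input: quotes, a backslash, a newline and the "wget " text.
$description = "It's a \"test\" \\ path\nwget http://example.invalid/file.txt";
$id = insert_file($db, 'text', "O'Reilly | notes", $description, 'a.txt');

$check = $db->prepare('SELECT title, description FROM filedetails WHERE id = ?');
$check->execute(array($id));
$row = $check->fetch(PDO::FETCH_ASSOC);

// Each line reports whether the stored value equals the flattened input.
var_dump($row['title'] === flatten("O'Reilly | notes"));
var_dump($row['description'] === flatten($description));
```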