vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Mysql burping with " symbols (https://vborg.vbsupport.ru/showthread.php?t=105152)

Cyricx 01-12-2006 04:22 PM

Mysql burping with " symbols
 
Hopefully someone can help me out before I lose my hair ;)

I've got this insert string and unfortunately when a " is used in the newtitle, it stops the query there.

For example, if you put asd"fgh it'll only put asd into the database and ignore the rest.

Here is the query I'm using

Code:

  $db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
  (
  newtitle,
  attacker,
  victim,
  attackerid,
  victimid
  ) VALUES (
  '". $db->escape_string($_POST['newtitle'])."',
  '" . $db->escape_string($_POST['attacker']) . "',
  '" . $db->escape_string($_POST['victim']) . "',
  '" . $db->escape_string($vbulletin->userinfo['userid']) . "',
  '" . $db->escape_string($_POST['victimid']) . "'
  )");

Any ideas? :(

Hellcat 01-12-2006 04:35 PM

You might have to escape the string.

Example: asd"fgh would be asd\"fgh (note the additional \ ).
That way the SQL server "knows" the " are part of the text and not the end of it.

You can use the PHP function addslashes() to do this.

First escape your string with addslashes() and then use that result in the query.
Should do the trick :)

Cyricx 01-12-2006 04:44 PM

Hmm I tried this

Code:

$_POST['newtitle'] = addslashes($_POST['newtitle']);
$db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
(
newtitle,
attacker,
victim,
attackerid,
victimid
) VALUES (
'" . $db->escape_string($_POST['newtitle'])."',
'" . $db->escape_string($_POST['attacker']) . "',
'" . $db->escape_string($_POST['victim']) . "',
'" . $db->escape_string($vbulletin->userinfo['userid']) . "',
'" . $db->escape_string($_POST['victimid']) . "'
)");

and

Code:

$_POST['newtitle'] = addslashes($_POST['newtitle']);
$db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
(
newtitle,
attacker,
victim,
attackerid,
victimid
) VALUES (
'".$_POST['newtitle']."',
'" . $db->escape_string($_POST['attacker']) . "',
'" . $db->escape_string($_POST['victim']) . "',
'" . $db->escape_string($vbulletin->userinfo['userid']) . "',
'" . $db->escape_string($_POST['victimid']) . "'
)");

No luck with either :(

Of course, I've also tried using

'" . addslashes($_POST['newtitle'])."',

in the db query too and no luck :(

I kinda stumble around till it works so I may be completely misunderstanding you hehe.

Hellcat 01-12-2006 05:04 PM

Hmm....
Maybe try not to put the new value into the $_POST global, but rather into a local variable.
Like $newtitle = addslashes($_POST['newtitle']); and using $newtitle in the query.

If that doesn't work I'm out of ideas as well for the moment....

Cyricx 01-12-2006 05:09 PM

Bugger, no good :(

I even converted the code over to the GPC stuff and tried addslashes() and escape, then tried just addslashes(), then just escape :(

Code:

  $vbulletin->input->clean_array_gpc('p', array(
      'victimid'  => TYPE_INT,
      'victim'    => TYPE_STR,
      'attacker'  => TYPE_STR,
      'newtitle'  => TYPE_STR,
  ));
  $newpreslashedtitle =& $vbulletin->GPC['newtitle'];
  $newslashedtitle = addslashes($newpreslashedtitle);
  $db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
  (
  newtitle,
  attacker,
  victim,
  attackerid,
  victimid
  ) VALUES (
  '" . $db->escape_string($newslashedtitle) . "',
  '" . $db->escape_string($vbulletin->GPC['attacker']) . "',
  '" . $db->escape_string($vbulletin->GPC['victim']) . "',
  '" . $db->escape_string($vbulletin->userinfo['userid']) . "',
  '" . $db->escape_string($vbulletin->GPC['victimid']) . "'
  )");

And it will still only grab the characters before the " and stops there :(

Man sooo close :(

Thanks anyway Hellcat :(

I'm gonna go dig through some more files.
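The same title_wars INSERT written with bound parameters, plus a small function that shows why stacking addslashes() on top of the driver's own escaping is the wrong fix. This is an added example, not code from the thread or from vBulletin; it assumes a PDO connection to the same MySQL database ($pdo), the thread's TABLE_PREFIX constant, and the caller's own user id.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Assumes TABLE_PREFIX is defined as in vBulletin
// and that $pdo is a PDO MySQL connection with emulated prepares turned off.

/**
 * Insert one title_wars row. Every value is bound as a parameter, so a title such as
 * asd"fgh (or any mix of ' " \ characters) is stored verbatim: no quote character can
 * terminate the SQL literal and nothing is escaped by hand.
 */
function insert_title_war(PDO $pdo, string $newtitle, string $attacker,
                          string $victim, int $attackerid, int $victimid): int
{
    $sql = 'INSERT INTO ' . TABLE_PREFIX . 'title_wars'
         . ' (newtitle, attacker, victim, attackerid, victimid)'
         . ' VALUES (:newtitle, :attacker, :victim, :attackerid, :victimid)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':newtitle',   $newtitle,   PDO::PARAM_STR);
    $stmt->bindValue(':attacker',   $attacker,   PDO::PARAM_STR);
    $stmt->bindValue(':victim',     $victim,     PDO::PARAM_STR);
    $stmt->bindValue(':attackerid', $attackerid, PDO::PARAM_INT);
    $stmt->bindValue(':victimid',   $victimid,   PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

/**
 * Why addslashes() on top of escape_string() does not help: each layer adds its own
 * backslash and MySQL removes only one when it parses the quoted literal, so the
 * stored value gains a literal backslash. addslashes() is used here to stand in for
 * both layers because it escapes ' " \ the same way for this purpose.
 */
function escaping_layers(string $raw): array
{
    $once  = addslashes($raw);   // asd"fgh   -> asd\"fgh    stored as asd"fgh
    $twice = addslashes($once);  // asd\"fgh  -> asd\\\"fgh  stored as asd\"fgh
    return ['raw' => $raw, 'once' => $once, 'twice' => $twice];
}

// Usage with a constructed title containing the problematic character:
// $pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// insert_title_war($pdo, 'asd"fgh', 'alice', 'bob', (int) $vbulletin->userinfo['userid'], 42);
// print_r(escaping_layers('asd"fgh'));
```

If a SELECT on the table returns the full title while the page displays it cut off at the quote, the loss happens on output rather than in the INSERT; wrapping the value in htmlspecialchars() before placing it in an HTML attribute is the fix there.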

