
Thread: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

  1. #1
    Registered User
    Join Date
    Oct 2008
    Posts
    1
    Thanks
    0
    Thanked
    0 times in 0 posts

    PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Hello, my name is Paolo and I'm having trouble with some PHP/MySQL scripting...

    I'm creating a website for a community and it should be editable by any webmaster or by anyone with no web development training at all.

    So I created several sections and each can be edited by admins (the register/login system knows who is an admin and who is not).

    So at the modifying part of each section I created a form like this:

    <form method='POST' action='$rootAdress/index.php?sec=his&amp;mod=1&amp;c=1&amp;sql=1'>
    <textarea rows='30' name='textoNuevo' cols='65'>$contenido</textarea>
    <input type='submit' value='Enviar' class='submit'>
    </form>


    $contenido is the variable to edit, to be included later in the SQL table 'categorias'.

    $rootAdress is the address of the domain. (If you are wondering what the whole sec=his, mod=1,... things are... they are just variables at index.php that indicate which file to include...)

    In the $rootAdress/index.php?sec=his&mod=1&c=1&sql=1 file I wrote this:

    $textoNuevo = $_POST['textoNuevo'];

    $query = "UPDATE categorias SET contenido='$textoNuevo' WHERE seccion = 'his'";
    $doQuery = mysql_query($query)or die ('no se actualizó');

    and this does not update the 'contenido' value in table 'categorias'....

    I did some tests and if I add this

    $textoNuevo = $_POST['textoNuevo'];

    echo($textoNuevo);

    $query = "UPDATE categorias SET contenido='$textoNuevo' WHERE seccion = 'his'";
    $doQuery = mysql_query($query)or die ('no se actualizó');


    it shows the info written by the user in the initial textarea.... but it just won't update the database...

    So I thought the query was not "well written", so I tried this


    $textoNuevo = $_POST['textoNuevo'];

    $textoNuevo = 'hello world';

    $query = "UPDATE categorias SET contenido='$textoNuevo' WHERE seccion = 'his'";
    $doQuery = mysql_query($query)or die ('no se actualizó');


    and this worked... the contenido value in table categorias stored the value hello world!

    I just don't know what is going on.. I don't know if when the data "travels" through the POST method it changes or something... even though I tried to identify the type of variable the form posted... and it is a string... and the contenido value in table categorias is a varchar with length 99...

    I'm pretty sure it is something stupid and I'm just being dumb or something.. but I just couldn't find out what is wrong.. please, if anyone knows how to solve this, answer me... oh, and sorry for my terrible English!!

    Hello from Colombia!
    Paolo.

  2. #2
    NOT Banned
    Join Date
    Jan 2007
    Posts
    5,905
    Thanks
    410
    Thanked
    276 times in 252 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    What's the actual data being sent? Did you mysql_escape the string that is being posted? There could be chars in the string causing the query not to work.

    If you put hello world on the webpage and submit it, does it work like that? If it does, then it could be that whatever data you were testing with was causing it to fail.

  3. #3
    Seething Cauldron of Hatred TheAnimus's Avatar
    Join Date
    Aug 2005
    Posts
    17,168
    Thanks
    803
    Thanked
    2,152 times in 1,408 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Because some rubbish in HR, who must have the arrogance of China to think they can censor the internet, decided that people paid obscene salaries to be the best at their job can't be trusted, I can't check this link:

    http://unixwiz.net/techtips/sql-injection.html

    Basically PHP + MySQL (though the latter has got better now) have some horrific design ideas from a bygone era that you've fallen straight into.

    You've not validated your inputs.
    throw new ArgumentException (String, String, Exception)

  4. #4
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,026 times in 677 posts
    • directhex's system
      • Motherboard:
      • Asus ROG Strix B550-I Gaming
      • CPU:
      • Ryzen 5900x
      • Memory:
      • 64GB G.Skill Trident Z RGB
      • Storage:
      • 2TB Seagate Firecuda 520
      • Graphics card(s):
      • EVGA GeForce RTX 3080 XC3 Ultra
      • PSU:
      • EVGA SuperNOVA 850W G3
      • Case:
      • NZXT H210i
      • Operating System:
      • Ubuntu 20.04, Windows 10
      • Monitor(s):
      • LG 34GN850
      • Internet:
      • FIOS

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Always ask yourself "what if my input is '; DROP DATABASE;'"

  5. #5
    Moderator DavidM's Avatar
    Join Date
    Jan 2005
    Posts
    8,779
    Thanks
    801
    Thanked
    252 times in 234 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Agree with you, directhex.

  6. #6
    NOT Banned
    Join Date
    Jan 2007
    Posts
    5,905
    Thanks
    410
    Thanked
    276 times in 252 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Quote Originally Posted by directhex:
    Always ask yourself "what if my input is '; DROP DATABASE;'"
    But his code isn't working in the first place, and not because of SQL injection, although everyone should protect against it.

  7. #7
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,026 times in 677 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Quote Originally Posted by moogle:
    But his code isn't working in the first place, and not because of SQL injection, although everyone should protect against it.
    I'd rather he fix protected code than protect fixed code,

    because it's so easy not to bother with step 2 of the latter, but step 2 of the former is forced.

  8. #8
    Seething Cauldron of Hatred TheAnimus's Avatar
    Join Date
    Aug 2005
    Posts
    17,168
    Thanks
    803
    Thanked
    2,152 times in 1,408 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    If there is something hex and I are both in agreement on..... that's quite some diametrically opposed consensus.

    Also, when debugging something the trick is to fix the little simple problems that cause MAJOR side effects along the way. The simpler you make the problem 'line', the sooner you notice the problem.
    throw new ArgumentException (String, String, Exception)

  9. #9
    NOT Banned
    Join Date
    Jan 2007
    Posts
    5,905
    Thanks
    410
    Thanked
    276 times in 252 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Quote Originally Posted by directhex:
    I'd rather he fix protected code than protect fixed code
    I'm confused, what's protected and what's fixed?

    If you mean you'd rather he secure his code by validating input, that's just fine, but how is that a solution to his problem of the database not getting updated?

  10. #10
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,026 times in 677 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    Quote Originally Posted by moogle:
    I'm confused, what's protected and what's fixed?
    Validated & working, then.

    If you mean you'd rather he secure his code by validating input, that's just fine, but how is that a solution to his problem of the database not getting updated?
    If he isn't validating his inputs, I don't WANT to help get his database updating, and neither should he.

  11. #11
    Large Member
    Join Date
    Apr 2004
    Posts
    3,720
    Thanks
    47
    Thanked
    99 times in 64 posts

    Re: PHP MySQL HELP, passing info through a form and then inserting it into a MySQL table

    As others have said. You may also consider using PHP's mysqli instead if you're not too confident about verifying input.
    To err is human. To really foul things up ... you need a computer.
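The following is an added example, not code from any poster in this thread. It ties together what posts #2, #4 and #11 are pointing at: part 1 builds the exact SQL the original UPDATE sends for a few constructed inputs, so you can see how a plain apostrophe in the text (the "chars in the string" post #2 asks about) breaks the statement and how the "'; DROP DATABASE;" payload from post #4 becomes extra SQL; part 2 does the same update with a mysqli prepared statement, as post #11 suggests, so the text is bound as data and never parsed as SQL. Assumed, because the thread does not state them: the table `categorias` has columns `contenido` (VARCHAR(99)) and `seccion` as described in post #1; the database credentials are placeholders; the site's own admin check has already run before this code; PHP 7 or later for the scalar type hints and `??`. Note also that in the original code `or die('no se actualizó')` hides the real failure; `or die(mysql_error())` would have printed MySQL's own error message.

```php
<?php
// Added example, not the original poster's code. Part 1 shows what the posted
// string-interpolated UPDATE turns into for realistic input; part 2 does the
// same update with a mysqli prepared statement, the approach the replies
// recommend. Assumed: table 'categorias' with columns 'contenido'
// (VARCHAR(99)) and 'seccion' as described in the post; the DB credentials
// below are placeholders; the site's own admin check has already run.

// --- Part 1: the posted approach, shown as the SQL it actually sends ---------

function buildNaiveQuery(string $textoNuevo): string
{
    // Identical to the poster's line: the text is pasted straight into the SQL.
    return "UPDATE categorias SET contenido='$textoNuevo' WHERE seccion = 'his'";
}

// Constructed inputs, not real data: the first works, the second is ordinary
// text containing an apostrophe, the third is the payload from post #4.
$constructedInputs = [
    'hello world',
    "Paolo's community site",
    "'; DROP DATABASE; -- ",
];

foreach ($constructedInputs as $in) {
    echo buildNaiveQuery($in), PHP_EOL;
}
// For the second input the apostrophe closes the string literal early and
// MySQL rejects the statement (which 'or die' then masks); for the third,
// the quote closes the literal and the rest is executed as SQL.

// --- Part 2: prepared statement; the text is never parsed as SQL ------------

const MAX_CONTENIDO = 99;   // VARCHAR(99) from the post

function updateSeccion(mysqli $db, string $seccion, string $textoNuevo): int
{
    // Check length up front: MySQL in strict mode rejects over-long values,
    // in non-strict mode it silently truncates them to 99 characters.
    if (mb_strlen($textoNuevo) > MAX_CONTENIDO) {
        throw new InvalidArgumentException('contenido longer than ' . MAX_CONTENIDO);
    }

    $stmt = $db->prepare('UPDATE categorias SET contenido = ? WHERE seccion = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $textoNuevo, $seccion);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    // 1 when the row changed, 0 when it already held the same text.
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Section keys come from a server-side list, not from the URL, so a request
// can only touch the sections this script is meant to edit.
$allowedSecciones = ['his' => true];

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['textoNuevo'])
    && isset($allowedSecciones[$_GET['sec'] ?? ''])) {

    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    if ($db->connect_error) {
        die('connection failed: ' . $db->connect_error);
    }
    $db->set_charset('utf8mb4');

    try {
        $n = updateSeccion($db, $_GET['sec'], $_POST['textoNuevo']);
        echo $n === 1 ? 'actualizado' : 'sin cambios';
    } catch (Exception $e) {
        // Keep the detail in the server log; show the user only a generic message.
        error_log($e->getMessage());
        echo 'no se actualizó';
    }
    $db->close();
}
```

Two things worth knowing when adopting part 2: `affected_rows` is 0 when the submitted text is identical to what the row already holds, so a 0 is not by itself a failure; and the old `mysql_*` functions used in the original post were removed in PHP 7, so mysqli (or PDO) with bound parameters is the path forward rather than `mysql_real_escape_string`.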
