bitit.it Posted August 9, 2019 Posted August 9, 2019 i must put a slash before type ' otherwise i have a SQL error
stefan1959 Posted August 9, 2019 Posted August 9, 2019 I get the same 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'test')' at line 1 insert into reviews_description (reviews_id, languages_id, reviews_text) values ('2', '1', 'test'test') Steve
kgtee Posted August 10, 2019 Posted August 10, 2019 This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below. More info: https://www.php.net/manual/en/security.magicquotes.php
stefan1959 Posted August 10, 2019 Posted August 10, 2019 1 hour ago, kgtee said: This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below. More info: https://www.php.net/manual/en/security.magicquotes.php I'm running 7.2 Server Information Server OS: Linux 3.10.0-957.27.2.el7.x86_64 Database: MySQL 5.5.60-MariaDB Server Date: 2019-08-10 13:47:49 +1000 AEST Database Date: 2019-08-10 13:47:49 HTTP Server: Apache/2.4.6 PHP Version: 7.2.10 (Zend: 3.2.0)
kgtee Posted August 10, 2019 Posted August 10, 2019 @stefan1959 Check with your web host, they probably have their own way to implement magic quote. Ask them to turn off if possible.
stefan1959 Posted August 10, 2019 Posted August 10, 2019 I'm running a VPS soI'm running the server myself, its not hosted. I check the php.ini, no magic quote. Would CE v1 even run on php5.4?
stefan1959 Posted August 10, 2019 Posted August 10, 2019 Ok, I fixed the error, maybe the line needs a review? Line 55 of /admin/reviews.php from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')"); tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')"); tep_db_input() seems to fix error. Steve
bitit.it Posted August 10, 2019 Author Posted August 10, 2019 3 hours ago, kgtee said: @stefan1959 Check with your web host, they probably have their own way to implement magic quote. Ask them to turn off if possible. magic quote isn't safely is deprecate from a lot of years Enrico
bitit.it Posted August 10, 2019 Author Posted August 10, 2019 2 hours ago, stefan1959 said: Ok, I fixed the error, maybe the line needs a review? Line 55 of /admin/reviews.php from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')"); tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')"); tep_db_input() seems to fix error. Steve i'll try it. i'm not so expert of oscommerce code but i believe is only two solutions or use "prepare" but i never used it with mysqli only in PDO , or we must cleaning the string by dangers types usually i use addslash or htmlspecialchars; In this way if danger also for SQL injection . Enrico
stefan1959 Posted August 10, 2019 Posted August 10, 2019 Only one solution, sorry that should have a read from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");to tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')"); The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php I'm no expert either so maybe i can be corrected Steve
♥JcMagpie Posted August 10, 2019 Posted August 10, 2019 Just tested on Phoenix 1.0.1.4 running on php 7.3 and it shows no SQL issues works fine, no errors logged.
bitit.it Posted August 10, 2019 Author Posted August 10, 2019 26 minutes ago, stefan1959 said: Only one solution, sorry that should have a read from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");to tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')"); The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php I'm no expert either so maybe i can be corrected Steve Yes, thank you seem work properly Enrico
stefan1959 Posted August 10, 2019 Posted August 10, 2019 I get a error a add that text with tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')"); 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1 insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...') Too much for me to work out why. Is there a way for me to view what being put into $review Steve
♥JcMagpie Posted August 10, 2019 Posted August 10, 2019 23 minutes ago, stefan1959 said: Is there a way for me to view what being put into $review I belive $review is simply an array of the review text from you database. So if you check you db it should show you what text is in each review.
kgtee Posted August 10, 2019 Posted August 10, 2019 26 minutes ago, stefan1959 said: I get a error a add that text with tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')"); 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1 insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...') Too much for me to work out why. Is there a way for me to view what being put into $review Steve Is this error coming from the file on the shop side?
stefan1959 Posted August 10, 2019 Posted August 10, 2019 Not shop side, only in the admin section. I can write the same text fine in the shop side. Updating text works fine on admin side too. Steve
ArtcoInc Posted August 10, 2019 Posted August 10, 2019 6 hours ago, stefan1959 said: I get a error a add that text with tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')"); 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1 insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...') Too much for me to work out why. Is there a way for me to view what being put into $review Steve What this is saying is ... you are inserting data into the table reviews_description. The data to be inserted is surrounded by single quotes. Unfortunately, the code thinks that the apostrophe in the word it's is the end of the data, and doesn't know what to do with the remaining 's the best ...' Now, how to solve this ... I don't know. M
♥raiwa Posted August 10, 2019 Posted August 10, 2019 8 hours ago, stefan1959 said: Only one solution, sorry that should have a read from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");to tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')"); The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php I'm no expert either so maybe i can be corrected Steve this solution should do it About Me: http://www.oscommerce.com/forums/user/249059-raiwa/ Need help? How To Get The Help You Need Is your version of osC up to date? You'll find the latest osC community version CE Phoenix here. Public Phoenix Change Log Cheat Set on Google Sheets
ArtcoInc Posted August 10, 2019 Posted August 10, 2019 @burt Do we need to post this in the Phoenix bug list thread?
burt Posted August 10, 2019 Posted August 10, 2019 Github -> Issues If someone wants to raise it as an issue I'll get around to it at some point.
ruden Posted August 10, 2019 Posted August 10, 2019 fix escape string https://github.com/gburton/CE-Phoenix/pull/777/commits/830a9e9e6525993fafa16ab83cacb6297ad751a1
New 
Recommended Posts
Archived
This topic is now archived and is closed to further replies.