...

View Full Version : mysql quick question



slappyjaw
09-01-2009, 09:57 PM
Hello, I just had a quick question: what do you do when you have a reserved word entered into your MySQL to be inserted into a database? I remember someone telling me to backslash it in. Could someone please give me an example? Thank you!

_Aerospace_Eng_
09-01-2009, 10:06 PM
You just put back ticks around the column name. Not that hard.

$sql = "INSERT INTO `table`(`reservedword`,notreservedword) VALUES ('blah','blah2')";
You can put backticks around table names, and column names.

Although it's better to just not use reserved words in the first place if you can avoid it.

slappyjaw
09-02-2009, 12:38 AM
OK, thank you. It's just that people are going to be inputting information, and for one of my insert transactions it inputs the length of a movie file from ffmpeg and it says there's an error inputting the data. I think it is because the $length variable returns 00:00:00 or whatever length. What should I do about that? Thank you!

_Aerospace_Eng_
09-02-2009, 03:07 AM
We need to see your code. Are you using mysql_real_escape_string?

slappyjaw
09-02-2009, 03:16 AM
This is my code:
<?php include("../Connections/mysql.php");?>
<?php
if ($_POST['submit']){
$ffmpeg = "/usr/bin/ffmpeg";

$target_path = "/hsphere/local/home/rubygirl58/slappyjaw.com/videos/orig/";

$target_path = $target_path.basename($_FILES['uploadedfile']['name']);

$fileName = $_FILES['uploadedfile']['name'];

$ext = substr($fileName, strrpos($fileName, '.') + 1);

$newfilename = basename($fileName, $ext);

$newvideo = "/hsphere/local/home/rubygirl58/slappyjaw.com/videos/videos/".$newfilename."flv";

$image = "/hsphere/local/home/rubygirl58/slappyjaw.com/videos/thumbnails/".$newfilename;

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

exec($ffmpeg." -i ".$target_path." -ar 22050 -ab 32 -f flv -s 320x240 ".$newvideo);

exec($ffmpeg." -i ".$target_path." -an -ss 00:00:05 -r 1 -vframes 1 -y ".$image."jpg");

//get duration of video with ffmpeg.
////////////////////////////////////
$videofile = $target_path;
ob_start();
passthru("/usr/bin/ffmpeg -i \"{$videofile}\" 2>&1");
$duration = ob_get_contents();
ob_end_clean();

$search='/Duration: (.*?),/';
$duration=preg_match($search, $duration, $matches, PREG_OFFSET_CAPTURE, 3);
/////////////////////////////////////////////////////////////
//get the information that was gathered by the form to submit.

} else{
echo "There was an error uploading the file, please try again!";
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////// start input transaction //////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////

$desription = $_POST['description'];
$filename = basename($newvideo);
$length = $matches[1][0];
$title = $_POST['title'];
session_start();
$username = $_SESSION['kt_login_user'];
mysql_select_db($database_mysql, $mysql);
$sql = "INSERT INTO videos (description, filename, length, title, username) VALUES ({$desription}, {$filename}, {$length}, {$title}, {$username})";
mysql_query($sql) or die(mysql_error());
header("Location:http://www.slappyjaw.com/user_home.php");
} else {
header("Location:http://www.slappyjaw.com/video_upload.php");
}
?>

_Aerospace_Eng_
09-02-2009, 03:48 AM
You aren't doing anything to prevent mysql injection. Change this

$sql = "INSERT INTO videos (description, filename, length, title, username) VALUES ({$desription}, {$filename}, {$length}, {$title}, {$username})";

to this

$sql = "INSERT INTO videos (description, filename, length, title, username) VALUES ('$desription', '$filename', '$length', '$title', '$username')";

I suggest you read this tutorial.

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
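
Added example, not part of the original thread: quoting the values lets a string such as 00:00:00 through the SQL parser, while keeping user-supplied text out of the statement needs escaping (the mysql_real_escape_string question above) or bound parameters, which this sketch uses. Assumptions: PDO with an in-memory SQLite database stands in for the poster's MySQL connection, the function names parse_duration and insert_video are hypothetical, and all sample values are constructed.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// for MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE videos (description TEXT, filename TEXT, `length` TEXT, title TEXT, username TEXT)');

// Pull the duration out of ffmpeg's text output and accept only HH:MM:SS,
// dropping the fractional part. Returns null for "Duration: N/A" or no match.
function parse_duration(string $ffmpegOutput): ?string
{
    if (preg_match('/Duration: (\d{2}:\d{2}:\d{2})(?:\.\d+)?,/', $ffmpegOutput, $m)) {
        return $m[1];
    }
    return null;
}

// Named placeholders keep every value out of the SQL text, so colons,
// apostrophes and semicolons in the data cannot alter the statement.
// Backticks quote identifiers, as in the first answer of the thread.
function insert_video(PDO $pdo, array $row): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO videos (description, filename, `length`, title, username)
         VALUES (:description, :filename, :length, :title, :username)'
    );
    $stmt->execute($row);
}

// Constructed sample of the line ffmpeg prints for an input file.
$ffmpegOutput = "  Duration: 00:03:27.45, start: 0.000000, bitrate: 512 kb/s\n";
$length = parse_duration($ffmpegOutput);
if ($length === null) {
    exit("Could not read the video duration\n");
}

insert_video($pdo, [
    ':description' => "Dad's 50th; part 1 (home video)", // apostrophe and semicolon stored as data
    ':filename'    => 'birthday.flv',
    ':length'      => $length,
    ':title'       => 'Birthday',
    ':username'    => 'exampleuser',
]);

$stored = $pdo->query('SELECT description, `length` FROM videos')->fetch(PDO::FETCH_ASSOC);
printf("%s | %s\n", $stored['description'], $stored['length']);
```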

slappyjaw
09-02-2009, 04:26 AM
Thank you, this is very helpful. I am going to need to change stuff on my site because of this. Thanks for the help.


