[2006-07-02 20:17 UTC] tony2001@php.net
Description:
------------
If I POST any $query with (') from querydb.html, ex.
$query="update subscribers set name='theo' where..."
it will be received by querydb.php like
$query = $_POST[query]="update subscribers set name=\'theo\' where..."
and then
stripcslashes($query)="update subscribers set name='theo' where..."

If the query is not correct (ex: "updata subscribers set name='theo' where..."), it will not be executed and there will be no return of mysql_error().

But----------------------------------------------------------

If I pull out of the code of (querydb.php) the line
$query = stripcslashes($query);
then the query of course is not correct and will not be executed (ex: "update subscribers set name=\'theo\' where..."), but this code RETURNS the mysql_error().

Reproduce code:
---------------
//----------------------------------------------------
CREATE TABLE `subscribers` (
  `username` varchar(10) NOT NULL default '',
  `password` varchar(10) NOT NULL default '',
  PRIMARY KEY (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=218 ;

//querydb.html----------------------------------------------------
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head>
<body>
<table border='0' bgcolor='#eeeeee' width='850' style='font-family: Verdana, Arial; font-size: 8pt;' cellspacing='0' cellpadding='2'>
<tr><td width='850' align='left' bgcolor='#f1f1f1' style='font-family: Verdana Arial; font-size: 8pt; color: #f00000' ></td></tr>
<form name='querydb' action='querydb.php' method='POST' >
<tr><td width='850' ><textarea rows='7' name='query' cols='103' >$query</textarea></td></tr>
<tr><td width='850' align='center' ><input type='submit' value='SUBMIT' style='font-family: Verdana, Arial; font-size: 8px; ' name='submit'></td></tr>
</form>
</table>
</body>
</html>

//querydb.php---------------------------------------------------
<?php
// Connect to the local MySQL server and select the database
$conn = mysql_connect ("localhost", "user", "pass") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("autosgr_autosdb");

// The posted text is used as the whole SQL statement
$query = "$_POST[query]";
// Remove the backslashes that were added in front of the quotes
$query = stripcslashes($query);
// Run the statement and print the MySQL error if it fails
mysql_query($query, $conn) or die(mysql_error());
?>
//-------------------------------------------------------------

Expected result:
----------------
I expect to see the mysql_error() when I POST a wrong query.

Actual result:
--------------
$query = stripcslashes($query);
This line is necessary, but in case I post the wrong query I do not get a report of mysql_error() back.