Division by Zero problem in PHP

hm9 · August 6, 2010, 8:36pm

I have an input field that should perform auto complete whenever a user types an entry. the entries will be looked up on the database and then returned on the input field as the user types in. everytime I type an entry on the input field I keep getting an error message: Warning division by Zero in. The culprit in the code is this part: if(strlen($queryString) > 0) { and while ($row = mysql_fetch_array($result)).

The php code below is that part that checks that the user types an entry and then performs the look up:

Any idea how to solve the issue?

thanks in advance


<?php	

$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die                      
// db connection stuff


if(isset($_POST['queryString'])) { 
    $queryString = $_POST['queryString'];   
    if(strlen($queryString) > 0) { 



$sql = 'SELECT *   FROM my table  WHERE destination LIKE  '%$queryString%' ' ;

$result = mysql_query($sql);
while ($row = mysql_fetch_array($result))
{	
<li onclick="fill('<?php echo $row[destination]; ?>');"><?php echo $row[destination]; ?></li>
?>

rpkamp · August 7, 2010, 6:37pm

[B]mysql_[/B]real_escape_string

hm9 · August 7, 2010, 6:15pm

may be spoken too soon.
There is another problem with sql injection. In order to avoid the sql injection, I added the escape string bit, but it doesn t like it. I get the following error message:

call to undefined function in escape string for the following part of the code:


$queryString = real_escape_string($_POST['queryString']);

Have I missed anything?

thanks

hm9 · August 7, 2010, 5:38pm

Thanks.
The addition of the quotes solved the problem



$sql = "SELECT * FROM mytable WHERE destination LIKE '%$queryString%' LIMIT 10";

hm9 · August 12, 2010, 12:02pm

Thanks got the point

Paul_Wilkins · August 10, 2010, 11:18pm

Yes, absoutely.

Typically the best results are obtained when you remove magic quotes as soon as possible, and use mysql_real_escape_string as late as possible.

Paul_Wilkins · August 12, 2010, 1:15am

There are two issues:

Consider what happens when ‘queryString’ is not available from $_POST. In that situation, the $queryString variable will still be undefined.

To deal with that, set $queryString to an empty string just before the if statement.


$queryString = '';
if(isset($_POST['queryString'])) { 
    $queryString = $_POST['queryString'];
}

The command real_escape_string doesn’t exist. It is mysql_real_escape_string that should be used instead. You should only use it at the last possible moment, as is shown in the example on its documentation page.

Here is an appropriate way to do it.


$sql = sprintf(
    "SELECT * FROM my table WHERE destination LIKE '&#37;s' ",
    mysql_real_escape_string('%' . $queryString . '%')
);

You could also do it like this, where $queryString is set up before the database command:


$queryString = '%' . $queryString . '%';
$sql = sprintf(
    "SELECT * FROM my table WHERE destination LIKE '%s' ",
    mysql_real_escape_string($queryString)
);

Or even like this, where it’s all done within sprintf itself, where sprintf converts the double percentages to a single percentage:


$sql = sprintf(
    "SELECT * FROM my table WHERE destination LIKE '%%%s%%' ",
    mysql_real_escape_string($queryString)
);

prajapati · August 12, 2010, 12:37pm

I am sure you are still getting that error message. Isn’t it?
Because you calling real_escape_string() instead of mysql_real_escape_string()

Paul_Wilkins · August 6, 2010, 11:42pm

Look at the single quotes. There are four of them.

The first quote delimits the start of the string, which is okay.
The second quote ends the string, when instead you need to represent the quote within the overall string, instead of saying that you want to close the string.

The simplest change you can make to make your original code work, but does not protect your database any better, is to delimit the string with doublequotes:


$sql = "SELECT * FROM my table WHERE destination LIKE '%$queryString%' ";

The best solution though is to use sprintf, which the php.net website uses in its examples. See Example 2 at http://php.net/manual/en/function.mysql-query.php


$sql = sprintf(
    "SELECT * FROM my table WHERE destination LIKE '%s' ",
    mysql_real_escape_string('%' . $queryString . '%')
);

RNEL · August 6, 2010, 8:52pm

kindly show us more of your codes, i think it’s not somewhere on the code you provided

hm9 · August 10, 2010, 3:05pm

pmw57: Do I still use the real_escape_string bit to avoid sql injection? this bit still doesn’t work

Please clarify

hm9 · August 11, 2010, 7:02pm

Thanks. I have done it this way but it does nt work:



if (get_magic_quotes_gpc()) {    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);    while (list($key, $val) = each($process)) {        foreach ($val as $k => $v) {            unset($process[$key][$k]);            if (is_array($v)) {                $process[$key][stripslashes($k)] = $v;                $process[] = &$process[$key][stripslashes($k)];            } else {                $process[$key][stripslashes($k)] = stripslashes($v);            }        }    }    unset($process);}


if(isset($_POST['queryString'])) { 

$queryString = real_escape_string($_POST['queryString']);
}

Can you advise what is the correct format?

thanks

rpkamp · August 8, 2010, 1:04am

Nothing prevents you from doing that, or am I missing something?
Although I do agree your approach is better is mine

Paul_Wilkins · August 8, 2010, 12:38am

I don’t think that it’s a good idea though to tie disabling magic quotes to the mysql_real_escape_string function, because there are situations where you should disable magic quotes without the mysql_real_escape_string function being involved.

You could just automatically remove magic quotes. The code for it is on the disabling magic quotes web page, which is useful when you do not have the full control to disable magic quotes on the server.


<?php
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>

Paul_Wilkins · August 8, 2010, 12:09am

Also, the values from $_POST might already be being escaped before you get your hands on them, with something called magic quotes.

If magic quotes are being used, here is what happens:

[list=1][]O’Brian - typed in on the web page
[]O\'Brian - in $_POST thanks to magic quotes
[*]O\\\'Brian - after mysql_real_escape_string[/list]

Why use mysql_real_escape_string when magic quotes are already being used? Because over time it was realised that magic quotes only provides partial protection.

There are two ways to deal with this issue. One is to disable magic quotes on your web server.

If you cannot disable magic quotes, you can strip the slashes from the variable instead.


$queryString = $_POST['queryString'];
if (get_magic_quotes_gpc()) {
    $queryString = stripslashes($querystring);
}
$queryString = mysql_real_escape_string($queryString);

[list=1][]O’Brian - typed in on the web page
[]O\'Brian - in $_POST thanks to magic quotes
[]O’Brian - after stripslashes
[]O\'Brian - after mysql_real_escape_string[/list]

So you end up with the properly escaped string.

rpkamp · August 8, 2010, 12:16am

Or you could create a function that calls mysql_real_escape_string but before it does that tests for magic_quotes, and than call that function instead of testing for magic_quotes and calling mysql_real_escape_string each time separately:


function my_real_escape_string($string)
{
   if (get_magic_quotes_gpc())
     $string = stripslashes($string);
   return mysql_real_escape_string($string);
}