'ACCESS FORBIDDEN' message when adding record to DB with word 'echo' in record

Hello Everyone,

I came across a very strange problem today that I’ve never seen before and can’t figure out how to fix it, in part because searching for the problem is nearly impossible.

I have a database where beer names are stored for a client, and they tried to insert a beer name "Echo Puncher". Each time they do it they get an ACCESS FORBIDDEN message because of the word echo. Is this a common problem or is there a setting I can change in the database to allow this PHP keyword to be uploaded as part of the string?

Any help you can provide would be great!
Thanks!

It probably means you coded the sql statements wrong.

I am betting you used string concatenation or string interpolation and it is breaking things.

Considering I have only a loose grasp on those terms it could definitely be the case. I am including the code that deals with the handling of the variable and inserting it into the DB, maybe someone sees something. I omitted anything that doesn’t deal with that particular variable for clarity.

```php
$beer = $_POST['beer'];

// Lower-case the name, then re-capitalise words (ucwords_specific() is a helper
// defined elsewhere in the poster's code; "-'" are the extra word delimiters)
$beer = ucwords_specific( mb_strtolower($beer, 'UTF-8'), "-'");

// Values are interpolated straight into the SQL string (no escaping or binding)
mysql_query("INSERT INTO $loc (brewery,beer,abv,style,cost,size,city,state,notes,filter,local) VALUES ('$brewery','$beer','$abv','$style','$cost','$size','$city','$state','$notes','$filter','$local')");
```

Should I be handling this variable differently?
I did notice I can add a record that is just 'Echo'; when I use Echo followed by a space, it does not.

Thanks in advance,
Drew

You have much bigger problems. Your code is dangerous, obsolete, completely removed from current versions of PHP and is vulnerable to an SQL Injection attack. If you haven't been hacked yet, you will be. If you have this code on the net, take it down immediately.

You need to use PDO with Prepared Statements. Here is a tutorial to get you going. https://phpdelusions.net/pdo

First and foremost, you need to update the code away from mysql functions. Use mysqli or PDO. Next, prepared statements. That will treat your values as values and not commands.
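The same INSERT rewritten with PDO prepared statements, as the replies recommend. This is an added example, not the poster's code: it assumes placeholder DSN and credentials, a hypothetical allow-list of table names (a table name cannot be bound as a parameter, so $loc has to be validated separately), and swaps the poster's ucwords_specific() helper for PHP's built-in ucwords() with a delimiter list.

```php
<?php
declare(strict_types=1);
// Table names cannot be bound as parameters, so $loc is checked against an
// allow-list (hypothetical names) before it is placed into the SQL text.
const ALLOWED_TABLES = ['beers_main', 'beers_seasonal'];

const COLUMNS = ['brewery', 'beer', 'abv', 'style', 'cost', 'size',
                 'city', 'state', 'notes', 'filter', 'local'];

function insertBeer(PDO $pdo, string $loc, array $row): int
{
    if (!in_array($loc, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $loc");
    }

    // Same normalisation as the original, using built-in ucwords() with the
    // extra delimiters in place of the poster's ucwords_specific() helper.
    $row['beer'] = ucwords(mb_strtolower($row['beer'], 'UTF-8'), " -'");

    // Named placeholders: every value is sent separately from the SQL, so a
    // quote, a semicolon or the word "echo" in a beer name is just data.
    $cols  = implode(', ', COLUMNS);
    $marks = ':' . implode(', :', COLUMNS);
    $stmt  = $pdo->prepare("INSERT INTO `$loc` ($cols) VALUES ($marks)");

    $params = [];
    foreach (COLUMNS as $c) {
        $params[":$c"] = $row[$c] ?? null; // missing fields become NULL
    }
    $stmt->execute($params);

    return (int) $pdo->lastInsertId();
}

// Connection with exceptions on error and real (non-emulated) prepares.
// DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=beers;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
// Constructed sample row standing in for $_POST, using the name that failed.
$id = insertBeer($pdo, 'beers_main', [
    'brewery' => 'Example Brewing', 'beer' => 'echo puncher', 'abv' => '6.5',
    'style' => 'IPA', 'cost' => '7', 'size' => '16', 'city' => 'Denver',
    'state' => 'CO', 'notes' => "Bob's favourite; it's hoppy", 'filter' => '1',
    'local' => '1',
]);
echo "Inserted row $id\n";
```

The allow-list check is the part the original could not get from binding alone: placeholders protect the values, not the table or column names.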

Oh boy… another bonus size can of worms.

Luckily, this code is all behind a password protected directory for managerial use only. So at least I have that defense.
Round and round we go.

Thanks for the heads up though.
