This is a discussion on Re: [PHP] _GET('name') truncates within the PHP General forums, part of the PHP Programming Forums category.
I'll let everyone else do the "why the hell are you doing this? security blah blah! bad practice blah blah!" type stuff.. I'm sure there will be plenty.
One reason this may be happening is, depending on your browser, there's a limit to the number of characters you can have in a URL. That seems to be cutting off around 900 characters. That's a lot to put into a URL.

If you're really intent on setting up a PHP powered web page to test SQL statements, I might recommend using a web form either using input type=text or textarea form elements and a POST method instead of GET.

If you don't have control over the server but do everything remotely, you might consider seeing if there's a phpMyAdmin set up with your hosting service that you can use for database management/queries/etc. If it's a localish database, you can still use phpMyAdmin, but might also have the option of setting up an ODBC connection and using a program like WinSQL or Navicat to connect and do queries and maintenance.

If you have more specific questions about any of this, feel free to ask.

-TG

= = = Original message = = =

Hi all,

I've written a php script, called test.php, consisting of the following statements:

<?php
error_reporting(E_ALL);
$query = $_GET['sql'];
echo $query;
?>

Using the script with 'small' values for the parameter sql works fine.
Although, using the script with the sql query as specified below

http://localhost/test.php?sql="SELECT orders_id, customers_id, customers_name, customers_company, customers_street_address, customers_suburb, customers_city, customers_postcode, customers_state, customers_country, customers_telephone, customers_email_address, customers_address_format_id, delivery_name, delivery_company, delivery_street_address, delivery_suburb, delivery_city, delivery_postcode, delivery_state, delivery_country, delivery_address_format_id, billing_name, billing_company, billing_street_address, billing_suburb, billing_city, billing_postcode, billing_state, billing_country, billing_address_format_id, payment_method, cc_type, cc_owner, cc_number, cc_expires, last_modified, date_purchased, orders_status, orders_date_finished, currency, currency_value FROM orders where ((date_purchased >= 18991230 and last_modified is null) or last_modified >= 18991230 ) and orders_status in (1,2,3) and ((date_purchased <= 20071201203454 and last_modified is null) or last_modified <= 20071201203454 ) and orders_id = 2 order by date_purchased"

results in the following:

\"SELECT orders_id, customers_id, customers_name, customers_company, customers_street_address, customers_suburb, customers_city, customers_postcode, customers_state, customers_country, customers_telephone, customers_email_address, customers_address_format_id, delivery_name, delivery_company, delivery_street_address, delivery_suburb, delivery_city, delivery_postcode, delivery_state, delivery_country, delivery_address_format_id, billing_name, billing_company, billing_street_address, billing_suburb, billing_city, billing_postcode, billing_state, billing_country, billing_address_format_id, payment_method, cc_type, cc_owner, cc_number, cc_expires, last_modified, date_purchased, orders_status, orders_date_finished, currency, currency_value FROM orders where ((date_purchased >= 18991230 and last_modified is null) or last_modified >= 18991230 ) and orders_status in (1,2,3) and%2~n~

I do not understand why the value of the sql parameter is truncated. Any help is appreciated!! Thanks in advance!
At 3:11 PM -0500 2/5/07, <tg-php@gryffyndevelopment.com> wrote:
>That seems to be cutting off around 900 characters. That's a lot to
>put into a URL.

That figure varies. I did some testing on one of my servers and the cut off was somewhere around 7000 characters. However, I don't recommend the practice.

Cheers,

tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
On Mon, February 5, 2007 2:11 pm, tg-php@gryffyndevelopment.com wrote:
> If you're really intent on setting up a PHP powered web page to test
> SQL statements, I might recommend using a web form either using input
> type=text or textarea form elements and a POST method instead of GET.

I believe the minimum compliant POST size is... 4096 bytes??? The HTTP spec upped this every version release, it seems like, so I could never keep track.

*MOST* servers are way more lenient on the POST size limit than GET, though, in my experience of servers that enforce a limit.

I believe Apache mod_security may have such a limit -- Actually, that won't even let you pass in something that looks like a whole SQL query in the first place, which is a PITA if you want a back-end admin page with a simple POST form to replace the phpMyAdmin bloatware. :-(

--
Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
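
The replies above suggest POST over GET and note that a whole SQL statement in a request is both length-limited and likely to be blocked by filters. An alternative is to send only the filter values and keep the statement on the server. The sketch below is an added example, not code from any poster in this thread: the field names `orders_id`, `from` and `to`, the shortened column list and the in-memory SQLite table are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names come from the
// original message's query; the field names orders_id/from/to are assumptions.

/** Validate request fields; returns [params, errors]. SQL text is never accepted. */
function parse_order_filter(array $in): array
{
    $errors = [];
    $id = filter_var($in['orders_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'orders_id must be a positive integer';
    }
    foreach (['from', 'to'] as $k) {
        $v = $in[$k] ?? null;
        // Same numeric date shapes the original query used.
        if (!is_string($v) || !preg_match('/^\d{8}(\d{6})?$/D', $v)) {
            $errors[] = "$k must be YYYYMMDD or YYYYMMDDHHMMSS";
        }
    }
    return [['id' => $id, 'from' => $in['from'] ?? '', 'to' => $in['to'] ?? ''], $errors];
}

/** Fixed statement (column list shortened); request values are only ever bound. */
function fetch_orders(PDO $db, array $p): array
{
    $stmt = $db->prepare(
        'SELECT orders_id, customers_name, date_purchased, orders_status FROM orders
          WHERE ((date_purchased >= ? AND last_modified IS NULL) OR last_modified >= ?)
            AND orders_status IN (1,2,3)
            AND ((date_purchased <= ? AND last_modified IS NULL) OR last_modified <= ?)
            AND orders_id = ? ORDER BY date_purchased');
    $stmt->execute([$p['from'], $p['from'], $p['to'], $p['to'], $p['id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data: in-memory SQLite stands in for the real orders database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE orders (orders_id INTEGER, customers_name TEXT,
           date_purchased TEXT, last_modified TEXT, orders_status INTEGER)');
$db->exec("INSERT INTO orders VALUES (2, 'Constructed Customer', '20070115120000', NULL, 1)");

// Constructed inputs standing in for $_POST: one valid, one carrying query text.
$good = ['orders_id' => '2', 'from' => '18991230', 'to' => '20071201203454'];
$bad  = ['orders_id' => '2 order by date_purchased', 'from' => '18991230', 'to' => 'x'];
foreach ([$good, $bad] as $request) {
    [$params, $errors] = parse_order_filter($request);
    print_r($errors ?: fetch_orders($db, $params));
}
```

With three short fields the request stays far below any URL or body size limit, and nothing in it resembles SQL, so the statement text can no longer be truncated or rewritten by the caller.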