Second Life Forums Archive

Coburn Constantine

Registered User

Join date: 16 Jul 2008

Posts: 6

09-15-2008 21:49

Hey, i modified the tutorials on php and came up with the following codes. Its supposed to detect the name of the character who touched an object, send the name via URL to a database and search on the database using the character name given for a certain detail in the table.

Somehow i'm unable to access the database as it should and i get this error: unexpected character input etc.

Anyone can help me please? Thanks alot =)

[Second Life Script ]

key requestid;

default
{
touch_start(integer number)
{
//detect the name of character who touches the object
string who = llDetectedName(0);
llWhisper(0, "Someone touched me: " + who);

//send the variable Student_Game_Name to the URL
string wholist = "parameter1="+ who;
//llWhisper(0, "TEST: " + who);

requestid = llHTTPRequest("http://jetlim.3sedan.com/pet/checkpoint.php",
[HTTP_METHOD, "POST",
HTTP_MIMETYPE, "application/x-www-form-urlencoded"],
wholist);
//"parameter1=hello&parameter2=world"

;
}

http_response(key request_id, integer status, list metadata, string body)
{
if (request_id == requestid)
llWhisper(0, "Web server said: " + body);
}

}

[PHP Script]

<?php
$username = "jetlim";
$password = "jetlim";
$hostname = "localhost";

$dbh = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL"

;

$selected = mysql_select_db($username, $dbh)
or die("Could not select database"

;

$SL_student_name = $_POST["parameter1"];
$result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = '$SL_student_name' "

;

while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
echo "" . $row{'Points'} ."

";
}

mysql_close($dbh);

?>

Faust Vollmar

llSetAgentSanity(FALSE);

Join date: 3 Feb 2007

Posts: 87

09-15-2008 22:11

The immediate thing that strikes me with what little I know about HTTP Request...

From: someone

string wholist = "parameter1="+ who;

You should always llEscapeURL() your input. (in this case who) Unless I'm mistaken... I always see that input escaped...

Alicia Sautereau

if (!social) hide;

Join date: 20 Feb 2007

Posts: 3,125

09-15-2008 22:21

as said

string wholist = "parameter1="+ llEscapeURL(who);

second i`ve spotted an error in the php script wich should be:
$result = mysql_query('SELECT Points FROM StudentDetails WHERE Student_Game_Name = '.$SL_student_name);

I allways open and close a query with ' and when you need to insert a var, you need to include a dot . after the last '

the '. is a personal pref, you could also do:

$result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = $SL_student_name"

;

but having vars enclosed in "" makes a reading mess

edit: i normally use a database class, if you can give me 24 or so hours, i`m working on a http tutorial with the needed files, atm it`s abit of a chochop, just trying to find the time for it due to rl

Coburn Constantine

Registered User

Join date: 16 Jul 2008

Posts: 6

09-16-2008 01:20

heya thanks for helping, i've already made the changes to it but the error still exists: unexpected error in input: '\' (ASC||=92)... anyone could explain to me what could cause this?

Btw, because i am sending a name with a spacing into the URL as my paramter1...could this be the cause of my error?

Kahiro Watanabe

Registered User

Join date: 28 Sep 2007

Posts: 572

09-16-2008 10:54

Use net beans to debug your code, maybe it's just a syntax error.
Also use phpMyAdmin...if you have that in your host, to test the query, paste it in the databese query section, and it will throw an error telling you wich line is wrong.

_____________________

Jocko Domo japanese goods

[Blog]

Haruki Watanabe

llSLCrash(void);

Join date: 28 Mar 2007

Posts: 434

09-16-2008 12:14

ASCII 92 is a \ - try using the php-command «addslashes($string)» to your data you wanna store in the DB...

[edit]

when doing database-queries, I usually do it a little different than you (and alicia).

So this:

$SL_student_name = $_POST["parameter1"];
$result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = '$SL_student_name' "

;

is made into:

$SL_student_name = $_POST["parameter1"];
$result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = '".$SL_student_name."';"

;

Note the last part... This is because when you have special characters in your $whatever, that when you do them inline (i.e. ='$whatever' instead of ='".$whatever."'...) this can cause problems.
You have to type a few extra characters but I never had any problems with my queries using this technique.

Consider the following SQL-Statement:

SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'Haruki Watanabe';

This is what it looks like, when my name is passed with a string:

$SL_student_name = "Haruki Watanabe";

$sql = "SELECT Points FROM StudentDetails WHERE Student_Game_Name = '".$SL_student_name."';";

Now - to make this even worse, imagine you'd have to look for «Haruki Watanabe's house». This has an extra «'» in the string that's being sought for which would confuse the sql-engine since it thinks the string ends at the 2nd «'». Thus your sql-query would look like this:

SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'Haruki Watanabe' s house;

The «s house» would end up in the sql-statement, means, if you leave out the WHERE-condition, it'll end up being this:

SELECT Points FROM StudentDetails s house; // throws an error

That's when «addslashes»*comes in handy:

$SL_student_name = addslashes("Haruki Watanabe's house"

;

Now the content of $SL_student_name is «Haruki Watanabe\'s house» which makes it safe to use in an sql-statement.

$sql = "SELECT Points FROM StudentDetails WHERE Student_Game_Name = '".$SL_student_name."';";

On a sidenote: When someone tries to make an sql-injection, attacking your database, this technique is - alas, just a very tiny - countermeasure...

Your PHP-script waits for the parameter «parameter1» which will be filled by your SL-Script... now if anyone can «sniff» what your script does, they can figure out which parameters should be passed to your php-script and do the following:

parameter1=just-some-stuff' OR '1=1

NOW your SQL-Statement would end up being this:

SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'just-some-stuff' OR '1=1';

The above query will return ALL the entries in your table!

So when you use «addslashes» the sql-query would be:

SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'just-some-stuff\' OR \'1=1';

This won't return any results...

NEVER trust the variables that are being passed to your PHP-script NEVER-EVER!!!

Alicia Sautereau

if (!social) hide;

Join date: 20 Feb 2007

Posts: 3,125

09-16-2008 20:38

dropped 1 of the http handler versions i`m planning to make public on you with a sample script
as left in the IM, just finished the code with extensive list abuse for a more dynamic query buildup, next version will have a simpler handler as i like working from hard to easy lol?

Welcome to the Second Life Forums Archive

Database & Php

Database & Php
Coburn Constantine Registered User Join date: 16 Jul 2008 Posts: 6	09-15-2008 21:49 Hey, i modified the tutorials on php and came up with the following codes. Its supposed to detect the name of the character who touched an object, send the name via URL to a database and search on the database using the character name given for a certain detail in the table. Somehow i'm unable to access the database as it should and i get this error: unexpected character input etc. Anyone can help me please? Thanks alot =) [Second Life Script ] key requestid; default { touch_start(integer number) { //detect the name of character who touches the object string who = llDetectedName(0); llWhisper(0, "Someone touched me: " + who); //send the variable Student_Game_Name to the URL string wholist = "parameter1="+ who; //llWhisper(0, "TEST: " + who); requestid = llHTTPRequest("http://jetlim.3sedan.com/pet/checkpoint.php", [HTTP_METHOD, "POST", HTTP_MIMETYPE, "application/x-www-form-urlencoded"], wholist); //"parameter1=hello&parameter2=world"; } http_response(key request_id, integer status, list metadata, string body) { if (request_id == requestid) llWhisper(0, "Web server said: " + body); } } [PHP Script] <?php $username = "jetlim"; $password = "jetlim"; $hostname = "localhost"; $dbh = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL"; $selected = mysql_select_db($username, $dbh) or die("Could not select database"; $SL_student_name = $_POST["parameter1"]; $result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = '$SL_student_name' "; while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) { echo "" . $row{'Points'} ." "; } mysql_close($dbh); ?>
Faust Vollmar llSetAgentSanity(FALSE); Join date: 3 Feb 2007 Posts: 87	09-15-2008 22:11 The immediate thing that strikes me with what little I know about HTTP Request... From: someone string wholist = "parameter1="+ who; You should always llEscapeURL() your input. (in this case who) Unless I'm mistaken... I always see that input escaped...
Alicia Sautereau if (!social) hide; Join date: 20 Feb 2007 Posts: 3,125	09-15-2008 22:21 as said string wholist = "parameter1="+ llEscapeURL(who); second i`ve spotted an error in the php script wich should be: $result = mysql_query('SELECT Points FROM StudentDetails WHERE Student_Game_Name = '.$SL_student_name); I allways open and close a query with ' and when you need to insert a var, you need to include a dot . after the last ' the '. is a personal pref, you could also do: $result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = $SL_student_name"; but having vars enclosed in "" makes a reading mess edit: i normally use a database class, if you can give me 24 or so hours, i`m working on a http tutorial with the needed files, atm it`s abit of a chochop, just trying to find the time for it due to rl
Coburn Constantine Registered User Join date: 16 Jul 2008 Posts: 6	09-16-2008 01:20 heya thanks for helping, i've already made the changes to it but the error still exists: unexpected error in input: '\' (ASC\|\|=92)... anyone could explain to me what could cause this? Btw, because i am sending a name with a spacing into the URL as my paramter1...could this be the cause of my error?
Kahiro Watanabe Registered User Join date: 28 Sep 2007 Posts: 572	09-16-2008 10:54 Use net beans to debug your code, maybe it's just a syntax error. Also use phpMyAdmin...if you have that in your host, to test the query, paste it in the databese query section, and it will throw an error telling you wich line is wrong. _____________________ Jocko Domo japanese goods [Blog]
Haruki Watanabe llSLCrash(void); Join date: 28 Mar 2007 Posts: 434	09-16-2008 12:14 ASCII 92 is a \ - try using the php-command «addslashes($string)» to your data you wanna store in the DB... [edit] when doing database-queries, I usually do it a little different than you (and alicia). So this: $SL_student_name = $_POST["parameter1"]; $result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = '$SL_student_name' "; is made into: $SL_student_name = $_POST["parameter1"]; $result = mysql_query("SELECT Points FROM StudentDetails WHERE Student_Game_Name = '".$SL_student_name."';"; Note the last part... This is because when you have special characters in your $whatever, that when you do them inline (i.e. ='$whatever' instead of ='".$whatever."'...) this can cause problems. You have to type a few extra characters but I never had any problems with my queries using this technique. Consider the following SQL-Statement: SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'Haruki Watanabe'; This is what it looks like, when my name is passed with a string: $SL_student_name = "Haruki Watanabe"; $sql = "SELECT Points FROM StudentDetails WHERE Student_Game_Name = '".$SL_student_name."';"; Now - to make this even worse, imagine you'd have to look for «Haruki Watanabe's house». This has an extra «'» in the string that's being sought for which would confuse the sql-engine since it thinks the string ends at the 2nd «'». Thus your sql-query would look like this: SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'Haruki Watanabe' s house; The «s house» would end up in the sql-statement, means, if you leave out the WHERE-condition, it'll end up being this: SELECT Points FROM StudentDetails s house; // throws an error That's when «addslashes»*comes in handy: $SL_student_name = addslashes("Haruki Watanabe's house"; Now the content of $SL_student_name is «Haruki Watanabe\'s house» which makes it safe to use in an sql-statement. $sql = "SELECT Points FROM StudentDetails WHERE Student_Game_Name = '".$SL_student_name."';"; On a sidenote: When someone tries to make an sql-injection, attacking your database, this technique is - alas, just a very tiny - countermeasure... Your PHP-script waits for the parameter «parameter1» which will be filled by your SL-Script... now if anyone can «sniff» what your script does, they can figure out which parameters should be passed to your php-script and do the following: parameter1=just-some-stuff' OR '1=1 NOW your SQL-Statement would end up being this: SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'just-some-stuff' OR '1=1'; The above query will return ALL the entries in your table! So when you use «addslashes» the sql-query would be: SELECT Points FROM StudentDetails WHERE Student_Game_Name = 'just-some-stuff\' OR \'1=1'; This won't return any results... NEVER trust the variables that are being passed to your PHP-script NEVER-EVER!!!
Alicia Sautereau if (!social) hide; Join date: 20 Feb 2007 Posts: 3,125	09-16-2008 20:38 dropped 1 of the http handler versions i`m planning to make public on you with a sample script as left in the IM, just finished the code with extensive list abuse for a more dynamic query buildup, next version will have a simpler handler as i like working from hard to easy lol?