mysql insert into table doesnt work

Question

I am trying to do the following insertion below. When I just take the string, MZ \\0\\0\\0\\0\\0\\0\\0 \\0\\0 \\0\\0\\0, and directly put it into the insert statement, it works. However, when i get it through my function and then try to insert, i get an empty set when select everything form that table.

   if($_FILES)//check if cookies set
{
    require_once 'DBLogin.php';
    $conn = new mysqli($hn, $un, $pw, $db);
    if($conn -> connect_error) die($conn->connect_error);
    $username = $_REQUEST['uname'];
    //echo "admin: ".$_SESSION['admin']."<br>";


        if (!preg_match("/^[a-zA-Z0-9]+$/", $_POST['mname']))
        {
            echo "Invalid malware name. Only Numbers and Letters allowed". "<br>";
            exit();
        }
        else if(!isset($_SESSION['check']) || !isset($_COOKIE['token']) ||$_SESSION['check'] !== hash('ripemd128', $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_COOKIE['token']))
        {
            echo "Need to login as Admin before can upload files.<br>";
            exit();
        }
        else
        {
            verifyAdmin($conn);
            $fileGood = checkFile($_FILES);
            $entry = getSection($fileGood);

            $entry = chooseSanitization($conn,$entry, $_FILES['file']['type']);
            //$entry = mysql_entities_fix_string($conn,$entry);



            if(checkExistence($conn, $_POST['mname'],$entry) === true)
            {
                echo "Malware sequence and/or name already in database. Please upload different name/sequence. <br>";
                exit();
            }

            $title = $_POST['mname'];


            $insertQuery = "Insert into malwarelist (malwareName, sequence) values ('$title','$entry')";

            //$insertQuery = "Insert into malwarelist (malwareName, sequence) values ('$title','MZ�\0\0\0\0\0\0\0��\0\0�\0\0\0')";
            $conn -> query($insertQuery);

            echo "Malware has been added! <br>";
        }
    $conn->close();
}

function chooseSanitization($connection,$string, $fileType)
{
    if ($fileType === 'text/plain')
    {
        return mysql_entities_fix_string($connection,$string);
    }
    else
    {
        return mysql_fix_string($connection,$string);
    }
}

function mysql_entities_fix_string($connection, $string)
{
    return htmlentities(mysql_fix_string($connection, $string));
}
function mysql_fix_string($connection, $string)
{
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return $connection->real_escape_string($string);
}

If i try to do "Insert into malwarelist (malwareName, sequence) values ('$title','MZ \\0\\0\\0\\0\\0\\0\\0 \\0\\0 \\0\\0\\0')" it works, but if i try to do this: Insert into malwarelist (malwareName, sequence) values ('$title','$entry')". FYI, $entry is equal to MZ \\0\\0\\0\\0\\0\\0\\0 \\0\\0 \\0\\0\\0, but nothing is inserted. why?

Answer 1

You are passing variables title and entry directly as a string, you need to concatenate the variable using '.' operator Try with this, may this help You-

$insertQuery = "INSERT INTO malwarelist (malwareName, sequence) VALUES('".$_POST['mname'].'',''.$entry."')";
if ($conn->query($insertQuery) === TRUE) {
    echo "<br>New record successfully inserted  ".$_POST['mname'];
} else {
    echo "Error: " . $insertQuery. "<br>" . $conn->error;
}

If any of error occurs, comment that error to this answer

To change encoding run the MySQl query on your localhost

ALTER TABLE malwarelist MODIFY COLUMN sequence VARCHAR(255)  
CHARACTER SET utf8 COLLATE utf8mb4_general_ci NOT NULL;

or

ALTER TABLE malwarelist MODIFY COLUMN sequence VARCHAR(255)  
    CHARACTER SET utf8 COLLATE utf8mb4_unicode_ci NOT NULL;

Answer 2

It should like below only, you can't add where criteria in an insert statement.

Insert into malwarelist (malwareName, sequence) values ('$title','$entry')";