
iSmart

Active Member
120
2012
41
0
Hello,

I have a snippet of code that is supposed to add 5 values to a MySQL database, but it doesn't add the values to the corresponding MySQL table.

PHP:
<?php
$host="XXXXXX"; 
$username="XXXXX";
$password="XXXXXX"; 
$db_name="XXXXXX"; 

$con=mysql_connect($host, $username, $password)or die("cannot connect"); 

mysql_select_db($db_name)or die("cannot select DB");

$tutorialID = $_GET["tutorialID"];
$email= $_GET["email"];
$note= $_GET["note"];
$title= $_GET["title"];
$date= $_GET["date"];


$sql = "INSERT INTO `notes`(`tutorialID `, `email`, `note`, `title`, `date`) VALUES ('".$_GET['tutorialID']."','".$_GET['email']."','".$_GET['note']."','".$_GET['title']."','".$_GET['date']."')";

$result = mysql_query($sql);
if (!$result) {
    $json = array("result"=>"no");
} else {
    $json = array("result"=>"ok");
}

header('Content-Type: application/json');
echo json_encode($json);
?>

The url of that php code is:


"notes" MySQL table:


What's the problem?

Thanks in advance!
You are directly passing user input into the query. Read up on SQL injection and sanitizing user input; your script is a disaster waiting to happen.
Also use PHP: mysql_error - Manual to figure out why it isn't getting added to your database.
It also probably isn't working because you haven't specified the link in the mysql_select_db function.
Try mysql_select_db($db_name, $con)


Thanks

I have just used PHP: mysql_error - Manual and I've successfully solved my problem :)
Btw, why are you telling me that this snippet of code is a disaster? I mean, what's the problem with it? Did you mean that if the user input is not appropriate for the database field's data type it will hurt the database's disk? It actually works fine now anyway..

GoodLuck
 
Make sure you alter your code so you insert sanitised strings.

eg.
$tutorialID = $_GET["tutorialID"];

Sets $tutorialID, but the insert doesn't use $tutorialID; it uses the $_GET request directly.



PHP:
$tutorialID = mysql_real_escape_string($_GET["tutorialID"]);
$email= mysql_real_escape_string($_GET["email"]);
$note= mysql_real_escape_string($_GET["note"]);
$title= mysql_real_escape_string($_GET["title"]);
$date= mysql_real_escape_string($_GET["date"]);

In the MySQL insert, change all $_GET requests to the sanitised strings, eg. change $_GET['tutorialID'] to $tutorialID


Maybe check all values are set before inserting them?
At least check they are set, or validate each one, eg. is_numeric() for the ID, a regex to check the email address, a regex for the date, etc.
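As an added example (not the thread's code, and not Gavo's): the same insert done the way a current PHP codebase would, with the per-field checks suggested above and a PDO prepared statement in place of mysql_real_escape_string; the mysql_* functions used in this thread were deprecated in PHP 5.5 and removed in PHP 7.0. DB_HOST, DB_NAME, DB_USER and DB_PASS are placeholders for the connection details.

```php
<?php
// Added example, not the thread's code: validate each field, then insert with a
// PDO prepared statement so values travel separately from the SQL text.
// DB_HOST, DB_NAME, DB_USER, DB_PASS are placeholders; column names are the thread's.

function validate_note(array $in): ?array {
    // Missing keys become null and fail the checks below.
    $id    = $in['tutorialID'] ?? null;
    $email = $in['email']      ?? null;
    $note  = $in['note']       ?? null;
    $title = $in['title']      ?? null;
    $date  = $in['date']       ?? null;

    // ID: digits only. is_numeric() would also accept "1e3", " 12" or "1.5".
    if (!is_string($id) || !ctype_digit($id)) return null;
    // Email: PHP's built-in validator rather than a hand-written regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) return null;
    // Date: must parse as Y-m-d and round-trip, so 2012-02-31 is rejected.
    $d = is_string($date) ? DateTime::createFromFormat('!Y-m-d', $date) : false;
    if ($d === false || $d->format('Y-m-d') !== $date) return null;
    // Free text: required, with a length bound for the title column.
    if (!is_string($title) || $title === '' || strlen($title) > 255) return null;
    if (!is_string($note) || $note === '') return null;

    return ['tutorialID' => (int)$id, 'email' => $email, 'note' => $note,
            'title' => $title, 'date' => $date];
}

function insert_note(PDO $pdo, array $row): bool {
    // Named placeholders carry the data; nothing from $_GET is spliced into the SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO `notes` (`tutorialID`, `email`, `note`, `title`, `date`)
         VALUES (:tutorialID, :email, :note, :title, :date)');
    return $stmt->execute($row);   // array keys match the placeholder names
}

$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface errors instead of silent failure
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

header('Content-Type: application/json');
$row = validate_note($_GET);
if ($row === null) {
    http_response_code(400);   // reject bad input before touching the database
    echo json_encode(['result' => 'no', 'reason' => 'invalid input']);
} else {
    echo json_encode(['result' => insert_note($pdo, $row) ? 'ok' : 'no']);
}
```

With ERRMODE_EXCEPTION a failed insert throws instead of returning false, so the real cause (such as a misspelt column name) is visible in the PHP error log rather than hidden behind a generic "no".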


@Gavo

Thanks for the help!
 