Posts posted by danelkayam
You also want to use the escape_string function. That script is really prone to SQL injection.
Petition Script Help
in PHP Coding Help
Main Page which displays signatures and terms:
[code]<html>
<head>
<title>Petition Against *Insert What the petition is against, here*</title>
</head>
<body>
To the *Insert whom the petition is supposed to affect*,
<p>*Insert terms of petition here*
<br>Click <a href="sign.php">Here</a> to sign the petition
</body>
<?
// Connection Info
$host = "*Insert host name here*";
$username = "*Insert username here*";
$password = "*Insert password here*";
// Connecting to the host (adapted so users won't see unsightly errors they don't understand)
$connect = mysql_connect("$host" , "$username" , "$password") OR DIE("The site is currently down, please try again later");
// Selecting the database
@mysql_select_db('petitionscript') OR DIE('The site is currently down, please try again later');
$first=$Post_['f_name'];
$last=$Post_['l_name'];
$email=$Post_['email'];
// Showing all signatures
$query = "Select * FROM signature";
$result=mysql_query($query);
$num=mysql_numrows($result);
mysql_close();
echo "<b><center>$num Signature(s)</center></b>";
$i=0;
while ($i < $num){
$FirstName=mysql_result($result,$i,"FirstName");
$LastName=mysql_result($result,$i,"LastName");
$Email=mysql_result($result,$i,"Email");
$TSDate=mysql_result($result,$i,"TSDate");
echo "<br>First Name:<b>$FirstName</b>";
echo "<br>Last Name:<b>$LastName</b>";
echo "<br>E-mail:<b>$Email</b>";
echo "<br>Time of signature:<b>$TSDate</b>";
$i++;
}
?>[/code]
The sign.php file, which allows the user to sign the petition (this is where I get my error):
[code]
<?
if ($_GET['check'] == TRUE) {
// Connection Info
$host = "*host name here*";
$username = "*user name here*";
$password = "*password here*";
// Connecting to the host
$connect=mysql_connect("$host" , "$username" , "$password") OR DIE("The site is currently down, please try again later");
// Selecting the database
@mysql_select_db('petitionscript') OR DIE('The site is currently down, please try again later');
// inserting information (escape_string to prevent query injections)
$query = "INSERT INTO signature (FirstName, LastName, Email, TSDate) VALUES ('". mysql_real_escape_string($_GET['f_name']) ."', '". mysql_real_escape_string($_GET['l_name']) ."', '". mysql_real_escape_string($_GET['email']) ."', '". time() ."')";
mysql_query($query) or die(mysql_error());
mysql_close($connect);
}else{
?>
<html>
<head>
<title>Signing the petition</title>
</head>
<body>
<FORM action="sign.php" method="GET">
<INPUT type="text" name="f_name" value="First Name" ><br>
<INPUT type="text" name="l_name" value="Last Name"><br>
<INPUT type="text" name="email" value="E-mail Address"><br>
<INPUT type="submit" value="Submit">
<INPUT type="hidden" name="check" value="TRUE">
</FORM>
</body>
</html>
<?
}
?>
[/code]
Another note, when I try replacing the line:
[code]<FORM action="sign.php" method="GET">[/code]
With:
[code]<FORM action="<?php echo $_SERVER['PHP_SELF']; ?>" method="GET">[/code]
I still get the same problem.
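The same insert and signature listing written with bound parameters and HTML-encoded output, as an added example that is not the poster's code. It assumes PDO with an in-memory SQLite database standing in for the MySQL `petitionscript` database; the function names `sign_petition` and `render_signatures` and the sample submissions are hypothetical.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL
// `petitionscript` database; table and column names are from the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE signature
            (FirstName TEXT, LastName TEXT, Email TEXT, TSDate INTEGER)');

// Store one signature. Values travel as bound parameters, so quotes in a
// name cannot change the statement. Returns false for unusable input.
function sign_petition(PDO $pdo, array $in): bool
{
    $first = trim((string)($in['f_name'] ?? ''));
    $last  = trim((string)($in['l_name'] ?? ''));
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($first === '' || $last === '' || $email === false) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO signature
        (FirstName, LastName, Email, TSDate) VALUES (?, ?, ?, ?)');
    return $stmt->execute([$first, $last, $email, time()]);
}

// Build the signature list, HTML-encoding every stored value on output.
function render_signatures(PDO $pdo): string
{
    $e = fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8');
    $rows = $pdo->query('SELECT * FROM signature')->fetchAll(PDO::FETCH_ASSOC);
    $out = '<b><center>' . count($rows) . ' Signature(s)</center></b>';
    foreach ($rows as $r) {
        $out .= '<br>First Name:<b>' . $e($r['FirstName']) . '</b>'
              . '<br>Last Name:<b>' . $e($r['LastName']) . '</b>'
              . '<br>E-mail:<b>' . $e($r['Email']) . '</b>'
              . '<br>Time of signature:<b>'
              . $e(date('Y-m-d H:i', (int)$r['TSDate'])) . '</b>';
    }
    return $out;
}

// Constructed sample submissions (not data from the page).
$samples = [
    ['f_name' => "Sean", 'l_name' => "O'Brien", 'email' => 'sean@example.com'],
    ['f_name' => '<i>Ann</i>', 'l_name' => 'Lee', 'email' => 'ann@example.com'],
    ['f_name' => 'First Name', 'l_name' => 'Last Name', 'email' => 'E-mail Address'],
];
foreach ($samples as $s) {
    echo sign_petition($pdo, $s) ? "stored\n" : "rejected\n";
}
echo render_signatures($pdo), "\n";
```

The third sample is the form's untouched default values, which the e-mail check rejects; the name containing markup is stored as typed and only encoded when it is written into the page.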