tenfoottrike Posted March 12, 2010

ok so when I run this code I just get the echo back of "Could not execute query", the message on line 20. Now I know what it's about, but for the life of me I can't find the prob with it. Can someone take a look and tell me what I'm missing here? I'm about to pull my hair out

```php
<?php
if(session_start()){
    $id;
    $comname = $_POST['comname'];
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $phone = $_POST['phone'];
    $email = $_post['email'];
    $add = $_post['add'];
    $city = $_post['city'];
    $state = $_post['state'];
    $zip = $_post['zip'];
    $stuf = $_post['stuf'];

    $conn = @mysql_connect("localhost","root") or die("Could not connect to MYSQL");
    $rs = @mysql_select_db("database", $conn) or die("Could not connect to database");

    $sql = "INSERT INTO table (id, comname, fname, lname, phone, email, add, city, state, zip, stuf) VALUES ('', '$comname', '$fname', '$lname', '$phone', '$email', '$add', '$city', '$state', '$zip', '$stuf')";

    $rs = mysql_query($sql, $conn) or die("Could not execute query");
    mysql_close();
    header("Location:site.php");
}
else{
    die("fourm was not filled out right");
}
?>
```

ialsoagree Posted March 12, 2010

Warning, warning, warning! Danger Will Robinson family!

You're executing data in an SQL statement submitted directly by the user without any validating or escaping! Anyone can perform an SQL injection and potentially wipe tables, steal relevant information, and otherwise harm or gain access to your entire database!

Secondly, it's going to be much easier to diagnose your problem if you echo the mysql_error().

Also, keep in mind that due to your use of error suppression, you don't actually know if you're connected to the database and have the appropriate database selected! You suppress errors in connecting or selecting the database, so there's no way to actually tell if it worked or not.

tenfoottrike (Author) Posted March 12, 2010

Thank you for the warning, but this is on a closed standalone computer, so I'm not looking to make any more than that unless I want to do that to myself. And I know it's connecting to the database, it's just not submitting it to the table.

ialsoagree Posted March 12, 2010

Unless it's echoing some kind of confirmation, or it's working elsewhere in the script, you actually can't know if it's working for sure. With error suppression on, there's no way to know or not unless you're confirming that it did in some other way within the script.

When you encounter an error, you have to throw ALL assumptions to the wind. If you don't, you could be chasing your tail for hours when the problem is the very assumption you're making to begin with.

If you're familiar with proper validation for user data you want to use in SQL, then that's fine, if not though, this is the perfect opportunity to practice it. It is hugely important in PHP development and even if you only plan to work on small projects, rest assured you're still very susceptible to attack. Most malicious users don't target high profile systems because they're likely to get caught, instead, they target amateur systems likely not to have much security or be able to trace them. I've been associated with a few small projects (used only by a few hundred people) that were repeatedly targeted for malicious use and even lost the database on one or more occasions.

Finally, without a mysql_error(), this is a really difficult problem to help you with. Someone might be willing to take your code and run it for themselves, but if you want a fast response, you're going to have to supply the error description so that those not willing to run your code themselves can help you.
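
An added example (not code from any poster in this thread) of the two points raised in the replies above: bind user input as parameters instead of pasting it into the SQL string, and let the driver report its actual error instead of suppressing it. It assumes PDO with the SQLite driver so that it runs without a server, and uses a hypothetical `contacts` table and constructed input.

```php
<?php
// Added example, not the poster's code. Table and column names are hypothetical.
// In-memory SQLite keeps it runnable offline; the prepare/execute calls are the
// same against MySQL through PDO's mysql driver.
$pdo = new PDO('sqlite::memory:');
// Throw on every failure instead of hiding it behind @ ... or die("fixed text").
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (
    id INTEGER PRIMARY KEY, comname TEXT, fname TEXT, lname TEXT, email TEXT)');

// Constructed sample input standing in for $_POST.
$post = ['comname' => 'Acme', 'fname' => 'Pat', 'lname' => "O'Brien",
         'email' => 'pat@example.com'];

function insert_concatenated(PDO $pdo, array $in): string {
    // The thread's pattern: values pasted straight into the SQL text.
    $sql = "INSERT INTO contacts (comname, fname, lname, email) VALUES ("
         . "'{$in['comname']}', '{$in['fname']}', '{$in['lname']}', '{$in['email']}')";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();  // the driver's reason, not a fixed string
    }
}

function insert_prepared(PDO $pdo, array $in): int {
    // Basic validation first, then bound parameters: values never become SQL text.
    foreach (['comname', 'fname', 'lname', 'email'] as $k) {
        if (!isset($in[$k]) || !is_string($in[$k]) || $in[$k] === '' || strlen($in[$k]) > 100) {
            throw new InvalidArgumentException("missing or invalid field: $k");
        }
    }
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    $stmt = $pdo->prepare('INSERT INTO contacts (comname, fname, lname, email)
                           VALUES (:comname, :fname, :lname, :email)');
    $stmt->execute([':comname' => $in['comname'], ':fname' => $in['fname'],
                    ':lname' => $in['lname'], ':email' => $in['email']]);
    return (int) $pdo->lastInsertId();
}

echo insert_concatenated($pdo, $post), PHP_EOL;  // the apostrophe ends the string early
$id = insert_prepared($pdo, $post);
$row = $pdo->query("SELECT lname FROM contacts WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
echo "stored lname: {$row['lname']}", PHP_EOL;
```

Even an ordinary surname with an apostrophe changes the concatenated statement, which is why this matters on a standalone machine too; the prepared version stores the same value unchanged.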
Archived
This topic is now archived and is closed to further replies.