naike Posted October 16, 2010 Share Posted October 16, 2010 So, let me explain: <?php class MySqlDatabase { private $connection; function __construct() { $this->database_connect(); } public function database_connect() { $this->connection = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME); if (!$this->connection) { die("Database connection failed: " . mysqli_error()); } } public function database_query($sql) { $query = mysqli_real_escape_string($sql, $this->connection); $result = mysqli_query($query, $this->connection); if(!$result) { die("Database query failed: " . mysqli_error()); } return $result; } public function database_close() { if (isset($this->connection)) { mysqli_close($this->connection); unset($this->connection); } } } ?> Take a look at the database_query() method. When I insert this into it from my index.php to test if it works: <?php $database = new MySqlDatabase(); $sql = "INSERT INTO `website`.`users` (`id`, `username`, `first_name`, `last_name`, `password`, `email`, `secret_question`, `secret_answer`, `create_time`) VALUES (NULL, 'joe', 'joe', 'doe', 'password123', 'myemail@email.com', 'Who am I?', 'myself', '2010-10-16 13:37:59');"; $database->database_query($sql); ?> Obviously the date and the password needs some working on (hashing and entering current time), but I get this error: Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in ...includes\classes.php on line 32 Warning: mysqli_query() expects parameter 1 to be mysqli, null given in ..includes\classes.php on line 33 Warning: mysqli_error() expects exactly 1 parameter, 0 given in ..includes\classes.php on line 35 Database query failed: I I'm giving it a mysql syntax, but it doesn't work, also I get no error message. Quote Link to comment Share on other sites More sharing options...
naike Posted October 16, 2010 Author Share Posted October 16, 2010 Okay I'm doubsle posting because I can't edit my post. (Why?) Just giving an update: <?php public function database_query($sql) { $query = mysqli_real_escape_string($this->connection, $sql); $result = mysqli_query($this->connection, $query); if(!$result) { die("Database query failed: " . mysqli_error($this->connection)); } return $result; } ?> Error: Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$sql' at line 1 Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted October 16, 2010 Share Posted October 16, 2010 echo $sql to see what is coming into the function. public function database_query($sql) { echo "function received: ".$sql."<br />\n"; // rest of function Quote Link to comment Share on other sites More sharing options...
naike Posted October 16, 2010 Author Share Posted October 16, 2010 echo $sql to see what is coming into the function. public function database_query($sql) { echo "function received: ".$sql."<br />\n"; // rest of function This is the function that goes in: <?php INSERT INTO users (id, username, first_name, last_name, password, email, secret_question, secret_answer, create_time) VALUES (NULL, 'joe', 'joe', 'doe', 'password123', 'myemail@email.com', 'Who am I?', 'myself', '2010-10-16 13:37:59'); ?> this is after processing $sql to be SQL ready: <?php INSERT INTO users (id, username, first_name, last_name, password, email, secret_question, secret_answer, create_time) VALUES (NULL, \'joe\', \'joe\', \'doe\', \'password123\', \'myemail@email.com\', \'Who am I?\', \'myself\', \'2010-10-16 13:37:59\'); ?> Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted October 16, 2010 Share Posted October 16, 2010 neither one of those snippets of PHP code would even compile. do you have error reporting turned on? i repeat my suggestion. add an echo inside the function to see what $sql is when it enters the function. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted October 16, 2010 Share Posted October 16, 2010 You don't apply mysqli_real_escape_string() the whole query string. You apply it to each piece of data that is put into the query. Quote Link to comment Share on other sites More sharing options...
naike Posted October 16, 2010 Author Share Posted October 16, 2010 I just added those php tags to make it clear. Anyway, I'll try to rewrite the function. So instead of applying that to the whole query I would instad have it like this: INSERT INTO users (password) VALUE ('$password'); and run $password through the escape string thing? Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted October 16, 2010 Share Posted October 16, 2010 what i'm getting at is this error: Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$sql' at line 1 apparently, the code is trying to literally execute the string '$sql' Quote Link to comment Share on other sites More sharing options...
naike Posted October 16, 2010 Author Share Posted October 16, 2010 I thought it over, however I'm stuck now. I have a database object that controlls everything related to my database. So I want to include a method that adds the use to the database. <html> <form action="register/index.php" method="post"> Username: <input type="text" name="username" maxlength="20" value="<?php echo htmlentities($username); ?>" /><br /> First Name: <input type="text" name="first_name" maxlength="20" value="<?php echo htmlentities($first_name); ?>" /><br /> Last Name: <input type="text" name="laster_name" maxlength="20" value="<?php echo htmlentities($last_name); ?>" /><br /> Password: <input type="password" name="password" maxlength="30" value="<?php echo hash(sha512, $password); ?>" /><br /> Email: <input type="text" name="email" maxlength="30" value="<?php echo htmlentities($email); ?>" /><br /> Secret Question: <input type="text" name="secret_question" maxlength="35" value="<?php echo htmlentities($secret_question); ?>" /><br /> Secret Answer: <input type="text" name="secret_answer" maxlength="35" value="<?php echo htmlentities($secret_answer); ?>" /><br /> <input type="submit" name="" value="Submit" /> </form> </html> This is the form, the $_POST then gets submitted to register/index.php. inside index.php: <?php include_once $_SERVER['DOCUMENT_ROOT'] . "/includes/values.php"; include_once $_SERVER['DOCUMENT_ROOT'] . "/includes/functions.php"; include_once $_SERVER['DOCUMENT_ROOT'] . "/includes/classes.php"; ?> <?php $database = new MySqlDatabase(); $database->db_input_user($_POST); ?> Here is the method of the object MySqlDatabase: <?php public function db_input_user($array) { foreach ($array as $input => $value) { $result = mysqli_real_escape_string($this->connection, $value); mysqli_query($this-connect, "INSERT INTO users (username, first_name, last_name, password, email, secret_question, secret_answer, create_time) VALUES " . ($result, $result, $result, $result, $result, $result, $result)); } } ?> I know that copy pasting $result wont do any good, and I'm aware it's not working, and why, but I just finished the function so I can show it to you. Everything is wrong here, probably the way I'm approaching this too Can you suggest a way for me to send the submitted information to the database. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.