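clippa Posted April 17, 2011

Database Structure

CREATE DATABASE `testdb` DEFAULT CHARSET latin1;
USE `testdb`;

-- One table for the submitted contact details. As declared it has no primary
-- key and every column accepts NULL.
CREATE TABLE `info` (
  `fname` char(20),
  `lname` char(20),
  `address` varchar(30),
  `city` char(20),
  `country` char(10)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

PHP Update Script

<?php
// Takes the five fields of the submitted form and stores them as one row of `info`.
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$address=$_POST['address'];
$country=$_POST['country'];
$city=$_POST['city'];

// Review note: this logs in as root with an empty password. A dedicated account
// that has a password and rights on `testdb` only limits what a flaw in this
// script can reach.
// Review note: the mysql_* functions were deprecated in PHP 5.5 and removed in
// PHP 7.0; mysqli and PDO are the supported replacements.
$conn = mysql_connect('localhost','root',"") or die('Error: ' .mysql_error());
$db = mysql_select_db('testdb', $conn);

// Review note: the five $_POST values are placed into the SQL text unescaped, so
// a quote character in any field changes the statement itself (SQL injection).
// Binding the values as parameters of a prepared statement closes this. The line
// is left exactly as posted because the replies below discuss it.
$query="INSERT INTO info(fname,lname,address,country,city)VALUES('$fname','$lname','$address','$country','$city')";
$results = mysql_query($query);
if($results) {
    echo "Your data has been sent";
} else {
    echo "data not sent";
}
?>
<html>
<head> <title> </title> </head>
<body>
<a href = "first.html"> Back </a>
</body>
</html>

PHP Retrieve Script

<html>
<body>
<table border="1" cellspacing="0" cellpadding="0">
<tr>
<td> First Name </td>
<td> Last Name </td>
<td> Address </td>
<td> City </td>
</tr>
<?php
// HTML-encode one stored value before it is written into the table.
// The encoding is named explicitly because the table is declared latin1.
// NOTE(review): confirm the connection really returns latin1 text.
function h($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'ISO-8859-1');
}

// Same root login without a password as in the update script.
$conn = mysql_connect("localhost","root");
$db = mysql_select_db('testdb', $conn);

// Only the four columns that are printed are fetched.
$query = "SELECT fname, lname, address, city FROM info";
$result = mysql_query($query);
if (!$result) {
    echo "Problem with query " . $query . "<br/>";
    exit();
}

while($myrow = mysql_fetch_array($result)) {
    // Every value was typed into the form by a visitor, so each one is encoded
    // before it becomes part of the page; otherwise stored markup would be
    // rendered in the browser of whoever opens this listing.
    echo "<tr><td>".h($myrow["fname"])."</td><td>".h($myrow["lname"])."</td><td>".h($myrow["address"])."</td><td>".h($myrow["city"])."</td></tr>";
}
?>
</table>
</body>
</html>

MOD EDIT: . . . BBCode tags added.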
Pikachu2000 Posted April 17, 2011 Do you have a question related to that code? When posting code, please enclose it within the forum's . . . BBCode tags.
clippa Posted April 17, 2011 No i just pasted it for those who need to know how to update and retrieve from a database im a php beginner and i was able to finally get this update and retrieve to work thats why i pasted it... I hope it is not against forum rules? And i have noted down the quotes thing thank you
Pikachu2000 Posted April 17, 2011 Perhaps you missed the sticky topic at the top of the forum titled THIS IS NOT A CODE REPOSITORY?
clippa Posted April 17, 2011 Perhaps you missed the sticky topic at the top of the forum titled THIS IS NOT A CODE REPOSITORY? I guess i did and i am very sorry for my mistake thank you for pointing it out for me
aceph Posted April 18, 2011

Nice that you shared the code, but there is a nightmare in it: it leaves the door wide open to an SQL injection attack, which could be the death of your system. You didn't pass $fname, $lname ... through any kind of escaping. You should have done it this way:

$fname=mysql_real_escape_string($_POST['fname']);
$lname=mysql_real_escape_string($_POST['lname']);
$address=mysql_real_escape_string($_POST['address']);
$country=mysql_real_escape_string($_POST['country']);
$city=mysql_real_escape_string($_POST['city']);

[Review note: mysql_real_escape_string() needs an open database connection, so these lines belong after the mysql_connect() call, not before it as the assignments are in the posted script.]
dougjohnson Posted May 11, 2011

Or, better yet, you could use "Prepared" queries and not have to worry about user input at all:

<?PHP
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$address=$_POST['address'];
$country=$_POST['country'];
$city=$_POST['city'];
$connection = new mysqli('localhost', 'root', '', 'testdb');
$result = $connection->prepare("INSERT INTO info (fname,lname,address,country,city) VALUES (?, ?, ?, ?, ?)");
$result->bind_param("sssss", $fname, $lname, $address, $country, $city);
$result->execute();
?>

[Review note: binding the values removes the injection from this INSERT; the return values of prepare() and execute() should still be checked, and the stored text still has to be HTML-encoded wherever it is printed back into a page.]

[attachment deleted by admin]