deltahawk Posted February 27, 2013 Share Posted February 27, 2013 I just started learning PHP, I'm sorry if the following questions sounds "dumb". I'm trying to create a PHP script that will allow me to create new databases, pulling the name of the database to be created from a text input box on the same page. In this case, let's assume a connection to the database has been established via another PHP script on the same page, so I am already authenticated. This is the code I have <form action="example.php" method="POST"> <input type="text" name="name"> <?php // Create database $sql="CREATE DATABASE [insert name from input here]; if (mysqli_query($con,$sql)) { echo "Database [name] created successfully"; } else { echo "Error creating database: " . mysqli_error(); } ?> So, to be short and to the point, how can I get the input from "name" to [insert name from input here]? Your time and help is appreciated! Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/ Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 ... $_POST. A basic google search should have revealed plenty of tutorials. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415277 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 (edited) ... $_POST. A basic google search should have revealed plenty of tutorials. I've spent about half an hour on google trying to figure it out, which is why I resorted to signing up on this forum and asking. It might be obvious to you, but being that I've only been involved for PHP for such short time, I'm obviously missing something. Sorry for bothering you! And yes, I've tried $_POST. Edited February 27, 2013 by deltahawk Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415280 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 If you post what you've actually tried you might get more useful help. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415285 Share on other sites More sharing options...
teynon Posted February 27, 2013 Share Posted February 27, 2013 Two things: 1) http://www.whathaveyoutried.com 2) http://www.html-form-guide.com/php-form/php-form-tutorial.html Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415286 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 (edited) If you post what you've actually tried you might get more useful help. I'm stuck trying to figure out the correct method of calling the input from "name" <form action="example.php" method="POST"> <input type="text" name="name"> <input type="submit"> </form> into the create database query. // Create database $sql="CREATE DATABASE [input here]; if (mysqli_query($con,$sql)) { echo "Database [name] created successfully"; } else { echo "Error creating database: " . mysqli_error(); } ?> I've tried both $sql="CREATE DATABASE ($_POST['name'])"; and $sql="CREATE DATABASE ($_GET['name'])"; Edited February 27, 2013 by deltahawk Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415287 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 You said you tried using the $_POST array, and when I said post what you've tried, there's nothing there. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415289 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 You said you tried using the $_POST array, and when I said post what you've tried, there's nothing there. I've tried both $sql="CREATE DATABASE ($_POST['name'])"; and $sql="CREATE DATABASE ($_GET['name'])"; Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415290 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 http://php.net/manual/en/reserved.variables.post.php Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415291 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 And what happens when you use the post one? Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415292 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 And what happens when you use the post one? Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in drxtech/connect.php on line 25 Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415293 Share on other sites More sharing options...
teynon Posted February 27, 2013 Share Posted February 27, 2013 (edited) $sql="CREATE DATABASE ({$_POST['name']})"; This is a very bad idea though. Here's why: 1) Implying that the web user has permission to CREATE DATABASE, means that your MySQL permissions are not properly set up and is vulnerable to attack. 2) You are running a dangerous command from the webserver. 3) You are injecting user posted variables straight into mysql. You should consider using MySQLi or PDO or at the very minimum, validate the post variable and run mysql_real_escape_string Edited February 27, 2013 by teynon Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415294 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 Okay post the ACTUAL code for lines 23-27 or so. That's a basic syntax error. Your problem keeps changing. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415295 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 I don't think you need the () either. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415296 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 (edited) I don't think you need the () either. This is the entire code: <form action="example.php" method="POST"> <input type="text" name="name"> <input type="submit"> </form> <?php //connect $con=mysqli_connect("xxx","xxx","xxx!"); //check connection if (mysqli_connect_errno($con)) { echo "Connection Failed: " . mysqli_connect_error(); } else { echo "Connection Sucessful"; } // Create database $sql="CREATE DATABASE({$_POST['name']})"; if (mysqli_query($con,$sql)) { echo "Database my_db created successfully"; } else { echo "Error creating database: "; } ?> Edited February 27, 2013 by deltahawk Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415297 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 The syntax error was fixed using teynon's version. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415298 Share on other sites More sharing options...
teynon Posted February 27, 2013 Share Posted February 27, 2013 (edited) I see you are using 'mysqli_query" but, you should know that just because you ran mysqli_query instead of mysql_query does not make it more secure. You need to validate your input and use prepared statements. Edited February 27, 2013 by teynon Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415299 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 (edited) I see you are using 'mysqli_query" but, you should know that just because you ran mysqli_query instead of mysql_query does not make it more secure. You need to validate your input and use prepared statements. Thank you for letting me know. This is all internal facing, I'm using a dummy database server and right now my primary focus is to be able to make the PHP script work (which is what I am trying to learn). Edited February 27, 2013 by deltahawk Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415301 Share on other sites More sharing options...
Jessica Posted February 27, 2013 Share Posted February 27, 2013 Might as well start out learning PDO, even better Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415306 Share on other sites More sharing options...
deltahawk Posted February 27, 2013 Author Share Posted February 27, 2013 Might as well start out learning PDO, even better Thanks, I'll look into it. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415307 Share on other sites More sharing options...
Sanjib Sinha Posted February 27, 2013 Share Posted February 27, 2013 After learning php/mysql in object oriented style, i think specially for secured database operation you may consider using a good framework where ORM is used. You would get help of built in database classes. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415309 Share on other sites More sharing options...
Christian F. Posted February 27, 2013 Share Posted February 27, 2013 I don't see any advice of ORM doing anything but make the task, as outlined by the OP, more complicated and time consuming. While ORM is great for its use, this is not a case for it. deltahawk: If you're trying to learn PHP then I strongly recommend getting into the habit of validating input and escaping output right away. Even if this is an internally-facing application, it could still be attacked from the outside. Or be brought down by one unfortunate employee who just made a typo. CSRF is one such attack that could come from the outside, to attack the internal system, XSS attacks from the internal application can be used to attack all of the computers inside your company, and so forth. I doubt you'll want your application, and thus you yourself, being responsible for something like that. Security is not just for sites available online, after all. It is paramount for all applications, whether network-capable or not. Quote Link to comment https://forums.phpfreaks.com/topic/274995-creating-mysql-database-through-php-pulling-db-name-from-text-box/#findComment-1415352 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.