Jump to content

Creating mySQL Database through PHP, pulling DB name from text box?


Recommended Posts

I just started learning PHP, I'm sorry if the following questions sounds "dumb".

I'm trying to create a PHP script that will allow me to create new databases, pulling the name of the database to be created from a text input box on the same page.

In this case, let's assume a connection to the database has been established via another PHP script on the same page, so I am already authenticated.

This is the code I have

 

<form action="example.php" method="POST">
<input type="text" name="name">

<?php

// Create database
$sql="CREATE DATABASE [insert name from input here];
if (mysqli_query($con,$sql))
{
echo "Database [name] created successfully";
}
else
{
echo "Error creating database: " . mysqli_error();
}
?>
 

 

So, to be short and to the point, how can I get the input from "name" to [insert name from input here]?

Your time and help is appreciated!

...

 

$_POST. A basic google search should have revealed plenty of tutorials.

I've spent about half an hour on google trying to figure it out, which is why I resorted to signing up on this forum and asking.

 

It might be obvious to you, but being that I've only been involved for PHP for such short time, I'm obviously missing something.

 

Sorry for bothering you!

 

And yes, I've tried $_POST.

Edited by deltahawk

If you post what you've actually tried you might get more useful help.

I'm stuck trying to figure out the correct method of calling the input from "name"

 

<form action="example.php" method="POST">

<input type="text" name="name">

<input type="submit">

</form>

 

into the create database query.

 

// Create database

$sql="CREATE DATABASE [input here];

if (mysqli_query($con,$sql))

{

echo "Database [name] created successfully";

}

else

{

echo "Error creating database: " . mysqli_error();

}

?>

 

I've tried both

 

$sql="CREATE DATABASE ($_POST['name'])";

 

and

 

$sql="CREATE DATABASE ($_GET['name'])";

Edited by deltahawk

You said you tried using the $_POST array, and when I said post what you've tried, there's nothing there.

 

I've tried both

 

$sql="CREATE DATABASE ($_POST['name'])";

 

and

 

$sql="CREATE DATABASE ($_GET['name'])";

$sql="CREATE DATABASE ({$_POST['name']})";

 

This is a very bad idea though.

 

Here's why:

1) Implying that the web user has permission to CREATE DATABASE, means that your MySQL permissions are not properly set up and is vulnerable to attack.

2) You are running a dangerous command from the webserver.

3) You are injecting user posted variables straight into mysql. You should consider using MySQLi or PDO or at the very minimum, validate the post variable and run mysql_real_escape_string

Edited by teynon

I don't think you need the () either.

This is the entire code:

 

 

<form action="example.php" method="POST">
<input type="text" name="name">
<input type="submit">
</form>
 
<?php
//connect
$con=mysqli_connect("xxx","xxx","xxx!");
 
//check connection
if (mysqli_connect_errno($con))
{
echo "Connection Failed: " . mysqli_connect_error();
}
else
{
echo "Connection Sucessful";
}
 
// Create database
$sql="CREATE DATABASE({$_POST['name']})";
if (mysqli_query($con,$sql))
  {
  echo "Database my_db created successfully";
  }
else
  {
  echo "Error creating database: ";
  }
?>
Edited by deltahawk

I see you are using 'mysqli_query" but, you should know that just because you ran mysqli_query instead of mysql_query does not make it more secure. You need to validate your input and use prepared statements.

Edited by teynon

I see you are using 'mysqli_query" but, you should know that just because you ran mysqli_query instead of mysql_query does not make it more secure. You need to validate your input and use prepared statements.

Thank you for letting me know.

 

This is all internal facing, I'm using a dummy database server and right now my primary focus is to be able to make the PHP script work (which is what I am trying to learn).

Edited by deltahawk

After learning php/mysql in object oriented style, i think specially for secured database operation you may consider using a good framework where ORM is used. You would get help of built in database classes.

I don't see any advice of ORM doing anything but make the task, as outlined by the OP, more complicated and time consuming. While ORM is great for its use, this is not a case for it.

 

deltahawk: If you're trying to learn PHP then I strongly recommend getting into the habit of validating input and escaping output right away. Even if this is an internally-facing application, it could still be attacked from the outside. Or be brought down by one unfortunate employee who just made a typo.

CSRF is one such attack that could come from the outside, to attack the internal system, XSS attacks from the internal application can be used to attack all of the computers inside your company, and so forth. I doubt you'll want your application, and thus you yourself, being responsible for something like that.

 

Security is not just for sites available online, after all. It is paramount for all applications, whether network-capable or not.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.