php language


VictorObah

I created an insert PHP code which successfully submits to the database, but I was lost at some point, because what I really wanted was a PHP code that will print on the next page after submission to the db.

 

 

 



<?php


include ("config.php");


//Connect to server and select database.
mysql_connect   ("$host", "$username", "$password")   or     die("cannot connect to server");
mysql_select_db("$db_name") or  die("cannot select DB");


$    p= $_POST['firstname'];
$    b= $_POST['lastname'];    
$    a= $_POST['location']; 
$    user= $_POST['username'];
$    d= $_POST['dt']; 
$    am=$_POST['state']; 
$    p=$_POST['password']; 
$    f=$_POST['sex']; 


$sql="INSERT INTO $tbl_name(firstname,lastname,location,username,dt,state,password,sex)
VALUES('$_POST[firstname]','$_POST[lastname]','$_POST[location]','$_POST[username]','$_POST[dt]','$_POST[state]','$_POST[password]','$_POST[sex]')";
$result=mysql_query($sql);


header ("location:account-tr.php");


?>


 

 

config.php

 



<?php
$host="localhost"; // Host name 
$username="*****"; // Mysql username 
$password="*****"; // Mysql password 
$db_name="****"; // Database name  
$tbl_name="registration"; // Table name


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 
?>

Edited by Ch0cu3r
Formatted post and removed credentials

Couple things right off the bat: first, if those are your actual database credentials, remove them from the post. Second, please use the code tags (the < > button on the post editor) when you post code - it makes it much easier to read. Third, the mysql_* functions have been deprecated for about a decade now and will be flat-out removed at some point in the near-ish future - use PDO (preferably) or mysqli_* instead. They both are still supported and let you use prepared statements, which will circumvent the massive security holes you've got in your current script. Google 'SQL Injection attacks' for more information. I'm assuming the spaces between the dollar sign and the variable name are a typo, as I don't think php will properly parse that, although it may not be noticeable if you're developing with errors turned off as you're assigning all the $_POST values to local variables and then ignoring those variables completely.

 

Now, on to the meat of the question. If you've got the data saving (dangerously) to your database, you're halfway there, technically. On the account-tr.php page, you'll need to write a SELECT sql statement that pulls the newly inserted data from the database. So, on the initial page, after the insert completes successfully, you'll need to get the insert_id() and either store that in $_SESSION or pass it via the URL string (?id=xxxx). I'd recommend using sessions in this case, personally. Use that to select the row you just inserted, and you can print out the data on account-tr.php.

 

Also, you're connecting to and selecting the same database twice - once in config.php, once in your processing script.


Thanks for your response.. but I am still finding it hard to compute it all together.

I do have a login system which is logging in successfully.

After a successful login, the user submits a form value to another table called "info" in the database, which is submitting successfully.

All I want is that the new form value submitted to table "info" in the database should print on the next page, "account-tr.php".

 

here is my html table

 

 

<form action="sub.php" method="post" enctype="multipart/form-data" name="form1">
  <p>price
    <label for="price"></label>
    <input type="text" name="price" id="price">
  </p>
  <p>size
    <input type="text" name="size" id="size">
  </p>
  <p>location
    <input type="text" name="location" id="location">
  </p>
  <p>type
    <input name="type" type="text" id="type">
    <input type="submit" name="button" id="button" value="Submit">
    <label for="user_id"></label>
    <input name="user_id" type="hidden" id="user_id" value="<?php echo "" . $_SESSION['id'] . ""; ?>">
  </p>
</form>

 

this is my insert.php code

 

<?php 
include ("config.php");
$user_id=mysql_real_escape_string($_SESSION['user_id']);
$price=mysql_real_escape_string($_SESSION['price']);
$size=mysql_real_escape_string($_SESSION['pair']);
$location=mysql_real_escape_string($_SESSION['bid']);
$type=mysql_real_escape_string($_SESSION['amt']);
 
 
$sql="INSERT INTO $tbl_names(user_id,price,size,location,type)
VALUES('$_POST[user_id]','$_POST[price]','$_POST','$_POST[location]','$_POST[type]')";
$result=mysql_query($sql);
header ("location:account-tr.php");
?>
 
 
this is my select statement
 
$sql=mysql_query("SELECT * FROM $tbl_names WHERE user_id='" . $_SESSION[ "user_id" ] . "' ORDER BY user_id ASC LIMIT 0, 1");
$result=mysql_query($sql);
$row=mysql_fetch_assoc($result); ?>

 

 

config.php

 

<?php
$host="localhost"; // Host name 
$username="*****"; // Mysql username 
$password="*****"; // Mysql password 
$db_name="****"; // Database name  
$tbl_name="info"; // Table name


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 
?>

 

include ("config.php");
$user_id=mysql_real_escape_string($_SESSION['user_id']);
$price=mysql_real_escape_string($_SESSION['price']);
$size=mysql_real_escape_string($_SESSION['pair']);
$location=mysql_real_escape_string($_SESSION['bid']);
$type=mysql_real_escape_string($_SESSION['amt']);
 
 
$sql="INSERT INTO $tbl_names(user_id,price,size,location,type)
VALUES('$_POST[user_id]','$_POST[price]','$_POST','$_POST[location]','$_POST[type]')";
$result=mysql_query($sql);
header ("location:account-tr.php");

Variables are assigned from right to left in PHP. So you shouldn't be putting $_POST['user_id'] in your SQL but $user_id. Use parameterized queries ideally, although they are a bit harder to debug.

 

For debugging, try:

$query = "SELECT * FROM table";
// Run query; mysqli_query() returns false on failure
$result = mysqli_query($mysqli, $query);
if (!$result) {
    echo mysqli_error($mysqli);
}

OK - there are still some major issues in the code. First off, your config file defines $tbl_name, and your queries use $tbl_names for inserting and selecting (which alone should be stopping everything from working), you've still got the same enormous security holes in the scripts posted, there's no error checking of any sort in place, and relying on using LIMIT in your SELECT query to find the exact record your user inserted is a logical flaw that happens to look like it's working correctly.

 

First off, you really need to use either MySQLi or PDO and prepared statements. Then, you need to check to make sure the insert successfully happened before you redirect the user. Once you determine the insert happened correctly, get the insert_id for the record you just inserted. You can then put that id in session or append it to the redirect URL.

 

Once the user has been redirected to the target page, instead of selecting the top 1 row attributed to the currently logged in user, use the insert_id you got from the actual row inserted and either stored in session or appended to the URL string, and use that in your WHERE clause (preferably in addition to the $_SESSION stored user_id) in your MySQLi or PDO prepared SELECT statement. Once you've made sure the SELECT statement completed successfully, you can use the data in the results array (or object) to display the data either directly to the target page HTML, or in a form on the target page.

