VictorObah Posted September 3, 2014 (edited)

I created an insert PHP code which successfully submits to the database, but I was lost at some point because what I really wanted was a PHP code that will print on the next page after submission to the DB.

```php
<?php
include ("config.php");

//Connect to server and select database.
mysql_connect ("$host", "$username", "$password") or die("cannot connect to server");
mysql_select_db("$db_name") or die("cannot select DB");

$ p= $_POST['firstname'];
$ b= $_POST['lastname'];
$ a= $_POST['location'];
$ user= $_POST['username'];
$ d= $_POST['dt'];
$ am=$_POST['state'];
$ p=$_POST['password'];
$ f=$_POST['sex'];

$sql="INSERT INTO $tbl_name(firstname,lastname,location,username,dt,state,password,sex) VALUES('$_POST[firstname]','$_POST[lastname]','$_POST[location]','$_POST[username]','$_POST[dt]','$_POST[state]','$_POST[password]','$_POST[sex]')";
$result=mysql_query($sql);

header ("location:account-tr.php");
?>
```

config.php

```php
<?php
$host="localhost"; // Host name
$username="*****"; // Mysql username
$password="*****"; // Mysql password
$db_name="****"; // Database name
$tbl_name="registration"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
?>
```

Edited September 4, 2014 by Ch0cu3r: Formatted post and removed credentials

maxxd Posted September 4, 2014

Couple things right off the bat: first, if those are your actual database credentials, remove them from the post. Second, please use the code tags (the < > button on the post editor) when you post code - it makes it much easier to read. Third, the mysql_* functions have been deprecated for about a decade now and will be flat-out removed at some point in the near-ish future - use PDO (preferably) or mysqli_* instead. They both are still supported and let you use prepared statements, which will circumvent the massive security holes you've got in your current script. Google 'SQL Injection attacks' for more information.

I'm assuming the spaces between the dollar sign and the variable name are a typo, as I don't think PHP will properly parse that, although it may not be noticeable if you're developing with errors turned off as you're assigning all the $_POST values to local variables and then ignoring those variables completely.

Now, on to the meat of the question. If you've got the data saving (dangerously) to your database, you're halfway there, technically. On the account-tr.php page, you'll need to write a SELECT SQL statement that pulls the newly inserted data from the database. So, on the initial page, after the insert completes successfully, you'll need to get the insert_id() and either store that in $_SESSION or pass it via the URL string (?id=xxxx). I'd recommend using sessions in this case, personally. Use that to select the row you just inserted, and you can print out the data on account-tr.php.

Also, you're connecting to and selecting the same database twice - once in config.php, once in your processing script.

VictorObah Posted September 6, 2014 (Author)

Thanks for your response, but I am still finding it hard to compute all together. I do have a login system which is logging in successfully. After a successful login, the user submits a form value to another table called "info" in the database, which is submitting successfully. All I want is that the new form value submitted to table "info" in the database should print on the next page, "account-tr.php".

Here is my HTML table:

```html
<form action="sub.php" method="post" enctype="multipart/form-data" name="form1">
  <p>price
    <label for="price"></label>
    <input type="text" name="price" id="price">
  </p>
  <p>size
    <input type="text" name="size" id="size">
  </p>
  <p>location
    <input type="text" name="location" id="location">
  </p>
  <p>type
    <input name="type" type="text" id="type">
    <input type="submit" name="button" id="button" value="Submit">
    <label for="user_id"></label>
    <input name="user_id" type="hidden" id="user_id" value="<?php echo "" . $_SESSION['id'] . ""; ?>">
  </p>
</form>
```

This is my insert.php code:

```php
<?php
include ("config.php");

$user_id=mysql_real_escape_string($_SESSION['user_id']);
$price=mysql_real_escape_string($_SESSION['price']);
$size=mysql_real_escape_string($_SESSION['pair']);
$location=mysql_real_escape_string($_SESSION['bid']);
$type=mysql_real_escape_string($_SESSION['amt']);

$sql="INSERT INTO $tbl_names(user_id,price,size,location,type) VALUES('$_POST[user_id]','$_POST[price]','$_POST','$_POST[location]','$_POST[type]')";
$result=mysql_query($sql);

header ("location:account-tr.php");
?>
```

This is my select statement:

```php
$sql=mysql_query("SELECT * FROM $tbl_names WHERE user_id='" . $_SESSION[ "user_id" ] . "' ORDER BY user_id ASC LIMIT 0, 1");
$result=mysql_query($sql);
$row=mysql_fetch_assoc($result);
?>
```

config.php

```php
<?php
$host="localhost"; // Host name
$username="*****"; // Mysql username
$password="*****"; // Mysql password
$db_name="****"; // Database name
$tbl_name="info"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
?>
```

anderson_catchme Posted September 6, 2014

```php
include ("config.php");

$user_id=mysql_real_escape_string($_SESSION['user_id']);
$price=mysql_real_escape_string($_SESSION['price']);
$size=mysql_real_escape_string($_SESSION['pair']);
$location=mysql_real_escape_string($_SESSION['bid']);
$type=mysql_real_escape_string($_SESSION['amt']);

$sql="INSERT INTO $tbl_names(user_id,price,size,location,type) VALUES('$_POST[user_id]','$_POST[price]','$_POST','$_POST[location]','$_POST[type]')";
$result=mysql_query($sql);

header ("location:account-tr.php");
```

Variables are assigned from right to left in PHP. So you shouldn't be putting $_POST['user_id'] in your SQL but $user_id. Use parameterized queries ideally, although they are a bit harder to debug. For debugging, try:

```php
$query = "SELECT * FROM table";
// Run query ($mysqli is an open mysqli connection)
$result = mysqli_query($mysqli, $query);
if (!$result) {
    // Print the error reported by the server for the failed query
    echo mysqli_error($mysqli);
}
```

jcbones Posted September 7, 2014

Sanitation and validation are VERY important parts of database/web interface procedure. Using PDO or MySQLi would go a long way in these procedures. Keeping your sites free of intruders.

maxxd Posted September 9, 2014

OK - there are still some major issues in the code. First off, your config file defines $tbl_name, and your queries use $tbl_names for inserting and selecting (which alone should be stopping everything from working), you've still got the same enormous security holes in the scripts posted, there's no error checking of any sort in place, and relying on using LIMIT in your SELECT query to find the exact record your user inserted is a logical flaw that happens to look like it's working correctly.

First off, you really need to use either MySQLi or PDO and prepared statements. Then, you need to check to make sure the insert successfully happened before you redirect the user. Once you determine the insert happened correctly, get the insert_id for the record you just inserted. You can then put that id in session or append it to the redirect URL.

Once the user has been redirected to the target page, instead of selecting the top 1 row attributed to the currently logged in user, use the insert_id you got from the actual row inserted and either stored in session or appended to the URL string, and use that in your WHERE clause (preferably in addition to the $_SESSION stored user_id) in your MySQLi or PDO prepared SELECT statement. Once you've made sure the SELECT statement completed successfully, you can use the data in the results array (or object) to display the data either directly to the target page HTML, or in a form on the target page.
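
The flow outlined in the reply above (prepared INSERT, check it succeeded, keep the insert id in the session, SELECT by that id plus the session user id), as an added example that is not code from the thread or from any poster. The `id` primary key, the function names `insertInfo` and `fetchInfo`, the `last_info_id` session key and the sample values are assumptions; an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not code from the thread. The `id` column, the function names
// and the sample values are assumptions; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE info (id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER, price TEXT, size TEXT, location TEXT, type TEXT)');

// sub.php side: insert with bound parameters and return the new row's id.
function insertInfo(PDO $pdo, int $userId, array $post): int
{
    $stmt = $pdo->prepare('INSERT INTO info (user_id, price, size, location, type)
                           VALUES (:user_id, :price, :size, :location, :type)');
    $stmt->execute([
        ':user_id'  => $userId, // from the session, not the hidden form field
        ':price'    => $post['price'] ?? '',
        ':size'     => $post['size'] ?? '',
        ':location' => $post['location'] ?? '',
        ':type'     => $post['type'] ?? '',
    ]);
    return (int) $pdo->lastInsertId();
}

// account-tr.php side: fetch exactly that row, and only for its owner.
function fetchInfo(PDO $pdo, int $id, int $userId): ?array
{
    $stmt = $pdo->prepare('SELECT price, size, location, type FROM info
                           WHERE id = :id AND user_id = :user_id');
    $stmt->execute([':id' => $id, ':user_id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-ins for $_SESSION and $_POST.
$session = ['user_id' => 7];
$post = ['price' => '100', 'size' => "6' x 4'", 'location' => '<b>Lagos</b>', 'type' => 'flat'];
try {
    $session['last_info_id'] = insertInfo($pdo, $session['user_id'], $post);
    // sub.php would send header('Location: account-tr.php') here, then exit.
} catch (PDOException $e) {
    exit('Insert failed'); // no redirect when the insert did not happen
}

$row = fetchInfo($pdo, $session['last_info_id'], $session['user_id']);
foreach ($row ?? [] as $column => $value) {
    echo $column, ': ', htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
var_dump(fetchInfo($pdo, $session['last_info_id'], 8)); // a different user gets no row
```

The quote characters in the sample `size` value are stored as data because the values are bound rather than interpolated, and `htmlspecialchars` keeps the stored markup in `location` from being rendered when the row is printed.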