redarrow, posted March 1, 2017 (edited)

I keep getting a database error, please help...

    ( ! ) Deprecated: mysql_real_escape_string(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\wamp\www\seotoolsgroupbuys\done\admin_add_user.php on line 28

I have tried PDO and mysql and mysqli, please help.......

    <?php
    $dbhost     = "localhost";
    $dbname     = " ";
    $dbusername = "root";
    $dbpassword = "liononabridge";

    $link = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbusername, $dbpassword);
    $link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    try {
        // The stray ")" after the column list is what produces the 1064 syntax
        // error quoted below. The array passed to execute() is also unused,
        // because the statement contains no placeholders.
        $statement = $link->prepare("INSERT INTO user_add (`id`, `user_id`, `user_paypal_email`, `user_skype_name`, `user_package_type`, `user_date_added`) ) VALUES(NULL, NULL, 'john@paypal.com', 'nicky@skpe.com', 'Keyword Tool', '22112017')");
        $statement->execute(array("Bob", "Desaunois", 18));
    } catch (PDOException $e) {
        echo $e->getMessage();
    }
    ?>

Here is what I got, and still an error:

    <?php
    // Turn the errors off, so when the file is deleted there are no PHP and MySQL errors.....
    //error_reporting(0);
    //@ini_set('display_errors', 0);

    $servername = "localhost";
    $username   = "root";
    $password   = "liononabridge";

    $conn = mysqli_connect($servername, $username, $password);
    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
    }

    if (isset($_POST['submit'])) {
        // add a date
        $user_date_added = date('m.d.y');

        // post all the variables to the database.
        // These three calls are what trigger the "Deprecated" notice: they belong
        // to the old mysql extension, while $conn is a mysqli connection.
        $user_paypal_email = mysql_real_escape_string($_POST['user_paypal_email']);
        $user_skype_name   = mysql_real_escape_string($_POST['user_skype_name']);
        $user_package_type = mysql_real_escape_string($_POST['user_package_type']);

        mysqli_select_db($conn, "seotoolsgorpbuys_tool");
        mysqli_query($conn, "INSERT INTO add_user (`id`, `user_id`, `user_paypal_email`, `user_skype_name`, `user_package_type`, `user_date_added`) VALUES (NULL, NULL, '$user_paypal_email', '$user_skype_name', '$user_package_type', '$user_date_added')");

        echo "New record created successfully";
        exit;
    }
    ?>

    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') VALUES(NULL, NULL, 'john@paypal.com', 'nicky@skpe.com', 'Keyword Tool', ' at line 1

Edited March 1, 2017 by php-real-degree
benanamen, posted March 1, 2017 (edited)

You are mixing mysql, mysqli and PDO. You need to use all PDO. The mysql_* functions have been completely removed from PHP. Also, remove the id from your query.

Edited March 1, 2017 by benanamen
redarrow (Author), posted March 1, 2017 (edited)

I don't understand, please give me a full example, cheers. Is the top example fully PDO? Are you telling me everything I know on mysql is gone, not here any more at all???????

Edited March 1, 2017 by php-real-degree
benanamen, posted March 1, 2017 (edited)

The top is PDO. The bottom is mixed mysql and mysqli. The mysql functions were deprecated over 11 years ago and completely removed in PHP 7. Do not use mysql_* no matter what version of PHP you have. You should be running no less than PHP 5.6 at this point.

Never ever put variables in your query. You need to use prepared statements. Study this PDO tutorial: https://phpdelusions.net/pdo

Edited March 1, 2017 by benanamen
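What "use prepared statements" looks like for the form handler in this thread, as an added example that is not code from the thread or from either poster. The table and column names are the thread's; the schema, the function names and the SQLite in-memory DSN are this example's own assumptions. SQLite is used only so the file runs without a MySQL server: against the WAMP setup above, the one line that changes is the DSN (for example `new PDO('mysql:host=localhost;dbname=seotoolsgroupbuys;charset=utf8mb4', 'root', $pw, $opts)`), plus `PDO::ATTR_EMULATE_PREPARES => false` in `$opts` so the MySQL server, not the client library, binds the parameters.

```php
<?php
// Added example, not code from the thread: redarrow's INSERT as a PDO prepared
// statement. Schema, DSN and function names are assumptions; see the lead-in.
declare(strict_types=1);

function connect(): PDO
{
    $opts = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO('sqlite::memory:', null, null, $opts);

    // Assumed schema matching the thread's column list. id is generated by the
    // database, so the application never supplies it (benanamen's "remove the id").
    $pdo->exec('CREATE TABLE user_add (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id TEXT NOT NULL,
        user_paypal_email TEXT NOT NULL,
        user_skype_name TEXT NOT NULL,
        user_package_type TEXT NOT NULL,
        user_date_added TEXT NOT NULL
    )');
    return $pdo;
}

/**
 * Insert one row. Every form value travels as a bound parameter, so the
 * database treats it as data; it can never become part of the SQL text.
 * Returns the id assigned by the database.
 */
function addUser(PDO $pdo, string $paypalEmail, string $skypeName, string $packageType): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO user_add (user_id, user_paypal_email, user_skype_name, user_package_type, user_date_added)
         VALUES (:user_id, :paypal, :skype, :package, :added)'
    );
    $stmt->execute([
        ':user_id' => bin2hex(random_bytes(16)),                        // 128 random bits, no practical collisions
        ':paypal'  => $paypalEmail,
        ':skype'   => $skypeName,
        ':package' => $packageType,
        ':added'   => (new DateTimeImmutable())->format('Y-m-d H:i:s'), // sortable, unlike 'm.d.y'
    ]);
    return (int) $pdo->lastInsertId();
}

/** Read one row back by id, again through a bound parameter. */
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM user_add WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Constructed stand-in for $_POST. The package type carries the kind of payload
// that would rewrite the string-concatenated query from the original post.
$post = [
    'submit'            => '1',
    'user_paypal_email' => 'john@paypal.com',
    'user_skype_name'   => 'nicky@skype.com',
    'user_package_type' => "Keyword Tool', 'x'); DROP TABLE user_add; --",
];

if (isset($post['submit'])) {
    // Validate shape before touching the database; escaping is not validation.
    if (filter_var($post['user_paypal_email'], FILTER_VALIDATE_EMAIL) === false) {
        exit("Please try again: invalid e-mail address\n");
    }

    $pdo = connect();
    $id  = addUser($pdo, $post['user_paypal_email'], $post['user_skype_name'], $post['user_package_type']);
    $row = findUser($pdo, $id);

    // The payload comes back as the literal string it was, and the table is intact.
    echo "row {$id}: package type = {$row['user_package_type']}\n";
    $tables = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'")->fetchAll(PDO::FETCH_COLUMN);
    echo 'tables still present: ' . implode(', ', $tables) . "\n";
}
```

Run with `php example.php`: the DROP TABLE text is stored as an ordinary string and `user_add` is still listed afterwards, because a bound parameter is never parsed as SQL. Nothing is escaped by hand; `mysql_real_escape_string` and friends have no role once every value is a parameter.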
redarrow (Author), posted March 1, 2017 (edited)

That doesn't help me at all, I am like a spastic. I am trying to post from a form; if I can not add variables, I might as well throw my PC through the wall and burn it in the middle of the road, then go and find who made PDO and just kill them with a hammer............

Edited March 1, 2017 by php-real-degree
redarrow (Author), posted March 1, 2017 (edited)

    <?php
    session_start();
    error_reporting(0);
    @ini_set('display_errors', 0);

    // Only the admin may use this page. (The original test was written as
    // `if(!$_SESSION['username']=="admin")`, which PHP reads as
    // `(!$_SESSION['username']) == "admin"` and so lets any logged-in user through.)
    if (!isset($_SESSION['username']) || $_SESSION['username'] !== "admin") {
        header("location: member_login.php");
        exit;
    }

    $dbhost     = "localhost";
    $dbname     = " ";
    $dbusername = "root";
    $dbpassword = "";

    if (isset($_POST['submit'])) {
        $user_date_added = date('m.d.y');

        // Build a "random" id from a shuffle of the digits 0..6.
        function randomGen($min, $max, $quantity)
        {
            $numbers = range($min, $max);
            shuffle($numbers);
            return array_slice($numbers, 0, $quantity);
        }

        $num     = randomGen(0, 6, 6);
        $user_id = implode('', $num);

        $user_paypal_email = $_POST['user_paypal_email'];
        $user_skype_name   = $_POST['user_skype_name'];
        $user_package_type = $_POST['user_package_type'];

        if ($user_date_added && $user_id && $user_paypal_email && $user_skype_name && $user_package_type) {
            $conn = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbusername, $dbpassword);
            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

            // The form values are interpolated straight into the SQL string.
            $sql = "INSERT INTO user_add (`user_id`, `user_paypal_email`, `user_skype_name`, `user_package_type`, `user_date_added`)
                    VALUES ('$user_id', '$user_paypal_email', '$user_skype_name', '$user_package_type', '$user_date_added')";

            // use exec() because no results are returned
            $conn->exec($sql);
            $conn = null;

            echo "Please add another <a href='admin_add_user.php'>HERE</a>";
            exit;
        } else {
            echo "Please try again <a href='admin_add_user.php'>HERE</a>";
            exit;
        }
    }
    ?>

SOLVED. Solved it myself........

Edited March 1, 2017 by php-real-degree
redarrow (Author), posted March 1, 2017 (edited)

If you're coming from the old mysql or the old mysqli, I suggest a really good tutorial. I was having really bad problems understanding all night; the tutorial given to me above was too hard to understand. I came across a really good example. Now I won't throw my computer in the road.

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers#Fetch_Modes

The above link is really easy to understand, as it explains going from mysql to PDO and the differences, which really helps. Please read it, you won't regret it.

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers#Fetch_Modes

The code I posted as solved is not solved in a perfect way, as PDO has a way to stop hackers getting in or changing info using a ? placeholder, so as I learn I will rebuild my code properly and not cry like a child....

Edited March 1, 2017 by php-real-degree
Jacques1, posted March 1, 2017

Congratulations, you now have three SQL injection vulnerabilities in one statement and a particularly juicy CSRF vulnerability on top. This can be used to steal any data (passwords/hashes, personal e-mail addresses, ...) and take over any account.

That weird ID generator also means there's a 50% collision chance after just 84 entries.
redarrow (Author), posted March 1, 2017 (edited)

I agree with you, but as a one night shit it was not bad at all. Yes, it was a way for me to learn, but like I say, since I have found a good tutorial I change the code as I go; of course I am not going to use the code online in real life.

Can you point out the way you think that a hacker can do wrong.....

By the way, it was a PDO first go, I am just learning PDO; PHP I am OK on.

Don't know how you see only 88 times with my shuffle code....

    Quote (Jacques1): Congratulations, you now have three SQL injection vulnerabilities in one statement and a particularly juicy CSRF vulnerability on top. This can be used to steal any data (passwords/hashes, personal e-mail addresses, ...) and take over any account. That weird ID generator also means there's a 50% collision chance after just 84 entries.

PS. If you look at the code, you have got to have the session set as admin before you can even use the page, so I don't know how anyone can set a session as admin if they're not going through the database and getting the session set. If the session is not set then the session can not be set in the URL,,,, unless you're saying there's a way to set a session in a URL, but how???

Edited March 1, 2017 by php-real-degree
Jacques1, posted March 1, 2017 (edited)

A CSRF attack uses your admin session to make requests. When you're logged in and visit any other site, then that site can send arbitrary requests to your application on your behalf.

It's generally a bad idea to just assume that a vulnerability cannot be exploited. An experienced attacker knows a lot more about vulnerabilities than you do and will use methods you never even thought about. So whenever you encounter a problem, fix it. Don't make up excuses.

    Quote (redarrow): Don't know how you see only 88 times with my shuffle code....

The function generates its IDs by shuffling the 7 digits 0...6. There are theoretically 5040 possible IDs, but collisions will occur much, much earlier due to the birthday paradox. You can actually try it out:

    <?php
    function randomGen($min, $max, $quantity)
    {
        $numbers = range($min, $max);
        shuffle($numbers);
        return array_slice($numbers, 0, $quantity);
    }

    $generated_ids = [];
    for ($i = 0; $i < 200; $i++) {
        $id = implode('', randomGen(0, 6, 6));

        // check if ID already exists, otherwise store it
        if (isset($generated_ids[$id])) {
            echo 'Duplicate ID ' . $id . ' after ' . $i . ' attempts';
            exit;
        } else {
            $generated_ids[$id] = true;
        }
    }

A much better way to get IDs is to use auto-incremented fields in the database table. If you absolutely need random IDs, you must use a proper random number generator (not array_shuffle) and generate very long strings. For example:

    <?php
    function generate_id()
    {
        // the random_bytes() function is only available in PHP 7, but there are
        // implementations for PHP 5 as well: https://github.com/paragonie/random_compat
        return bin2hex(random_bytes(16));
    }

    echo generate_id();

This requests 16 random bytes from the operating system and encodes them as 32 hexadecimal characters, which makes collisions almost impossible.

Edited March 1, 2017 by Jacques1
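The CSRF attack Jacques1 describes works because the browser attaches the admin's session cookie to a request no matter which site's page triggered it. The standard fix is a synchroniser token: a random secret stored in the session and echoed in every state-changing form, which a page on another origin cannot read. Below is an added example that is not code from the thread or from either poster; the function names, the `csrf_token` field name and the constructed session and request arrays are this example's own, standing in for `$_SESSION` and `$_POST` so the check can be exercised from the command line.

```php
<?php
// Added example, not code from the thread: a synchroniser token for the
// admin_add_user.php form. Names and the constructed arrays are assumptions.
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

/** Issue (or reuse) one token per session: 32 bytes from the OS CSPRNG. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/** Hidden input to embed in every form that changes state. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept a POST only if it carries the session's token. hash_equals() compares
 * in constant time, so response timing does not leak the token byte by byte.
 */
function csrfValid(array $session, array $post): bool
{
    return isset($session[CSRF_FIELD], $post[CSRF_FIELD])
        && is_string($post[CSRF_FIELD])
        && hash_equals($session[CSRF_FIELD], $post[CSRF_FIELD]);
}

// Constructed session standing in for $_SESSION after the admin logs in.
$session = ['username' => 'admin'];
echo csrfField($session), "\n";   // rendered inside the admin's form

// 1. The admin submits the form rendered above: the token matches.
$legit = ['submit' => '1', 'user_paypal_email' => 'john@paypal.com', CSRF_FIELD => $session[CSRF_FIELD]];

// 2. A page on another site auto-submits a form to admin_add_user.php. The
//    browser sends the admin's cookie, but the attacker never saw the token.
$forged = ['submit' => '1', 'user_paypal_email' => 'attacker@example.com'];

// 3. A guessed token of the right length still fails.
$guessed = $forged + [CSRF_FIELD => str_repeat('0', 64)];

foreach (['legit' => $legit, 'forged' => $forged, 'guessed' => $guessed] as $name => $request) {
    // In the real handler the rejected branch is: http_response_code(403); exit;
    printf("%-8s %s\n", $name, csrfValid($session, $request) ? 'accepted: run the INSERT' : 'rejected with 403');
}
```

Only the first request is accepted. In the real page, `csrfField($_SESSION)` goes inside the form and `csrfValid($_SESSION, $_POST)` guards the INSERT; the token check belongs in addition to, not instead of, the admin session check and the prepared statement.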
redarrow (Author), posted March 1, 2017 (edited)

Thank you, I am learning, thank you for teaching me. I will print it all out and try and understand it all... Thanks for your help.

Regards, John..

Edited March 1, 2017 by php-real-degree