redarrow Posted March 1, 2017 Share Posted March 1, 2017 (edited) i keep getting database error please help... ! ) Deprecated: mysql_real_escape_string(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\wamp\www\seotoolsgroupbuys\done\admin_add_user.php on line 28 i have tried pdo and mysql and mysqli please help....... <?php $dbhost = "localhost"; $dbname = " "; $dbusername = "root"; $dbpassword = "liononabridge"; $link = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbusername,$dbpassword); $link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); try { $statement = $link->prepare ("INSERT INTO user_add (`id`, `user_id`, `user_paypal_email`, `user_skype_name`, `user_package_type`, `user_date_added`) ) VALUES(NULL, NULL, 'john@paypal.com', 'nicky@skpe.com', 'Keyword Tool', '22112017')"); $statement->execute(array("Bob","Desaunois",18)); } catch(PDOException $e) { echo $e->getMessage(); } ?> here what i got and still error <?php //Turn the erros off , so when file deleted no php and mysql error..... //error_reporting(0); //@ini_set('display_errors', 0); $servername = "localhost"; $username = "root"; $password = "liononabridge"; $conn = mysqli_connect($servername, $username, $password); if (!$conn) { die("Connection failed: " . mysqli_connect_error()); } if(isset($_POST['submit'])){ // add a date $user_date_added=date('m.d.y'); //post all the varables to the database. $user_paypal_email=mysql_real_escape_string($_POST['user_paypal_email']); $user_skype_name=mysql_real_escape_string($_POST['user_skype_name']); $user_package_type=mysql_real_escape_string($_POST['user_package_type']); mysqli_select_db($conn, "seotoolsgorpbuys_tool"); mysqli_query($conn, "INSERT INTO add_user (`id` , `user_id `, `user_paypal_email` , `user_skype_name` , `user_package_type` , `user_date_added` ) VALUES( NULL , NULL , '$user_paypal_email' , '$user_skype_name' , '$user_package_type' , '$user_date_added' )"); echo "New record created successfully"; exit; } ?> SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') VALUES(NULL, NULL, 'john@paypal.com', 'nicky@skpe.com', 'Keyword Tool', ' at line 1 Edited March 1, 2017 by php-real-degree Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/ Share on other sites More sharing options...
benanamen Posted March 1, 2017 Share Posted March 1, 2017 (edited) You are mixing mysql, mysqli and PDO. You need to use all PDO. The mysql_* functions have been completely removed from Php. Also, remove the id from your query, Edited March 1, 2017 by benanamen Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543525 Share on other sites More sharing options...
redarrow Posted March 1, 2017 Author Share Posted March 1, 2017 (edited) i don't understand please give me a full example cheers. the top example is fully pdo? are you telling me ever think i no on mysql is gone not here no more at all??????? Edited March 1, 2017 by php-real-degree Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543526 Share on other sites More sharing options...
benanamen Posted March 1, 2017 Share Posted March 1, 2017 (edited) The top is PDO. The bottom is mixed mysql and mysqli. The mysql functions were deprecated over 11 years ago and completely removed in php 7. Do not use Mysql_* no matter what version Php you have. You should be running no less than Php 5.6 at this point. Never ever put variables in your query. You need to use prepared statements. Study this PDO tutorial https://phpdelusions.net/pdo Edited March 1, 2017 by benanamen Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543527 Share on other sites More sharing options...
redarrow Posted March 1, 2017 Author Share Posted March 1, 2017 (edited) That dont help me at all, i am like a spastic i am trying to post from a form, if i can not add variables ,i might as well throw my pc throw the wall, and burn it in the middle of the road ,then go and find who made pdo and just kill them with a hammer............ Edited March 1, 2017 by php-real-degree Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543528 Share on other sites More sharing options...
redarrow Posted March 1, 2017 Author Share Posted March 1, 2017 (edited) <?php session_start(); error_reporting(0); @ini_set('display_errors', 0); if(!$_SESSION['username']=="admin"){ header("location: member_login.php"); exit; } $dbhost = "localhost"; $dbname = " "; $dbusername = "root"; $dbpassword = ""; if(isset($_POST['submit'])){ $user_date_added=date('m.d.y'); function randomGen($min, $max, $quantity) { $numbers = range($min, $max); shuffle($numbers); return array_slice($numbers, 0, $quantity); } $num=(randomGen(0,6,6)); $user_id=implode($num); $user_paypal_email=$_POST['user_paypal_email']; $user_skype_name=$_POST['user_skype_name']; $user_package_type=$_POST['user_package_type']; if( ($user_date_added) && ($user_id) && ($user_paypal_email) && ($user_skype_name) && ($user_package_type) ){ $conn = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbusername, $dbpassword); $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $sql = "INSERT INTO user_add (`user_id`, `user_paypal_email` , `user_skype_name` , `user_package_type` , `user_date_added` ) VALUES('$user_id', '$user_paypal_email' , '$user_skype_name' , '$user_package_type' , '$user_date_added' )"; // use exec() because no results are returned $conn->exec($sql); echo "Please add another <a href='admin_add_user.php'>HERE</a>"; exit; $conn = null; }else{ echo "Please try agin <a href='admin_add_user.php'>HERE</a>"; exit; } } ?> SOLVED solved it my self........ Edited March 1, 2017 by php-real-degree Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543529 Share on other sites More sharing options...
redarrow Posted March 1, 2017 Author Share Posted March 1, 2017 (edited) If your comming from the old mysql or the old mysqli i suggest a really good tutorail I was having really bad problams understanding All night , the totrial given to me above was to hard to understand , I come across a really good example Know i want throw my computer in the road . http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers#Fetch_Modes The above link is really easy to undestand as it exsplaines from mysql to pdo and it differences Which really helps . Please read it you wont regreat it. http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers#Fetch_Modes My code i posted as solved is not solved in a perfect way , as pdo has a way to stop hackers getting in or changeing info using a ? Place holder so as i learn i will rebuild my code properly and not cry like a child.... Edited March 1, 2017 by php-real-degree Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543531 Share on other sites More sharing options...
Jacques1 Posted March 1, 2017 Share Posted March 1, 2017 Congratulations, you now have three SQL injection vulnerabilities in one statement and a particularly juicy CSRF vulnerability on top. This can be used to steal any data (passwords/hashes, personal e-mail addresses, ...) and take over any account. That weird ID generator also means there's a 50% collision chance after just 84 entries. Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543532 Share on other sites More sharing options...
redarrow Posted March 1, 2017 Author Share Posted March 1, 2017 (edited) I agree with you but as a one night shit was not bad at all , yes it was a way for me to learn but like i say since i have found a good tutorial i change the code as i go , off course i am not going to use the code online in real life . Can you point out the way your think that a hacker can do wrong ..... Buy the way it was a pdo first go i am just learning pdo , php i am ok on. Dont no how you see only 88 times with my shuffle code .... Congratulations, you now have three SQL injection vulnerabilities in one statement and a particularly juicy CSRF vulnerability on top. This can be used to steal any data (passwords/hashes, personal e-mail addresses, ...) and take over any account. That weird ID generator also means there's a 50% collision chance after just 84 entries. Ps. If you look at the code you got to have the session set as admin before you can even use the page , so i dont no how anyone can set a session as admin if there not going thru the database and getting the session set , if the session not set then the session can not be set in the url ,,,, unless your saying there a way to set a session in a url but how??? Edited March 1, 2017 by php-real-degree Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543534 Share on other sites More sharing options...
Jacques1 Posted March 1, 2017 Share Posted March 1, 2017 (edited) A CSRF attack uses your admin session to make requests. When you're logged in and visit any other site, then that site can send arbitrary requests to your application on your behalf. It's generally a bad idea to just assume that a vulnerability cannot be exploited. An experienced attacker knows a lot more about vulnerabilities than you do and will use methods you never even thought about. So whenever you encounter a problem, fix it. Don't make up excuses. Dont no how you see only 88 times with my shuffle code .... The function generates its IDs by shuffling the 7 digits 0...6. There are theoretically 5040 possible IDs, but collisions will occur much, much earlier due to the birthday paradox. You can actually try it out: <?php function randomGen($min, $max, $quantity) { $numbers = range($min, $max); shuffle($numbers); return array_slice($numbers, 0, $quantity); } $generated_ids = []; for ($i = 0; $i < 200; $i++) { $id = implode(randomGen(0, 6,6)); // check if ID already exists, otherwise store it if (isset($generated_ids[$id])) { echo 'Duplicate ID '.$id.' after '.$i.' attempts'; exit; } else { $generated_ids[$id] = true; } } A much better way to get IDs is to use auto-incremented fields in the database table. If you absolutely need random IDs, you must use a proper random number generator (not array_shuffle) and generate very long strings. For example: <?php function generate_id() { // the random_bytes() function is only available in PHP 7, but there are implementations for PHP 5 as well: https://github.com/paragonie/random_compat return bin2hex(random_bytes(16)); } echo generate_id(); This requests 16 random bytes from the operating system and encodes them as 32 hexadecimal characters, which makes collisions almost impossible. Edited March 1, 2017 by Jacques1 Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543540 Share on other sites More sharing options...
redarrow Posted March 1, 2017 Author Share Posted March 1, 2017 (edited) Thank you i am learning thank you for teaching me , i will print it all out and try and understand it all ... Thanks for your help . Regards john .. Edited March 1, 2017 by php-real-degree Quote Link to comment https://forums.phpfreaks.com/topic/303315-database-not-working/#findComment-1543549 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.