Issue with inserting data into database


18 replies to this topic

#1 phreak3r

phreak3r
  • Members
  • Advanced Member
  • 64 posts

Posted 12 January 2018 - 05:07 AM

Hi there, I am phreak3r, just registered. I happened to stumble across a forum post dealing with PHP which led me to this site. I have tried other avenues of assistance to no avail. I am hoping you all could help me here. The connection to the web server and MySQL server seems to be up and running, same with the database. However, the data doesn't appear to be inserted into the database (well, the specified tables). I have attached the main files involved below. Thank you for your assistance!

 

P.S. Excuse the terrible code and whatnot, I am new to PHP and this is all just a test, official security 'stuff' will be added later. I am just trying to get past a small hurdle. If you need any more information/files feel free to reach out to me.

 

EDIT: Running LAMP stack on Xubuntu machine, phpMyAdmin is being utilized as well.

 

 

Attached File  confirmation.php   832bytes   2 downloads

Attached File  signup.php   622bytes   2 downloads

Attached File  dbcon.php   461bytes   2 downloads


Edited by phreak3r, 12 January 2018 - 05:08 AM.


#2 requinix

requinix
  • Administrators
  • Impoverished Administrator
  • 9,873 posts
  • LocationWA

Posted 12 January 2018 - 05:35 AM

Attachments are rather annoying for us to work with. How about posting the parts of the code that have to deal with inserting (ie, the parts that aren't working)?
"Basically, I think the general rule of thumb is: if someone really wants the blood that's inside of your body, and they're like a vampire, or a dracula, or some sort of man-squito, then that's probably okay. A dracula and a man-squito are made for removing things like blood and swords from inside your body. That's basically fine. If something wants to get at your blood and they're, say, some kind of murdersaurus, or maybe a really big frog, that's where the problems start to arise. A really big frog is not made for removing blood, and your blood knows this, which is why it is so vehement about wanting to stay in your body instead of coming out. Unfortunately this will not deter a really big frog because a really big frog is full of things like prizes, and value, and quite a lot of hatred, and it would really rather like to replace any and all of those things with your blood, and basically by any means possible." --slumbermancer

#3 phreak3r


Posted 12 January 2018 - 05:40 AM

> Attachments are rather annoying for us to work with. How about posting the parts of the code that have to deal with inserting (ie, the parts that aren't working)?

How are attachments annoying for you to work with? Here you go!

<?php
include('header.php');
require('dbcon/dbcon.php');

if (isset($_POST['submitted'])) {
    $username = $_POST['username'];
    $password = $_POST['password']; // hash this thing later on...
    $email = $_POST['email_address'];

    $sqlinsert = "INSERT INTO profile0 ('username', 'password', 'email_address') VALUES ('$username', '$password', '$email')";
    mysqli_query($sqlinsert);

}
?>



#4 gizmola

gizmola
  • Administrators
  • Advanced Member
  • 4,722 posts
  • LocationLos Angeles, CA USA

Posted 12 January 2018 - 06:08 AM

Here's a "Pro" tip for you. There is no need for, and many possible issues with closing out your php scripts with the closing tag
 
?>
I would suggest you delete those from your files.

We don't know what the problem is without some information from you. The obvious problem I see is that you do not check for errors after your insert, and you are using the procedural mysqli_* functions incorrectly because you are not passing a mysqli link parameter.


Beyond that the SQL does not look incorrect, but any issue with either the database connection or the names of columns, constraints etc. could cause your query to fail.

Since you don't check here, I expect you also don't check to see if your connection works. Take a look at the mysqli::query page: http://php.net/manua...ysqli.query.php

For example:
 
if (TRUE === mysqli_query($conn, $sqlinsert)) {
    echo "Inserted.";

} else {
    echo "Error: " . mysqli_error($conn);
}


#5 phreak3r


Posted 12 January 2018 - 06:23 AM

> Here's a "Pro" tip for you. There is no need for, and many possible issues with closing out your php scripts with the closing tag
>
> ?>
>
> I would suggest you delete those from your files.
>
> We don't know what the problem is without some information from you. The obvious problem I see is that you do not check for errors after your insert, and you are using the procedural mysqli_* functions incorrectly because you are not passing a link parameter.
>
> Beyond that the SQL does not look incorrect, but any issue with either the database connection or the names of columns, constraints etc. could cause your query to fail.
>
> Since you don't check here, I expect you also don't check to see if your connection works. Take a look at the mysqli::query page: http://php.net/manua...ysqli.query.php
>
> For example:
>
> if (TRUE === mysqli_query($conn, $sqlinsert)) {
>     echo "Inserted.";
> } else {
>     echo "Error: " . mysqli_error($conn);
> }

 

I check the connection in another file/some code that is not presented. Here's the code for the connection to the database:

<?php
$servername   = "localhost";
$database = "soapbox";
$username = "root";
$password = "1234";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
mysqli_select_db($conn, $database);
/*if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
} else {
    echo "Connection successful!";
}

if (!mysqli_select_db($conn, $database)) {
    echo " Database not selected!";
} else {
    echo " Database selected!";
}*/
?>

I am not sure what else it could be really. What do you mean by this? "We don't know what the problem is without some information from you. The obvious problem I see is that you do not check for errors after your insert, and you are using the procedural mysqli_* functions incorrectly because you are not passing a link parameter."



#6 gizmola


Posted 12 January 2018 - 03:56 PM

Did you look at the code I provided and check what is different from your code?

Look at the manual page I linked. Note that the 1st parameter needs to be the mysqli connection handle aka 'link'.

I fixed the problem for you in the code I provided.

#7 phreak3r


Posted 12 January 2018 - 04:13 PM

> Did you look at the code I provided and check what is different from your code?
>
> Look at the manual page I linked. Note that the 1st parameter needs to be the mysqli connection handle aka 'link'.
>
> I fixed the problem for you in the code I provided.

 

Yes I did check what was different. I added the first parameter. Still nothing... And remove the closing tags? Why?



#8 gizmola


Posted 12 January 2018 - 04:41 PM

Closing tags can inject whitespace accidentally that causes output breaking sessions and other things. Without the end tags, PHP cleans up those problems for you.

In your dbconn.php remove the comments around the error checking. Are you actually getting a connection or an error?

#9 phreak3r


Posted 12 January 2018 - 04:51 PM

> Closing tags can inject whitespace accidentally that causes output breaking sessions and other things. Without the end tags, PHP cleans up those problems for you.
>
> In your dbconn.php remove the comments around the error checking. Are you actually getting a connection or an error?

 

Well wouldn't that mess up the visual look of the page, say if you've got php at the top, html in the middle, and php at the bottom? I tried it and it did not work for me.

I am indeed getting a connection, no errors are being thrown. Everything goes through, but there's no data being inserted into the database, it is very weird.



#10 gizmola


Posted 12 January 2018 - 05:02 PM

No it doesn't mess up the look of anything to not have end tags. It is not relevant to the problems you are having, but it's a best practice with professional PHP.

It's part of PSR-2 which you can look at here: http://www.php-fig.org/psr/psr-2/

If you follow those standards and recommendations your code will also be easy to read.

At any rate, did you also provide the code I offered up around the insert? This can help you debug if there is a SQL issue with the Insert itself.

Feel free to post snippets of the current insert code you have. Also, are you using something like firebug to ensure that the form is submitting where you think it is, and you are getting a valid HTTP response?

#11 phreak3r


Posted 12 January 2018 - 06:32 PM

"No it doesn't mess up the look of anything to not have end tags. It is not relevant to the problems you are having, but it's a best practice with professional PHP."

 

"The closing ?> tag MUST be omitted from files containing only PHP." - From PSR-2 Coding Style Guide - PHP-FIG under Files 2.2

 

The confirmation.php script is not PHP only. As for some of the others, they would benefit from removing the PHP end tag.

 

CONFIRMATION.PHP

<?php
include('header.php');
require('dbcon/dbcon.php');

if (isset($_POST['submitted'])) {
    $username = $_POST['username'];
    $password = $_POST['password']; // hash this thing later on...
    $email = $_POST['email_address'];

    $sqlinsert = "INSERT INTO profile0 ('username', 'password', 'email_address') VALUES ('$username', '$password', '$email')";
    mysqli_query($conn, $sqlinsert);

    if (TRUE === mysqli_query($conn, $sqlinsert)) {
        echo "Inserted.";

    } else {
        echo "Error: " . mysqli_error($conn);
    }
}
?>

<!DOCTYPE html>
    <html>
        <head>
            <title>soapbox - confirmation</title>
        </head>

        <body>
            <br>
            <?php echo "The data provided has been sent to the server and is being inserted into the database.
                        In order to complete the process $username, we need you to confirm your account.
                        We have sent you an email at $email, the provided email upon signing up for an account.
                        Thank you and cheers! - dbk"
            ?>
        </body>
    </html>

SIGNUP.PHP

<?php include('header.php'); ?>

<!DOCTYPE html>
<html>
    <head>
        <title>soapbox - sign up</title>
    </head>

    <body>
        <form action="confirmation.php" method="POST">
            <br> Username: <br>
            <input type="text" name="username" maxlength="26" placeholder="Username">

            <br> Password: <br>
            <input type="password" name="password" maxlength="26" placeholder="Password">

            <br> Email Address: <br>
            <input type="email" name="email_address" placeholder="Email Address">

            <br>
            <input type="submit" value="Submit">
        </form>
    </body>

<!--Include footer later on -->
</html>

DBCON.PHP

<?php
$servername   = "localhost";
$database = "soapbox";
$username = "root";
$password = "1234";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
mysqli_select_db($conn, $database);
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
} else {
    echo "Connection successful!";
}

if (!mysqli_select_db($conn, $database)) {
    echo " Database not selected!";
} else {
    echo " Database selected!";
}
?>

"Also, are you using something like firebug to insure that the form is submitting where you think it is, and you are getting a valid HTTP response?"

 

Nope, I am using plain old vim. I believe I am indeed getting a valid HTTP response. The server is up and running, no problems of that sort.



#12 benanamen

benanamen
  • Members
  • Master Coder
  • 1,564 posts

Posted 12 January 2018 - 07:06 PM

The problem is your code is looking for POST submitted in order to work and it doesn't exist. You are improperly hoping the name of a button will be submitted in order for your script to work. You need to be checking the REQUEST METHOD instead.

 

Do not create variables for nothing.

 

NEVER EVER put variables in your query. You need to use Prepared Statements.

 

Do not output internal system errors to the user.

 

I recommend you use PDO.

https://phpdelusions.net/pdo


Edited by benanamen, 12 January 2018 - 07:09 PM.

To save time, let's just assume I am never wrong.

The XY Problem
The XY problem is asking about your attempted solution (X) rather than your actual problem (Y). This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.


Make A Donation https://www.paypal.me/KevinRubio

 

"This text has been encoded with ROT26. If you can read this you must have found a backdoor. Congratulations!"


#13 phreak3r


Posted 12 January 2018 - 07:10 PM

> The problem is your code is looking for POST submitted in order to work and it doesn't exist. You are improperly hoping the name of a button will be submitted in order for your script to work. You need to be checking the REQUEST METHOD instead.
>
> Do not create variables for nothing.
>
> NEVER EVER put variables in your query. You need to use Prepared Statements.

 

@benanamen Ah, I thought it would be a simple problem. I feel stupid, but thank you. I will use the request method. However, if you use POST with an input instead of a button it will give you problems from what I understand, yeah? I hope that made sense. I rush and post without giving myself time to properly organize my thoughts.



#14 benanamen


Posted 12 January 2018 - 07:23 PM

I didn't say don't use a button. I said don't check for it for the script to work.

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
//Process form
}



#15 phreak3r


Posted 12 January 2018 - 09:26 PM

 

> I didn't say don't use a button. I said don't check for it for the script to work.
>
> if ($_SERVER['REQUEST_METHOD'] == 'POST')
> {
> //Process form
> }

 

Like this?

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = $_POST['username'];
    $password = $_POST['password']; // hash this thing later on...
    $email = $_POST['email_address'];

    $sqlinsert = "INSERT INTO profile0 ('username', 'password', 'email_address') VALUES ('$username', '$password', '$email')";
    mysqli_query($conn, $sqlinsert);
}


#16 benanamen


Posted 13 January 2018 - 12:00 AM

Yes. Now just stop creating variables for nothing. You already have the POST variables, just use them. Next, you need to get the variables out of the query and use Prepared Statements.




#17 phreak3r


Posted 13 January 2018 - 12:19 AM

> Yes. Now just stop creating variables for nothing. You already have the POST variables, just use them. Next, you need to get the variables out of the query and use Prepared Statements.

 

Creating variables for nothing? I thought they served a purpose, keep me from re-typing. This is very frustrating, nothing is being inserted into the database.


Edited by phreak3r, 13 January 2018 - 12:20 AM.


#18 benanamen


Posted 13 January 2018 - 12:27 AM

I suggest you spend your efforts on learning PDO. This tutorial will get you going.

https://phpdelusions.net/pdo




#19 phreak3r


Posted 13 January 2018 - 12:28 AM

> I suggest you spend your efforts on learning PDO. This tutorial will get you going.
>
> https://phpdelusions.net/pdo

 

Okay...thanks? :confused: :shrug:
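
The advice given in posts #12 to #16 (keep variables out of the query with a prepared statement, do not show internal errors to the user, use PDO), put together as an added example that is not part of the original thread and not any poster's code. It assumes an in-memory SQLite database standing in for the MySQL soapbox database so that it runs offline; connect() and register() are hypothetical helper names.

```php
<?php
// Assumption: SQLite in memory replaces MySQL so the example runs offline.
// For MySQL the DSN would look like 'mysql:host=localhost;dbname=soapbox;charset=utf8mb4'.
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE profile0 (
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        email_address TEXT NOT NULL
    )');
    return $pdo;
}

// Hypothetical helper: inserts one signup row, returns true on success.
function register(PDO $pdo, array $post): bool
{
    // Column names are bare identifiers here; in MySQL, single quotes
    // denote string literals, not identifiers.
    $sql = 'INSERT INTO profile0 (username, password, email_address)
            VALUES (:username, :password, :email_address)';
    try {
        $stmt = $pdo->prepare($sql);
        return $stmt->execute([
            ':username'      => $post['username'] ?? '',
            // Store a hash, never the submitted password itself.
            ':password'      => password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
            ':email_address' => $post['email_address'] ?? '',
        ]);
    } catch (PDOException $e) {
        // Details go to the server log; the user sees only a generic message.
        error_log('signup insert failed: ' . $e->getMessage());
        return false;
    }
}

$pdo = connect();
// Constructed sample input. In confirmation.php this would be $_POST, and the
// call would sit inside: if ($_SERVER['REQUEST_METHOD'] === 'POST') { ... }
$sample = [
    'username'      => "O'Brien",
    'password'      => 'correct horse battery staple',
    'email_address' => 'obrien@example.com',
];
echo register($pdo, $sample) ? "Inserted.\n" : "Could not create account.\n";

// The apostrophe in the username is stored as data, not parsed as SQL.
$row = $pdo->query('SELECT username, password FROM profile0')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === $sample['username']);
var_dump(password_verify($sample['password'], $row['password']));
```

With the string-built query from the thread, the same apostrophe would end the SQL string early; bound parameters are sent separately from the statement text, so no escaping is involved.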





