maviyazilim Posted May 26, 2022

I have a file with a form. When I say add information here, it goes to the php file to be added. The problem was that while adding content to the database, it suddenly stopped adding content. Sometimes it adds, sometimes it doesn't. Why would it give such an error?

<?php
session_start();
include '../ayar/baglan.php';
$sonuc = false; // initialised so the check below never reads an undefined variable
if(isset($_POST['ekle'])) {
    $baslik = $_POST['baslik'];
    $icerik = $_POST['icerikici'];
    $yazar = $_POST['yazar'];
    // form values are interpolated directly into the SQL string
    $ekle = "insert into icerik (baslik,icerik,yazar) values ('$baslik','$icerik','$yazar')";
    $sonuc = mysqli_query($veri,$ekle);
}
if($sonuc) {
    header("location:yonetim.php");
    exit; // stop the script after sending the redirect
}
?>
schwim Posted May 27, 2022

You didn't provide the form so there's no way to see what's being sent but you can do some print statements to see if that file is getting the data it expects:

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
session_start();
require_once '../ayar/baglan.php';
$sonuc = false; // initialised so the check below never reads an undefined variable
if(isset($_POST['ekle'])) {
    print('POST data received'); // debug output only: any output sent before header() prevents the redirect
    $baslik = $_POST['baslik'];
    $icerik = $_POST['icerikici'];
    $yazar = $_POST['yazar'];
    $ekle = "insert into icerik (baslik,icerik,yazar) values ('$baslik','$icerik','$yazar')";
    $sonuc = mysqli_query($veri,$ekle);
}
if($sonuc) {
    header("location:yonetim.php");
}else{
    print('SQL not executed.');
}
?>
maviyazilim (Author) Posted May 27, 2022

> 22 minutes ago, schwim said:
> You didn't provide the form so there's no way to see what's being sent but you can do some print statements to see if that file is getting the data it expects:
>
> <?php
> ini_set('display_errors', 1);
> ini_set('display_startup_errors', 1);
> error_reporting(E_ALL);
> session_start();
> require_once '../ayar/baglan.php';
> $sonuc = false;
> if(isset($_POST['ekle'])) {
>     print('POST data received');
>     $baslik = $_POST['baslik'];
>     $icerik = $_POST['icerikici'];
>     $yazar = $_POST['yazar'];
>     $ekle = "insert into icerik (baslik,icerik,yazar) values ('$baslik','$icerik','$yazar')";
>     $sonuc = mysqli_query($veri,$ekle);
> }
> if($sonuc) {
>     header("location:yonetim.php");
> }else{
>     print('SQL not executed.');
> }
> ?>

<form action="ekle.php" method="post">
    <div id="baslik">
        <label>İçerik başlığı: </label>
        <input id="baslikform" type="text" name="baslik">
    </div>
    <div id="icerik">
        <label>İçerik: </label>
        <textarea id="icerik1" name="icerikici"></textarea>
    </div>
    <div id="yazar">
        <label>Yazar: </label>
        <!-- id changed from the duplicate "baslikform": ids must be unique in a document -->
        <input id="yazarform" type="text" name="yazar">
    </div>
    <div id="ekle">
        <input type="submit" name="ekle" value="İçerik ekle">
    </div>
</form>
mac_gyver Posted May 27, 2022

you are putting the external data directly into the sql query statement. any sql special characters in a value, such as a quote, will break the sql query syntax, producing a sql error. this is also how sql injection is accomplished. the solution is to switch to use a prepared query, with place-holders for the sql query statement for each value, then supply the actual values when the query gets executed.

you would also want to switch to the much simpler PDO database extension. the mysqli extension uses a completely different programming interface for non-prepared and prepared queries, which requires you to learn almost two different database extensions. the PDO extension treats a non-prepared and prepared query the same.
maviyazilim (Author) Posted May 27, 2022

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

I added these codes. It didn't give any error messages, but it uploaded content. After uploading 4-5 pieces of content, it gave the same error again. Interestingly, the codes work. It doesn't work after a while.
maviyazilim (Author) Posted May 27, 2022

> 2 minutes ago, mac_gyver said:
> you are putting the external data directly into the sql query statement. any sql special characters in a value, such as a quote, will break the sql query syntax, producing a sql error. this is also how sql injection is accomplished. the solution is to switch to use a prepared query, with place-holders for the sql query statement for each value, then supply the actual values when the query gets executed.
>
> you would also want to switch to the much simpler PDO database extension. the mysqli extension uses a completely different programming interface for non-prepared and prepared queries, which requires you to learn almost two different database extensions. the PDO extension treats a non-prepared and prepared query the same.

Isn't there a solution for this inside the mysqli method? Is there a way to get around the sql special character issue?
mac_gyver Posted May 27, 2022

when the insert query no longer works, does the header redirect to yonetim.php work or not, i.e. does it redirect or do you stay on the form processing page?

if the query is failing, you need some actual error handling for the database statements so that you can find out why they are failing. add the following line of code before the point where you make the database connection -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
maviyazilim (Author) Posted May 27, 2022

> 7 minutes ago, mac_gyver said:
> when the insert query no longer works, does the header redirect to yonetim.php work or not, i.e. does it redirect or do you stay on the form processing page?
>
> if the query is failing, you need some actual error handling for the database statements so that you can find out why they are failing. add the following line of code before the point where you make the database connection -
>
> mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

header is not working. redirect is not working. white page appears. It does not go to the admin.php page. When I print the variables with echo, the data from the form page appears to be on the page. What I don't understand is, if this code is faulty, shouldn't it fail all the time? Sometimes it works fine. Sometimes it doesn't work.
maviyazilim (Author) Posted May 27, 2022

> 13 minutes ago, mac_gyver said:
> when the insert query no longer works, does the header redirect to yonetim.php work or not, i.e. does it redirect or do you stay on the form processing page?
>
> if the query is failing, you need some actual error handling for the database statements so that you can find out why they are failing. add the following line of code before the point where you make the database connection -
>
> mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

I am constantly adding content. Finally one of them gave this error.

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'e Katlandı','1111111','admin')' at line 2 in C:\xampp\htdocs\xxxx\yonet\ekle.php:17
Stack trace:
#0 C:\xampp\htdocs\xxxx\yonet\ekle.php(17): mysqli_query(Object(mysqli), 'insert into ice...')
#1 {main}
thrown in C:\xampp\htdocs\xxxx\yonet\ekle.php on line 17

line 17 -> $sonuc = mysqli_query($veri,$ekle);
mac_gyver Posted May 27, 2022

> 37 minutes ago, maviyazilim said:
> the right syntax to use near 'e Katlandı','1111111','admin')'

the error is because the content contains a single-quote/apostrophe. this is breaking the sql query syntax. in the distant past, php provided some protection for this, but this has been removed since it didn't address every character set situation. the best way of handling this is to use a prepared query, which provides fool-proof protection for ALL data types.

you can use a prepared query with the mysqli extension, but as already stated this is overly complex, requiring you to learn the same amount of new statements as learning a whole new database extension. if you are going to do that much work, you might as well just learn the much simpler PDO extension.

converting any query to be a prepared query, using the PDO extension, is extremely simple -

// 1. remove the php variables, any single-quotes around them, any {} around them, and any concatenation dots that are being used to get the php variables into the sql query statement.
// 2. replace each value in the sql query statement with a simple ? place-holder.
// your sql query would look like this -
$ekle = "insert into icerik (baslik,icerik,yazar) values (?,?,?)";
// 3. prepare the query -
$stmt = $pdo->prepare($ekle);
// 4. take the variables you removed in step #1 and supply them as an array to the execute call -
$stmt->execute([ $baslik,$icerik,$yazar ]);

the above conversion applies to select, insert, update, and delete queries. for select queries, to fetch data from the query, you would need to use either the fetch() method (for single row of data), fetchAll() method (for all the rows of data), or sometimes the fetchColumn() method (for single column, such as a COUNT() value from a query.)

the following is typical PDO connection code -

$DB_HOST = ''; // database host name or ip address
$DB_USER = ''; // database username
$DB_PASS = ''; // database password
$DB_NAME = ''; // database name
$DB_ENCODING = 'utf8mb4'; // db character encoding. set to match your database table's character set
$options = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // set the error mode to exceptions
    PDO::ATTR_EMULATE_PREPARES => false, // run real prepared queries
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // set default fetch mode to assoc
];
$pdo = new PDO("mysql:host=$DB_HOST;dbname=$DB_NAME;charset=$DB_ENCODING", $DB_USER, $DB_PASS, $options);
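As an added example (not code from any poster in this thread), here is ekle.php rewritten with a mysqli prepared statement, which is the in-mysqli answer to the question asked above: the apostrophe in a title such as "2'ye Katlandı" is passed as bound data and can no longer break, or inject into, the query. It assumes ../ayar/baglan.php still creates $veri as a mysqli connection and that the icerik table has the three columns used in the thread.

```php
<?php
// Added example, not from the thread: ekle.php using a mysqli prepared statement.
// Assumes ../ayar/baglan.php creates $veri (mysqli) and icerik(baslik, icerik, yazar) exists.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make DB failures throw exceptions
session_start();
require_once '../ayar/baglan.php';

// Constructed example of the value that broke the original query (contains an apostrophe):
//   $_POST['baslik'] = "Fiyatlar 2'ye Katlandı";
// With a prepared statement the value is sent separately from the SQL text, so the
// server never parses it as part of the statement.

if (isset($_POST['ekle'])) {
    $baslik = trim($_POST['baslik'] ?? '');
    $icerik = trim($_POST['icerikici'] ?? '');
    $yazar  = trim($_POST['yazar'] ?? '');

    if ($baslik === '' || $icerik === '' || $yazar === '') {
        http_response_code(400);
        exit('All fields are required.');
    }

    try {
        // The SQL contains only placeholders; no user input is interpolated into it.
        $stmt = $veri->prepare('INSERT INTO icerik (baslik, icerik, yazar) VALUES (?, ?, ?)');
        $stmt->bind_param('sss', $baslik, $icerik, $yazar); // three string parameters
        $stmt->execute();
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        // Log the real reason server-side; do not echo DB errors to the browser.
        error_log('icerik insert failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Content could not be saved.');
    }

    header('Location: yonetim.php');
    exit; // nothing may be output before header(), and nothing should run after it
}
```

Because mysqli_report() is set before the connection is made, a failed prepare() or execute() now raises mysqli_sql_exception instead of silently returning false, so the "white page" symptom from the thread becomes a logged error.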
maviyazilim (Author) Posted May 29, 2022

> On 5/27/2022 at 5:47 AM, mac_gyver said:
> the error is because the content contains a single-quote/apostrophe. this is breaking the sql query syntax. in the distant past, php provided some protection for this, but this has been removed since it didn't address every character set situation. the best way of handling this is to use a prepared query, which provides fool-proof protection for ALL data types.
>
> you can use a prepared query with the mysqli extension, but as already stated this is overly complex, requiring you to learn the same amount of new statements as learning a whole new database extension. if you are going to do that much work, you might as well just learn the much simpler PDO extension.
>
> converting any query to be a prepared query, using the PDO extension, is extremely simple -
>
> // 1. remove the php variables, any single-quotes around them, any {} around them, and any concatenation dots that are being used to get the php variables into the sql query statement.
> // 2. replace each value in the sql query statement with a simple ? place-holder.
> // your sql query would look like this -
> $ekle = "insert into icerik (baslik,icerik,yazar) values (?,?,?)";
> // 3. prepare the query -
> $stmt = $pdo->prepare($ekle);
> // 4. take the variables you removed in step #1 and supply them as an array to the execute call -
> $stmt->execute([ $baslik,$icerik,$yazar ]);
>
> the above conversion applies to select, insert, update, and delete queries. for select queries, to fetch data from the query, you would need to use either the fetch() method (for single row of data), fetchAll() method (for all the rows of data), or sometimes the fetchColumn() method (for single column, such as a COUNT() value from a query.)
>
> the following is typical PDO connection code -
>
> $DB_HOST = ''; // database host name or ip address
> $DB_USER = ''; // database username
> $DB_PASS = ''; // database password
> $DB_NAME = ''; // database name
> $DB_ENCODING = 'utf8mb4'; // db character encoding. set to match your database table's character set
> $options = [
>     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // set the error mode to exceptions
>     PDO::ATTR_EMULATE_PREPARES => false, // run real prepared queries
>     PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // set default fetch mode to assoc
> ];
> $pdo = new PDO("mysql:host=$DB_HOST;dbname=$DB_NAME;charset=$DB_ENCODING", $DB_USER, $DB_PASS, $options);

Thank you. I will try your solutions. As far as I understand, if I use mysqli, and there are characters in the content I add that will break the sql code, the code is broken. There is no solution for this in php. I need to learn SQL. Do I understand the problem correctly?