
I'm having trouble adding content.


maviyazilim


I have a file with a form. When I say add information here, it goes to the php file to be added. The problem was that while adding content to the database, it suddenly stopped adding content. Sometimes it adds, sometimes it doesn't. Why would it give such an error?

 

<?php

session_start();
include '../ayar/baglan.php';

$sonuc = false; // defined even when the form has not been submitted

if(isset($_POST['ekle'])) {

  $baslik = $_POST['baslik'];
  $icerik = $_POST['icerikici'];
  $yazar = $_POST['yazar'];

  // the form values are interpolated directly into the SQL string
  $ekle = "insert into icerik (baslik,icerik,yazar) values
  ('$baslik','$icerik','$yazar')";
  $sonuc = mysqli_query($veri,$ekle);
}
if($sonuc) {
  header("location:yonetim.php");
}

?>


You didn't provide the form so there's no way to see what's being sent but you can do some print statements to see if that file is getting the data it expects:
 

<?php

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

session_start();
require_once '../ayar/baglan.php';

$sonuc = false; // defined even when the form has not been submitted

if(isset($_POST['ekle'])) {

    // debugging output; any output before header() prevents the redirect, so remove it when done
    print('POST data received');

    $baslik = $_POST['baslik'];
    $icerik = $_POST['icerikici'];
    $yazar = $_POST['yazar'];

    $ekle = "insert into icerik (baslik,icerik,yazar) values
    ('$baslik','$icerik','$yazar')";
    $sonuc = mysqli_query($veri,$ekle);
}
if($sonuc) {
    header("location:yonetim.php");
}else{
    print('SQL not executed.');
}

?>

 


22 minutes ago, schwim said:

You didn't provide the form so there's no way to see what's being sent but you can do some print statements to see if that file is getting the data it expects:
 

<?php

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

session_start();
require_once '../ayar/baglan.php';

$sonuc = false; // defined even when the form has not been submitted

if(isset($_POST['ekle'])) {

    // debugging output; any output before header() prevents the redirect, so remove it when done
    print('POST data received');

    $baslik = $_POST['baslik'];
    $icerik = $_POST['icerikici'];
    $yazar = $_POST['yazar'];

    $ekle = "insert into icerik (baslik,icerik,yazar) values
    ('$baslik','$icerik','$yazar')";
    $sonuc = mysqli_query($veri,$ekle);
}
if($sonuc) {
    header("location:yonetim.php");
}else{
    print('SQL not executed.');
}

?>

<form action="ekle.php" method="post">
<div id="baslik">
  <label>İçerik başlığı: </label>
  <input id="baslikform" type="text" name="baslik">
</div>
<div id="icerik">
  <label>İçerik: </label>
  <textarea id="icerik1" name="icerikici"></textarea>
</div>
<div id="yazar">
  <label>Yazar: </label>
  <!-- id must be unique in the document; the original reused "baslikform" here -->
  <input id="yazarform" type="text" name="yazar">
</div>
<div id="ekle">
  <input type="submit" name="ekle" value="İçerik ekle">
</div>
</form>

 


you are putting the external data directly into the sql query statement. any sql special characters in a value, such as a quote, will break the sql query syntax, producing a sql error. this is also how sql injection is accomplished.

the solution is to switch to use a prepared query, with place-holders for the sql query statement for each value, then supply the actual values when the query gets executed. you would also want to switch to the much simpler PDO database extension. the mysqli extension uses a completely different programming interface for non-prepared and prepared queries, which requires you to learn almost two different database extensions. the PDO extension treats a non-prepared and prepared query the same.


ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

I added these lines. It didn't give any error messages, but it uploaded content. After uploading 4-5 pieces of content, it gave the same error again. Interestingly, the code works, then stops working after a while.


2 minutes ago, mac_gyver said:

you are putting the external data directly into the sql query statement. any sql special characters in a value, such as a quote, will break the sql query syntax, producing a sql error. this is also how sql injection is accomplished.

the solution is to switch to use a prepared query, with place-holders for the sql query statement for each value, then supply the actual values when the query gets executed. you would also want to switch to the much simpler PDO database extension. the mysqli extension uses a completely different programming interface for non-prepared and prepared queries, which requires you to learn almost two different database extensions. the PDO extension treats a non-prepared and prepared query the same.

Isn't there a solution for this inside the mysqli method? Is there a way to get around the SQL special character issue?


when the insert query no longer works, does the header redirect to yonetim.php work or not, i.e. does it redirect or do you stay on the form processing page?

if the query is failing, you need some actual error handling for the database statements so that you can find out why they are failing. add the following line of code before the point where you make the database connection -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

 


7 minutes ago, mac_gyver said:

when the insert query no longer works, does the header redirect to yonetim.php work or not, i.e. does it redirect or do you stay on the form processing page?

if the query is failing, you need some actual error handling for the database statements so that you can find out why they are failing. add the following line of code before the point where you make the database connection -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

 

The header is not working. The redirect is not working; a white page appears. It does not go to the admin.php page. When I print the variables with echo, the data from the form page appears on the page. What I don't understand is: if this code is faulty, shouldn't it fail all the time? Sometimes it works fine, sometimes it doesn't.


13 minutes ago, mac_gyver said:

when the insert query no longer works, does the header redirect to yonetim.php work or not, i.e. does it redirect or do you stay on the form processing page?

if the query is failing, you need some actual error handling for the database statements so that you can find out why they are failing. add the following line of code before the point where you make the database connection -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

 

I kept adding content, and finally one of them gave this error.

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'e Katlandı','1111111','admin')' at line 2 in C:\xampp\htdocs\xxxx\yonet\ekle.php:17 Stack trace: #0 C:\xampp\htdocs\xxxx\yonet\ekle.php(17): mysqli_query(Object(mysqli), 'insert into ice...') #1 {main} thrown in C:\xampp\htdocs\xxxx\yonet\ekle.php on line 17

line 17 -> $sonuc = mysqli_query($veri,$ekle);


37 minutes ago, maviyazilim said:

the right syntax to use near 'e Katlandı','1111111','admin')'

the error is because the content contains a single-quote/apostrophe. this is breaking the sql query syntax. in the distant past, php provided some protection for this, but this has been removed since it didn't address every character set situation.

the best way of handling this is to use a prepared query, which provides fool-proof protection for ALL data types.

you can use a prepared query with the mysqli extension, but as already stated this is overly complex, requiring you to learn the same amount of new statements as learning a whole new database extension. if you are going to do that much work, you might as well just learn the much simpler PDO extension.

converting any query to be a prepared query, using the PDO extension, is extremely simple -

// 1. remove the php variables, any single-quotes around them, any {} around them, and any concatenation dots that are being used to get the php variables into the sql query statement.
// 2. replace each value in the sql query statement with a simple ? place-holder.

// your sql query would look like this -
$ekle = "insert into icerik (baslik,icerik,yazar) values
(?,?,?)";

// 3. prepare the query -
$stmt = $pdo->prepare($ekle);

// 4. take the variables you removed in step #1 and supply them as an array to the execute call -
$stmt->execute([ $baslik,$icerik,$yazar ]);

the above conversion applies to select, insert, update, and delete queries. for select queries, to fetch data from the query, you would need to use either the fetch() method (for a single row of data), the fetchAll() method (for all the rows of data), or sometimes the fetchColumn() method (for a single column, such as a COUNT() value from a query).

the following is typical PDO connection code -

$DB_HOST = ''; // database host name or ip address
$DB_USER = ''; // database username
$DB_PASS = ''; // database password
$DB_NAME = ''; // database name
$DB_ENCODING = 'utf8mb4'; // db character encoding. set to match your database table's character set

$options = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,       // set the error mode to exceptions
    PDO::ATTR_EMULATE_PREPARES => false,               // run real prepared queries
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,  // set default fetch mode to assoc
];

$pdo = new PDO("mysql:host=$DB_HOST;dbname=$DB_NAME;charset=$DB_ENCODING", $DB_USER, $DB_PASS, $options);
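As an added example (not code from the thread or from either poster), the same insert done as a mysqli prepared statement, which answers maviyazilim's question about whether this can be handled without leaving mysqli. The connection values are placeholders; the table, column and form field names are the ones from the thread.

```php
<?php
// Added example, not code from the thread: the icerik insert as a mysqli
// prepared statement. Connection values are placeholders.

// Make every mysqli error throw an exception; set before connecting, as advised above.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$veri = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
$veri->set_charset('utf8mb4'); // match the table's character set

// Insert one row into icerik. The values travel separately from the SQL text,
// so an apostrophe in $baslik can no longer change the statement's syntax or meaning.
function icerikEkle(mysqli $veri, string $baslik, string $icerik, string $yazar): int
{
    $stmt = $veri->prepare("insert into icerik (baslik, icerik, yazar) values (?, ?, ?)");
    $stmt->bind_param('sss', $baslik, $icerik, $yazar); // 's' binds each value as a string
    $stmt->execute();
    $id = (int) $stmt->insert_id; // auto-increment id of the new row
    $stmt->close();
    return $id;
}

if (isset($_POST['ekle'])) {
    // field names from the form posted in the thread
    $baslik = $_POST['baslik'] ?? '';
    $icerik = $_POST['icerikici'] ?? '';
    $yazar  = $_POST['yazar'] ?? '';
} else {
    // constructed sample: a title containing the apostrophe that broke the original query
    $baslik = "Test'e Katlandı";
    $icerik = '1111111';
    $yazar  = 'admin';
}

try {
    icerikEkle($veri, $baslik, $icerik, $yazar);
    header('Location: yonetim.php');
    exit;
} catch (mysqli_sql_exception $e) {
    // with MYSQLI_REPORT_STRICT a failing query throws with its real cause instead of
    // returning false and leaving a white page; log it and show a generic message
    error_log('icerik insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'İçerik eklenemedi.';
}
```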

 


On 5/27/2022 at 5:47 AM, mac_gyver said:

the error is because the content contains a single-quote/apostrophe. this is breaking the sql query syntax. in the distant past, php provided some protection for this, but this has been removed since it didn't address every character set situation.

the best way of handling this is to use a prepared query, which provides fool-proof protection for ALL data types.

you can use a prepared query with the mysqli extension, but as already stated this is overly complex, requiring you to learn the same amount of new statements as learning a whole new database extension. if you are going to do that much work, you might as well just learn the much simpler PDO extension.

converting any query to be a prepared query, using the PDO extension, is extremely simple -

// 1. remove the php variables, any single-quotes around them, any {} around them, and any concatenation dots that are being used to get the php variables into the sql query statement.
// 2. replace each value in the sql query statement with a simple ? place-holder.

// your sql query would look like this -
$ekle = "insert into icerik (baslik,icerik,yazar) values
(?,?,?)";

// 3. prepare the query -
$stmt = $pdo->prepare($ekle);

// 4. take the variables you removed in step #1 and supply them as an array to the execute call -
$stmt->execute([ $baslik,$icerik,$yazar ]);

the above conversion applies to select, insert, update, and delete queries. for select queries, to fetch data from the query, you would need to use either the fetch() method (for a single row of data), the fetchAll() method (for all the rows of data), or sometimes the fetchColumn() method (for a single column, such as a COUNT() value from a query).

the following is typical PDO connection code -

$DB_HOST = ''; // database host name or ip address
$DB_USER = ''; // database username
$DB_PASS = ''; // database password
$DB_NAME = ''; // database name
$DB_ENCODING = 'utf8mb4'; // db character encoding. set to match your database table's character set

$options = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,       // set the error mode to exceptions
    PDO::ATTR_EMULATE_PREPARES => false,               // run real prepared queries
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,  // set default fetch mode to assoc
];

$pdo = new PDO("mysql:host=$DB_HOST;dbname=$DB_NAME;charset=$DB_ENCODING", $DB_USER, $DB_PASS, $options);

 

Thank you. I will try your solutions. As far as I understand, if I use mysqli and the content I add contains characters that break the SQL, the code is broken, and there is no solution for this in PHP; I need to learn SQL. Do I understand the problem correctly?
