-
[RESOLVED] Re-designing a flash site in (x)html
Hi,
For my major assignment in my php class I have decided to redo the website I created in my flash class. While I have got the majority of the php sorted there are a few things I am confused about.
Number 1:
In flash, after the login information was checked and successfully compared, the user logs in to the website; sometimes the user will be shown a new frame. How do I do that re-direct/log-in type thing with html?
Thanks,
Nightwalker
-
Re: Re-designing a flash site in (x)html
My typical design of a login page (or any page with form submission) goes something like this:
Code:
<?php
$error_message = false;
if(isset($_POST["formSubmitted"])){
$desired_result = false;
//process form - validate input, do any database operations, etc.
//set $desired_result to true when conditions are satisfied
if($desired_result){
//give user a login cookie, redirect them to where they should go next
header("Location: loggedIn.php");
exit;
}else{
$error_message = "There was a problem with your login.";
}
}
?>
<html>
<head>
</head>
<body>
<?php if($error_message){echo "<p>$error_message</p>";}?>
<form action="" method="POST">
...
<input type="submit" name="formSubmitted" value="Submit"/>
</form>
</body>
</html>
When the user first visits the page, $_POST["formSubmitted"] is not set, so the code for processing the form will be skipped. Also $error_message is false, so no error will display. They then submit the form (leaving the "action" attribute empty on a form will have it submit to the same page it's on), and you handle their data as needed. If the result of your script is "good," send them off to their next location, otherwise inform them of their mistake and let them try again (by not forwarding them away from the login page - the form below the PHP will load up again).
Makes sense?...
-
Re: Re-designing a flash site in (x)html
Thanks, I'll have to try it and see if it's what I'm looking for.
-
Re: Re-designing a flash site in (x)html
I have created a php page template (.dwt.php) file! I have a .php file that already contains working php code; will that code be deleted if I apply the template to that php page?
-
Re: Re-designing a flash site in (x)html
Don't know, never used Dreamweaver.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
SambaNeko
Don't know, never used Dreamweaver.
I don't think it would, but just in case I have a backup of the php code, so if the template does override the code I can apply the template manually.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
it's evident with the code you posted that the server you're using has magic_quotes_gpc on (otherwise, no, the code you posted would not run if you had a single quote in either of those fields). like mentioned earlier, this is a deprecated feature and isn't something you should be [implicitly] supporting. you should use a recursive function that strips those slashes from the super globals, and then prepare them for the database (via the mysql_real_escape_string() function or a prepared statement using mysqli or pdo) yourself later on.
To enable the code to work properly without magic_quotes_gpc (magic_quotes_gpc turned off) I know I need to find the php.ini file and edit it to turn off magic_quotes_gpc. However, is there anything in the code I need to change? I'm guessing phpdev, wampserver, etc. initially have magic_quotes_gpc turned on because that's how I've been testing my code and each time it works.
This is the website I have found so far! It pointed me to the above mentioned php.ini file. The site also mentions:
Quote:
Originally Posted by http://www.jimmysworld.org/article.html?aID=59
By default magic_quotes_gpc was turned off in all 3.x.x versions of PHP. However, all PHP 4.x.x versions have this option turned on by default. To insert a little bit of personal opinion I think this was a horrible mistake because I feel that magic_quotes_gpc is problematic in professional applications, and encourages sloppy programming behaviour. That is however just my opinion, and the FACT is that probably the version of PHP you are using has this option on by default.
As I read that, I would have been better off sticking with version 3.x.x of PHP rather than upgrading, if the creators are going to go backwards during the implementation of features.
-
Re: Re-designing a flash site in (x)html
I am pretty sure you put this post in the wrong place. it's a good thing I decided to start reading this forum again!
anyway, you would be crazy to think you would be better off using PHP3 over, say, PHP5. even PHP4. magic_quotes_gpc provides a false security to SQL injection, and does encourage sloppy programming. the code you provided was evidence of that.
to "make code work" without magic_quotes_gpc, you simply need to be aware of the dangers of trusting your user's input. any untrustworthy data (no user's input is ever trustworthy -- so this means all input) needs to be sanitised before being used within an SQL query, for example. this counts for inserts, selects, updates, deletes. if you aren't up to adopting a database extension that uses prepared statements (like PDO or MySQLi), you can use the function mysql_real_escape_string() instead. eg.
PHP Code:
<?php
$data = "My name is 'Bob'!";
$data = mysql_real_escape_string($data);
$sql = "SELECT * FROM table WHERE data='$data'";
//without a call to mysql_real_escape_string(), this SQL query would fail because of the single quotes contained in $data.
?>
there isn't really much else to it.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by kows;3624781
$data = "My name is 'Bob'!";
$data = mysql_real_escape_string($data);
$sql = "SELECT * FROM table WHERE data='$data'";
//without a call to mysql_real_escape_string(), this SQL query would fail because of the single quotes contained in $data.
?>
there isn't really much else to it.
Nope, this is the correct forum for what I plan on doing, which is redesigning a website using xhtml.
So all I have to do is type:
Quote:
$data = "My name is Bob!";
$data = mysql_real_escape_string($data);
$sql = "SELECT * FROM table WHERE data=$data";
that is removing the ' single quotes but still leaving the double quotes?
-
Re: Re-designing a flash site in (x)html
uh, no. you type exactly what my example said (otherwise, why would I have posted an example?). mysql_real_escape_string() does exactly what the name suggests; it's a mysql centered function that escapes strings. it will escape quotes and a few other characters that mysql would like you to.
if you are unsure about what a function does, you should really try to look it up.
my comment about this being in the wrong forum was because the post you quoted me in was from the PHP forum, and this is a forum for HTML, CSS and other misc languages. there is a separate forum for PHP, and PHP-centric posts should generally be put into that forum. on top of that, this thread you created is a month old, so I'd think you wouldn't need to use it to ask for more help, or whatever. not that I'm a moderator, or really have any sort of authority on this subject whatsoever, but I'm just saying! I suppose it doesn't matter a huge deal either way.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
uh, no. you type
exactly what my example said (otherwise, why would I have posted an example?). mysql_real_escape_string() does exactly what the name suggests; it's a mysql centered function that escapes strings. it will escape quotes and a few other characters that mysql would like you to.
if you are unsure about what a function does, you should really try to
look it up.
Sorry, I thought it was an example of what not to type. It looks to me like the only thing I would have to change with say this code would be putting:
Code:
$cid = mysql_real_escape_string($cid);
($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))
instead of just:
Code:
($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))
In the above case $cid was a php variable used in this concept:
PHP Code:
//convert the POST variables from flash to local variables
$cid = $_POST['cid'];
On the left you have the php variable and on the right the flash variable. Would I need to change the $cid to mysql_real_escape_string($cid); if I were saving data to the database or only when I am retrieving it?
Quote:
my comment about this being in the wrong forum was because the post you quoted me in was from the PHP forum, and this is a forum for HTML, CSS and other misc languages. there is a separate forum for PHP, and PHP-centric posts should generally be put into that forum. on top of that, this thread you created is a month old, so I'd think you wouldn't need to use it to ask for more help, or whatever. not that I'm a moderator, or really have any sort of authority on this subject whatsoever, but I'm just saying! I suppose it doesn't matter a huge deal either way.
Ah ok! Maybe I thought about putting this thread in the php section since the website I will be creating will use php. However, I was unsure at the time as to where this thread belonged so I put in the html section.
-
Re: Re-designing a flash site in (x)html
I'm not sure if you've been reading along or not.. but, to quote myself (important things bolded):
Quote:
to "make code work" without magic_quotes_gpc, you simply need to be aware of the dangers of trusting your user's input. any untrustworthy data (no user's input is ever trustworthy -- so this means all input) needs to be sanitised before being used within an SQL query, for example. this counts for inserts, selects, updates, deletes. if you aren't up to adopting a database extension that uses prepared statements (like PDO or MySQLi), you can use the function mysql_real_escape_string() instead.
-
Re: Re-designing a flash site in (x)html
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
I'm not sure if you've been reading along or not.. but, to quote myself (important things bolded):
Ah ok, I will see if I can get it working! If not I will ask my lecturer about the problem or post here about it.
Quote:
Originally Posted by
penagate
Moved
Thanks!
-
Re: Re-designing a flash site in (x)html
Ok I have tested on php using the following:
In php.ini:
Quote:
Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc =off
In the *.php file:
PHP Code:
//select user record where username and password matches
$query = "select * from Customers where mysql_real_escape_string(Username='mysql_real_escape_string($user)'AND Password=' mysql_real_escape_string($password)')";
if (!($result = mysql_query($query))){ //if query fails echo message and exit
echo 'authenticated=queryFailed';
exit;
}
It all seems to be working! I just hope the above means that it's working without magic quotes.
Edit:
Although, in this file:
PHP Code:
<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";
//convert the post variables from flash to local variables
$username = $_POST['username'];
$password = $_POST['uPassword'];
//connect to server or exit
if (!($conn = mysql_connect("localhost", "admin", "") )){
echo 'result=connection+failed';
exit;
}
//connect to database or exit
if (!(mysql_select_db($dbDatabase, $conn))){
echo 'message=db+selection+failed';
exit;
}
//select user record where username and password matches
$query = "select * from users where username='$username'AND password='$password'";
if (!($result = mysql_query($query))){ //if query fails echo message and exit
echo 'authenticated=queryFailed';
exit;
}
if ($row = mysql_fetch_array($result)) { //if user exists
//the following is just one of many different ways of retrieving the information from the select query
//the fetch_array command returns one record/row from the db formatted as an indexed or associative array.
echo "authenticated=true";
}else { //user doesn't exist
echo "authenticated=false";
}
?>
I have not added the real escape code and the code still works.
-
Re: Re-designing a flash site in (x)html
you're not doing it correctly.
please actually read my post and look at the example given to correctly implement using this function into your code. you can't just put it inside of your query a bunch of times. you are sanitising user INPUT. you are not sanitising your own code. you sanitise the variables that you cannot predict, or that could potentially contain something harmful. generally, this means ALL input.
I hope you understand that using mysql_real_escape_string() on your variables does not just "make or break" your script. it does exactly what it says. it escapes a string for any characters that MySQL might be unhappy with. this means quotes and a few other characters (all detailed on the function's page at PHP.net). however, if you don't present an invalid query to MySQL (meaning one that does not need characters escaped), then everything is going to work fine. but, for the code you're running above, you're vulnerable to an SQL injection (quick example in a previous post I've made). if you put the string ' OR 1=1 # in the username field, and anything in the password field, your new SQL query would be:
select * from users where username='' OR 1=1 #'AND password='whatever' (bolded what our "username" would do to the query)
of course, this statement is true, because the username can either be an empty string, or 1 can be equal to 1. 1 is always equal to 1, and thus the user would be automatically logged in. note that the hash/pound symbol ("#") is a comment in MySQL (the rest of the stuff making sure the password also matches is simply ignored).
magic_quotes_gpc will give you some protection against this, but it's a false sense of security and you should really be aware of the problems you are opening yourself up to. if you ran this script on a server without magic_quotes_gpc (which you've said you've now turned off), you would be vulnerable to an attack. instead, you can apply mysql_real_escape_string() to your $username variable, and hash your $password variable (assuming you're using encryption, otherwise, use mysql_real_escape_string() on it as well).
hope you understood that. if you don't, please ask questions. I hate seeing people struggle.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
hope you understood that. if you don't, please ask questions. I hate seeing people struggle.
I took out the typo in the above code so it now says:
PHP Code:
$query = "select * from Customers where Username='mysql_real_escape_string($user)'AND Password='mysql_real_escape_string($password)')";
The example I was trying to follow was the 1st example here.
-
Re: Re-designing a flash site in (x)html
well, you're not following it at all. look at the example in my post. it doesn't get any more basic than that. you have a variable. you use the PHP function mysql_real_escape_string() on it. then you make your query. that's all you have to do. the code you're posting wouldn't protect you from an attack and would literally check for the text "mysql_real_escape_string(username)" as the entire username.
and lastly, if you're not sure what sprintf() does, don't try to follow an example using it ;)
edit: and, you need to have a space before the "AND" after "username=''" in your query.
-
Re: Re-designing a flash site in (x)html
I just asked my lecturer and he said that php 5.3.0 and onward has magic quotes turned off, so there is no need to use mysql_real_escape_string(), which is also backed up by the php manual.
However, if you are using php 5 or before magic quotes is supported! Kows, I am guessing you are using version 5 of php because of the above posts. I will be downloading the latest version of php which uses a different method of accounting for the slash in the post.
-
Re: Re-designing a flash site in (x)html
uhhh.. I have no idea what you're thinking, or what you misunderstood from what your lecturer told you, or what you misunderstood from reading the PHP manual, but you need to step back and just ... read. you seriously are not getting this.
magic_quotes_gpc being defaulted to off in newer versions of PHP doesn't mean you don't need to worry about anything. magic_quotes_gpc being off means you DO need to worry about SQL injection. it's a deprecated feature that is still being used by many users and many hosts, and this is bad. it provides a false sense of security (like mentioned above).
let me break it down. take this example of code:
PHP Code:
<?php
print_r($_POST);
?>
<form action="<?php echo __FILE__; ?>" method="post">
<input type="hidden" name="test" value="'Hello' "there"" />
<input type="submit" value="POST" />
</form>
now, if you are using magic_quotes_gpc, then all user input ($_POST, $_GET) basically has addslashes() run on it. this adds a slash to every single quote, double quote, backslash, and null byte. this means that when you submit the script above, it will produce the following:
Code:
Array ( [test] => \'Hello\' \"there\" )
this means that the input to this script has been sanitised. however, this is an unreliable sanitation because it relies on a server variable being set. without that variable being set, this script is vulnerable. that's bad. magic_quotes_gpc being on also means that you would need to use stripslashes() on anything you want to output to the browser. if you're not even using a database, this is completely unnecessary and is a waste of resources (even if the resource usage isn't very taxing). anyway, if you don't have magic_quotes_gpc on, you would just get plain text:
Code:
Array ( [test] => 'Hello' "there" )
this is where you might be asking yourself what exactly is bad about this? well, if you actually read through my last post, you should be able to piece it together. if not, I'll go through it again. it's all about A) SQL injection, and B) that someone entering a certain character can break your script altogether. how? take the following script for example (magic_quotes_gpc off):
PHP Code:
<?php
$sql = "SELECT * FROM users WHERE username='{$_POST['username']}' AND password='{$_POST['password']}'";
echo $sql;
?>
<form action="<?php echo __FILE__; ?>" method="post">
<input type="text" name="username" value="test" />
<input type="password" name="password" value="test" />
<input type="submit" value="POST" />
</form>
for a legitimate user, we can submit the script like normal. we will get the following query:
Code:
SELECT * FROM users WHERE username='test' AND password='test'
this is fine. right? right. a legitimate user can use this script to login, or do whatever, and everything will be fine. but what if he has a typo, and types his username as test' instead of test? our SQL changes:
Code:
SELECT * FROM users WHERE username='test'' AND password='test'
this will simply produce an error because our SQL is invalid. if errors are suppressed, then the user will just see something about not finding a username match, or whatever. that's kind of fine, too, but not ideal. now, what if an illegitimate user wants to gain access to this system? well, you're not escaping anything in this script. if the user types in the username as ' OR 1=1 # instead of test, then our SQL changes again:
Code:
SELECT * FROM users WHERE username='' OR 1=1 #' AND password='test'
this statement will always be true because either the username needs to be blank, or 1 needs to be equal to 1. 1 is, obviously, always equal to 1. the hash represents a comment, and the rest of the query is simply ignored at this point. this will let an illegitimate user log into your system. this is, for obvious reasons, bad.
so, how do we stop it? introducing the function I've been trying to teach you about for much longer than I think I should have needed to -- mysql_real_escape_string(). what does this function do? it's very similar to magic_quotes_gpc/addslashes(), in that it escapes special PHP characters. however, this function is made for MySQL specifically (meaning you need a MySQL connection in your script to even use it), and so it actually escapes some other MySQL specific characters, too. you can see the list here. now, what if we use this function to escape our variables in the previous script? "how to use" example:
PHP Code:
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
echo $sql;
?>
<form action="<?php echo __FILE__; ?>" method="post">
<input type="text" name="username" value="test" />
<input type="password" name="password" value="test" />
<input type="submit" value="POST" />
</form>
so, what has this done for us? let's see. if we submit the script as is (the legitimate user), we get this:
Code:
SELECT * FROM users WHERE username='test' AND password='test'
this will log the test user in. if our legitimate user makes a typo (test' instead of test), we get this:
Code:
SELECT * FROM users WHERE username='test\'' AND password='test'
this will be a valid query that returns a result set of 0. this is ideal. and what if we have an illegitimate user trying to break into our system? (' OR 1=1 # instead of test)
Code:
SELECT * FROM users WHERE username='\' OR 1=1 #' AND password='test'
so what does this do? well, the quote was escaped by the function, and thus MySQL is searching for a user that is actually named the string "' OR 1=1 #" -- this will most likely come up as a result set of 0. an illegitimate user can no longer break into your system.
so that's it. that's how you use the function, and why you might need to use the function. having magic_quotes_gpc turned off in the future does NOT automatically make you safe. actually, it makes you more vulnerable than if you had it on. that doesn't mean you should have it on, though; it just means that you should be aware of the way your scripts might be exploited so that you can prevent it.
if you get into object oriented programming in PHP, you might run into either PDO or MySQLi, which are object based database handlers. they both support prepared statements that do not require you to use mysql_real_escape_string(). if you're having this much trouble with this function, though, you do not want to start poking your head in that direction yet.
if you don't understand at this point, I simply give up.
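The same login check rewritten with prepared statements, as an added example that is not part of kows's post: PDO binds the username as a parameter, so the ' OR 1=1 # string is compared as a literal username, and the password is verified against a stored hash rather than spliced into the query. It assumes an in-memory SQLite database in place of MySQL so it runs offline; with MySQL only the DSN line changes.

```php
<?php
// Added example (not kows's code): the thread's login check using PDO prepared
// statements, so user input is never inserted into the SQL text.
// Assumption: an in-memory SQLite database stands in for MySQL so the script
// runs offline; for MySQL only the DSN in connect() would change.

declare(strict_types=1);

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Store a password hash, never the plaintext (kows: "hash your $password variable").
function registerUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Look the user up by username only; the password is checked in PHP against the hash.
// The bound :u parameter is data, so quotes or a trailing # in it cannot alter the query.
function authenticate(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;            // unknown user: no row, no login
    }
    return password_verify($password, $row['password']);
}

$db = connect();
registerUser($db, 'test', 'test');

// Constructed inputs mirroring the thread: a legitimate login, the typo case,
// and the ' OR 1=1 # string. Only the first attempt is accepted; the injection
// string is just a username that does not exist.
$attempts = [
    ['test',       'test'],
    ["test'",      'test'],
    ["' OR 1=1 #", 'test'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-12s => %s\n", $u, authenticate($db, $u, $p) ? 'logged in' : 'rejected');
}
```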
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
PHP Code:
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
echo $sql;
?>
<form action="<?php echo __FILE__; ?>" method="post">
<input type="text" name="username" value="test" />
<input type="password" name="password" value="test" />
<input type="submit" value="POST" />
</form>
From comparing your before and after mysql_real_escape_string codes the only difference I can see is that to the second code you added:
PHP Code:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
I added the above lines to my code whenever I inserted, selected, updated or deleted data. I modified the code as needed to suit the different variables I was using but the majority of the code remained the same. This is some of the code I used:
PHP Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values ('$username','$password')";
I hope I understood correctly this time.
-
Re: Re-designing a flash site in (x)html
yes, the code will basically remain the same. you're just storing sanitised versions of user input rather than raw user input; this makes them safe. that is, literally, all you needed to do!
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
yes, the code will basically remain the same. you're just storing sanitised versions of user input rather than raw user input; this makes them safe. that is, literally, all you needed to do!
Although, I haven't been noticing any difference when the user accidentally enters the wrong data. I think this might be because I was testing on a flash site where validation was used from flash code to check the user details were correct before sending them to the php script.
Edit:
Also, do I need to add real escape to the post strings of a mail form?
PHP Code:
<?php
sendTo = "myemail";
$subject = . $_POST["uSubject"];
$message = "Customers name: " . $_POST["Username"] ."\n\r"
."Customers email:" . $_POST["uEmail"] . "\n\r"
."Customers address:" . $_POST["uAddress"] . "\n\r" ;
$header = "From: flash application";
mail($sendTo, $subject, $message, $header);
?>
-
Re: Re-designing a flash site in (x)html
no. you don't need to escape things for email. mysql_real_escape_string() is just to prevent SQL injection for MySQL.
-
Re: Re-designing a flash site in (x)html
Email headers (To, From, Subject) must be sanitised but the email body can be left as is.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
no. you don't need to escape things for email. mysql_real_escape_string() is just to prevent SQL injection for MySQL.
Ah ok!
Quote:
Originally Posted by
penagate
Email headers (To, From, Subject) must be sanitised but the email body can be left as is.
I am confused as to why you say that when kows says otherwise?
-
Re: Re-designing a flash site in (x)html
What if someone posts a subject which contains the string \r\nTo:someoneelse?
At the very least, strip newline characters out of the header fields.
-
Re: Re-designing a flash site in (x)html
penagate is right. I was really just referring to using mysql_real_escape_string for it.
-
Re: Re-designing a flash site in (x)html
PHP Code:
<?php
sendTo = "myemail";
$subject =mysql_real_escape_string (. $_POST["uSubject"]);
$message = "Customers name: " mysql_real_escape_string (. $_POST["Username"])."\n\r"
."Customers email:" mysql_real_escape_string(. $_POST["uEmail"]) . "\n\r"
."Customers address:" mysql_real_escape_string(. $_POST["uAddress"]) . "\n\r" ;
$header = "From: flash application";
mail($sendTo, $subject, $message, $header);
?>
I hope that is the correct way to write the code!
Edit:
For some reason the php seems to be closing after I include the real escape string. Before I added the real escape string the code was working perfectly but now it's not. I checked the errors.txt and it says:
Quote:
[14-Oct-2009 20:18:59] PHP Fatal error: Call to undefined function: mysql_real_escape_string() in c:\phpdev\www\flash\dynamicwebsite\createbazaarceramics.php on line 42
The error is the same for all the php files!
Edit:
Found the answer:
I was testing my code using php 4.2.3; guess I should stick to WAMPServer or wait for the full release of phpdev 5.
-
Re: Re-designing a flash site in (x)html
you also can't use mysql_real_escape_string() unless you have a valid mysql connection. you should probably just use addslashes() or create your own function to strip new line characters (\r and \n).
make sure you're concatenating strings correctly, too. in whatever example you posted, you weren't doing it correctly:
PHP Code:
//right:
$var = "some text" . function($var) . "concatenation";
//wrong (parse error):
$var = "some text" function(. $var) . "concatenation";
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
you should probably just use addslashes()
-.-_-.-
Quote:
Originally Posted by kows
Quote:
Originally Posted by penagate
Rule of thumb: If you're using addslashes and stripslashes, you probably shouldn't be.
Is it a different context that makes it recommendable here? (Asking to learn.)
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
you also can't use mysql_real_escape_string() unless you have a valid mysql connection. you should probably just use addslashes() or create your own function to strip new line characters (\r and \n).
make sure you're concatenating strings correctly, too. in whatever example you posted, you weren't doing it correctly:
PHP Code:
//right:
$var = "some text" . function($var) . "concatenation";
//wrong (parse error):
$var = "some text" function(. $var) . "concatenation";
Ah ok, I am not sure why the "." was in the original code anyway. However, is there any reason to have the real escape string in there since it is not sending the information to a database?
I will see if the rest of the code works on the computers at school in reference to the quote below:
Quote:
For some reason the php seems to closing after I include the real escape string. Before I added the real escape string the code was working perfectly but now its not.
I'm pretty sure that it is a software problem because it seems to take forever to connect to localhost.
-
Re: Re-designing a flash site in (x)html
this is one of the only situations I would ever suggest using addslashes()! but yes, it's just the context. you need to escape new line characters. you can either do it manually with a replace, or just use addslashes. I'm not sure there would be any easier way to do it.
-
Re: Re-designing a flash site in (x)html
addslashes will not touch newline characters and furthermore the slash-to-escape notation isn't supported in email headers.
Just use str_replace.
-
Re: Re-designing a flash site in (x)html
I have solved the problem of why my code wasn't working as stated in post #29. The problem is that the "mysql_real_escape_string" is interfering with my code and not allowing it to execute. Is there any way around it? If not I won't add the "mysql_real_escape_string" to my code. I came across the solution while trying to solve the "Waiting for localhost" problem.
-
Re: Re-designing a flash site in (x)html
Like kows said, mysql_real_escape_string() cannot be used without connecting to a MySQL database first. It's not really appropriate for use in your code on post #29, because you're not dealing with database input. Do like penagate said and use str_replace to get rid of newline characters.
Code:
$newLines = array("\r\n", "\n", "\r");
$subject = str_replace($newLines,"",$_POST["uSubject"]);
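Applying the str_replace approach to every header field of the thread's mail form, as an added example that is neither SambaNeko's nor penagate's code: line-break characters are stripped from the subject, the customer address used in Reply-To and the recipient, the address is validated, and the body is left alone because line breaks there are harmless. Field names (uSubject, uEmail, Username, uAddress) follow the form posted earlier in the thread; the recipient address is a constructed placeholder.

```php
<?php
// Added example (not from the thread): building mail() arguments from form
// input so that CR/LF in a field cannot start an extra header line such as
// "To: someoneelse" (penagate's example payload).
// Assumption: POST field names follow the thread's flash form.

declare(strict_types=1);

// Remove every line-break character (and NUL) from a value destined for a header.
function headerSafe(string $value): string {
    return str_replace(["\r\n", "\n", "\r", "\0"], '', $value);
}

// Returns [to, subject, message, headers]; throws if the customer email is not an address.
function buildMail(array $post, string $sendTo): array {
    $subject = headerSafe($post['uSubject'] ?? '');
    $email   = headerSafe($post['uEmail'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid customer email');
    }
    $name = headerSafe($post['Username'] ?? '');
    // The body is not a header, so line breaks in the address are kept as typed.
    $message = "Customer's name: {$name}\n"
             . "Customer's email: {$email}\n"
             . "Customer's address: " . ($post['uAddress'] ?? '') . "\n";
    $headers = "From: flash application\r\nReply-To: {$email}";
    return [headerSafe($sendTo), $subject, $message, $headers];
}

// Constructed input: the subject carries penagate's "\r\nTo:" payload.
$post = [
    'uSubject' => "Order query\r\nTo: someoneelse@example.com",
    'uEmail'   => 'customer@example.com',
    'Username' => 'Nightwalker',
    'uAddress' => "1 Example St\nSomewhere",
];
[$to, $subject, $message, $headers] = buildMail($post, 'orders@example.com');
// After headerSafe() the subject is a single line: the injected "To:" text is
// now just part of the subject, not a header of its own.
echo "Subject: {$subject}\n";
echo "Headers:\n{$headers}\n";
// mail($to, $subject, $message, $headers);   // call on a host with mail configured
```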
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
SambaNeko
Like kows said, mysql_real_escape_string() cannot be used without connecting to a MySQL database first. It's not really appropriate for use in your code on post #29, because you're not dealing with database input. Do like penagate said and use str_replace to get rid of newline characters.
Code:
$newLines = array("\r\n", "\n", "\r");
$subject = str_replace($newLines,"",$_POST["uSubject"]);
Thanks for that! However, I have been running into trouble with the "mysql_escape_string". It seems to be interfering with my php code, stopping it from working.
Quote:
Originally Posted by
Nightwalker83
The data now gets submitted to the database! In some scripts I had a double up of the same variables possibly because of adding the "mysql_escape string" to the code.
The above quote refers to the fact that I had to remove the "mysql_escape_string" code to get the scripts working.
Edit:
I don't understand why the commented out part doesn't insert the variable into the database?
PHP Code:
//insert data into tables
//$username = mysql_real_escape_string($_POST['Aaron']);
//$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values ('Aaron','Aaron')";
However, if I type the data straight into the values section it works. So if I use:
PHP Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values (' $username', '$password')";
It just puts blank fields in the users table! However, if I do:
PHP Code:
$insert = "insert into users (username, password) values ('Aaron','Aaron')";
It inserts the data into the created fields.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
Nightwalker83
Thanks for that! However, I have been running into trouble with the "mysql_escape_string". It seems to be interfering with my php code, stopping it from working.
The above quote refers to the fact that I had to remove the "mysql_escape_string" code to get the scripts working.
What do you mean by "not working"? Do you get an error, does it not save it? Please elaborate. :wave:
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
visualAd
What do you mean by "not working"? Do you get an error, does it not save it? Please elaborate. :wave:
I've edited the above post #37!
-
Re: Re-designing a flash site in (x)html
Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values (' $username', '$password')";
My assumption would be that you haven't connected to a database, mysql_real_escape_string() is failing as a result, and - intentionally or not - you have the error message suppressed. This causes $insert to resolve to "insert into users (username, password) values ('','')". As has been repeated here, you must connect to a MySQL database before using mysql_real_escape_string().
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
SambaNeko
Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values (' $username', '$password')";
My assumption would be that you haven't connected to a database, mysql_real_escape_string() is failing as a result, and - intentionally or not - you have the error message suppressed. This causes $insert to resolve to "insert into users (username, password) values ('','')". As has been repeated here, you must connect to a MySQL database before using mysql_real_escape_string().
I do connect to the database, I'm not that stupid. Here is the full code including the above sample.
PHP Code:
<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";
//connect to db
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}
//create database
$query = "CREATE DATABASE IF NOT EXISTS BazaarCeramics";
if (mysql_query($query, $conn)) {
echo ("Database create query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
//select database
if (mysql_select_db($dbDatabase, $conn)) {
echo ("Database selection successful!");
}else {
die ("Could not locate test database" .mysql_error());
}
//create tables
$query = "CREATE TABLE IF NOT EXISTS users
(username varchar(40) not null primary key,
password varchar(20))";
if (mysql_query($query, $conn)) {
echo ("Table users query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
$query = "CREATE TABLE IF NOT EXISTS products
(productid varchar(20) not null primary key,
pPrice decimal (8,2), pImagePath varchar(100), pImageType varchar(100))";
if (mysql_query($query, $conn)) {
echo ("Database products query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
//insert data into tables
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values ('$username','$password')";
if (mysql_query($insert, $conn)) {
echo ("Insert query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
?>
-
Re: Re-designing a flash site in (x)html
Yup, your complete code works just fine for me... so another stupid question for you: is there actually any POST data being submitted? Does $_POST['Aaron'] have anything in it?
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
SambaNeko
Yup, your complete code works just fine for me... so another stupid question for you: is there actually any POST data being submitted? Does $_POST['Aaron'] have anything in it?
Seeing as the data is being inserted via the script rather than a form I doubt I need the "real_escape_string"?
Although, below is some code for user registration:
PHP Code:
<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";
//convert the POST variables from flash to local variables
$cid = mysql_real_escape_string($_POST['cid']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$snum = mysql_real_escape_string($_POST['snum']);
$sname = mysql_real_escape_string($_POST['sname']);
$suburb = mysql_real_escape_string($_POST['suburb']);
$pcode = mysql_real_escape_string($_POST['pcode']);
$country = mysql_real_escape_string($_POST['country']);
$phone = mysql_real_escape_string($_POST['phone']);
$email = mysql_real_escape_string($_POST['email']);
$user = mysql_real_escape_string($_POST['user']);
$password = mysql_real_escape_string($_POST['upassword']);
//connect to server or exit
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}
//create database
$query = "CREATE DATABASE IF NOT EXISTS BazaarCeramics";
if (mysql_query($query, $conn)) {
echo ("Database create query successful");
}
//select database
if (mysql_select_db($dbDatabase, $conn)) {
echo ("Database selection successful");
}else {
die ("Could not locate BazaarCeramics database" .mysql_error());
}
//create tables
$query = "CREATE TABLE IF NOT EXISTS customers (
cid int(2) NOT NULL auto_increment,
FName varchar(30) default NULL,
LName varchar(30) default NULL,
Email varchar(50) default NULL,
Streetname varchar(20) default NULL,
Housenum char(3) default NULL,
Suburb varchar(20) default NULL,
Postcode varchar(6) default NULL,
Country varchar(20) default NULL,
Phone varchar(10) default NULL,
Username varchar(10) default NULL,
Password varchar(8) default NULL,
PRIMARY KEY (cid)
) TYPE=MyISAM";
if (mysql_query($query, $conn)) {
echo ("table users query successful");
}else {
//connect to database or exit
if (!(mysql_select_db($dbDatabase, $conn))){
echo '&message=db+selection+failed&';
exit;
}
}
// Make sure the data has been sent to the script from flash
if($cid==""){
echo '&message=you+must+enter+customer+record&';
exit;
}
//send mysql a query to select records from the customers table where the id's match. If the query fails exit
if (!($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))){
echo '&message=query+failed&';
exit;
}
//Retrieve the number of rows (records)that have been returned from above query
$num_results = mysql_num_rows($result);
if($num_results <= 0) {//customer does not exist so insert
$query = "INSERT INTO customers (cid, FName, LName, Housenum, Streetname, Suburb, Postcode, Country, Phone, Email, Username, Password)
VALUES ('$cid','$fname', '$lname', '$snum', '$sname','$suburb','$pcode','$country','$phone','$email','$user','$password')";
if (mysql_query($query , $conn))
echo "&message=the+customer+'$fname'+'$lname'+has+been+successfully+added&"; // use the lower-case variables assigned above
else
echo '&message=the+insert+was+not+successful&';
}else { //customer exists so update existing customer
$update = "update customers set FName='$fname', LName='$lname' where cid='$cid'"; // columns separated by commas; key column is cid
if(mysql_query($update, $conn))
echo "&message=the+details+have+been+updated&";
else
echo "&message=update+not+successful&";
}
?>
The above code requires the user to submit a form before posting the info to the database. With the "mysql_escape_string" included the only thing that happens is the "customer" table is added, no data or fields.
-
Re: Re-designing a flash site in (x)html
Quote:
Seeing as the data is being inserted via the script rather than a form I doubt I need the "real_escape_string"?
If your data is coming from $_POST, then yes, you most definitely need to use mysql_real_escape_string() on it.
You didn't really answer the question if $_POST['Aaron'] had anything in it... but as for this new code you've posted, the problem is here:
Code:
//convert the POST variables from flash to local variables
$cid = mysql_real_escape_string($_POST['cid']);
$fname = mysql_real_escape_string($_POST['fname']);
// ... etc. ...
//connect to server or exit
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}
You don't connect to the database until after you've used mysql_real_escape_string(). Move the connection above the block of variable assignment.
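The ordering bug above is worth seeing beside the form a practitioner would use today. The following is an added example, not code from this thread: the same users insert written with mysqli prepared statements, which became the replacement for the old mysql_* functions (removed in PHP 7). It assumes PHP 7 or later, MySQL on localhost, the BazaarCeramics database, a users table whose password column has been widened to varchar(255) to hold a hash, and a hypothetical application account 'bazaar' with password 's3cret' in place of root with an empty password.

```php
<?php
// Added example, not code from the thread. The users insert rewritten with
// mysqli prepared statements (PHP 7+). Assumed: MySQL on localhost, database
// BazaarCeramics, a users table whose password column is varchar(255), and a
// hypothetical application account 'bazaar'/'s3cret' instead of root/"".

// Report every mysqli failure as an exception instead of a silent false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_connect(): mysqli
{
    // Connect before anything else touches MySQL. With mysqli the escaping
    // function takes the connection as its first argument, so the
    // "escape before connect" mistake from the thread cannot be written.
    $conn = new mysqli('localhost', 'bazaar', 's3cret', 'BazaarCeramics');
    $conn->set_charset('utf8mb4');
    return $conn;
}

// Insert a user. The ? placeholders are sent to MySQL separately from the
// SQL text, so a username such as  ' OR '1'='1  is stored as that literal
// string and never becomes part of the statement.
function add_user(mysqli $conn, string $username, string $password): bool
{
    $username = trim($username);
    if ($username === '' || $password === '') {
        throw new InvalidArgumentException('username and password are required');
    }
    // Store a salted hash, never the plaintext password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $conn->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Check a login against the stored hash; the comparison happens in PHP,
// not in the WHERE clause, so the password never reaches the SQL text.
function check_login(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found && password_verify($password, $storedHash);
}

// Usage with the field names the form actually posts (the thread's
// $_POST['Aaron'] used the submitted value as the field name).
$conn = db_connect();
add_user($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo check_login($conn, $_POST['username'] ?? '', $_POST['password'] ?? '')
    ? 'login ok' : 'login failed';
```

Two points for anyone debugging the thread's symptom: MYSQLI_REPORT_STRICT turns a failed connection or a bad statement into an exception, whereas the `@mysql_connect(...)` in the posted scripts suppresses exactly the warning that would have explained the empty `('','')` insert; and with a prepared statement there is no escaping step at all, so there is nothing that can fail quietly and leave an empty string in the query.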
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
SambaNeko
If your data is coming from $_POST, then yes, you most definitely need to use mysql_real_escape_string() on it.
You didn't really answer the question if $_POST['Aaron'] had anything in it...
"Aaron" was the data being inserted not the name of a field inside the table. So how should I write it for data instead of a field?
Quote:
You don't connect to the database until after you've used mysql_real_escape_string(). Move the connection above the block of variable assignment.
I just tried it the way you say to do it but the same problem occurs for some reason it is blocking the script from running.
Edit:
As stated previously, this is what I have the "php.ini" file:
Quote:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
-
Re: Re-designing a flash site in (x)html
if "Aaron" was the text being submitted, and not the field name, why on earth were you doing this?
PHP Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
if $_POST['Aaron'] is empty, this will do nothing. try $_POST['username'] and $_POST['password'], or whatever you use as an equivalent, instead.
oh, and as previously stated many times, you must have a database connection before you can call mysql_real_escape_string(). the easiest way to ensure this is to make the first thing your script does is connect to a database.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
if "Aaron" was the text being submitted, and not the field name, why on earth were you doing this?
PHP Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
if $_POST['Aaron'] is empty, this will do
nothing. try $_POST['username'] and $_POST['password'], or whatever you use as an equivalent, instead.
I have already tried as you suggest but nothing happens! I think I got confused between the "post" and "insert" because there is an insert statement.
Normal method of adding the data via script without user input:
PHP Code:
$insert = "insert into users (username, password) values ('Aaron','Aaron')";
-
Re: Re-designing a flash site in (x)html
Read this: http://www.php.net/forms
Look specifically at the part that relates to POST and GET arrays and make sure you actually read it. Secondly, turn on error reporting to the maximum level and tell us what you get. To do this, add the following line to the top of your script:
PHP Code:
error_reporting(E_ALL);
As everyone is trying to say, you probably aren't submitting the form, which is why all your variables are empty.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
visualAd
As everyone is trying to say, you probably aren't submitting the form, which is why all your variables are empty.
The scripts are the scripts which I am accessing via flash and they work perfectly without the "mysql_real_escape_string". As I have stated before, I add the string and the whole thing stops. Yes, I have even changed my scripts so that the connection to the database and the table creation happens before the variables are called.
Also with the error log, where is it supposed to be? In the same directory as the php files? If that is the case I'm not getting any errors because there is no log.
-
Re: Re-designing a flash site in (x)html
Have you set error reporting as described in my previous post?
-
Re: Re-designing a flash site in (x)html
I have emailed my project with the scripts to my lecturer to see if he can figure out why it is not working. I should be able to get a response from him by Tuesday.
Edit:
Quote:
Originally Posted by
visualAd
Have you set error reporting as described in my previous post?
Yes,
PHP Code:
<?php
error_reporting(E_ALL);
code
?>
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
Nightwalker83
I have emailed my project with the scripts to my lecturer to see if he can figure out why it is not working. I should be able to get a response from him by Tuesday.
Edit:
Yes,
PHP Code:
<?php
error_reporting(E_ALL);
code
?>
Have you also checked your PHP.ini to ensure that display_errors = on? If you do these, you will be able to see all errors and warnings. Can you also post the HTML you are using to submit the script?
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
visualAd
Have you also checked your PHP.ini to ensure that display_errors = on? If you do these, you will be able to see all errors and warnings. Can you also post the HTML you are using to submit the script?
Both "Display Errors" and "Log Errors to output file" are "on"! With the php at the moment I am accessing it via flash could that be the problem? As stated before the scripts I am using are part of my flash site.
-
Re: Re-designing a flash site in (x)html
can you just post this entire script so that we can see all of your revisions? just this one that you're having problems with. not anything else. if your variables are set at the beginning of the script, and then become empty later on, then you are doing something out of sequence.
to ensure your form is submitting, at the beginning of your script, type out:
if these variables are all set at the beginning of the script, then something you are doing is messing it up (whether you're calling mysql_real_escape_string() before a database connection is established or something else entirely, but that's the only thing I can think of since you keep saying the variables are only empty after trying to use that function). so, post the entire script in its current form so that I don't need to keep guessing.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
can you just post this entire script so that we can see all of your revisions? just this one that you're having problems with. not anything else.
The problem is with all the scripts, that's why I emailed the project to my lecturer and asked him to have a look at it. I am not sure if flash would react differently to the "mysql_real_escape_string" than if I were using html to send/receive the variables?
-
Re: Re-designing a flash site in (x)html
but you're not sending those variables to flash, you're receiving them from flash. and flash knows how to send a post request just fine; flash has nothing to do with anything. the script is the problem, and if you would like help then I suggest you just post the script you're talking about.
we can't help you if you won't show us. the problem is obvious -- your variables are empty after you've used mysql_real_escape_string() on them. mysql_real_escape_string() will never just empty your string, so you're probably just doing something in the wrong order (calling mysql_real_escape_string() before mysql_connect(), for example), or you have some kind of typo. but I've yet to see the rest of the script you're working with, and the script you posted above with the table creation query has already shown to have that same problem.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
we can't help you if you won't show us. the problem is obvious -- your variables are empty after you've used mysql_real_escape_string() on them.
What I don't understand is why it is working without the "mysql_real_escape_string()" but not when the string is included, as shown in the data submission script dated "Yesterday 01:08 PM". All I did to the original script was add the "mysql_real_escape_string()", that is all.
Edit:
So the original code would be:
PHP Code:
$cid = $_POST['cid'];
You can see the difference between that and the code in post #43. The scripts in posts #41 and #43 are the two main scripts for the website; the other scripts just use the same code mentioned above to insert/modify database data at different times for the website.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
Nightwalker83
What I don't understand is why is it working without the "mysql_real_escape_string()" but not when the string is included
You need to turn error reporting to its maximum level, as I have already stated. If you are sending the data via a flash script (which does not send post variables any differently from using HTML), then in order to see the errors, you need to create a small HTML page to submit some dummy data. Or you need to set log_errors to true and the error_log to a file to have them logged to a file in addition to setting error_reporting to E_ALL.
Once you have done this, you need to check the errors / error log every time you execute a script. You should take special note of warnings and get rid of all notices which are usually caused if a variable is undefined.
Quote:
Originally Posted by
Nightwalker83
Edit:
So the original code would be:
PHP Code:
$cid = $_POST['cid'];
as shown in the data submission script dated "Yesterday 01:08 PM". All I did to the original script was add the "mysql_real_escape_string()" that is all.
You are using the mysql_real_escape_string() function before you are connecting to the database. You have already been told this several times.
Quote:
Originally Posted by
Nightwalker83
You can see the difference between that and the code in post #43. The scripts in posts #41 and #43 are the two main scripts for the website the other scripts just use the same code mentioned above to insert/modify database data at different times on for the website.
I think I can speak for everyone in saying that we would rather you took the time to post the entire script as it exists at the moment. And the code for the HTML page you are going to create to submit the dummy data.
-
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
visualAd
I think I can speak for everyone in saying that we would rather you took the time to post the entire script as it exists at the moment. And the code for the HTML page you are going to create to submit the dummy data.
Here is the modified script from post #43:
PHP Code:
<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";
//connect to server or exit
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}
//create database
$query = "CREATE DATABASE IF NOT EXISTS BazaarCeramics";
if (mysql_query($query, $conn)) {
echo ("Database create query successful");
}
//select database
if (mysql_select_db($dbDatabase, $conn)) {
echo ("Database selection successful");
}else {
die ("Could not locate BazaarCeramics database" .mysql_error());
}
//create tables
$query = "CREATE TABLE IF NOT EXISTS customers (
cid int(2) NOT NULL auto_increment,
FName varchar(30) default NULL,
LName varchar(30) default NULL,
Email varchar(50) default NULL,
Streetname varchar(20) default NULL,
Housenum char(3) default NULL,
Suburb varchar(20) default NULL,
Postcode varchar(6) default NULL,
Country varchar(20) default NULL,
Phone varchar(10) default NULL,
Username varchar(10) default NULL,
Password varchar(8) default NULL,
PRIMARY KEY (cid)
) TYPE=MyISAM";
if (mysql_query($query, $conn)) {
echo ("table users query successful");
}else {
//connect to database or exit
if (!(mysql_select_db($dbDatabase, $conn))){
echo '&message=db+selection+failed&';
exit;
}
}
//convert the POST variables from flash to local variables
$cid = mysql_real_escape_string($_POST['cid']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$snum = mysql_real_escape_string($_POST['snum']);
$sname = mysql_real_escape_string($_POST['sname']);
$suburb = mysql_real_escape_string($_POST['suburb']);
$pcode = mysql_real_escape_string($_POST['pcode']);
$country = mysql_real_escape_string($_POST['country']);
$phone = mysql_real_escape_string($_POST['phone']);
$email = mysql_real_escape_string($_POST['email']);
$user = mysql_real_escape_string($_POST['user']);
$password = mysql_real_escape_string($_POST['upassword']);
// Make sure the data has been sent to the script from flash
if($cid==""){
echo '&message=you+must+enter+customer+record&';
exit;
}
//send mysql a query to select records from the customers table where the id's match. If the query fails exit
if (!($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))){
echo '&message=query+failed&';
exit;
}
//Retrieve the number of rows (records)that have been returned from above query
$num_results = mysql_num_rows($result);
if($num_results <= 0) {//customer does not exist so insert
$query = "INSERT INTO customers (cid, FName, LName, Housenum, Streetname, Suburb, Postcode, Country, Phone, Email, Username, Password)
VALUES ('$cid','$fname', '$lname', '$snum', '$sname','$suburb','$pcode','$country','$phone','$email','$user','$password')";
if (mysql_query($query , $conn))
echo "&message=the+customer+'$fname'+'$lname'+has+been+successfully+added&"; // use the lower-case variables assigned above
else
echo '&message=the+insert+was+not+successful&';
}else { //customer exists so update existing customer
$update = "update customers set FName='$fname', LName='$lname' where cid='$cid'"; // columns separated by commas; key column is cid
if(mysql_query($update, $conn))
echo "&message=the+details+have+been+updated&";
else
echo "&message=update+not+successful&";
}
?>
I'll just leave the script from post #41 as is since it is containing the data within the script rather than via user input.
Edit:
Putting the "real_escape_string" variables after all the connections (ie server, database and table) worked whereas before I was putting them after only the server connection. :o
Quote:
Originally Posted by
SambaNeko
Like kows said, mysql_real_escape_string() cannot be used without connecting to a MySQL database first. It's not really appropriate for use in your code on post #29, because you're not dealing with database input. Do like penagate said and use str_replace to get rid of newline characters.
Code:
$newLines = array("\r\n", "\n", "\r");
$subject = str_replace($newLines,"",$_POST["uSubject"]);
Would I add the "str_replace" to the subject box only, or to the "To", "From", "Body", etc. boxes as well?
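The newline stripping recommended earlier for the subject, and the question here about the other fields, come down to one rule: every value that ends up in a mail header needs it, because a CR/LF inside a header lets the sender append headers of their own (an extra Bcc: recipient, a second From:, or a blank line that starts a new body). The body is the exception, since line breaks are legitimate there. The following is an added example and not code from the thread; `uSubject` is the thread's field name, while `uTo`, `uFrom` and `uBody` are assumed names for the other form fields.

```php
<?php
// Added example, not code from the thread. Strip line breaks from every
// value that becomes a mail *header*; the body keeps its newlines.
// Field names uTo, uFrom and uBody are assumptions; uSubject is from the thread.

// Remove CR, LF and NUL from a single header value (the thread's str_replace
// idea, extended with "\0", which some mail transports also mishandle).
function mail_header_value(string $value): string
{
    return str_replace(["\r\n", "\r", "\n", "\0"], '', $value);
}

// Addresses get validated rather than merely cleaned: a header like
// "To: a@example.com, b@example.com" is also a way to add recipients.
function mail_address(string $value): string
{
    $clean = mail_header_value(trim($value));
    if (filter_var($clean, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $clean;
}

// Build the four mail() arguments from untrusted form fields.
function build_mail(array $post): array
{
    $to      = mail_address($post['uTo'] ?? '');
    $from    = mail_address($post['uFrom'] ?? '');
    $subject = mail_header_value($post['uSubject'] ?? '');
    // Body: newlines are allowed; normalise them and cap the size.
    $body    = substr(str_replace("\r\n", "\n", $post['uBody'] ?? ''), 0, 10000);
    // Additional headers are joined with CRLF by us, never by the user.
    $headers = "From: $from\r\nReply-To: $from\r\nX-Mailer: PHP/" . PHP_VERSION;
    return [$to, $subject, $body, $headers];
}

// Constructed attacker input: the subject tries to smuggle a Bcc header.
$post = [
    'uTo'      => 'orders@example.com',
    'uFrom'    => 'customer@example.org',
    'uSubject' => "Order query\r\nBcc: spam-target@example.net",
    'uBody'    => "Hello,\r\nis the blue vase in stock?\r\n",
];
[$to, $subject, $body, $headers] = build_mail($post);
// $subject is now "Order queryBcc: spam-target@example.net": a single header
// line, so the injected Bcc is inert text instead of a second recipient.
// mail($to, $subject, $body, $headers);
```

Stripping follows the thread's advice and keeps the form usable; the stricter choice, which many practitioners prefer, is to reject any header value that contains a line break outright, since a legitimate subject never has one. Either way the rule is the same for "To", "From", "Subject" and any other header, and only "Body" is exempt.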