[RESOLVED] Re-designing a flash site in (x)html

[Nightwalker83]

Code:

$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values (' $username', '$password')";

My assumption would be that you haven't connected to a database, mysql_real_escape_string() is failing as a result, and - intentionally or not - you have the error message suppressed. This causes $insert to resolve to "insert into users (username, password) values ('','')". As has been repeated here, you must connect to a MySQL database before using mysql_real_escape_string().

I do connect to the database I not that stupid here is the full code including the above sample.

PHP Code:

<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";

//connect to db
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}

//create database
$query = "CREATE DATABASE IF NOT EXISTS BazaarCeramics";
if (mysql_query($query, $conn)) {
echo ("Database create query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
//select database
if (mysql_select_db($dbDatabase, $conn)) {
echo ("Database selection successful!");
}else {
die ("Could not locate test database" .mysql_error());
}
//create tables
$query = "CREATE TABLE IF NOT EXISTS users
(username varchar(40) not null primary key,
password varchar(20))";
if (mysql_query($query, $conn)) {
echo ("Table users query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
$query = "CREATE TABLE IF NOT EXISTS products
(productid varchar(20) not null primary key,
pPrice decimal (8,2), pImagePath varchar(100), pImageType varchar(100))";
if (mysql_query($query, $conn)) {
echo ("Database products query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
//insert data into tables
  $username = mysql_real_escape_string($_POST['Aaron']);
  $password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values ('$username','$password')"; 
if (mysql_query($insert, $conn)) {
echo ("Insert query successful!");
}else {
die ("Database query failed: " .mysql_error());
}
?>

[SambaNeko]

Yup, your complete code works just fine for me... so another stupid question for you: is there actually any POST data being submitted? Does $_POST['Aaron'] have anything in it?

[Nightwalker83]

Yup, your complete code works just fine for me... so another stupid question for you: is there actually any POST data being submitted? Does $_POST['Aaron'] have anything in it?

Seeing as the data is being inserted via the script rather than a form I doubt I need the "real_escape_string"?

Although, below is some code for user registration:

PHP Code:

<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";

//convert the POST variables from flash to local variables
$cid = mysql_real_escape_string($_POST['cid']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$snum = mysql_real_escape_string($_POST['snum']);
$sname = mysql_real_escape_string($_POST['sname']);
$suburb = mysql_real_escape_string($_POST['suburb']);
$pcode = mysql_real_escape_string($_POST['pcode']);
$country = mysql_real_escape_string($_POST['country']);
$phone = mysql_real_escape_string($_POST['phone']);
$email = mysql_real_escape_string($_POST['email']);
$user = mysql_real_escape_string($_POST['user']);
$password = mysql_real_escape_string($_POST['upassword']);

//connect to server or exit
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}

//create database
$query = "CREATE DATABASE IF NOT EXISTS BazaarCeramics";
if (mysql_query($query, $conn)) {
echo ("Database create query successful");
}
//select database
if (mysql_select_db($dbDatabase, $conn)) {
echo ("Database selection successful");
}else {
die ("Could not locate BazaarCeramics database" .mysql_error());
}
//create tables
$query = "CREATE TABLE IF NOT EXISTS customers (
  cid int(2) NOT NULL auto_increment,
  FName varchar(30) default NULL,
  LName varchar(30) default NULL,
  Email varchar(50) default NULL,
  Streetname varchar(20) default NULL,
  Housenum char(3) default NULL,
  Suburb varchar(20) default NULL,
  Postcode varchar(6) default NULL,
  Country varchar(20) default NULL,
  Phone varchar(10) default NULL,
  Username varchar(10) default NULL,
  Password varchar(8) default NULL,
  PRIMARY KEY  (cid)
) TYPE=MyISAM";


if (mysql_query($query, $conn)) {
echo ("table users query successful");
}else {
//connect to database or exit
if (!(mysql_select_db($dbDatabase, $conn))){
echo '&message=db+selection+failed&';
exit;
}
}

// Make sure the data has been sent to the script from flash
if($cid==""){
echo '&message=you+must+enter+customer+record&';
exit;
}

//send mysql a query to select records from the products table where the id's match. If the query fails exit
if (!($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))){
echo '&message=query+failed&';
exit;
}
//Retrieve the number of rows (records)that have been returned from above query
$num_results = mysql_num_rows($result);
if($num_results <= 0) {//customer does not exist so insert 
$query = "INSERT INTO customers (cid, FName, LName, Housenum,  Streetname, Suburb, Postcode, Country, Phone, Email, Username, Password) 
VALUES ('$cid','$fname', '$lname', '$snum', '$sname','$suburb','$pcode','$country','$phone','$email','$user','$password')";
if (mysql_query($query , $conn))
echo "&message=the+customer+'$FName'+'$LName'+has+been+successfully+added&";
else
echo '&message=the+insert+was+not+successful&';
}else { //customer exists so update existing customer
$update = "update customers set FName='$fname'; LName='$lname'; where customerid='$cid'";
if(mysql_query($update, $conn))
echo "&message=the+details+have+been+updated&";
else
echo "&message=update+not+successful&";
}
?>

The above code requires the user to submit a form before posting the info to the database. With the "mysql_escape_string" included the onlt thing that happens is the "customer" table is added no data or fields.

[SambaNeko]

Seeing as the data is being inserted via the script rather than a form I doubt I need the "real_escape_string"?

If your data is coming from $_POST, then yes, you most definitely need to use mysql_real_escape_string() on it.

You didn't really answer the question if $_POST['Aaron'] had anything in it... but as for this new code you've posted, the problem is here:

Code:

//convert the POST variables from flash to local variables
$cid = mysql_real_escape_string($_POST['cid']);
$fname = mysql_real_escape_string($_POST['fname']);
// ... etc. ...

//connect to server or exit
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}

You don't connect to the database until after you've used mysql_real_escape_string(). Move the connection above the block of variable assignment.

[Nightwalker83]

If your data is coming from $_POST, then yes, you most definitely need to use mysql_real_escape_string() on it.

You didn't really answer the question if $_POST['Aaron'] had anything in it...

"Aaron" was the data being inserted not the name of a field inside the table. So how should I write it for data instead of a field?

You don't connect to the database until after you've used mysql_real_escape_string(). Move the connection above the block of variable assignment.

I just tried it the way you say to do it but the same problem occurs for some reason it is blocking the script from running.

Edit:

As stated previously, this is what I have the "php.ini" file:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

[kows]

if "Aaron" was the text being submitted, and not the field name, why on earth were you doing this?

PHP Code:

$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']); 


if $_POST['Aaron'] is empty, this will do nothing. try $_POST['username'] and $_POST['password'], or whatever you use as an equivalent, instead.

oh, and as previously stated many times, you must have a database connection before you can call mysql_real_escape_string(). the easiest way to ensure this is to make the first thing your script does is connect to a database.

[Nightwalker83]

if "Aaron" was the text being submitted, and not the field name, why on earth were you doing this?

PHP Code:

$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']); 


if $_POST['Aaron'] is empty, this will do nothing. try $_POST['username'] and $_POST['password'], or whatever you use as an equivalent, instead.

I have already tried as you suggest but nothing happens! I think I got confused between the "post" and "insert" because there is an insert statement.

Normal method of adding the data via script without user input:

PHP Code:

$insert = "insert into users (username, password) values ('Aaron','Aaron')"; 


[visualAd]

Read this: http://www.php.net/forms

Look specifically at the part that relates to POST and GET arrays and make sure you actually read it. Secondly, turn on error reporting to the maximum level and tells us what you get. To do this, add the following line to the top of your script:

PHP Code:

error_reporting(E_ALL); 


As everyone is trying to say, you probably aren't submitting the form, which is why all your variables are empty.

[Nightwalker83]

As everyone is trying to say, you probably aren't submitting the form, which is why all your variables are empty.

The scripts are the scripts which I am accessing via flash and they work perfectly with out the "mysql_real_escape_string". As I have stated before I add the string and whole thing stops. Yes, I have even changed my scripts so that the connection to the database and the table creation happens before the variables are called.

Also with the error log where is it suppose to be? In the same directory as the php files? If that is the case I'm not getting any errors because there is no log.

[visualAd]

Have you set error reporting as described in my previous post?

[Nightwalker83]

I have email my project with the scripts to my lecturer to see if he can figure out why it is not working. I should be able to get a response from him by Tuesday.

Edit:

Have you set error reporting as described in my previous post?

Yes,

PHP Code:

<?php
error_reporting(E_ALL);

code
?>

[visualAd]

I have email my project with the scripts to my lecturer to see if he can figure out why it is not working. I should be able to get a response from him by Tuesday.

Edit:



Yes,

PHP Code:

<?php
error_reporting(E_ALL);

code
?>

Have you also checked your PHP.ini to ensure that display_errors = on? If you do these, you will be able to see all errors and warnings. Can you also post the HTML you are using to submit the script?

[visualAd]

Have you also checked your PHP.ini to ensure that display_errors = on? If you do these, you will be able to see all errors and warnings. Can you also post the HTML you are using to submit to the script?

[Nightwalker83]

Have you also checked your PHP.ini to ensure that display_errors = on? If you do these, you will be able to see all errors and warnings. Can you also post the HTML you are using to submit the script?

Both "Display Errors" and "Log Errors to output file" are "on"! With the php at the moment I am accessing it via flash could that be the problem? As stated before the scripts I am using are part of my flash site.

[kows]

can you just post this entire script so that we can see all of your revisions? just this one that you're having problems with. not anything else. if your variables are set at the beginning of the script, and then become empty later on, then you are doing something out of sequence.

to ensure your form is submitting, at the beginning of your script, type out:

Code:

print_r($_POST);

if these variables are all set at the beginning of the script, then something you are doing is messing it up (whether you're calling mysql_real_escape_string() before a database connection is established or something else entirely, but that's the only thing I can think of since you keep saying the variables are only empty after trying to use that function). so, post the entire script in its current form so that I don't need to keep guessing.

[Nightwalker83]

can you just post this entire script so that we can see all of your revisions? just this one that you're having problems with. not anything else.

The problem is with all the scripts that why I emailed the project to my lecturer and asked him to have a look at it. I am not sure if flash would react differently to the "mysql_real_escape_string" then if I were using html to send/receive the variables?

[kows]

but you're not sending those variables to flash, you're receiving them from flash. and flash knows how to send a post request just fine; flash has nothing to do with anything. the script is the problem, and if you would like help then I suggest you just post the script you're talking about.

we can't help you if you won't show us. the problem is obvious -- your variables are empty after you've used mysql_real_escape_string() on them. mysql_real_escape_string() will never just empty your string, so you're probably just doing something in the wrong order (calling mysql_real_escape_string() before mysql_connect(), for example), or you have some kind of typo. but I've yet to see the rest of the script you're working with, and the script you posted above with the table creation query has already shown to have that same problem.

[Nightwalker83]

we can't help you if you won't show us. the problem is obvious -- your variables are empty after you've used mysql_real_escape_string() on them.

What I don't understand is why is it working without the "mysql_real_escape_string()" but not when the string is included as shown in the data submission script dated "Yesterday O1:08 PM". All I did to the original script was add the "mysql_real_escape_string()" that is all.

Edit:

So the original code would be:

PHP Code:

$cid = $_POST['cid']; 


You can see the difference between that and the code in post #43. The scripts in posts #41 and #43 are the two main scripts for the website the other scripts just use the same code mentioned above to insert/modify database data at different times on for the website.

[visualAd]

What I don't understand is why is it working without the "mysql_real_escape_string()" but not when the string is included

You need to turn error reporting to its maximum level, as I have already stated. If you are sending the data via a flash script (which does not send post variables any differently from using HTML), then in order to see the errors, you need to create a small HTML page to submit some dummy data. Or you need to set log_errors to true and the error_log to a file to have them logged to a file in addition to setting error_reporting to E_ALL.

Once you have done this, you need to check the errors / error log every time you execute a script. You should take special note of warnings and get rid of all notices which are usually caused if a variable is undefined.

Edit:

So the original code would be:

PHP Code:

$cid = $_POST['cid']; 


as shown in the data submission script dated "Yesterday O1:08 PM". All I did to the original script was add the "mysql_real_escape_string()" that is all.

You are using the mysql_real_escape_string() function before you are connecting to the database. You have already been told this several times.

You can see the difference between that and the code in post #43. The scripts in posts #41 and #43 are the two main scripts for the website the other scripts just use the same code mentioned above to insert/modify database data at different times on for the website.

I think I can speak for everyone in saying that we would rather you took the time to post the entire script as it exists at the moment. And the code for the HTML page you are going to create to submit the dummy data.

[Nightwalker83]

I think I can speak for everyone in saying that we would rather you took the time to post the entire script as it exists at the moment. And the code for the HTML page you are going to create to submit the dummy data.

Here is the modified script from post #43:

PHP Code:

<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";

//connect to server or exit
$conn = @mysql_connect("localhost", "root", "");
if (!$conn) {
die("Connection failed: " .mysql_error());
}

//create database
$query = "CREATE DATABASE IF NOT EXISTS BazaarCeramics";
if (mysql_query($query, $conn)) {
echo ("Database create query successful");
}
//select database
if (mysql_select_db($dbDatabase, $conn)) {
echo ("Database selection successful");
}else {
die ("Could not locate BazaarCeramics database" .mysql_error());
}

//create tables
$query = "CREATE TABLE IF NOT EXISTS customers (
  cid int(2) NOT NULL auto_increment,
  FName varchar(30) default NULL,
  LName varchar(30) default NULL,
  Email varchar(50) default NULL,
  Streetname varchar(20) default NULL,
  Housenum char(3) default NULL,
  Suburb varchar(20) default NULL,
  Postcode varchar(6) default NULL,
  Country varchar(20) default NULL,
  Phone varchar(10) default NULL,
  Username varchar(10) default NULL,
  Password varchar(8) default NULL,
  PRIMARY KEY  (cid)
) TYPE=MyISAM";


if (mysql_query($query, $conn)) {
echo ("table users query successful");
}else {
//connect to database or exit
if (!(mysql_select_db($dbDatabase, $conn))){
echo '&message=db+selection+failed&';
exit;
}
}

//convert the POST variables from flash to local variables
$cid = mysql_real_escape_string($_POST['cid']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$snum = mysql_real_escape_string($_POST['snum']);
$sname = mysql_real_escape_string($_POST['sname']);
$suburb = mysql_real_escape_string($_POST['suburb']);
$pcode = mysql_real_escape_string($_POST['pcode']);
$country = mysql_real_escape_string($_POST['country']);
$phone = mysql_real_escape_string($_POST['phone']);
$email = mysql_real_escape_string($_POST['email']);
$user = mysql_real_escape_string($_POST['user']);
$password = mysql_real_escape_string($_POST['upassword']);

// Make sure the data has been sent to the script from flash
if($cid==""){
echo '&message=you+must+enter+customer+record&';
exit;
}

//send mysql a query to select records from the products table where the id's match. If the query fails exit
if (!($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))){
echo '&message=query+failed&';
exit;
}
//Retrieve the number of rows (records)that have been returned from above query
$num_results = mysql_num_rows($result);
if($num_results <= 0) {//customer does not exist so insert
$query = "INSERT INTO customers (cid, FName, LName, Housenum,  Streetname, Suburb, Postcode, Country, Phone, Email, Username, Password)
VALUES ('$cid','$fname', '$lname', '$snum', '$sname','$suburb','$pcode','$country','$phone','$email','$user','$password')";
if (mysql_query($query , $conn))
echo "&message=the+customer+'$FName'+'$LName'+has+been+successfully+added&";
else
echo '&message=the+insert+was+not+successful&';
}else { //customer exists so update existing customer
$update = "update customers set FName='$fname'; LName='$lname'; where customerid='$cid'";
if(mysql_query($update, $conn))
echo "&message=the+details+have+been+updated&";
else
echo "&message=update+not+successful&";
}
?>

I'll just leave the script from post #41 as is since it is containing the data within the script rather than via user input.

Edit:

Putting the "real_escape_string" variables after all the connections (ie server, database and table) worked whereas before I was putting them after only the server connection.

Like kows said, mysql_real_escape_string() cannot be used without connecting to a MySQL database first. It's not really appropriate for use in your code on post #29, because you're not dealing with database input. Do like penagate said and use str_replace to get rid of newline characters.

Code:

$newLines   = array("\r\n", "\n", "\r");
$subject =  str_replace($newLines,"",$_POST["uSubject"]);

Would I added the "str_replace" to the subject box only or the "To", "From", "Body", etc boxes as well?

[kows]

you should add it to any variables that are set by the user aside from the body (and definitely don't use it on the headers). the body is allowed to have new lines (otherwise, you'll just get a bunch of garbled text with no paragraphs [assuming you are creating paragraphs]).

glad you finally figured out the mysql_real_escape_string() thing.

[Nightwalker83]

you should add it to any variables that are set by the user aside from the body (and definitely don't use it on the headers). the body is allowed to have new lines (otherwise, you'll just get a bunch of garbled text with no paragraphs [assuming you are creating paragraphs]).

glad you finally figured out the mysql_real_escape_string() thing.

Ah ok so it would be:

PHP Code:

<?php
sendTo = "myemail";
$newLines   = array("\r\n", "\n", "\r");
$subject =  str_replace($newLines,"",$_POST["uSubject"]);
$message = "Customers name: " . $_POST["Username"] ."\n\r"
."Customers email:" . $_POST["uEmail"] . "\n\r"
."Customers address:" . $_POST["uAddress"] . "\n\r" ;
$header = "From: flash application";
mail($sendTo, $subject, $message, $header);
?>

[kows]

sure.

[kows]

I'm surprised you're still not understanding this, to be completely honest.

the only thing you need to use mysql_real_escape_string() on is user input that will be going into a database or SQL query! this doesn't mean you use it on data you've received from a database (unless you're putting it back in, possibly). if your script stops working when you use it on an image name or image type that you are storing in a database, then you are again doing something wrong. if you aren't putting it into a database, then there would be no reason to use mysql_real_escape_string() on it. ever.

if you want to make things a little easier on yourself, do something I do when I'm handling form data that may or may not go into a database:

PHP Code:

<?php
  //only if we're posted to
  if($_SERVER['REQUEST_METHOD'] == "POST"){

    $mysql_safe = array();
    foreach($_POST as $key => $value){
      $mysql_safe[$key] = mysql_real_escape_string($value);
    }

  }
?>

****** if you run this code, then you have your original variables stored in $_POST, and your sanitised variables stored in $mysql_safe! if you are ever inserting data into an SQL query, you can use $mysql_safe to do so; if you are instead displaying output to a user or echoing out your flash variables, you can use $_POST.

PHP Code:

$sql = "INSERT INTO table (name) VALUES('{$mysql_safe['name']}');

echo "Hello, {$_POST['name']}!"; 


****** editor's note: this is a very simplified example and I also do all error processing (empty variables, valid emails, etc) during this foreach loop. you could do it there as well, if you like.

edit: hey, look, this is my 1337th post. neat.

[Nightwalker83]

I'm surprised you're still not understanding this, to be completely honest.

It ok! I made a couple of simple mistakes. This code works:

PHP Code:

<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";
//connect to server or exit
if (!($conn = mysql_connect("localhost", "root", "") )){
echo 'result=connection+failed';
exit;
}

$pName=  mysql_real_escape_string($_POST['pName']);
$pPrice=  mysql_real_escape_string($_POST['pPrice']);
$pImageName= mysql_real_escape_string($_POST['pImageName']);
$pImageType= mysql_real_escape_string($_POST['pImageType']);

// Make sure a file has been entered
if($pName =="" || $pPrice==""||$pImageName==""||$pImageType==""){
echo '&result=you+must+enter+a+product&';
exit;
}
if (!(mysql_select_db($dbDatabase, $conn))){
echo '&result=db+selection+failed&';
exit;
}

if (!($result = mysql_query("SELECT * FROM products where productid= '$pName'"))){
echo '&result=query+failed&';
exit;
}
$num_results = mysql_num_rows($result);
if($num_results == 0) {//product does not exist so insert
$insert = "insert into products (productid, pPrice, pImagePath, pImageType)
values('$pName','$pPrice', '$pImageName', '$pImageType')";
if (mysql_query($insert, $conn))
echo "&result=the+product+'$pName'+has+been+successfully+added&";
else
echo '&result=the+insert+was+not+successful&';
}else {//update product
$update = "update products set pPrice='$pPrice', pImagePath='$pImageName', pImageType='$pImageType' where productid='$pName'";
if (mysql_query($update, $conn))
echo "&result=the+product+'$pName'+has+been+successfully+updated&";
else
echo '&result=the+update+was+not+successful&';
}
?>

I removed the string before because I though I didn't need it on:

PHP Code:

$pImageName= mysql_real_escape_string($_POST['pImageName']);
$pImageType= mysql_real_escape_string($_POST['pImageType']); 


However, after testing the code again I found out I was wrong.

[Nightwalker83]

Hopefully, I will be able to get the code to work with design I want. I am just waiting on the code to code to run the database creation script via a link. I have got the code to run the script via a flash button through.

[Nightwalker83]

Finally finished the site! If I upload it I will put the link in my sig.