DaniWeb IT Discussion Community

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)
-   PHP (http://www.daniweb.com/forums/forum17.html)
-   -   please tell me what is wrong with the code? (http://www.daniweb.com/forums/thread108659.html)

niladri.user Feb 11th, 2008 3:31 pm
please tell me what is wrong with the code?
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php
echo"Your posted name is\t".$_POST['name'];
echo"Your posted roll is\t".$_POST['roll'];
?>
<?php
$con=mysql_connect("localhost","root","");
if(!$con)
{
die("could not connect:".mysql_error($con));
}
mysql_select_db("form",$con);
mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");
echo"1 record added";
mysql_close($con);
?>
</body>
</html>
An error is showing on that line.

fenixZ Feb 11th, 2008 5:39 pm
Re: please tell me what is wrong with the code?
 
See, there are some things wrong with the security of your code, but for now I am going to tell you about the syntax errors only (because security is very deep...).

mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");

must evaluate into:
mysql_query("insert into submit(name,roll) values('$_POST['name']','$_POST['roll']')");

After the name of the table you have to put the names of the columns as well!

Walkere Feb 11th, 2008 6:52 pm
Re: please tell me what is wrong with the code?
 
Quote:

Originally Posted by fenixZ (Post 532455)
See there are some wrong thing in security with your code but now I am going to tell you syntax errors only (cause security is very deep....)

What he's trying to say is that you should never insert user input directly into the database. There are a number of ways a malicious user can use that type of insert statement to hack into your database and screw things up.

Instead, you should always validate the input to make sure that it won't harm your database.

The easiest way to clean code for use in a mysql query is to use the "mysql_real_escape_string()" function.

Like so...

$name = mysql_real_escape_string($_POST['name']);
$roll = mysql_real_escape_string($_POST['roll']);

//  Create mysql query, using $name and $roll

Incidentally, this may also be causing another error for you. You can't include an array value (like $_POST['name']) directly inside a string. You need to either wrap the entire array variable in curly braces {} or reference the variable outside the quotes using string concatenation.

For example...

$query = "insert into submit(name,roll) values('{$_POST['name']}','{$_POST['roll']}')";
//  Or...
$query = "insert into submit (name, roll) values ('" . $_POST['name'] . "', '" . $_POST['roll'] . "')";

- Walkere
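The three ways of building that INSERT side by side, as an added example that is not code from the thread. It assumes the thread's `form` database and `submit(name, roll)` table; the account name and password are placeholders (the original connects as root with an empty password). It uses the mysqli extension instead of the `mysql_*` functions from the post, because `mysql_*` has no prepared statements and was removed in PHP 7. The first function is the post's own construction with the brace syntax that makes it parse; it is kept only to show what the SQL string turns into when the request body contains a quote. The escaping in the second function is the approach Walkere describes; the prepared statement in the third is what a practitioner should actually ship, because the values never become part of the SQL text. The original also echoes `$_POST` straight into the HTML, which is a separate output context, so the example encodes that with `htmlspecialchars` rather than with SQL escaping.

```php
<?php
// Added example, not code from the thread. Assumes the "form" database and
// the submit(name, roll) table used in the original post. The credentials
// below are placeholders (the post connected as root with no password).
$dbUser = 'form_app';   // assumed: an account with INSERT on form.submit only
$dbPass = 'change-me';  // assumed placeholder

// 1. The construction from the original post, with the interpolation written
//    in braces so that it parses. It is still unsafe: the request body becomes
//    part of the SQL. It is only here to show what the string turns into.
function unsafeInsertSql($name, $roll)
{
    return "insert into submit (name, roll) values ('{$name}', '{$roll}')";
}
// unsafeInsertSql('bob', "1'), ('extra', '2") returns
//   insert into submit (name, roll) values ('bob', '1'), ('extra', '2')
// i.e. two rows are inserted by a form that was meant to insert one.

// 2. Escaping, as suggested above, on a mysqli link. Escape only after the
//    connection charset has been set, because the escaping rules depend on it.
function escapedInsertSql(mysqli $con, $name, $roll)
{
    $name = $con->real_escape_string($name);
    $roll = $con->real_escape_string($roll);
    return "insert into submit (name, roll) values ('{$name}', '{$roll}')";
}

// 3. A prepared statement: the SQL text is fixed, the values travel separately,
//    so quotes in the input cannot change the statement. Returns true on success.
function preparedInsert(mysqli $con, $name, $roll)
{
    $stmt = $con->prepare('insert into submit (name, roll) values (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $roll);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$con = new mysqli('localhost', $dbUser, $dbPass, 'form');
if ($con->connect_error) {
    die('could not connect: ' . $con->connect_error);
}
$con->set_charset('utf8mb4');

$name = isset($_POST['name']) ? $_POST['name'] : '';
$roll = isset($_POST['roll']) ? $_POST['roll'] : '';

if (preparedInsert($con, $name, $roll)) {
    echo '<p>1 record added</p>';
} else {
    echo '<p>insert failed</p>';
}

// The original post echoes $_POST straight into the page. HTML is a different
// context from SQL and needs its own encoding, not real_escape_string().
echo '<p>Your posted name is ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p>Your posted roll is ' . htmlspecialchars($roll, ENT_QUOTES, 'UTF-8') . '</p>';

$con->close();
```

If the column list is omitted, as in the original `insert into submit values(...)`, the statement still works as long as the table has exactly two columns in that order; listing the columns is still worth doing so the INSERT does not silently break when the table changes. Whichever form is used, the connecting account should not be root: an account that can only INSERT into `form.submit` limits what a successful injection can do.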

nav33n Feb 11th, 2008 6:57 pm
Re: please tell me what is wrong with the code?
 
Quote:

Originally Posted by niladri.user (Post 532394)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php
echo"Your posted name is\t".$_POST['name'];
echo"Your posted roll is\t".$_POST['roll'];
?>
<?php
$con=mysql_connect("localhost","root","");
if(!$con)
{
die("could not connect:".mysql_error($con));
}
mysql_select_db("form",$con);
mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");
echo"1 record added";
mysql_close($con);
?>
</body>
</html>
An error is showing on that line.

The error is with the parsing of quotes. Instead, use
$name=$_POST['name'];
$roll=$_POST['roll'];
mysql_query("insert into submit (col1,col2) values ('$name','$roll')");

Cheers,
Naveen

niladri.user Feb 12th, 2008 6:27 am
Thanks!!!!!!!
 
Thanks for replying!!!!!!!!!!!



Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC