User Name Password Register
DaniWeb IT Discussion Community
All
What is DaniWeb IT Discussion Community?
You're currently browsing the PHP section within the Web Development category of DaniWeb, a massive community of 422,672 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 4,718 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Please support our PHP advertiser: Lunarpages PHP Web Hosting
Views: 285 | Replies: 4
Reply
Join Date: Feb 2008
Posts: 14
Reputation: niladri.user is an unknown quantity at this point 
Rep Power: 0
Solved Threads: 0
niladri.user niladri.user is offline Offline
Newbie Poster

Help please tell me what is wrong with the code?

  #1  
Feb 11th, 2008
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php
echo"Your posted name is\t".$_POST['name'];
echo"Your posted roll is\t".$_POST['roll'];
?>
<?php
$con=mysql_connect("localhost","root","");
if(!$con)
{
die("could not connect:".mysql_error($con));
}
mysql_select_db("form",$con);
mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");
echo"1 record added";
mysql_close($con);
?>
</body>
</html>
error is showing on that line..........
AddThis Social Bookmark Button
Reply With Quote  
Join Date: Feb 2008
Posts: 6
Reputation: fenixZ is an unknown quantity at this point 
Rep Power: 0
Solved Threads: 1
fenixZ fenixZ is offline Offline
Newbie Poster

Re: please tell me what is wrong with the code?

  #2  
Feb 11th, 2008
See there are some wrong thing in security with your code but now I am going to tell you syntax errors only (cause security is very deep....)

mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");

must evaluate into:
mysql_query("insert into submit(name,roll) values('$_POST['name']','$_POST['roll']')");

after name of table you have to put name of column also!
Reply With Quote  
Join Date: Jan 2008
Posts: 55
Reputation: Walkere is an unknown quantity at this point 
Rep Power: 1
Solved Threads: 5
Walkere Walkere is offline Offline
Junior Poster in Training

Re: please tell me what is wrong with the code?

  #3  
Feb 11th, 2008
Originally Posted by fenixZ View Post
See there are some wrong thing in security with your code but now I am going to tell you syntax errors only (cause security is very deep....)

What he's trying to say, is you should never insert user input directly into the database. There are a number of ways a malicious user can use that type of insert statement to hack into your database and screw things up.

Instead, you should always validate the input to make sure that it won't harm your database.

The easiest way to clean code for use in a mysql query is to use the "mysql_real_escape_string()" function.

Like so...

  1. $name = mysql_real_escape_string($_POST['name']);
  2. $roll = mysql_real_escape_string($_POST['roll']);
  3.  
  4. // Create mysql query, using $name and $roll

Incidentally, this may also be causing another error for you. You can't include an array value (like $_POST['name']) directly inside of a string. You need to either wrap the entire array variable in brackets {} or reference the variable outside the quotes using a string concatenation.

For example...

  1. $query = "insert into submit(name,roll) values('{$_POST['name']}','{$_POST['roll']}')";
  2. // Or...
  3. $query = "insert into submit (name, roll) values ('" . $_POST['name'] . "', '" . $_POST['roll'] . "')";

- Walkere
Reply With Quote  
Join Date: Nov 2007
Location: Bangalore, India
Posts: 3,098
Reputation: nav33n has a spectacular aura about nav33n has a spectacular aura about 
Rep Power: 8
Solved Threads: 239
nav33n's Avatar
nav33n nav33n is offline Offline
Posting Sensei

Re: please tell me what is wrong with the code?

  #4  
Feb 11th, 2008
Originally Posted by niladri.user View Post
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php
echo"Your posted name is\t".$_POST['name'];
echo"Your posted roll is\t".$_POST['roll'];
?>
<?php
$con=mysql_connect("localhost","root","");
if(!$con)
{
die("could not connect:".mysql_error($con));
}
mysql_select_db("form",$con);
mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");
echo"1 record added";
mysql_close($con);
?>
</body>
</html>
error is showing on that line..........


The error is with the parsing of quotes. Instead, use
  1. $name=$_POST['name'];
  2. $roll=$_POST['roll'];
  3. mysql_query("insert into submit (col1,col2) values ('$name','$roll')");

Cheers,
Naveen
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

*PM asking for help will be ignored*
Reply With Quote  
Join Date: Feb 2008
Posts: 14
Reputation: niladri.user is an unknown quantity at this point 
Rep Power: 0
Solved Threads: 0
niladri.user niladri.user is offline Offline
Newbie Poster

Thanks!!!!!!!

  #5  
Feb 12th, 2008
Thanks for replying!!!!!!!!!!!
Reply With Quote  
Reply

Only community members can participate in forum threads. You must register or log in to contribute.

DaniWeb PHP Marketplace
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

 

Thread Tools Display Modes

Similar Threads
Other Threads in the PHP Forum

All times are GMT -4. The time now is 4:29 pm.
Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC