Feb 11th, 2008
0

please tell me what is wrong with the code?

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php
echo"Your posted name is\t".$_POST['name'];
echo"Your posted roll is\t".$_POST['roll'];
?>
<?php
$con=mysql_connect("localhost","root","");
if(!$con)
{
die("could not connect:".mysql_error($con));
}
mysql_select_db("form",$con);
mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");
echo"1 record added";
mysql_close($con);
?>
</body>
</html>
error is showing on that line..........
Reputation Points: 9
Solved Threads: 0
Newbie Poster
niladri.user is offline Offline
15 posts
since Feb 2008
Feb 11th, 2008
0

Re: please tell me what is wrong with the code?

See, there are some things wrong with the security of your code, but for now I am going to tell you about the syntax errors only (because security is very deep...)

mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");

must evaluate into:
mysql_query("insert into submit(name,roll) values('$_POST['name']','$_POST['roll']')");

After the name of the table you have to put the names of the columns also!
Reputation Points: 10
Solved Threads: 6
Light Poster
fenixZ is offline Offline
25 posts
since Feb 2008
Feb 11th, 2008
0

Re: please tell me what is wrong with the code?

Quote originally posted by fenixZ:
See, there are some things wrong with the security of your code, but for now I am going to tell you about the syntax errors only (because security is very deep...)

What he's trying to say is that you should never insert user input directly into the database. There are a number of ways a malicious user can use that type of insert statement to hack into your database and screw things up.

Instead, you should always validate the input to make sure that it won't harm your database.

The easiest way to clean code for use in a mysql query is to use the "mysql_real_escape_string()" function.

Like so...

$name = mysql_real_escape_string($_POST['name']);
$roll = mysql_real_escape_string($_POST['roll']);

// Create mysql query, using $name and $roll

Incidentally, this may also be causing another error for you. You can't include an array value (like $_POST['name']) directly inside of a string. You need to either wrap the entire array variable in brackets {} or reference the variable outside the quotes using a string concatenation.

For example...

$query = "insert into submit(name,roll) values('{$_POST['name']}','{$_POST['roll']}')";
// Or...
$query = "insert into submit (name, roll) values ('" . $_POST['name'] . "', '" . $_POST['roll'] . "')";

- Walkere
Reputation Points: 29
Solved Threads: 5
Junior Poster in Training
Walkere is offline Offline
57 posts
since Jan 2008
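
Added example (not part of any post in this thread): the interpolated insert discussed above next to a parameterized one, run against the same input. It uses PDO prepared statements rather than the thread's mysql_* functions, which were removed in PHP 7.0. Assumptions: PHP 7+ with the pdo_sqlite extension, an in-memory SQLite table standing in for the thread's `submit` table, and the hypothetical helper names `insert_interpolated` and `insert_prepared`.

```php
<?php
// Added example. The in-memory SQLite database is an assumption that stands in
// for the thread's MySQL "form" database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submit (name TEXT NOT NULL, roll TEXT NOT NULL)');

// Constructed sample input: an ordinary surname that contains a quote character.
$post = ['name' => "O'Brien", 'roll' => '42'];

// Weak form (as in the thread): user input becomes part of the SQL text,
// so the quote inside the name ends the string literal early.
function insert_interpolated(PDO $db, array $post): bool
{
    $sql = "INSERT INTO submit (name, roll) VALUES ('{$post['name']}', '{$post['roll']}')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false; // the statement no longer parses as the author intended
    }
}

// Corrected form: the SQL text is fixed and the values are bound separately,
// so no character in the input can change the structure of the statement.
function insert_prepared(PDO $db, array $post): bool
{
    // Validate shape first: roll must be all digits, name non-empty and bounded.
    if (!ctype_digit($post['roll']) || $post['name'] === '' || strlen($post['name']) > 100) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO submit (name, roll) VALUES (:name, :roll)');
    return $stmt->execute([':name' => $post['name'], ':roll' => $post['roll']]);
}

// Run both forms on the same input and show what was actually stored.
var_dump(insert_interpolated($db, $post));
var_dump(insert_prepared($db, $post));
var_dump($db->query('SELECT name, roll FROM submit')->fetchAll(PDO::FETCH_ASSOC));
```

With MySQL the same pattern applies through PDO's mysql driver or mysqli prepared statements; only the connection line changes.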
Feb 11th, 2008
0

Re: please tell me what is wrong with the code?

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php
echo"Your posted name is\t".$_POST['name'];
echo"Your posted roll is\t".$_POST['roll'];
?>
<?php
$con=mysql_connect("localhost","root","");
if(!$con)
{
die("could not connect:".mysql_error($con));
}
mysql_select_db("form",$con);
mysql_query("insert into submit values('$_POST['name']','$_POST['roll']')");
echo"1 record added";
mysql_close($con);
?>
</body>
</html>
error is showing on that line..........
The error is with the parsing of quotes. Instead, use
$name=$_POST['name'];
$roll=$_POST['roll'];
mysql_query("insert into submit (col1,col2) values ('$name','$roll')");

Cheers,
Naveen
Moderator
Featured Poster
Reputation Points: 524
Solved Threads: 356
Purple hazed!
nav33n is offline Offline
3,878 posts
since Nov 2007
Feb 12th, 2008
0

Thanks!!!!!!!

Thanks for replying!!!!!!!!!!!
Reputation Points: 9
Solved Threads: 0
Newbie Poster
niladri.user is offline Offline
15 posts
since Feb 2008
