Hi all, can anyone help with the following?
I am unable to upload any data to my database.
I can connect successfully, as I have changed the password, database name and got the errors I was expecting.

But for some reason, the data just doesn't seem to want to get to my database...?

Any pointers would be very helpful.

<?php
include('autoconfig.php');

// Table name must be a quoted string, not a bare constant
$tbl_name = 'temp_members_db';

// Random confirmation code 
$confirm_code=md5(uniqid(rand())); 

// values sent from form 
$name=$_POST['name'];
$email=$_POST['email'];
$password=$_POST['password'];
$country=$_POST['country'];
$city=$_POST['city'];
$mobnum=$_POST['mobnum'];
$mobnet=$_POST['mobnet'];
$mobpro=$_POST['mobpro'];
$atype=$_POST['atype'];
$datetime=date('l jS F Y h:i:s'); //create date time
$uipa = $_SERVER["REMOTE_ADDR"];
$ref = $_SERVER['HTTP_REFERER'];
$browser = $_SERVER['HTTP_USER_AGENT'];

// Insert data into database 
$sql= "INSERT INTO $tbl_name(confirm_code, name, email, password, country, city, mobnum, mobnet, mobpro, automotive, datetime, uipa, ref, browser)VALUES('$confirm_code', '$name', '$email', '$password', '$country', '$city', '$mobnum', '$mobnet', '$mobpro', '$atype', '$datetime', '$uipa', '$ref', '$browser')";
$result=mysql_query($sql);

All 5 Replies

Your code is VERY susceptible to hacking.

You need to escape every variable that you are inserting.
http://us.php.net/manual/en/function.mysql-real-escape-string.php

Which also might be why your SQL is failing.

First add that code in to escape, then check for an error code from your SQL result.

If you could show me how to escape one? I'm willing to learn.

$name=mysql_real_escape_string($_POST['name']);
$email=mysql_real_escape_string($_POST['email']);
$password=mysql_real_escape_string($_POST['password']);
$country=mysql_real_escape_string($_POST['country']);
$city=mysql_real_escape_string($_POST['city']);
$mobnum=mysql_real_escape_string($_POST['mobnum']);
$mobnet=mysql_real_escape_string($_POST['mobnet']);
$mobpro=mysql_real_escape_string($_POST['mobpro']);
$atype=mysql_real_escape_string($_POST['atype']);
$datetime=date('l jS F Y h:i:s'); //create date time
$uipa = $_SERVER["REMOTE_ADDR"];
$ref = mysql_real_escape_string($_SERVER['HTTP_REFERER']);
$browser = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);

// Insert data into database 
$sql= "INSERT INTO $tbl_name(confirm_code, name, email, password, country, city, mobnum, mobnet, mobpro, automotive, datetime, uipa, ref, browser)VALUES('$confirm_code', '$name', '$email', '$password', '$country', '$city', '$mobnum', '$mobnet', '$mobpro', '$atype', '$datetime', '$uipa', '$ref', '$browser')";
$result = mysql_query($sql) or die("Insert failed : " . mysql_error());

Try something like this.

Excellent, Many thanks - I'm looking forward to understanding more.

Just a quick question, please.

Am I right in saying that this will help against all SQL injection attacks?

Sorry if this is a daft question, but I am still learning.

Many thanks again for your input....

That's exactly what it does :)
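
An added example, not part of any reply above and not the poster's code: the same INSERT written with PDO bound parameters, so the values never become part of the SQL text. Escaping, by contrast, only protects values that are placed inside quotes on a connection whose character set is configured correctly. The example assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so it runs offline), narrows the column list, and uses constructed sample input.

```php
<?php
// Added example, not the thread's code. In-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
// Throw on any SQL error instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Identifiers cannot be bound as parameters, so the table name is checked
// against a fixed allowlist before it is interpolated.
$tbl_name = 'temp_members_db';
if (!in_array($tbl_name, ['temp_members_db'], true)) {
    throw new InvalidArgumentException('unexpected table name');
}
$pdo->exec("CREATE TABLE $tbl_name (confirm_code TEXT, name TEXT,
            email TEXT, country TEXT, uipa TEXT, browser TEXT)");

// Constructed sample input standing in for $_POST and $_SERVER.
$post   = ['name' => "O'Brien", 'email' => 'pat@example.com', 'country' => 'IE'];
$server = ['REMOTE_ADDR' => '192.0.2.10',
           'HTTP_USER_AGENT' => "Agent/1.0 ' \" ; -- constructed"];

// Placeholders keep the statement text fixed; values travel separately.
$stmt = $pdo->prepare(
    "INSERT INTO $tbl_name (confirm_code, name, email, country, uipa, browser)
     VALUES (:confirm_code, :name, :email, :country, :uipa, :browser)"
);
$stmt->execute([
    ':confirm_code' => bin2hex(random_bytes(16)), // unpredictable code
    ':name'         => $post['name'],
    ':email'        => $post['email'],
    ':country'      => $post['country'],
    ':uipa'         => $server['REMOTE_ADDR'],
    ':browser'      => $server['HTTP_USER_AGENT'],
]);

// Read the row back: quotes and comment markers were stored as plain data.
$row = $pdo->query("SELECT name, browser FROM $tbl_name")->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === $post['name']);
var_dump($row['browser'] === $server['HTTP_USER_AGENT']);
var_dump((int) $pdo->query("SELECT COUNT(*) FROM $tbl_name")->fetchColumn());
```

Against MySQL only the PDO DSN and credentials change; the prepare and execute calls stay the same.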
