From: "Thomas H. George" on

I am a newbie. The following script works but the second one (below)
loads the variables from an html form and then fails. The connection
commands in the second script are identical, as the second script was copied
from the first. Only the variable values have been changed.

#!/usr/bin/php
#
<?php
$first_name = 'Harry';
$last_name = 'Potter';
$when_it_happened = 'This morning';
$how_long = '6 ms';
$how_many = 'millions';
$alien_description = 'angels';
$what_they_did = 'danced on the head of a pin';
$fang_spotted = 'No';
$other = 'There were bright flashing lights';
$email = 'harry(a)aol.com';

$dbc = mysqli_connect('localhost', 'tom', 'fog^horn9', 'aliendatabase')
or die('Error connecting to MySQL server');

$query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, " .
"how_many, alien_description, what_they_did, fang_spotted, other, email) " .
"VALUES ('$first_name', '$last_name', '$when_it_happened', '$how_long', '$how_many', " .
"'$alien_description', '$what_they_did', '$fang_spotted', '$other', '$email')";

$result = mysqli_query($dbc,$query)
or die('Error Querying the database');

mysqli_close($dbc);

?>

The following program successfully loads the variables from an html form
and then fails.


<?php
$first_name = $_POST['firstname'];
$last_name = $_POST['lastname'];
$when_it_happened = $_POST['whenithappened'];
$how_long = $_POST['howlong'];
$how_many = $_POST['howmany'];
$alien_description = $_POST['aliendescription'];
$what_they_did = $_POST['whattheydid'];
$fang_spotted = $_POST['fangspotted'];
$other = $_POST['other'];
$email = $_POST['email'];

echo 'got to here, ';
echo "$last_name\n\n";

$dbc = mysqli_connect('localhost', 'tom', 'fog^horn9', 'aliendatabase')
or die('Error connecting to MySQL server');

$query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, " .
"how_many, alien_description, what_they_did, fang_spotted, other, email) " .
"VALUES ('$first_name', '$last_name', '$when_it_happened', '$how_long', '$how_many', " .
"'$alien_description', '$what_they_did', '$fang_spotted', '$other', '$email')";

$result = mysqli_query($dbc,$query)
or die('Error Querying the database');

mysqli_close($dbc);

?>

The echo entries confirm the variables have been loaded from an html
form. The program just stops after the echo entries - no die message,
nothing in /var/log/mysql.err or mysql.log.


My system is Debian Squeeze, 64 bit. I have php5 version 5.3.1-5, php5-mysql version 5.3.1-5, mysql-client-5 and mysql-server-5 version 5.1.41-3 installed.

Any suggestions?

Tom

From: John Black on
On 03/01/2010 07:54 PM, Thomas H. George wrote:
> <?php ...
> $alien_description = $_POST['aliendescription'];
> $what_they_did = $_POST['whattheydid'];
> $email = $_POST['email'];
> ...
> $query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, " .
> "how_many, alien_description, what_they_did, fang_spotted, other, email) " .
> "VALUES ('$first_name', '$last_name', '$when_it_happened', '$how_long', '$how_many', " .
> "'$alien_description', '$what_they_did', '$fang_spotted', '$other', '$email')";

> Any suggestions?
> Tom

Yes, I have one. Whatever book you are using, burn it then shoot it!

Without looking at the query, it is most likely failing because you are
inserting un-escaped data into your database.
So when you enter something like: Goa'uld into your alien database then
it will fail because you have an unescaped control character.
This code, when freely accessible, will ensure that your database will
be compromised quickly. Search for SQL Injection on Google.

Unfortunately, I cannot recommend a good beginners' guide since most of
the ones I have seen teach this kind of stuff, but hopefully someone else
on this list can.

BTW, you can do your mysql connection this way and get the error
returned plus the SQL query.

mysqli_query($link, $sql) or die("<p>$sql</p>".mysqli_error($link));
--
John
Justice springs from envy; for its highest principle is:
the same for all.
[Walther Rathenau]
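An added example, not code from either poster, showing what John describes: the post's concatenated INSERT breaks on an apostrophe in the form data (the same input that an attacker would use to rewrite the query), while a prepared statement passes the values separately and stores them unchanged. It uses PDO against an in-memory SQLite table with the post's column layout so it runs offline with a current PHP; the table name, column names and form field names are taken from the thread, the form values are constructed, and the DSN, credentials and `harry@example.com` address are assumptions. Pointing the DSN at `mysql:host=localhost;dbname=aliendatabase` leaves the prepared-statement code unchanged; with mysqli the equivalent is `mysqli_prepare()` plus `mysqli_stmt_bind_param()`.

```php
<?php
// Added example (not from the thread). ERRMODE_EXCEPTION makes a failing
// query throw instead of silently returning false, which is what hid the
// error in the original post; the message is what mysqli_error() would show.
$pdo = new PDO('sqlite::memory:');   // assumed DSN; swap for the MySQL one
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE aliens_abduction (
    first_name TEXT, last_name TEXT, when_it_happened TEXT, how_long TEXT,
    how_many TEXT, alien_description TEXT, what_they_did TEXT,
    fang_spotted TEXT, other TEXT, email TEXT)');

// Constructed form input, including the apostrophe John mentions.
$post = [
    'firstname' => 'Harry', 'lastname' => 'Potter',
    'whenithappened' => 'This morning', 'howlong' => '6 ms',
    'howmany' => 'millions', 'aliendescription' => "Goa'uld",
    'whattheydid' => 'danced on the head of a pin', 'fangspotted' => 'No',
    'other' => 'There were bright flashing lights', 'email' => 'harry@example.com',
];

// Column order in the table and the matching form field names from the post.
$columns = ['first_name', 'last_name', 'when_it_happened', 'how_long', 'how_many',
            'alien_description', 'what_they_did', 'fang_spotted', 'other', 'email'];
$formKeys = ['firstname', 'lastname', 'whenithappened', 'howlong', 'howmany',
             'aliendescription', 'whattheydid', 'fangspotted', 'other', 'email'];

// 1. The post's approach: values interpolated straight into the SQL text.
//    The apostrophe in "Goa'uld" ends the string literal early, so the
//    statement is malformed; whoever controls the input controls the query.
function insertByConcatenation(PDO $pdo, array $post, array $columns, array $formKeys)
{
    $values = array_map(function ($k) use ($post) {
        return "'" . $post[$k] . "'";
    }, $formKeys);
    $sql = 'INSERT INTO aliens_abduction (' . implode(', ', $columns)
         . ') VALUES (' . implode(', ', $values) . ')';
    $pdo->exec($sql);
}

// 2. Prepared statement: the SQL text holds only placeholders and the driver
//    sends the values separately, so quotes in the data are just data.
function insertWithPreparedStatement(PDO $pdo, array $post, array $columns, array $formKeys)
{
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO aliens_abduction (' . implode(', ', $columns)
         . ') VALUES (' . $placeholders . ')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_map(function ($k) use ($post) {
        return $post[$k];
    }, $formKeys));
    return $stmt->rowCount();
}

try {
    insertByConcatenation($pdo, $post, $columns, $formKeys);
    echo "concatenated insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    // Surfacing the driver's message is the equivalent of John's mysqli_error() tip.
    echo 'concatenated insert failed: ' . $e->getMessage() . "\n";
}

$rows = insertWithPreparedStatement($pdo, $post, $columns, $formKeys);
$stored = $pdo->query('SELECT alien_description FROM aliens_abduction')->fetchColumn();
echo "prepared insert wrote $rows row, alien_description = $stored\n";
```

Run it with `php example.php`: the first insert reports a syntax error near `uld`, the second stores `Goa'uld` intact. The placeholder approach also removes the need for escaping functions entirely, which is the fix John's advice points to.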