Can't write to database using php.

 
santa (Joined: 20 Nov 2006, Posts: 2)
Posted: Wed 22 Nov '06 9:37 | Post subject: Can't write to database using php.

Hi there,

I'm running my Apache server on a Windows 98 operating system and using PHP 4.

My problem is that I can't write to my database using a simple form-script. I can read the database with my read.php but not write.

I've hand-added a new entry in my database using phpMyAdmin and it worked fine to read it with PHP.

When I write using my post.html I get the script to make an add into the database so that the outcome is a blank row in my database but it simply will not print what I write in the form as goes for name and comment.

If I change the part of

"$insert = mysql_query("insert into $table (name, comment) values ('$name', '$comment')", $link)"

into let's say

$insert = mysql_query("insert into $table (name, comment) values ('HELLO WORLD', '$comment')", $link)

it will write HELLO WORLD into the database.

Here is the script for writing to my database.

post.html
----
<form action="form.php" method="post">
<table><tr>
<td>Name: </td>
<td><input type="text" name="$name" size="15" maxlength="30"></td>
<td>Comment: </td>
<td><textarea name="$comment" cols="15" rows="4"></textarea></td>
</tr><tr>
<td colspan="2" align="center"><input type="submit" name="submit" value="Submit">
<input type="reset" name="reset" value="Reset"></td>
</tr></table>
</form>

----

form.php
-----
<?php

include "config.php";

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// insert data into database
$insert = mysql_query("insert into $table (name, comment) values ('$name', '$comment')", $link)
or die("Could not insert data because ".mysql_error());

mysql_close();

echo "Thanks for signing my guestbook! Click <a href=read.php>here</a> to view your entry.";

?>

----

The config file is a normal one...

Brian (Joined: 21 Oct 2005, Posts: 209, Location: Puyallup, WA USA)
Posted: Wed 22 Nov '06 23:09

I see two issues, first of all in your HTML you do NOT want to use $name as the variable name as in:
Code:
<input type="text" name="$name" size="15" maxlength="30">

...instead use...
Code:
<input type="text" name="name" size="15" maxlength="30">

Next, I don't know if you have REGISTER_GLOBALS enabled (set to 1 or yes), but it would be far more secure if you did not have this feature enabled. In this case, if you do not automatically register globals, that is submitted GET and POST variables, then you would need to obtain them from the PHP $_GET and $_POST methods.

So, in your script(s) that receive submitted data, you would use (for a POSTed form) something like this:
Code:
<?php

###############################
# ensure that the variables are from the
# posted form content here
###############################
$name = $_POST['name'];
$comment = $_POST['comment'];  // key must match the textarea's name attribute and the $comment used in the query below


include "config.php";

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// insert data into database
$insert = mysql_query("insert into $table (name, comment) values ('$name', '$comment')", $link)
or die("Could not insert data because ".mysql_error());

mysql_close();

echo "Thanks for signing my guestbook! Click <a href=read.php>here</a> to view your entry.";

?>


Please post a reply as to if this helps or not.

santa (Joined: 20 Nov 2006, Posts: 2)
Posted: Wed 22 Nov '06 23:45

Brian

Thank you Brian!

You fixed my problem and I'm very grateful for that!

Thank you for taking your time to help me out with this script!

About register globals. I've turned them on since before but it seems like your code-snippets did the trick for me.

Once again, thank you very much. =)

EDIT:

I know it's very insecure to use register globals but since my server will mostly be used as my personal little thingy I will at first have them on and then maybe I will turn them on and try and secure the site. =)

Brian (Joined: 21 Oct 2005, Posts: 209, Location: Puyallup, WA USA)
Posted: Thu 23 Nov '06 0:09

If you are running PHP as SAPI, you can go ahead and TURN OFF globals in your main PHP.INI file, then, for each one of the vhosts that needs globals on, because many scripts are written in such a manner that they need globals on, then you can place in the VHOST container this line:
Code:
php_admin_value register_globals "1"

Example:
Code:
<VirtualHost *>
  ServerName www.somesite.com
  ServerAlias *.somesite.com somesite.com
  DocumentRoot "d:/www/"
  php_admin_value open_basedir "/www/"
  php_admin_value register_globals "1"
</VirtualHost>

This way you can ensure you only have globals on for those sites that need it, and you can write/rewrite code as you see fit to not require globals to be auto-registered.

Even with register globals on, you can still ensure security with $_GET and $_POST.

kr33 (Joined: 19 Sep 2006, Posts: 64, Location: South Africa)
Posted: Tue 28 Nov '06 11:18

Hi,

I completely agree with Brian's solution...in fact I spotted the same problems when I first had a look...

Another "trick" or scripting style I'd like to show you, not necessary, yet a little easier to work with as far as I've noticed, is to break up the SQL query statements and the mysql_query() function call.

Eg. (Instead of)
Quote:

// insert data into database
$insert = mysql_query("insert into $table (name, comment) values ('$name', '$comment')", $link)
or die("Could not insert data because ".mysql_error());


I find it easier to debug by separating them.

Code:

$sql = "INSERT INTO $table (name, ".
       "comment) VALUES ('$name', '$comment')";

$result = mysql_query($sql, $link);
if (!$result) {
    die ("Error inserting data : ".mysql_error());
}


Note:
I capitalised the SQL commands, so that it would be easier to differentiate between the commands and data/variables.

Just some food for thought, from a programmer's perspective of coding practices.

Otherwise, the solution is flawless.

Ciao
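
Added example, not part of the original thread: the fixes from Brian's and kr33's replies (plain field names, explicit $_POST reads, SQL text kept apart from its execution) combined with a prepared statement, since the queries in the thread interpolate the submitted values directly into the SQL string. Assumptions: PHP 7+ with PDO and an in-memory SQLite database standing in for the thread's MySQL server; the `guestbook` table, the `save_entry()` helper, the comment length limit and the sample submission are hypothetical.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite stand in for the MySQL
// server from the thread; table name, helper name and limits are hypothetical.
function save_entry(PDO $db, array $post): int
{
    // Read only the fields the form defines, straight from the POST array,
    // so the handler never depends on register_globals. Non-string values
    // (e.g. a field submitted as an array) are treated as missing.
    $name    = is_string($post['name'] ?? null)    ? trim($post['name'])    : '';
    $comment = is_string($post['comment'] ?? null) ? trim($post['comment']) : '';

    // Enforce limits server-side; maxlength="30" in post.html is only a hint.
    if ($name === '' || strlen($name) > 30) {
        throw new InvalidArgumentException('name must be 1-30 bytes');
    }
    if ($comment === '' || strlen($comment) > 1000) {
        throw new InvalidArgumentException('comment must be 1-1000 bytes');
    }

    // SQL text and data travel separately: the placeholders are bound by the
    // driver, so quotes in the input cannot change the statement.
    $sql  = 'INSERT INTO guestbook (name, comment) VALUES (:name, :comment)';
    $stmt = $db->prepare($sql);
    $stmt->execute([':name' => $name, ':comment' => $comment]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');

// Constructed sample submission; in form.php this array would be $_POST.
$post = ['name' => "O'Brien", 'comment' => "It's <b>working</b> now"];
$id   = save_entry($db, $post);

// Read the row back and escape on output, as a read.php page should,
// so stored markup is displayed as text instead of being rendered.
$stmt = $db->prepare('SELECT name, comment FROM guestbook WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ': ',
     htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'), "\n";
```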