PHP insert blank values instead of GET values - php

I have this script on my site:
<?php
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);
if($db_found) {
$SQL = "INSERT INTO users (user, address)
VALUES('".$_GET['username']."','".$_GET['password']."')";
$result = mysql_query($SQL);
mysql_close($db_handle);
print "Records added to the database";
}
else {
print "Database NOT found";
mysql_close($db_handle);
}
?>
I then open this url in my browser:
http://ringkapps.altervista.org/addToDatabase.php?user=ringk&address=test
But instead of inserting "ringk" and "test" in the table, it inserts this:
Can't understand why, any help would be greatly appreciated.

This code is wrong!
$SQL = "INSERT INTO users (user, address)
VALUES('".$_GET['username']."','".$_GET['password']."')";
Replace this.
$SQL = "INSERT INTO users (user, address)
VALUES('".$_GET['user']."','".$_GET['address']."')";

It's not working because you're calling
http://ringkapps.altervista.org/addToDatabase.php?user=ringk&address=test
Which creates $_GET["user"] and $_GET["address"] but you are trying to put in the db $_GET['username'] and $_GET['password'] which don't exist.
You should call:
http://ringkapps.altervista.org/addToDatabase.php?username=ringk&password=test
Plus, read something on security for PHP apps, your code is prone to a lot of vulnerabilities!!!

In the url : http://ringkapps.altervista.org/addToDatabase.php?user=ringk&address=test
We can see user = ringk and address = test.
Where user is the key and ringk it's value.
Where address is the key and test it's value.
You can print all the $_GET value by using var_dump($_GET) and see by yourself what's in it.
My guess is that what you want is to access
$_GET['user'] and $_GET['address']
then just replace the line :
VALUES('".$_GET['username']."','".$_GET['password']."')";
with
VALUES('".$_GET['user']."','".$_GET['address']."')";
or you could update the url to match the code.

Related

How to view HTTP POST values sent by arduino to php form

I have an arduino setup posting data to a data_post.php form online which records values to a mysql db. The value for username is not being recorded properly in the db, it shows up as null. The other values are fine.
When I use an html form to manually post to data_post.php, i use those echo commands currently commented out and I can see the values being posted and they are fine. I would like to know if I can see the values being posted by the arduino setup. But I dont know how to view that data from my server side. The data used to work fine up until May 2019 more or less. Is there a way to view that data?
I looked in the server logs and just found this line but it doesnt show the values because its POST, not GET:
2021-02-21 12:40:54 Access 205.211.254.213 200 POST /arduinostuff/data_post.php HTTP/1.0
Here is the php file:
<?php
$user = 'myusr';
$password = 'mypwd';
$server = 'localhost';
$database = 'test';
$pdo = new PDO("mysql:host=$server;dbname=$database", $user, $password);
$username=$_POST['username'];
//echo $username;
$age=$_POST['age'];
//echo $age;
$uvindex=$_POST['uvindex'];
$mq2=$_POST['mq2'];
$sql = "INSERT INTO example (name,age,uvindex,mq2,beer) VALUES (:username, :age, :uvindex, :mq2, 'NO')";
$stmt = $pdo->prepare($sql);
$stmt->bindParam(":username", $username);
$stmt->bindParam(":age", $age);
$stmt->bindParam(":uvindex", $uvindex);
$stmt->bindParam(":mq2", $mq2);
$stmt->execute();
$result = $stmt->execute(array(':username'=>$username, ':age'=>$age, ':uvindex'=>$uvindex, ':mq2'=>$mq2));
if($result) {
echo "Your text has been posted";
}// end if
else {
echo '0 results';
}// end else
?>
Add to your php code
var_dump($_POST);
or
print_r($_POST);
This will show every value send by POST

mysql problem using php when update table

This system is based on invitation codes, if u have a code that is present in the database you can submit the input therefore change a value in a row. There are 2 inputs, 1) Invitation Code (key), if exist in the database the user can submit the value 2)Name (user). I done the following code but it doesn't work, any suggestions?
<?php
//get value pass from form in login.php
$username = $POST['user'];
$password = $POST['key'];
//connect to the server and select database
mysql_connect("localhost", "...","...");
mysql_select_db("...");
// Query the database for user
$result = mysql_query("UPDATE invitation_keys SET name ='$username' WHERE key = '$password'";)
or die("Failed to query database".mysql_error());
$row = mysql_fetch_array($result);
if ($row['key'] == $password) {
echo "Login success!!!".$row['key'];
} else {
echo "Failed to login";
}
?>
When you are coding in PHP, var_dump($var) is your best friend.
So the first thing to do here, is to print the query.
You will see, that your $username and $password vars are NULL, because you missed the syntax of $_POST[].
After, you can put in var_dump what you want, and that's why its interesting, because you will debug faster with this.

Submit variable in URL to MySQL Database

I would like to have a page that, when someone clicks a pre-formatted link I've sent, writes a variable in the URL to a MySQL database and just displays "Thank You" or something to the user.
Example:
The user would click a link formatted something like http://www.example.com/click.php?id=12345
When the page loads the 12345 would be written to a table in a MySQL database, it would show a Thank you, and that is it.
Seems like it should be simple enough but I can't find anything on it. I'm probably searching wrong, since this is all new to me.
Your best bet is to utilise $_GET['id'] which will take in the value from your url.
After grabbing the id from your url you will want to use PDO or mysqli prepared statements in order to protect yourself from sql injection.
I hope this helps.
Updated as per Kevin Voorn's comment.
if(isset($_GET['id']) && !empty($_GET['id'])) {
$logged_id = $_GET['id'];
$stmt = $mysqli->prepare("INSERT INTO tableName (`logged_id`) VALUES (?)");
$stmt->bind_param('i', $logged_id);
$stmt->execute();
if($stmt->affected_rows > 0){
echo "Thank You.";
}
$stmt->close();
}
User $_GET to retrive the value and put into your table.
Example:
code inside click.php
<?php
$id=$_GET['id'];
$sql="Insert into table1 VALUES ($id)";
mysqli_query($connect,$sql);
echo "<script>alert('Thank you')</script>";
?>
Thanks for the responses. I ended up finding this page: https://www.binpress.com/tutorial/using-php-with-mysql-the-right-way/17 that described the process for using mysqli to connect to my database. I used that page to create the necessary functions in ../db.php and included it in the actual PHP script that would catch the url. My script ended up looking like this:
<?php
require '../db.php';
date_default_timezone_set('UTC');
$date = date("Y-m-d H:i:s T");
$db = new Db();
$db_id = $db -> quote($_GET['id']);
$db_date = $db -> quote($date);
$result = $db -> query("INSERT INTO `table` (`id`,`GUID`,`AccessTime`) VALUES (NULL, " . $db_id . "," . $db_date . ")");
if($result === false) {
exit();
} else {
echo "<html><body><center><br><h1>Thank You!</h1></center></body></html>";
}
?>

Why is my SELECT code not working?

I have a program that moves registration data from one datatable to another (think login activation page from temp to permanent after email confirmation). I'm not the best at Mysql yet, still learning so it might be a stupid question. I've checked all over stackoverflow and it looks like I'm doing it correctly.
For some reason my select call is not working. Here is a bit of my code:
$username = mysqli_query($dbc,"SELECT 'username' FROM 'temp_users' WHERE 'activation'= '$key'");
$password = mysqli_query($dbc,"SELECT 'password' FROM 'temp_users' WHERE 'activation'= '$key'");
// Add row to database
mysqli_query($dbc,"INSERT INTO users (username, password, salt', 'email') VALUES ('$username', '$password_hash', '$salt', '$email')");
echo $username, $password, $email, mysqli_affected_rows($dbc), $key;
// Print a customized message:
if (mysqli_affected_rows($dbc) == 1) //if update query was successfull
{
echo '<div>Your account is now active. You may now Log in</div>';
} else {
echo '<div>Oops !Your account could not be activated. Please recheck the link or contact the system administrator.</div>';
}
I threw in the echo my variables so I could see what was going on. At this point, $key is correct, $email is correct from earlier code, mysqli_affected_rows($dbc) is giving me a -1 (which means error). $username and $password are blank variables, so clearly I am doing the SELECT incorrectly.
Any thoughts or help?
Remove '(Single quotes) use (backticks) = ``
SELECT `username` FROM `temp_users` WHERE `activation`= '$key'

Storing info in a PostgreSQl database issue

Ok I am making a registry for my website.
First page asks for some personal info
if($error==false) {
$query = pg_query("INSERT INTO chatterlogins(firstName, lastName, gender, password, ageMonth, ageDay, ageYear, email, createDate) VALUES('$firstNameSignup', '$lastNameSignup', '$genderSignup', md5('$passwordSignup'), $monthSignup, $daySignup, $yearSignup, '$emailSignup', now());");
$query = pg_query("INSERT INTO chatterprofileinfo(email, lastLogin) VALUES('$emailSignup', now());");
$userNameSet = $emailSignup;
$_SESSION['$userNameSet'] = $userNameSet;
header('Location: signup_step2.php'.$rdruri);
}
The first query works. The second query works but doesn't save the email...
the session doesn't work but the header works and sends me to the next page
I get no errors even if I comment out header
next page
#session_start();
$conn = pg_connect("host=localhost dbname=brittains_db user=brittains password=XXXX" );
$signinCheck = false;
$checkForm = "";
if(isset($_SESSION['$userName'])) {
$userName = $_SESSION['$userName'];
$signinCheck = true;
$query = pg_query("UPDATE chatterprofileinfo SET lastLogin='now()' WHERE email='$userName'");
}
if(isset($_SESSION['$userNameSet'])) {
$userName = $_SESSION['$userNameSet'];
$signinCheck = true;
$query = pg_query("UPDATE chatterprofileinfo SET lastLogin='now()' WHERE email='$userName'");
}
This is the top starting the session depending on if your logged in or not.
then if I enter in the info here and put it through this
if($error==false) {
$query = pg_query("UPDATE chatterprofileinfo SET aboutSelf='$aboutSelf', hobbies='$hobbies', music='$music', tv='$tv', sports='$sports', lastLogin='now()' WHERE email='$userName'") or exit(pg_last_error());
//header('Location: signup_step3.php'.$rdruri);
}
nothing shows up for on my database from this.
I have no idea where I went wrong
the website is
http://opentech.durhamcollege.ca/~intn2201/brittains/chatter/
For starters, don't put things that aren't strings in single-quotes like that. 'now()' means a literal string "now()"
Also, if you're doing updates to your database you're better of using prepared statements to help prevent against sql injection. In your case, see http://www.php.net/manual/en/function.pg-prepare.php

Categories