I am working on a php form that submits data to one table and then images to a second table in my mysql database.
The bit i am stuck on is submitting to the second table for what ever reason it just doesnt seam to be working.
Can someone please point me in the right direction to where i am going wrong with this code?
Any help at all would be greatly appreciated
<?php
/*
Attempt MySQL server connection. Assuming you are running MySQL
server with default setting (user 'root' with no password)
*/
$link = mysqli_connect("localhost", "***", "***", "***");
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$id = mysqli_real_escape_string($link, $_POST['id']);
$title = mysqli_real_escape_string($link, $_POST['title']);
$price = mysqli_real_escape_string($link, $_POST['price']);
$sqm = mysqli_real_escape_string($link, $_POST['sqm']);
$sqm_land = mysqli_real_escape_string($link, $_POST['sqm_land']);
$type = mysqli_real_escape_string($link, $_POST['type']);
$area = mysqli_real_escape_string($link, $_POST['area']);
$location = mysqli_real_escape_string($link, $_POST['location']);
$bedroom = mysqli_real_escape_string($link, $_POST['bedroom']);
$terrace = mysqli_real_escape_string($link, $_POST['terrace']);
$orientation = mysqli_real_escape_string($link, $_POST['orientation']);
$water = mysqli_real_escape_string($link, $_POST['water']);
$seaview = mysqli_real_escape_string($link, $_POST['seaview']);
$pool = mysqli_real_escape_string($link, $_POST['pool']);
$ownerinfo = mysqli_real_escape_string($link, $_POST['ownerinfo']);
$gaddress = mysqli_real_escape_string($link, $_POST['gaddress']);
$description = mysqli_real_escape_string($link, $_POST['description']);
$image = mysqli_real_escape_string($link, $_POST['image']);
$lastid = mysqli_real_escape_string($link, $_POST['lastid']);
$seq = mysqli_real_escape_string($link, $_POST['seq']);
// attempt insert query execution
$sql = "INSERT INTO property (title, price, sqm, sqm_land, type, area, location, bedroom, terrace, orientation, water, seaview, pool, ownerinfo, gaddress, description) VALUES
('$title', '$price', '$sqm', '$sqm_land', '$type', '$area', '$location', '$bedroom', '$terrace', '$orientation', '$water', '$seaview', '$pool', '$ownerinfo', '$gaddress', '$description' )";
function insertimages($image,$lastid,$seq){
$query="insert into images(imagepath,property_id,imageorder) values('".$image."','".$lastid."','".$seq."')";
$this->execQuery($query);
}
if(mysqli_query($link, $sql)){
echo "Records added successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
Here you have declared the insertimages function but not calling. You can call like this:
if(mysqli_query($link, $sql)){
insertimages($image,$lastid,$seq);
echo "Records added successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
Related
I'm trying to set a max value to my inputs. I can do it with html but anyone can easily overwrite that in any browser's inspect menu. So I want to use php to set it. I don't really know where I should put it and if this is the right way or not.
<?php
$link = mysqli_connect("localhost", "root", "", "reg");
mysqli_set_charset($link, "utf8");
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$name = mysqli_real_escape_string($link, $_REQUEST['name']);
$job = mysqli_real_escape_string($link, $_REQUEST['job']);
$email = mysqli_real_escape_string($link, $_REQUEST['email']);
$phone = mysqli_real_escape_string($link, $_REQUEST['phone']);
$phone2 = mysqli_real_escape_string($link, $_REQUEST['phone2']);
$address = mysqli_real_escape_string($link, $_REQUEST['address']);
$description = mysqli_real_escape_string($link, $_REQUEST['description']);
$visibility = mysqli_real_escape_string($link, $_REQUEST['visibility']);
// attempt insert query execution
$sql = "INSERT INTO cards (name, job, email, phone, phone2, address, description, visibility) VALUES ('$name', '$job', '$email', '$phone', '$phone2', '$address', '$description', '$visibility')";
if(mysqli_query($link, $sql)){
header("Location: addbusiness.php?message=1");
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
if(strlen($name) > 10)
{
echo "Max value is 10";
}
// close connection
mysqli_close($link);
?>
<label>Name</label>
<input class="form-control" id="name" name="name" type="text" required="required">
You need to do the strlen() check before you perform the insert, and not insert anything if the check fails.
if(strlen($name) > 10)
{
echo "Max value is 10";
exit();
}
// attempt insert query execution
$sql = "INSERT INTO cards (name, job, email, phone, phone2, address, description, visibility) VALUES ('$name', '$job', '$email', '$phone', '$phone2', '$address', '$description', '$visibility')";
if(mysqli_query($link, $sql)){
header("Location: addbusiness.php?message=1");
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
I am totally confused as to why my update query is not updating the records. There are no errors in inspector console. If I run the query in phpmyadmin substituting the vars with actual values it works fine.
I have tried coding the vars like this in query: '".$name."' and also like i have it now. All field names are correct and all values are being passed to php correctly. I would be grateful if someone could point out my error as it is driving me nuts. Many thanks
<?php
$conn = mysqli_connect("localhost","root","","domain");
if($conn === false) {
die("ERROR: Could not connect. " . mysqli_connect_error());
}
$id = mysqli_real_escape_string($conn, $_POST['idcon']);
$company = mysqli_real_escape_string($conn, $_POST['companycon']);
$name = mysqli_real_escape_string($conn, $_POST['namecon']);
$email = mysqli_real_escape_string($conn, $_POST['emailcon']);
$phone = mysqli_real_escape_string($conn, _POST['phonecon']);
$fax = mysqli_real_escape_string($conn, $_POST['faxcon']);
$mobile = mysqli_real_escape_string($conn, $_POST['mobilecon']);
$sql = mysqli_query($conn, "UPDATE contact_con SET idcode_con = '$company', name_con = '$name', email_con = '$email', phone_con = '$phone', fax_con = '$fax', mobile_con = '$mobile' WHERE id_con='$id'");
mysqli_close($conn);
?>
You should be using prepared queries, also you have a typo _POST['phonecon'].
<?php
$conn = mysqli_connect("localhost", "root", "", "domain");
// check connection
if (mysqli_connect_errno()) {
exit("Connect failed: ". mysqli_connect_error());
}
// create a prepared statement
$stmt = $conn->prepare("
UPDATE contact_con
SET idcode_con = ?,
name_con = ?,
email_con = ?,
phone_con = ?,
fax_con = ?,
mobile_con = ?
WHERE id_con= ?
");
if ($stmt) {
// bind parameters for markers
$stmt->bind_param(
"ssssssi",
$_POST['companycon'],
$_POST['namecon'],
$_POST['emailcon'],
$_POST['phonecon'],
$_POST['faxcon'],
$_POST['mobilecon'],
$_POST['idcon']
);
// execute query
$stmt->execute();
// close statement
$stmt->close();
}
// close connection
$conn->close();
?>
I am trying to enter user's data into a database. I think the commas in the address are causing the error.
<?php
$full_name = $_POST["fullname"];
$email = $_POST["email"];
$password = $_POST["password"];
$full_address = $_POST["address"];
$city = $_POST["city"];
$age = $_POST["age"];
$contact_number = $_POST["number"];
$gender = $_POST["gender"];
$education = $_POST["education"];
?>
<?php
$servername = "hidden";
$username = "hidden";
$password = "hidden";
$dbname = "hidden";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$sql = "INSERT INTO users (full_name, email, password,full_address,city,age,contact_number,gender,education)
VALUES ($full_name, $email, $password,$full_address,$city,$age,$contact_number,$gender,$education)";
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
?>
As others have noted, your code is vulnerable to SQL injections. You should consider using parameterized queries:
$sql = "INSERT INTO users (full_name, email, password, full_address, city, age, contact_number, gender, education)
VALUES (?,?,?,?,?,?,?,?,?)";
$stmt = mysqli_prepare($conn, $sql);
// Bind parameters
$stmt->bind_param("s", $full_name);
$stmt->bind_param("s", $email);
$stmt->bind_param("s", $password);
$stmt->bind_param("s", $full_address);
$stmt->bind_param("s", $city);
$stmt->bind_param("s", $age);
$stmt->bind_param("s", $contact_number);
$stmt->bind_param("s", $gender);
$stmt->bind_param("s", $education);
if ($stmt->execute()) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
For more information refer to the PHP manual on MySQLi prepared statements.
You need to quote string in your SQL statement;
$sql = "INSERT INTO users (full_name, email, password,full_address,city,age,contact_number,gender,education)
VALUES ('$full_name', '$email', '$password','$full_address','$city',$age,'$contact_number','$gender','$education')";
Notice the single quotes around all the variables that contain strings. I might be a bit off because I don't know the values or table structure.
But the just quote all values that are going in to a Date or Text field.
To avoid additional problems and security risks you should be using mysqli_real_escape_string (at a minimum).
In all your assignment statements wrap the values in mysqli_real_escape_string
$full_name = mysqli_real_escape_string($conn, $_POST["fullname"]);
$email = mysqli_real_escape_string($conn, $_POST["email"]);
...
Note this requires setting up your DB connection before the variable assignments, so you'll have to reorganize your code a bit.
rink.attendant.6's answer is the proper way to adapt your code.
I'm trying to add the current user id from a Wordpress site to a table I have set up. All other values from inputs are going in fine, but I'm getting a php error when I try this code:
$link = mysqli_connect("localhost", "XXXXXX", "XXXXXX", "XXXXXX");
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
$latLng = mysqli_real_escape_string($link, $_POST['latLng']);
$title = mysqli_real_escape_string($link, $_POST['title']);
$type = mysqli_real_escape_string($link, $_POST['type']);
$current_user = wp_get_current_user();
$WP_id = $current_user->ID;
$sql = "INSERT INTO `user_locations` ( `id` , `WP_id` , `latLng` , `type` , `title` ) VALUES ('', '$WP_id', '$latLng', '$type', '$title')";
if(mysqli_query($link, $sql)){
header("Location: leaflet-test-page");
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
mysqli_close($link);
The error is:
Fatal error: Call to undefined function wp_get_current_user() in /home/XXXXX/public_html/XXXXXX/insert.php on line 17
Any help identifying the reason I am getting this error would be appreciated.
Adding this worked. include_once '../../../wp-blog-header.php'; I know its nasty, but does the trick for what I need it for.
I am trying to get the count of number of rows from Vulnerability table based on the vulnerability and threat entered. But always i get a value None in place of vulnerability count.
$link = mysqli_connect("localhost", "root", "sharmi#08", "MySQL56");
// Check connection
if ($link === false) {
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$Vulnerability = mysqli_real_escape_string($link, $_POST['Vulnerability']);
$Threat = mysqli_real_escape_string($link, $_POST['Threat']);
/*$P_Vulnerability = mysqli_real_escape_string($link, $_POST['P_Vulnerability']);*/
/*$P_Threat = mysqli_real_escape_string($link, $_POST['P_Threat']);*/
$Threat_count = mysqli_real_escape_string($link, $_POST['Threat_count']);
$table = mysqli_real_escape_string($link, $_POST['Vul']);
// attempt insert query execution
$sql = "INSERT INTO vuln_threat(Vulnerability, Threat) VALUES ('$Vulnerability', '$Threat') ";
$Vulnerability_count = mysqli("Select count(*) from vuln_threat");
$sql = "UPDATE vuln_threat SET Vulnerability_Count='$Vulnerability_count',Threat_Count='1' WHERE Vulnerability='".$Vulnerability."' AND Threat='".$Threat."'";
//$select_result = mysqli_query($query);
if ( mysqli_query($link, $sql, $query)) {
echo "New Records added successfully." ;
} else {
echo "Please add records." ;
}
// close connection
mysqli_close($link);
mysqli_query accepts only predefined constants as the 3rd parameter when used in a procedural fashion.
http://php.net/manual/en/mysqli.query.php