Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
Is this code safe to use for my website? Without sql injections or hacking, yes or no? I dont want to be hacked etc.
<?php
$db = new mysqli ("localhost", "-", "-", "-");
if($_GET['look'] && $_GET['username'])
{
$username = $db->real_escape_string($_GET['username']);
$look = $db->query("SELECT look FROM users WHERE username = '".$username."'")->fetch_assoc();
echo $look['look'];
}
if($_GET['missie'] && $_GET['username'])
{
$username = $db->real_escape_string($_GET['username']);
$motto = $db->query("SELECT motto FROM users WHERE username = '".$username."'")->fetch_assoc();
echo $motto['motto'];
}
if($_GET['while'] && $_GET['status'])
{
$status = $db->real_escape_string($_GET['status']);
$motto = $db->query("SELECT * FROM users WHERE motto = '".$status."'");
while($lol = $motto->fetch_assoc()) {
echo $lol['username'] . '/';
}
}
?>
And how can i improve it?
If you look at the function description for mysql_real_escape_string, it states
mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement
so it will escape your parameters but I would not recommend relying wholly on that.
In future versions, php will no longer support mysql or mysqli and you will need to use PDO. A good resource that I have used a number of times for my own projects is http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers.
PDO allows you to create prepared statements and will escape your parameters for you and protect yourself from sql injection. Here is an example of how you could do that using PDO:
$db = new \PDO('mysql:host=localhost;dbname=test;charset=utf8', 'username', 'password');
$stmt = $db->prepare('
SELECT *
FROM `book` AS b
WHERE b.genre = ?
');
$stmt->execute(array('fantasy')); // Will replace the ? with 'fantasy' and escape it
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
So basically I got this code right here:
<?php
include_once 'dbconfig2.php';
$con = new DB_con();
$table = "users";
if(isset($_GET['profile_id']))
{
$sql=mysql_query("SELECT * FROM users WHERE user_id=".$_GET['profile_id']);
$result=mysql_fetch_array($sql);
}
?>
I am clueless as to how I would make it so if the user_id is not existent in the records, they cannot view their profile but it leads them to another messsage or piece of code.
If the user_id doesn't exist, there won't be any rows in the result. When you try to read a row with mysql_fetch_array(), it returns FALSE. So you can simply test $result:
if (!$result) {
die("Invalid profile ID");
}
Try to use prepared statements using mysqli, in order to avoid sql injection.
By way of example:
$mysqli = new mysqli("localhost", "root", "root", "test");
if ($mysqli->connect_errno) {
echo "connect_error". $mysqli->connect_error;
}
$id = $_GET['profile_id'];
$result = $mysqli->prepare('SELECT name FROM users WHERE user_id = ?');
$result->bind_param("i", $id);
$result->execute();
$result->bind_result($col1);
$result->fetch();
$is_valid_profile = (!$col1) ? 'Invalid profile' : 'Valid profile';
echo $is_valid_profile;
$result->close();
http://php.net/manual/en/mysqli.prepare.php
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Improve this question
I looked at some other questions online and on here related to this, but none seem to really encounter my error exactly.
I wrote my PHP code and implemented it into my HTML, I get the dropdown box appearing, but it doesn't actually want to display any values. Is there any implementations or fixes I should include in my code? How do I get it to work?
My database is called: Treatments
My column in the database that I want displayed is called: Treatment
treatment_dropdown.php
<?php
$hostname = 'host_name';
$dbname = 'database_name';
$username = 'username';
$password = 'password';
$con=mysql_connect($hostname,$username,$password,$dbname) or die("Failed to connect to MySQL: " . mysql_error());
$db=mysql_select_db($dbname,$con) or die("Failed to connect to MySQL: " . mysql_error());
$query = "SELECT * FROM `Treatments`";
$result = mysql_query($con, $query);
$options = "";
while ($row = mysql_fetch_array($result)){
$options = $options . "<option>$row[1]</option>";
}
?>
HTML:
<body>
<select>
<?php
echo $options;
?>
</select>
</body>
Consider changing this line:
$query = "SELECT * FROM 'Treatments'";
to use backticks instead of single quotes like so:
$query = "SELECT * FROM `Treatments`";
In my test query I got an error because of this, let me know if that helps.
Add <?php include 'treatment_dropdown.php'; ?> to the top of your HTML file. This should give you access to the the $options string so it can be used in that file. Note that in order for this to work, treatment_dropdown.php needs to be in the same directory as your HTML file. If it is not, the include statement will need to be changed to reflect the appropriate file path.
Do not use mysql_*() functions, they are deprecated. Use mysqli or PDO instead.
No matter which library use use to access mysql, always check for errors within the sql code separately. Errors in the sql code do not result in errors in the php code.
In this particular case the problem is that you included the table in single quotes instead of backticks.
The correct code:
$query = "SELECT * FROM `Treatments`";
Here's what your PHP file should look like:
<?php
$hostname = 'localhost';
$dbname = 'Treatments';
$username = 'root';
$password = '';
$con = mysql_connect( $hostname, $username, $password, $dbname) or die("Failed to connect to MySQL: " . mysql_error());
$db = mysql_select_db($dbname,$con) or die("Failed to connect to MySQL: " . mysql_error());
/* No single quotes needed for the table name. */
$query = "SELECT * FROM Treatments";
/* First parameter should be $query not $con */
$result = mysql_query($query, $con);
$options = "";
/* Check if no results exist. */
if ( !$result ) {
die( "NO results found." );
}
while ( $row = mysql_fetch_array($result) ) {
$options .= "<option>$row[treatment]</option>";
}
?>
Notes:
dont use mysql_* functions, they're not secure, use PDO instead.
your table name does not need to be wrapped in single quotes.
mysql_query expects parameter 1 to be the query not the DB connection.
you should probably check if no results are found.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I have been working on a form that uses PHP to send e-mails to my account. To save room and de-clutter my mailbox account I am now trying to now use the same PHP to send the info to a MySQL server to log the data. The code I have been trying to make work keeps giving the same error of:
Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future
Here is the PHP code that I am currently trying to use:
$host = 'localhost';
$username = 'root';
$password = '';
$dbname = 'on-boarding';
mysql_connect($host,$username,$password);
mysql_select_db($dbname);
mysql_query("INSERT INTO new_employees ('OnBoardedBy', 'EmployeeName', 'HomePhone') VALUES ('$onboarded_by','$employee_name','$home_phone')");
You should use PDO or MySQLi. I'd recommend directly to use PDO and not MySQLi. PDO has a better integration of Prepared Statements. Do it like this:
try {
$db = new PDO("mysql:host=".$host.";dbname=".$db.";charset=utf8", $user, $password);
} catch(PDOException $e) {
die("Unable to connect. Error: ".$e->getMessage());
}
$link = $db->prepare("INSERT INTO new_employees (`OnBoardedBy`, `EmployeeName`, `HomePhone`) VALUES (?, ?, ?)");
$link->bindvalue(1, $onboarded_by);
$link->bindvalue(2, $employee_name);
$link->bindvalue(3, $home_phone);
$link->execute();
$row = $link->fetch(PDO::FETCH_ASSOC);
edit: Let me add an example for a prepared query.
PHP is not going to support the MySQL extension for much longer anymore. It is recommend to use MySQLi or PDO.
$host = 'localhost';
$username = 'root';
$password = '';
$dbname = 'on-boarding';
$link = mysqli_connect('$host', '$username', '$password', '$dbname');
mysqli_query($link, "INSERT INTO new_employees (`OnBoardedBy`, `EmployeeName`, `HomePhone`) VALUES ('$onboarded_by','$employee_name','$home_phone')");
Prepared statements are much safer and avoid the risk of sql injection: http://php.net/manual/en/mysqli.prepare.php
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
require("./connect.php");
$getid = $_GET['id'];
$getusername = mysql_query("SELECT username FROM user WHERE id='$getid'");
$getdesc = mysql_query("SELECT description FROM user WHERE id='$getid'");
echo "$getusername $getdesc";
I am having trouble, it is not echoing the data from those variables. I is returning resource id #10 and #11.
You need to fetch the data first before you can use the mysql_query result...
please see the example in the PHP Documentation
https://php.net/manual/en/function.mysql-fetch-row.php
<?php
$result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
if (!$result) {
echo 'Could not run query: ' . mysql_error();
exit;
}
$row = mysql_fetch_row($result);
echo $row[0]; // 42
echo $row[1]; // the email value
?>
Warning:
This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.
pdo : https://php.net/manual/en/book.pdo.php
mysqli : http://www.php.net//manual/en/book.mysqli.php
You are trying to print out the resource ID of the query you just ran.
To get to the actual results you have to specifically request it.
mysql_fetch_assoc($getusername); //should be used!
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
Improve this question
help me with this code i am new to php
<?php
$conn=mysql_connect("localhost","root","","test");
if(isset($_POST['submit']))
{
$sql="INSERT INTO registration(fname,designation,emailid,
address,phonenumber)VALUES('".$_POST['fname']."','".$_POST['designation']."','".$_POST['ema
lid']."', '".$_POST['address']."','".$_POST['phonenumber']."')";
echo $sql;
$result=mysql_query($conn,$sql);
echo $result;
}
else{
echo "Error";
}
?>
its a registration page getting values and inserting it in the table...
You have the parameters around the wrong way here:
$result=mysql_query($conn,$sql);
Try
$result=mysql_query($sql, $conn) or die(mysql_error($conn));
Side notes:
Don't use mysql_*() functions: they're deprecated. Use mysqli_*() versions instead.
You should escape your user inputs with mysql_real_escape_string() to protect against SQL Injection attacks. Consider using prepared statements with mysqli_() instead.
Take a look at this link which is a good tutorial for inserting data (from a form etc.) to a mysql database.
Also: be aware of sql-injection and prevent it. here is a tutorial on how to do this: link
If you want to have readable code, set the $_POST[] values to a variable, and then pass them to the query, it's not different in fact but this is more easy and clean.:
<?php
$conn=mysql_connect("localhost","root","","test");
if(isset($_POST['submit']))
{
$fname = $_POST['fname'];
$designation = $_POST['designation'];
$emailid = $_POST['emailid'];
$address = $_POST['address'];
$phonenumber = $_POST['phonenumber'];
$sql="INSERT INTO registration(fname,designation,emailid,address,phonenumber)";
$sql .="VALUES('$fname', '$designation', '$emailid', '$address', '$phonenumber')";
echo $sql;
$result=mysql_query($conn,$sql);
echo $result;
}
else{
echo "Error";
}
?>
you hade a typing mistake in $_POST['emailid']...
and you can select your database with this:
mysql_select_db('your db name');
put this line after your connection variable means $conn
and this is wrong:
$result = mysql_query ($conn, $sql)
you have to set the query first:
$result = mysql_query($sql, $conn)