Simple Insert Variable PHP into MySQL - php

I have a simple bit of code that I can't get working.
<?php
$mysqli_connection = new MySQLi('localhost', 'root', 'secret', 'edgeserver');
if ($mysqli_connection->connect_error) {
echo "Not connected, error: " . $mysqli_connection->connect_error;
$username = 'Eddie';
$username = mysql_real_escape_string($username);
$email = 'eddie_the_eagle#hotmail.com';
$email = mysql_real_escape_string($email);
$sql = "INSERT INTO `users` (`username`, `email`)
VALUES ( '".$username."', '".$email."')";
$res = $mysqli_connection->query($sql);
}
?>
When I run the code no error appears but the users table remains empty.

Try This
<?php
$mysqli_connection = new MySQLi('localhost', 'root', 'secret', 'edgeserver');
if ($mysqli_connection->connect_error)
{
echo "Not connected, error: " . $mysqli_connection->connect_error;
}//Change
$username = 'Eddie';
$username = mysqli_real_escape_string($mysqli_connection,$username);//Change
$email = 'eddie_the_eagle#hotmail.com';
$email = mysqli_real_escape_string($mysqli_connection,$email); //Change
$sql = "INSERT INTO users (username, email) VALUES ( '".$username."', '".$email."')";
$res = $mysqli_connection->query($sql);
?>

You were mixing two APIs, mysql and mysqli. Stop using the deprecated mysql extension.
$username = mysqli_real_escape_string($mysqli_connection,$username);
$email = mysqli_real_escape_string($mysqli_connection,$email);
And you forgot to close your if condition too
if ($mysqli_connection->connect_error) {
echo "Not connected, error: " . $mysqli_connection->connect_error;
}//<------forgot

There are two problems:-
you are mixing mysql_* with mysqli_*
no error checking is done.
Try like this:-
<?php
$mysqli_connection = new MySQLi('localhost', 'root', 'secret', 'edgeserver');
if ($mysqli_connection->connect_error)
{
echo "Not connected, error: " . $mysqli_connection->connect_error;
}//Change
$username = 'Eddie';
$username = mysqli_real_escape_string($mysqli_connection,$username);//connection link must be provided as a first parameter
$email = 'eddie_the_eagle#hotmail.com';
$email = mysqli_real_escape_string($mysqli_connection,$email); //same here
$sql = "INSERT INTO users (username, email) VALUES ( '".$username."', '".$email."')";
$res = $mysqli_connection->query($sql);
?>
Note: Please habituate yourself to using error reporting whenever you are going to do any stuff. Thanks.

You forgot to close your if statement, so your insert logic will only run if there is a connect error.
Move the last } to a new line after
$mysqli_connection->connect_error;

Related

MySQL insert username and password via php error

MySQL is not inserting the correct username and password in the database. The php code is:
<?php
$username = $_POST["email"];
$password = $_POST["password"];
require 'database.php';
$myquery = "INSERT INTO verify (`username`, `password`) VALUES ('$username','$password')";
$query = mysql_query($myquery);
if (!$query) {
echo mysql_error();
die;
}
?>
I checked the database.php, it is absolutely fine. It is showing username and password as pranav even though the values are different.
Thanks in advance.
Try to re-order your code; maybe some vars are overwriting their values:
<?php
require 'database.php';
$username = $_POST["email"];
$password = $_POST["password"];
$myquery = "INSERT INTO verify (`username`, `password`) VALUES ('$username','$password')";
$query = mysql_query($myquery);
if (!$query) {
echo mysql_error();
die;
}
?>
I found out what the error was. It was happening because the database.php was coded like this.
PHP:
<?php
$username="pranav";
$password="pranav";
$host="localhost";
$database="requester";
$server = mysql_connect($host, $username, $password);
$connection = mysql_select_db ($database, $server);
$table='verify'
?>
The username and password were getting rewritten.
Thanks Grommy

prepare statement fatal error

<?php
//Defining page title
define('WEBSITE_TITLE', 'Register');
//Content location
$content = 'content/register.php';
//Database connection
try {
$dbh = new PDO('mysql:host=localhost;dbname=saldev', 'admin', '420blazeit');
$dbh = null;
} catch (PDOException $e) {
die();
}
//Including website template
include_once 'template.php';
if(isset($_POST['submitRegister'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
$rank = 'user';
$ins = $dbh->prepare("INSERT INTO 'users'('username', 'password', 'email', 'rank') VALUES (''username','password', 'email','user')");
$ins->execute();
echo 'Success! you have been register';
header("Location: index.php");
}
?>
I get the following error: "Fatal error: Call to a member function prepare() on null in C:\workspace\register.php on line 23"
I have been trying to find out what the problem is, but I haven't got a clue how to fix this. Somebody please help! :c
You have two single quotes '. Replace
$ins = $dbh->prepare("INSERT INTO 'users'('username', 'password', 'email', 'rank') VALUES (''username','password', 'email','user')");
with
$ins = $dbh->prepare("INSERT INTO users (username, password, email, rank) VALUES ('username','password', 'email','user')");
Also remove $dbh = null;.
Well, you are setting $dbh to null
$dbh = null;
Also you should not use ' inside the MySQL query for table or column names.

Having trouble creating a safe way for users to update their data

I am making a way for users to edit their data. My first way I did it worked, but then I remembered that it is very insecure and that I should never insert data directly into the database; at least that's what I was told. I try to make it more secure by doing the VALUES (?,?,?,?,?) thing so that the data is not directly going in, which seemed to work fine in my registration page (which I can include if you want).
To start, here is my original update data page that worked fine but it does not use the (?,?,?,?,?) method:
if(isset($_POST['submit'])) {
$userid=$_SESSION['userid'];
$skype=$_POST['skype'];
$email=$_POST['email'];
$region=$_POST['region'];
$crank=$_POST['league1'];
$drank=$_POST['league2'];
if(empty($skype) || empty($email) || empty($crank) || empty($drank) || empty($region))
{
echo "Cannot leave any field blank";
}
else
{
$host= "localhost";
$dbname = "boost";
$user = "root";
$pwd = "";
$port=3306;
try
{
$mysqli= new mysqli($host, $user, $pwd, $dbname,$port);
if ($mysqli->connect_error) {
die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
}
$query = "UPDATE usertable SET SkypeID = '$skype', Email = '$email', Region = '$region', CRank = '$crank', DRank = '$drank' WHERE UserID = '$userid'";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("sssss",$skype,$email,$region,$crank,$drank);
$stmt->execute();
$iLastInsertId=$mysqli->insert_id;
header('Location: http://localhost/Boost/account.php');
$stmt->close();
$mysqli->close();
} catch (mysqli_sql_exception $e) {
throw $e;
}
}
}
Here is what I tried to do to make it more secure but this doesn't seem to work. Specifically the $query = "UPDATE usertable SET usertable(SkypeID,Email,Region,CRank,DRank) VALUES (?,?,?,?,?) WHERE UserID = '$userid'"; seems to be the issue, though the syntax looks fine to me
if(isset($_POST['submit'])) {
$userid=$_SESSION['userid'];
$skype=$_POST['skype'];
$email=$_POST['email'];
$region=$_POST['region'];
$crank=$_POST['league1'];
$drank=$_POST['league2'];
if(empty($skype) || empty($email) || empty($crank) || empty($drank) || empty($region))
{
echo "Cannot leave any field blank";
}
else
{
$host= "localhost";
$dbname = "boost";
$user = "root";
$pwd = "";
$port=3306;
try
{
$mysqli= new mysqli($host, $user, $pwd, $dbname,$port);
if ($mysqli->connect_error) {
die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
}
$query = "UPDATE usertable SET usertable(SkypeID,Email,Region,CRank,DRank) VALUES (?,?,?,?,?) WHERE UserID = '$userid'";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("sssss",$skype,$email,$region,$crank,$drank);
$stmt->execute();
$iLastInsertId=$mysqli->insert_id;
header('Location: http://localhost/Boost/account.php');
$stmt->close();
$mysqli->close();
} catch (mysqli_sql_exception $e) {
throw $e;
}
}
}
So I am not sure what the problem is. In my experience with PHP, the syntax should be fine but I must be missing something.
It's quite simple actually, you went from
$query = "UPDATE usertable SET SkypeID = '$skype', Email = '$email', Region = '$region', CRank = '$crank', DRank = '$drank' WHERE UserID = '$userid'";
TO
$query = "UPDATE usertable SET usertable(SkypeID,Email,Region,CRank,DRank) VALUES (?,?,?,?,?) WHERE UserID = '$userid'";
It appears you confused an INSERT statement vs. an UPDATE statement when rewriting so to fix you simply use your old statement with the new style...
$query = "UPDATE usertable SET SkypeID = ?, Email = ?, Region = ?, CRank = ?, DRank = ? WHERE UserID = $userid";
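The corrected UPDATE with the WHERE value bound as well, as an added example that is not part of the original answer. `updateProfile()` is a hypothetical helper name and `UserID` is assumed to be an integer column; the connection values are the ones from the question.

```php
<?php
// Added example, not the poster's code. Assumptions: UserID is an integer
// column, and updateProfile() is a hypothetical helper name.

// Make mysqli throw mysqli_sql_exception on failure. Before PHP 8.1 this mode
// is off by default, so a catch (mysqli_sql_exception $e) block never fires.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function updateProfile(mysqli $db, int $userId, array $f): int
{
    // Six placeholders: five columns plus the WHERE value. No variable is
    // interpolated into the SQL text, including the session's user id.
    $stmt = $db->prepare(
        'UPDATE usertable
            SET SkypeID = ?, Email = ?, Region = ?, CRank = ?, DRank = ?
          WHERE UserID = ?'
    );
    // The type string needs one letter per placeholder, in the same order.
    $stmt->bind_param('sssssi',
        $f['skype'], $f['email'], $f['region'], $f['league1'], $f['league2'],
        $userId);
    $stmt->execute();
    $rows = $stmt->affected_rows; // 0 if the row is missing or already holds these values
    $stmt->close();
    return $rows;
}

session_start();
if (isset($_POST['submit'], $_SESSION['userid'])) {
    $f = [];
    foreach (['skype', 'email', 'region', 'league1', 'league2'] as $key) {
        $f[$key] = trim((string) ($_POST[$key] ?? ''));
    }
    if (in_array('', $f, true)) {
        exit('Cannot leave any field blank');
    }
    try {
        $db = new mysqli('localhost', 'root', '', 'boost', 3306);
        $db->set_charset('utf8mb4');
        updateProfile($db, (int) $_SESSION['userid'], $f);
        $db->close();
        header('Location: http://localhost/Boost/account.php');
        exit;
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // keep the detail in the log, not in the response
        http_response_code(500);
        exit('Could not save your changes');
    }
}
```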

php bcrypt 505 error

I am trying to use a simple hash for users emails and passwords.
But when I run the following PHP script, which is called on an ajax request, I get a 505 error.
<?php
$user = json_decode(file_get_contents('php://input'));
$email = $user->email;
$pass = $user->pass;
$cpass = $user->cpass;
$ssid = $user->ssid;
$type = $user->type;
$date = $user->regtime;
$con = mysqli_connect("localhost", "", "", "");
// Check connection
if (mysqli_connect_errno()){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$validateEmail = "SELECT `Email` FROM `newUsers` WHERE `Email` = '$email' ";
$newVar = password_hash($pass, PASSWORD_DEFAULT);
if ($result = mysqli_query($con,$validateEmail)) {
if ($result->num_rows == 0){
$sql = "INSERT INTO `newUsers`(`email`, `type`, `date`, `ssid`, `hashpass`) VALUES ('$email', '$type', '$date', '$ssid', '$newVar')";
mysqli_query($con,$sql);
}
}
mysqli_close($con);
?>
If I remove the hash attempt and leave the password as it is received, the password gets inserted, so I believe it is the hashing function that is causing the 505. Can anyone see what is going wrong with my hash attempt?

PHP registered user check

I have a PHP + AS3 user login & register module. I want to check for a registered user by username, but can't do it because I'm new at PHP. If you can help it will be helpful, thx. (The result_message part is my AS3 info text box.)
<?php
include_once("connect.php");
$username = $_POST['username'];
$password = $_POST['password'];
$userbio = $_POST['userbio'];
$sql = "INSERT INTO users (username, password, user_bio) VALUES ('$username', '$password', '$userbio')";
mysql_query($sql) or exit("result_message=Error");
exit("result_message=success.");
?>
Use MySQLi as your PHP function. Start there, it's safer.
Connect your DB -
$host = "////";
$user = "////";
$pass = "////";
$dbName = "////";
$db = new mysqli($host, $user, $pass, $dbName);
if($db->connect_errno){
echo "Failed to connect to MySQL: " .
$db->connect_errno . "<br>";
}
If you are getting the information from the form -
$username = $_POST['username'];
$password = $_POST['password'];
$userbio = $_POST['userbio'];
you can query the DB and check the username and password -
$query = "SELECT * FROM users WHERE username = '$username'";
$result = $db->query($query);
If you get something back -
if($result) {
//CHECK PASSWORD TO VERIFY
} else {
echo "No user found.";
}
then verify the password. You could also attempt to verify the username and password at the same time in your MySQL query like so -
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
@Brad is right, though. You should take a little more precaution when writing this as it is easily susceptible to hacks. This is a pretty good starter guide - http://codular.com/php-mysqli
Using PDO is a good start, your connect.php should include something like the following:
try {
$db = new PDO('mysql:host=host;dbname=name', 'mysql_username', 'mysql_password');
} catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
die();
}
Your insert would go something like:
$username = $_POST['username'];
$password = $_POST['password'];
$userbio = $_POST['userbio'];
$sql = "INSERT INTO users (username, password, user_bio) VALUES (?, ?, ?)";
$std = $db->prepare($sql);
$std->execute(array($username, $password, $userbio));
To find a user you could query similarly, setting your $username manually or from $_POST:
$query = "SELECT * FROM users WHERE username = ?";
$std = $db->prepare($query);
$std->execute(array($username));
$result = $std->fetchAll();
if($result) {
foreach ($result as $user) { print_r($user); }
} else { echo "No Users found."; }
It is important to bind your values, yet another guide for reference, since I do not have enough rep yet to link for each PDO command directly from the manual, this guide and website has helped me out a lot with PHP and PDO.
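One way to do the username check and registration discussed above with bound values and hashed passwords, as an added example rather than code from any of the posters; the same pattern applies to the PDO register page earlier on this page. It uses an in-memory SQLite DSN so it runs without a server (an assumption; swap in the `mysql:` DSN), and `registerUser()` and `checkLogin()` are hypothetical names.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for MySQL so the
// script runs offline; registerUser() and checkLogin() are hypothetical names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw PDOException
$db->exec('CREATE TABLE users (
    username TEXT PRIMARY KEY, password TEXT NOT NULL, user_bio TEXT)');

function registerUser(PDO $db, string $username, string $password, string $bio): string
{
    // Look the name up through a placeholder, never by building the SQL string.
    $find = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $find->execute([$username]);
    if ($find->fetchColumn() !== false) {
        return 'result_message=Username already registered';
    }
    // Store only the hash. PASSWORD_DEFAULT may grow beyond 60 characters,
    // so on MySQL give the column room (VARCHAR(255)).
    $ins = $db->prepare(
        'INSERT INTO users (username, password, user_bio) VALUES (?, ?, ?)'
    );
    // The PRIMARY KEY is the backstop if two requests register the same name at once.
    $ins->execute([$username, password_hash($password, PASSWORD_DEFAULT), $bio]);
    return 'result_message=success.';
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $find = $db->prepare('SELECT password FROM users WHERE username = ?');
    $find->execute([$username]);
    $hash = $find->fetchColumn();
    // The password is never compared in SQL; password_verify() checks it
    // against the stored hash.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input: the apostrophe would break a concatenated query.
echo registerUser($db, "O'Brien", 'correct horse', 'first user'), "\n";
echo registerUser($db, "O'Brien", 'another pass', 'duplicate'), "\n";
var_dump(checkLogin($db, "O'Brien", 'correct horse'));
var_dump(checkLogin($db, "O'Brien", 'wrong password'));
```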
