I am working on a site to share names of songs, and I have made a recommendation form that I include in every page. This recommendation form is in HTML and leads to a PHP action page, where the information received is added to a SQL table. Here is the code:
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="MYPASSWORD"; // Mysql password
$db_name="DB NAME"; // Database name
$tbl_name="songshare"; // Table name
// Connect to server and select database.
$link = mysqli_connect("$host", "$username", "$password")or die("cannot connect");
mysqli_select_db($link, "$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$song=$_POST['song'];
$album=$_POST['album'];
$artist=$_POST['artist'];
$linkitunes=$_POST['linkitunes'];
$artwork=$_POST['albumPic'];
// To protect MySQL injection (more detail about MySQL injection)
$song = stripslashes($song);
$album = stripslashes($album);
$artist = stripslashes($artist);
$song = mysqli_real_escape_string($link, $song);
$album = mysqli_real_escape_string($link, $album);
$artist = mysqli_real_escape_string($link, $artist);
$sql="SELECT * FROM $tbl_name WHERE song='$song'";
$result=mysqli_query($link, $sql);
if ($result->num_rows){
echo "Song already taken" . "<br />";
echo "<a href='/music.php'>music</a>";
exit();
}
$sql="INSERT INTO recommendation (user_id, artist, song, album, artwork, linkitunes)";
$sql = $sql . " VALUES ('$_SESSION['user_id']', '$artist', '$song', '$album'. '$artwork'. '$linkitunes');";
$result=mysqli_query($link, $sql);
if(!$result) {
echo "Recommendation failed" . "<br />";
echo $sql;
} else {
print "$song, $artist, $album";
}
ob_end_flush();
?>
I have checked that every username, password, link is correct and valid. My server does, in fact, run PHP. It doesn't seem to me like the PHP code is even running though.
Thank you so much in advance.
-Cameron
Turn on error reporting by adding this on top of page:
ini_set("display_errors",true);
and change this line:
$link = mysqli_connect("$host", "$username", "$password")
to
$link = mysqli_connect($host, $username, $password,$db_name);
Please have a look how to work with mysqli
Instead of '$album'. '$artwork'. '$linkitunes' Do: '$album', '$artwork', '$linkitunes', while saving data.
Try this :-
$sql = $sql . " VALUES ('".$_SESSION['user_id']."', '$artist', '$song', '$album', '$artwork', '$linkitunes')";
instead of
$sql = $sql . " VALUES ('$_SESSION['user_id']', '$artist', '$song', '$album'. '$artwork'. '$linkitunes');";
You should check the version of the local server you are working with. If you are working with a higher version of the local server and your PHP was written for a lower version, it throws a blank page.
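In the question's code, `$linkitunes` and `$artwork` reach the INSERT without being escaped, and the failure branch echoes the raw SQL. The following is an added example, not code from any of the posts above, of the same duplicate check and insert done with bound parameters. It uses PDO with an in-memory SQLite database so it runs without a server (the same prepare/execute calls work with PDO's MySQL driver); the function name `addRecommendation`, the sample form values and running the duplicate check against `recommendation` are assumptions.

```php
<?php
// Added example: column names follow the question. The in-memory SQLite
// database and the sample form values are constructed so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE recommendation (user_id INTEGER, artist TEXT, song TEXT,
    album TEXT, artwork TEXT, linkitunes TEXT)');

/**
 * Store one recommendation. Every user-supplied value, including artwork and
 * linkitunes, is a bound parameter and never becomes part of the SQL text.
 * Returns false when the song is already recorded.
 */
function addRecommendation(PDO $db, int $userId, array $form): bool
{
    // Assumption: duplicates are checked in the table being inserted into.
    $check = $db->prepare('SELECT 1 FROM recommendation WHERE song = :song');
    $check->execute([':song' => $form['song']]);
    if ($check->fetchColumn() !== false) {
        return false;
    }
    $insert = $db->prepare(
        'INSERT INTO recommendation (user_id, artist, song, album, artwork, linkitunes)
         VALUES (:user_id, :artist, :song, :album, :artwork, :linkitunes)'
    );
    $insert->execute([
        ':user_id'    => $userId,
        ':artist'     => $form['artist'],
        ':song'       => $form['song'],
        ':album'      => $form['album'],
        ':artwork'    => $form['albumPic'],
        ':linkitunes' => $form['linkitunes'],
    ]);
    return true;
}

// Constructed stand-in for $_POST; the apostrophe would break a query that is
// built by string concatenation without escaping.
$form = [
    'song'       => "Don't Stop Me Now",
    'artist'     => 'Queen',
    'album'      => 'Jazz',
    'albumPic'   => 'https://example.com/jazz.jpg',
    'linkitunes' => 'https://example.com/itunes/1',
];
$userId = 1; // constructed; the question reads it from $_SESSION['user_id']
var_dump(addRecommendation($db, $userId, $form)); // first submission
var_dump(addRecommendation($db, $userId, $form)); // same song submitted again
$stored = $db->query('SELECT song FROM recommendation')->fetchColumn();
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n"; // encode on output
```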
Related
<?php
//CONNECT TO DATABASE
$db_host="localhost";
$db_username="root";
$db_pass="";
$db_name="admin";
@mysql_connect("$db_host","$db_username","$db_pass","$db_name")
or die ("not connect");
@mysql_select_db("$db_name") or die ("no database");
echo "succesful connection";
//THEN I CHECK THE VALUES FROM MY FORM
if($_SERVER ['REQUEST_METHOD']=='POST'){
$username=$_POST['username'];
$password=$_POST['password'];
$username=htmlspecialchars($username);
$password=htmlspecialchars($password);
//SEARCH INTO MY DATABASE TABLE
$SQL="SELECT * FROM members WHERE`` username=$username AND password=$password ";
$result=mysql_query($SQL);
//BASED ON MY RESULTS I GIVE TO SESSION VARIABLE A VALUE 1 OR "" AND REDIRECT TO INDEX.PHP
if($result){
$num_rows=mysql_num_rows($result);
if($num_rows>0){
session_start();
$_SESSION['check']="1";
header ("Location:index.php");
}
else{
session_start();
$_SESSION['check']="";
header ("Location:index.php");
}
}
}
?>
@mysql_connect and @mysql_select_db: Please don't do that.
Use mysqli instead of the deprecated mysql extension, see Why shouldn't I use mysql_* functions in PHP?
There is a reason why functions may throw errors; you should handle them instead of using @ so they don't show up.
To your problem:
Look at your sql statement:
$SQL="SELECT * FROM members WHERE`` username=$username AND password=$password ";
That doesn't work, you pass $password as plain text for the password, not the value of this var, try:
$SQL='SELECT * FROM members WHERE username="' . $username . '" AND password="' . $password . '"';
I think you have issue in your sql query. So try this
$SQL="SELECT * FROM members WHERE `username`='".$username."' AND `password`='".$password."' ";
Issue :
1) You are using $username directly without single quotes, so if the username is a string it will not work
2) Check that special character you are using after WHERE
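The login query in this thread places the submitted username and password directly into the SQL text, and `htmlspecialchars()` is an HTML output encoder, not SQL escaping. The following is an added example, not code from the posts above, of the same check with a bound parameter and a hashed password. It uses PDO with an in-memory SQLite database so it runs without a server; the `password_hash` column, the function name `checkLogin` and the sample account are assumptions.

```php
<?php
// Added example: the members table follows the question. The in-memory SQLite
// database, the password_hash column and the sample account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT)');
$seed = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$seed->execute(["o'neil", password_hash('correct horse battery', PASSWORD_DEFAULT)]);

/**
 * Check a login. The username is a bound parameter, so a quote in it is data.
 * The password is never sent to the database; it is only compared with the
 * stored hash by password_verify().
 */
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the username.
    return is_string($hash) && password_verify($password, $hash);
}

// Raw request values go straight to checkLogin(); passing them through
// htmlspecialchars() first would alter characters such as & and <.
var_dump(checkLogin($db, "o'neil", 'correct horse battery')); // valid account
var_dump(checkLogin($db, "o'neil", 'wrong password'));        // bad password
var_dump(checkLogin($db, 'nobody', 'correct horse battery')); // unknown user
```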
There's an error at the line $id=$_GET['id']; that says Notice: Undefined index: id in D:\XAMPP\htdocs\view_topic.php on line 101. I tried to change " $_GET " to " $_POST " but the error is still the same. Any help?
I am trying to retrieve the id from the database and list all the forum topics posted by users. The other PHP files run smoothly. I have a problem retrieving the id of the post.
<?php
$host="localhost";
$username="root";
$password="";
$db_name="db";
$tbl_name="forum_question";
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// get value of id that sent from address bar
$id=$_GET['id'];
$sql="SELECT * FROM $tbl_name WHERE id='$id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
?>
Always make use of the isset construct when assigning data to variables from the outside world
if(isset($_GET['id']))
{
$id=$_GET['id'];
$sql="SELECT * FROM $tbl_name WHERE id='$id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
}
else
{
echo "ID was not set. Let me go and check the form again !";
}
?>
This variable has to be set in your URL. You have to check if it's present:
<?php
$host = "localhost";
$username = "root";
$password = "";
$db_name = "db";
$tbl_name = "forum_question";
// Connect to server and select database.
$db = new mysqli($host, $username, $password, $db_name);
// get value of id that sent from address bar
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($id === 0) {
// TODO
// 404 Not Found
} else {
$sql = "SELECT * FROM $tbl_name WHERE id='$id'";
$row = $db->query($sql)->fetch_assoc();
// TODO
// Do Something with Data
}
Your URL must then be http://example.com/path/to/script.php?id=42
I added (int), so no sql injections are possible.
I replaced mysql_* by MySQLi, see comment to your question.
I removed quotes from variables in your query, you don't need them.
I've got two different sites. What I'd like to do is to automatically run a script that sends some of the data inserted into the database in site 1 when a user registers and updates a table in the database for site 2 so that an account is automatically created in site 2 using the same details.
I'm at the stage of trying to create a query that will update the database. I'm the self-made type so don't know that well what I'm doing. Got this query from somewhere but can't make it work. Can anyone tell what's wrong with it? It's not executing the query.
Thanks!
Eugenie
<?php
$host = "localhost"; // Host name
$username = "----"; // Mysql username
$password = "----"; // Mysql password
$db_name1 = "------"; // Database name
$db_name2 = "-----"; // Database name
$tbl_name1 = "-----"; // Table name
$tbl_name2 = "---"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name1")or die("cannot select DB");
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name2")or die("cannot select DB");
$query = "USE $db_name2
UPDATE $db_name2.dbo.$tbl_name2
SET email=d2.email FROM $db_name1.dbo.$tbl_name1 d2
WHERE d2.uid = $tbl_name1.uid";
$result = mysql_query($query) or die ("could't execute query.");
?>
<?php
$host = "localhost"; // Host name
$username = "----"; // Mysql username
$password = "----"; // Mysql password
$db_name1 = "------"; // Database name
$db_name2 = "-----"; // Database name
$tbl_name1 = "-----"; // Table name
$tbl_name2 = "---"; // Table name
$conn = mysql_connect($host, $username, $password);
mysql_select_db($db_name1, $conn) or die("cannot select DB");
mysql_select_db($db_name2, $conn) or die("cannot select DB");
$query1 = "SELECT * FROM `" . $db_name1 . "`.`" . $tbl_name1 . "`";
$query2 = "SELECT * FROM `" . $db_name2 . "`.`" . $tbl_name2 . "`";
You can fetch data of above query from both database as below
$result1 = mysql_query($query1);
while($row = mysql_fetch_assoc($result1)) {
$data1[] = $row;
}
$result2 = mysql_query($query2);
while($row = mysql_fetch_assoc($result2)) {
$data2[] = $row;
}
print_r($data1);
print_r($data2);
?>
Suggestion: Try shifting to mysqli or PDO since mysql is deprecated now.
Recall the documentation for mysql_connect:
Returns a MySQL link identifier on success or FALSE on failure.
... and the documentation for the second parameter for mysql_query:
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
... should solve your problem. Example:
$link1 = mysql_connect( ... ); // For db 1.
$link2 = mysql_connect( ... ); // For db 2.
$result1 = mysql_query( "some query for db 1", $link1 );
$result2 = mysql_query( "some query for db 2", $link2 );
Well,
first of all, you're not connecting to two different databases, but using two different schemas in the same database. So only a mysql_connect should be used.
Also, if you're using full qualified names to access your tables you don't need to call mysql_select_db, nor the 'use db_name' mysql command.
Your query string is wrong. After USE $db_name2 you should have a semi-colon, and the update sentence is not correct.
Code could be something like that:
mysql_connect(...)
$query = "update $db2.$table2, $db1.$table1
I am trying to delete a record from a database using PHP. This is supposed to happen when I click a button. No error is displayed and the query appears on the screen, but the record remains in the database.
phpmyadmin gives me the following code to use: DELETE FROM 'the shop'.'customer' WHERE 'customer'.'CustomerID' = 8
<?php
$host="localhost"; // Host name
$tbl_name="customer"; // Table name
$db_user="root";
$db_pass="";
$connect = mysql_connect("$host", "$db_user", "$db_pass");
$db_name="the_shop"; // Database name
mysql_select_db("$db_name");
if (!$connect)
{
die("MySQL could not connect!");
}
if(isset($_GET['submit2'])){
$db_username = $_GET['username'];
$sql4 = "DELETE FROM 'the_shop'.'customer' WHERE 'customer'.'CustomerID' = 8"
or die('error deleting record');
mysql_query($sql4);
echo $sql4;
}
?>
I know this will only delete the record that has a CustomerID that = 8.
My intention is that once this works I will replace CustomerID with Username and the '8' with the relevant variable that will be given a value via a form.
Any help is appreciated.
You are using quotes instead of backticks.
$sql4 = "DELETE FROM `the_shop`.`customer` WHERE `customer`.`CustomerID` = 8";
Moreover, you don't need backticks (in this case, as you are not using any reserved keywords here), and you are using die() in the wrong place.
Use this. It is working.
<?php
$host="localhost"; // Host name
$tbl_name="customer"; // Table name
$db_user="root";
$db_pass="";
$connect = mysql_connect("$host", "$db_user", "$db_pass");
$db_name="the_shop"; // Database name
mysql_select_db("$db_name",$connect);
if (!$connect)
{
die("MySQL could not connect!");
}
if(isset($_GET['submit2'])){
$db_username = $_GET['username'];
$sql4 = "DELETE FROM `the_shop`.`customer` WHERE `customer`.`CustomerID` = 8";
mysql_query($sql4,$connect) or die('error deleting record');
echo $sql4;
}
?>
Your statement is not correct. You use quotes instead of backticks. But you can make your statement easier.
$sql4 = "DELETE FROM customer WHERE CustomerID = 8";
$sql4 = "DELETE FROM `the_shop`.`customer` WHERE `customer`.`CustomerID` = 8";
mysql_query($sql4) or die('error deleting record');
echo $sql4;
You don't need to specify which database to query in your query.
This will suffice:
DELETE FROM customer WHERE CustomerID = 8
The Mysql extension is deprecated. This means that it is no longer supported by PHP and should not be used. Try mysqli or pdo instead.
You can just use this. There is no need for you to specify the database.
delete from customer where CustomerID = 8
I'm working on my first PHP/MySQL project, and I've gotten basic logins and INSERT queries working, but not updates. This is my first update, which is just one row with a state and zipcode. Is anything wrong?
$dbc = mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$state=$_POST['state'];
$zip=$_POST['zip'];
$custnum = 0;
$sql="UPDATE $tbl_name SET state = '$state', zip = '$zip', WHERE custnum = '$custnum'";
$result = mysqli_query($dbc, $sql)
or die('Error querying database.');
$sql="UPDATE {$tbl_name} SET state='{$state}', zip='{$zip}' WHERE custnum='{$custnum}'";
Remove the last comma before the "WHERE" clause. Also, if you're just starting out, it's good to put parentheses around variable names when using double quotes for strings. It helps you distinguish the variables better.
Pekka is also correct in his comments, you are mixing mysql and mysqli functions. Use mysql_query() instead.
I think you need to get rid of the comma just before the WHERE.
$suitno =mysqli_real_escape_string($ecms,$_POST['suitno']);//protecting sql injection
$defendant=mysqli_real_escape_string($ecms,$_POST['defendant']);//protecting sql injection
$casenature=mysqli_real_escape_string($ecms,$_POST['casenature']);//protecting sql injection
$sql="UPDATE causelist SET suitno='{$suitno}',
casenature='{$casenature}' WHERE suitno='{$suitno}'";
$result = mysqli_query($ecms, $sql)
or die('Error querying database.');
$dbc = mysql_connect($host, $username, $password)or die("cannot connect"); //don't need quotes
mysql_select_db($db_name,$dbc)or die("cannot select DB"); //added the $dbc (connection link) as a second parameter
$state=mysql_real_escape_string($_POST['state']); //Should make it safe!
$zip=mysql_real_escape_string($_POST['zip']); //Should make it safe!
$custnum = 0;
$sql="UPDATE $tbl_name SET state = '$state', zip = '$zip' WHERE custnum = '$custnum'";
//removed an extra comma
//Notice that $tbl_name isn't defined!
$result = mysql_query($sql)
or die('Error querying database.'); //from mysqli to mysql
Looks like a SQL syntax error: remove the comma before WHERE.
if(isset($_POST['update']))
{
$name=$_POST['name'];
//echo $name; die;
$surname=$_POST['surname'];
$upd="update table_name SET name='$name',surname='$surname' where id=$id";
mysql_query($upd);
}