I have the script below running on my server when the postdata is passed all the fields in the database contain the number 1 and not the data I need
<?php
$servername = "localhost";
$username = "tadmin_admin";
$password = "Revolution1990#";
$dbname = "tadmin_datalord";
$db = new PDO( 'mysql:host=webpag.cu.cc;dbname=tadmin_datalord', $username, $password );
$ip = isset($_POST['ipaddress']);
$ip =strip_tags($ip);
$useragent = $_SERVER['HTTP_USER_AGENT'];
$useragent =strip_tags($useragent);
$username = isset($_POST['fpuser1']);
$username =strip_tags($username);
$email = isset($_POST['fpuser2']);
$email =strip_tags($email);
$password = isset($_POST['fpuser3']);
$password =strip_tags($password);
$passwordc = isset($_POST['fpuser4']);
$passwordc =strip_tags($passwordc);
$address = isset($_POST['address']);
$address =strip_tags($address);
$county = isset($_POST['county']);
$county =strip_tags($county);
$country = isset($_POST['country']);
$country =strip_tags($country);
$postcode = isset($_POST['postcode']);
$postcode =strip_tags($postcode);
$title = isset($_POST['title']);
$title =strip_tags($title);
$fname = isset($_POST['fname']);
$fname =strip_tags($fname);
$lname = isset($_POST['lname']);
$lname =strip_tags($lname);
$dob = isset($_POST['dob']);
$dob =strip_tags($dob);
$sql = "INSERT INTO liningdata ( userdata, ipaddress, username,email, password, passwordc , address, county, country, postcode, title,fname, lname, dob ) VALUES ( :useragent, :ip, :username, :email,:password, :passwordc, :address, :county,:country, :postcode, :title,:fname, :lname, :dob )";
$query = $db->prepare( $sql );
$query->execute( array( ':useragent'=>$useragent , ':ip'=>$ip ':username'=>$username , ':email'=>$email , ':password'=>$password':passwordc'=>$passwordc , ':address'=>$address ,':county'=>$county ,':country'=>$country , ':postcode'=>$postcode , ':title'=>$title ,':fname'=>$fname , ':lname'=>$lname , ':dob'=>$dob ) );
if ($query){
}
else{
}
?>
Can anyone help me fix this problem? I am so stuck onto why my table only contains the digit 1 in all columns.
isset return 1, so you have to change :
$ip = (isset($_POST['ipaddress']))?strip_tags($_POST['ipaddress']):'';
$useragent = strip_tags($_SERVER['HTTP_USER_AGENT']);
$username = (isset($_POST['fpuser1']))?strip_tags($_POST['fpuser1']):'';
and so on...
Related
Whenever I tried to update my table am getting this error.
My SQL file where I have update function has this code:
function updateUser($userid, $firstname, $lastname, $phone, $email, $address, $zip, $city, $state, $password)
{
$firstname = str_replace('\'', '\'\'', trim($firstname));
$lastname = str_replace('\'', '\'\'', trim($lastname));
$phone = str_replace('\'', '\'\'',trim($phone));
$email = str_replace('\'', '\'\'',trim($email));
$address = str_replace('\'', '\'\'',trim($address));
$zip = str_replace('\'', '\'\'',trim($zip));
$city = str_replace('\'', '\'\'',trim($city));
$state = str_replace('\'', '\'\'',trim($state));
$password = str_replace('\'', '\'\'',trim($password));
$query = <<<STR
Update tbl_users
Set firstname = '$firstname', lastname = '$lastname', phone = $phone, email = $email,
address = '$address', zip = '$zip', city = '$city', state = '$state', password = '$password'
Where userid = $userid
STR;
executeQuery($query);
}
My profile page where am trying to update has the following code:
if (isset($_SESSION['user_id']))
{
// get the details for the movie to be edited
$userdetails = getUserDetailsByID($_SESSION['user_id']);
$_SESSION['userdetails'] = $userdetails;
}
$lastname = $_SESSION['userdetails'][0]['lastname'];
$firstname = $_SESSION['userdetails'][0]['firstname'];
$phone = $_SESSION['userdetails'][0]['phone'];
$email = $_SESSION['userdetails'][0]['email'];
$address = $_SESSION['userdetails'][0]['address'];
$zip = $_SESSION['userdetails'][0]['zip'];
$city = $_SESSION['userdetails'][0]['city'];
$state = $_SESSION['userdetails'][0]['state'];
$password = $_SESSION['userdetails'][0]['password'];
if (isset($_POST['register']) && count($userdetails)){
updateUser((int)$_POST['userid'], $_POST['firstname'], $_POST['lastname'], $_POST['phone'],
$_POST['email'], $_POST['address'], $_POST['zip'],$_POST['city'], $_POST['state'], $_POST['password']);
header("Location: profile.php");
echo '<h2>Thank you for Registering. You will now be redirected to the login page.<h2>';
die();
}
?>
Is this code prone to SQL Injection? Can you suggest something to improve the security? Is it right to use mysqli_real_escape_string? And do you think it's alright to use this for project?
<?php
require 'db.php';
if(isset($_POST['pawnshopName'])&&isset($_POST['street'])&&isset($_POST['barangay'])&&isset($_POST['city'])&&isset($_POST['dtiPermitNo'])&&isset($_POST['mayorPermitNo'])&&isset($_POST['firstName'])&&isset($_POST['lastName'])&&isset($_POST['middleName'])&&isset($_POST['contactNumber'])&&isset($_POST['email'])&&isset($_POST['password'])&&isset($_POST['confirmPassword']))
{
$options = ['cost' => 11, 'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),];
$pawnshopName = mysqli_real_escape_string($connection, $_POST['pawnshopName']);
$street = mysqli_real_escape_string($connection, $_POST['street']);
$barangay = mysqli_real_escape_string($connection, $_POST['barangay']);
$city = mysqli_real_escape_string($connection, $_POST['city']);
$dtiPermitNo = mysqli_real_escape_string($connection, $_POST['dtiPermitNo']);
$mayorPermitNo = mysqli_real_escape_string($connection, $_POST['mayorPermitNo']);
$firstName = mysqli_real_escape_string($connection, $_POST['firstName']);
$lastName = mysqli_real_escape_string($connection, $_POST['lastName']);
$middleName = mysqli_real_escape_string($connection, $_POST['middleName']);
$contactNumber = mysqli_real_escape_string($connection, $_POST['contactNumber']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, password_hash($_POST['password'], PASSWORD_BCRYPT, $options));
$confirmPassword = mysqli_real_escape_string($connection, $_POST['confirmPassword']);
if(password_verify($confirmPassword,$password))
{
echo 'Password Match';
}else
{
echo 'Password mismatch';
}
$sql = "INSERT INTO pawnshop ".
"(Pawnshop_ID, Pawnshop_Name, Street, Barangay, City, DTI_Permit_No, Mayor_Permit_No, Firstname, Middlename, Lastname, Contact_Number, Email_Address, Password) ".
"VALUES ".
"('','".$pawnshopName."', '".$street."', '".$barangay."', '".$city."', '".$dtiPermitNo."', '".$mayorPermitNo."', '".$firstName."', '".$lastName."', '".$middleName."', '".$contactNumber."', '".$email."', '".$password."' )";
mysqli_query($connection, $sql);
mysqli_close($connection);
}
?>
No, you must use prepare method. Then on every place where you want to add a value place a ?. Than you must use the bind_param method. Finally, you can execute it and get the results whit get_results. An example:
$stmt = $connection->prepare("INSERT INTO Customers (CustomerName, Address, CityID) VALUES (?, ?, ?)");
$stmt->bindParam('ssi', $name, $address, $cityId);
$stmt->execute();
$results = $stmt->get_results();
The 'ssi' are corresponding variable the types of the attributes.
i are integers
d are doubles
s are strings
b is a blob and will be sent in packets
My resources are: w3schools and php.net
I am creating an android app with a php Rest server with firebird database. I can get information from the database via json with php server but I can't update anything. Here is my code.
public function update_user_info (){
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$home = $_POST['home'];
$cell = $_POST['cell'];
$birthdate = $_POST['birthdate'];
$weekly = $_POST['weekly'];
$email = $_POST['email'];
$users_id = $_POST[users_id];
$last_active = date("m/d/Y", time());
$last_act_time = date("h:i:s", time());
$acct_email = strtolower($email);
//make email all lowercase
horse_connect();
$query = ibase_prepare("UPDATE USERS SET FIRST_NAME = ?,
LAST_NAME = ?, ADDRESS = ?, CITY = ?,
STATE = ?, ZIP = ?, HOME_PHONE = ?, CELL_PHONE = ?,
BIRTHDATE = ?, HTML_EMAIL = ?,
LAST_ACTIVE = ?,
LAST_ACT_TIME = ?, EMAIL_NEWS = ?, EMAIL_LIVE_SCORES = ?
WHERE USERS_ID = ?");
$result = ibase_execute($query, $fname, $lname,
$address, $city, $state, $zip,
$home, $cell, $birthdate,
$acct_email, $last_active, $last_act_time,
$weekly, $live, $users_id);
//$final_array = array('user id' => $fname);
if($Result)
$json = array("status" => 1);
else
$json = array("status" =>0);
echo json_encode($json);
} //end: update_user_info
I am using Advanced rest client for testing.
Try using ibase_commit after execute. If possible try to use PDO when working with database.
Thanks everyone but I found the Problem. HTML_EMAIL should be ACCT_EMAIL. HTML_EMAIL is a bit field, true or false. ACCT_EMAIL is a string
I am trying to sign up a new user to my website, but I am having trouble with the actual signup_process.php page. I currently have sign up form within signup.php and the form action within the signup_process.php. My signup page lists the sports as follows;
<label for="Archery"> Archery</label> <input type="checkbox" id="Archery" name="sport[]"value="1">"
My database shows the following;
User table:
user_id
user_email
user_username
user_password
user_firstname
user_surname
user_dob
user_gender
user_city
user_active
User sport table
usersport_id
usersport_user_id
usersport_sport_id
Here is the code on my signup_process.php
<?php
session_start();
$_SESSION['loggedin'];
$_SESSION['id'];
include "includes/connect.php";
include "includes/lists.php";
include "includes/functions.php";
?>
<?php
$_SESSION['username'] = $_POST['username'];
$_SESSION['fname'] = $_POST['fname'];
$_SESSION['surname'] = $_POST['surname'];
$_SESSION['dob'] = $_POST['dob'];
$_SESSION['emailaddress'] = $_POST['emailaddress'];
$_SESSION['password'] = $_POST['password'];
$_SESSION['gender'] = $_POST['gender'];
$_SESSION['city'] = $_POST['city'];
$_SESSION['sports'] = $_POST['sports'];
$username = $_POST['username'];
$fname = $_POST['fname'];
$surname = $_POST['surname'];
$dob = $_POST['dob'];
$emailaddress = $_POST['emailaddress'];
$password = $_POST['password'];
$gender = $_POST['gender'];
$city = $_POST['city'];
$query = "INSERT INTO user (
user_username,
user_firstname,
user_surname,
user_dob,
user_email,
user_password,
user_gender,
user_city,
user_active
)
VALUES(
'".$_POST['username']."',
'".$_POST['firstname']."',
'".$_POST['surname']."',
'".$_POST['dob']."',
'".$_POST['email']."',
'".$_POST['password']."',
'".$_POST['gender']."',
'".$_POST['city']."',
'1' ) ";
mysql_query($query) or die (mysql_error());
$lastid = mysql_insert_id();
$sports = $_POST['sports'];
foreach ($sports as $key => $value){
$query2 = " INSERT INTO usersport
(
usersport_user_id, usersport_sport_id
)
VALUES(
'".$lastid."',
'".$value."'
) ";
mysql_query($query2) or die (mysql_error());
}
My signup process seemed to work before I added this which is for the allocation of sports to the new user;
$lastid = mysql_insert_id();
$sports = $_POST['sports'];
foreach ($sports as $key => $value){
$query2 = " INSERT INTO usersport
(
usersport_user_id, usersport_sport_id
)
VALUES(
'".$lastid."',
'".$value."'
) ";
mysql_query($query2) or die (mysql_error());
}
?>
Could anyone please tell me where I've gone wrong?
i'm creating a site for a client and i get an error message saying "undefined index". I'm trying to upload data to a database from 3 multi form pages and they are handled by cv.php.
The form details are stored on page 2
<?php
session_start();
if(isset($_SESSION['FirstName'])){
$_SESSION['FirstName'] = $_POST['FirstName'];}
if(isset($_SESSION['LastName'])){
$_SESSION['LastName'] = $_POST['LastName'];}
if(isset($_SESSION['dob'])){
$_SESSION['dob'] = $_POST['dob'];}
if(isset($_SESSION['Age'])){
$_SESSION['Age'] = $_POST['Age'];}
if(isset($_SESSION['AddressLine1'])){
$_SESSION['AddressLine1'] = $_POST['AddressLine1'];}
if(isset($_SESSION['AddressLine2'])){
$_SESSION['AddressLine2'] = $_POST['AddressLine2'];}
if(isset($_SESSION['City'])){
$_SESSION['City'] = $_POST['City'];}
if(isset($_SESSION['County'])){
$_SESSION['County'] = $_POST['County'];}
if(isset($_SESSION['PostCode'])){
$_SESSION['PostCode'] = $_POST['PostCode'];}
if(isset($_SESSION['Country'])){
$_SESSION['Country'] = $_POST['Country'];}
if(isset($_SESSION['Telephone'])){
$_SESSION['Telephone'] = $_POST['Telephone'];}
if(isset($_SESSION['Mobile'])){
$_SESSION['Mobile'] = $_POST['Mobile'];}
if(isset($_SESSION['Email'])){
$_SESSION['Email'] = $_POST['Email'];}
?>
Page 3
<?php
session_start();
if(isset($_SESSION['Skills'])) {
$_SESSION['Skills'] = $_POST['Skills'];}
if(isset($_SESSION['ReasonApp'])){
$_SESSION['ReasonApp'] = $_POST['ReasonApp'];}
if(isset($_SESSION['WorkName'])){
$_SESSION['WorkName'] = $_POST['WorkName'];}
if(isset($_SESSION['WorkDesc'])){
$_SESSION['WorkDesc'] = $_POST['WorkDesc'];}
if(isset($_SESSION['W_AddressLine1'])){
$_SESSION['W_AddressLine1'] = $_POST['W_AddressLine1'];}
if(isset($_SESSION['W_AddressLine2'])){
$_SESSION['W_AddressLine2'] = $_POST['W_AddressLine2'];}
if(isset($_SESSION['W_City'])){
$_SESSION['W_City'] = $_POST['W_City'];}
if(isset($_SESSION['W_Telephone'])){
$_SESSION['W_Telephone'] = $_POST['W_Telephone'];}
?>
And my CV.php
<?
session_start();
ini_set('display_errors',1);
error_reporting(E_ALL);
//include connection profile
require_once("Sql/con.php");
include("config.php");
//declare variables with sessions
$FirstName = $_SESSION['FirstName'];
$LastName = $_SESSION['LastName'];
$dob = $_SESSION['dob'];
$Age = $_SESSION['Age'];
$AddressLine1 = $_SESSION['AddressLine1'];
$AddressLine2 = $_SESSION['AddressLine2'];
$PostCode = $_SESSION['PostCode'];
$City = $_SESSION['City'];
$County = $_SESSION['County'];
$Country = $_SESSION['Country'];
$Mobile = $_SESSION['Mobile'];
$Telephone = $_SESSION['Telephone'];
$Email = $_SESSION['Email'];
$Skills = $_SESSION['Skills'];
$ReasonApp = $_SESSION['ReasonApp'];
$SchoolName = $_SESSION['SchoolName'];
$Course = $_SESSION['Course'];
$Certificate = $_SESSION['Certificate'];
$DateFrom = $_SESSION['DateFrom'];
$DateTo = $_SESSION['DateTo'];
$CollName = $_SESSION['CollName'];
$CollQualification = $_SESSION['CollQualification'];
$CollYear = $_SESSION['CollYear'];
$WorkName = $_SESSION['WorkName'];
$WorkDesc = $_SESSION['WorkDesc'];
$W_AddressLine1 = $_SESSION['W_AddressLine1'];
$W_AddressLine2 = $_SESSION['W_AddressLine2'];
$W_PostCode = $_SESSION['PostCode'];
$W_City = $_SESSION['City'];
$W_Telephone = $_SESSION['Telephone'];
//database connection
$dblink = mysqli_connect($mysql_host,$mysql_user,$mysql_pw,$mysql_db) OR DIE ("Unable to
connect to database! Please try again later.");
//inserting information into tables
$order = "INSERT INTO CV_personal
(FirstName,LastName,dob,Age,AddressLine1,AddressLine2,PostCode,City,County,Country,Mobile,Telephone,Email,Skills,ReasonApp,SchoolName,Course,Certificate,DateFrom,DateTo,CollName,CollQualification,CollYear,WorkName,WorkDesc,W_AddressLine1,W_AddressLine2,W_City,W_Telephone)
VALUES
('$FirstName',
'$LastName',
'$dob',
'$Age',
'$AddressLine1',
'$AddressLine2',
'$PostCode',
'$City',
'$County',
'$Country',
'$Mobile',
'$Telephone',
'$Email',
'$Skills',
'$ReasonApp',
'$SchoolName',
'$Course',
'$Certificate',
'$DateFrom',
'$DateTo',
'$CollName',
'$$CollQualification',
'$ColYear',
'$WorkName',
'$WorkDesc',
'$W_AddressLine1',
'$W_AddressLine2',
'$W_PostCode',
'$W_City',
'$W_Telephone',)";
//declare in the order variable
$result = mysqli_query($dblink, $order); //order executes
?>
On my final page do i need to had my form into the session because i declared a variable for them on Cv.php ?
Thank you
In your first two blocks of code, you should be checking if the $_POST[...] is set, not the $_SESSION[...] because that it what you are assigning, so it won't cause an error.
On CV.php you should check whether the $_SESSION[...] exists before assigning it to a variable or else it WILL cause an error.
Tip:
If you are going to name your variables exactly the name of all your keys in the $_SESSION array. You can just substitute you many lines with this single line:
extract($_SESSION);
More on extract: http://www.php.net/extract