I am making a script for a guy and he uses Advanced Outgoing API (not familiar). He gives me this URL where the POST variable will be stored in http://example.com/your_script.php?email_address={u_email}&firstname={u_firstname}. So here is my php code. The problem is it cannot read the post values. When I echo it, it's empty.
NOTE: This is the instruction from the API Manual.
Advanced Outgoing API
You can have up to 5 URLs for each Product/Podcast/RSS Feed/Membership be notified whenever a subscriber event happens. You can enter these URLs by clicking on "Edit Notifications/Custom Fields" for a particular item. The system will then POST the following variables to the URLs you've entered. You can also include any of the variables below as a "tags" in your URL and the system will replace the tag with the actual value. This way you can post the values to an existing script that expects a variable name to be different than the ones listed below. For example, your notification URL could be: http://example.com/your_script.php?email_address={u_email}&firstname={u_firstname} . The system would then post all the variables below to: http://example.com/your_script.php?email_address=joe#example.com&firstname=Joe
$con = mysql_connect("localhost","xyz","xyz","xyz"); // Establish connection to insert in the first table.
$username = $_POST['paypal_email']; // username of the user.
$rawpass = $_POST['access_code']; // Raw password.
$pass = md5($rawpass); // Password of the user encrypted with md5.
$email = $_POST['email_address']; // E-mail of the user.
$time = date("Y-m-d H:i:s");
echo $username;
echo $pass;
echo $email;
echo $time;
mysql_query("INSERT INTO wpinrootusers ('user_login', 'user_pass', 'user_email', user_registered, 'user_status') VALUES ('$username', '$pass', '$email', '$time', 0), $con"); // Insertion into wpinrootusers table.
mysql_close($con); // Close connection.
$con = mysql_connect("localhost","xyz","xyz","xyz"); // Establish connection to insert in the second table.
mysql_query("INSERT INTO customers ('receipt', 'prod_num', 'email') VALUES ('$rawpass', '6', '$email')", $con); // Insertion into customers table.
mysql_close($con); // Close second connection.
With mysql you have to do:
$con = mysql_connect("localhost","xyz","xyz");
and then select the database:
$db = mysql_select_db("xyz");
The code you used to connect to database works with mysqli (i stands for improved) and you should consider switching from mysql to mysqli
When you send the variable as GET parameters you have to use $_GET of course.
Related
I'm sending data to a db from a web form but every time I run it the data is stored in the db in six new rows rather than just one.
The form is just a standard form with inputs for email/password and a submit button. The action of the form runs this:
<?php
// connect to db
$link = new mysqli("localhost", "root", "", "db_name");
if (!$link) {die('Database Error: Could not connect: ' . mysql_error());}
// username and password sent from form
$email = $_POST['email'];
$password = ($_POST['password']);
// encrypt
$salt = substr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), 0, 16);
$em = crypt($email, '$6$'.$salt);
$pw = crypt($password, '$6$'.$salt);
// insert to db
$insert = "INSERT INTO users (email, password) VALUES ('$em', '$pw')";
$link -> query($insert);
// check succes/fail
if ($link->query($insert) === TRUE) {
echo "New record created successfully";}
else {
echo "Error: " . $sql . "<br>" . $link->error;
}
// close the db connection
$link->close();
I know this brings up a question about sanitizing inputs with encryption/salting. This page says that it's a reasonable method. Please feel free to bring that up, but I'm not really looking for an argument over best practices for sanitizing user inputs.
I'm wondering if anyone cal tell me why the data would be stored 6 times instead of just once. I changed the $6$ to $1$ but it still added 6 rows.
You have some silly seo-friendly links implementation on your site that makes it run your php code on every reques, and 5 links to non-existent resources in your html.
I have a sign up page that has input boxes where you would enter your name, email address and password. After submitting that form there is a sign in page where it checks to see if you are in the database by SELECT * FROM users WHERE name = '$_POST[name]' AND email = '[email]'. This all works fine, but when you actually get into the site on your account i want to have a message at the top that says 'Welcome back (name from database). To do this i used $name = mysql_query("SELECT first_name FROM users WHERE email = $email"); and had <?php echo $name ?> at the top. This won't work though. Why?
"mysql_query" has been deprecated, you want to use "mysqli_query" now. See here: http://php.net/manual/en/function.mysql-query.php
To answer your question, performing the query creates an array, you need to followup on that by fetching from the array.
If you are doing this in a procedural style then the final code should look something like this:
$link = mysqli_connect("localhost", "my_user", "my_password"); // connect to the database
$query="SELECT first_name FROM users WHERE email = '".$email."'"; // create the query. Note the quotes arounds the email variable.
$result=mysqli_query($link, $query); // run the query
$row=mysqli_fetch_array($result); // fetch the array that is returned from the query
$name=$row['first_name']; // assign the first_name field to the $name variable
echo "Hello ".$name.","; // output the variable
I've got an update query running so that events in the database can be updated.
For example, the event record table :
Now, when I want to edit the record, I import all the current data from one and show it on a webpage, so that the user can edit the data, as shown:
However, if I submit that page and the event description is more than a few characters long it does not update at all. Here is my PHP/MySQL Code:
$event_title=$_POST['event_title'];
$event_desc=$_POST['event_desc'];
$event_date_start = $_POST['event_date_start'];
$event_date_end = $_POST['event_date_end'];
$db = mysql_select_db("millyaca_events", $connection);
mysql_query("UPDATE events set event_title='$event_title', event_desc='$event_desc', event_date_start='$event_date_start', event_date_end='$event_date_end' where unique_ID='$ID'", $connection);
Only just started learning PHP and MySQL so apologies if it's a really stupid mistake.
Here is the complete submit button script:
if (isset($_POST['submit'])) {
$ID = $_GET['ID'];
$event_title=$_POST['event_title'];
$event_desc=$_POST['event_desc'];
$event_date_start = $_POST['event_date_start'];
$event_date_end = $_POST['event_date_end'];
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "removed username", "removed password");
// Selecting Database
$db = mysql_select_db("millyaca_events", $connection);
// SQL query to fetch information of registerd users and finds user match.
mysql_query("UPDATE events set event_title='$event_title', event_desc='$event_desc', event_date_start='$event_date_start', event_date_end='$event_date_end' where unique_ID='$ID'", $connection);
mysql_close($connection); // Closing Connection
header("location: https://www.millyacademy.com/admin-zone/events_management/"); // Redirecting To Other Page
}
From the comments we've debugged this to being an apostraphe/quote in the data being passed to the query. To resolve this with your current DB driver use, mysql_real_escape_string, http://php.net/manual/en/function.mysql-real-escape-string.php.
You should switch to MySQLi or PDO though in the future and use prepared statements.
Here's a functional usage (untested, so maybe not functional?) using your current code.
if (isset($_POST['submit'])) {
$ID = (int)$_GET['ID']; //force this to an int, or you could also escape
$event_title= mysql_real_escape_string($_POST['event_title']);
$event_desc= mysql_real_escape_string($_POST['event_desc']);
$event_date_start = mysql_real_escape_string($_POST['event_date_start']);
$event_date_end = mysql_real_escape_string($_POST['event_date_end']);
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "removed username", "removed password");
// Selecting Database
$db = mysql_select_db("millyaca_events", $connection);
// SQL query to fetch information of registerd users and finds user match.
mysql_query("UPDATE events set event_title='$event_title', event_desc='$event_desc', event_date_start='$event_date_start', event_date_end='$event_date_end' where unique_ID='$ID'", $connection);
mysql_close($connection); // Closing Connection
header("location: https://www.millyacademy.com/admin-zone/events_management/"); // Redirecting To Other Page
}
It is best to never pass user data directly to your queries.
Two Things.
Escape the data provided by user , that will take care of any quotation .
Ensure the db field you are trying to update has enough length.
Also it may be worth skipping the entire POST and do the update using hard coded values to see what is happening.
I am working on a program that takes HTML code made by a WYSIWYG editor and inserting it into a database, then redirecting the user to the completed page, which reads the code off the database. I can manually enter code in phpmyadmin and it works but in PHP code it will not overwrite the entry in the code column for the ID specified. I have provided the PHP code to help you help me. The PHP is not giving me any parse errors. What is incorrect with the following code?
<?php
//POST VARIABLES------------------------------------------------------------------------
//$rawcode = $_POST[ 'editor1' ];
//$code = mysqli_real_escape_string($rawcode);
$code = 'GOOD';
$id = "1";
echo "$code";
//SQL VARIABLES-------------------------------------------------------------------------
$database = mysqli_connect("localhost" , "root" , "password" , "database");
//INSERT QUERY DATA HERE----------------------------------------------------------------
$queryw = "INSERT INTO users (code) VALUES('$code') WHERE ID = '" . $id . "'";
mysqli_query($queryw, $database);
//REDIRECT TO LOGIN PAGE----------------------------------------------------------------
echo "<script type='text/javascript'>\n";
echo "window.location = 'http://url.com/users/" . $id . "/default.htm';\n";
echo "</script>";
?>
Your problem is that mysql INSERT does not support WHERE. Change the query to:
INSERT INTO users (code) VALUES ('$code')
Then to update a record, use
UPDATE users SET code = '$code' WHERE id = $id
Of course, properly prepare the statements.
Additionally, mysqli_query requires the first parameter to be the connection and second to be the string. You have it reversed. See here:
http://php.net/manual/en/mysqli.query.php
It should also be noted that this kind of procedure should be run before the output to the browser. If so, you can just use PHP's header to relocate instead of this js workaround. However, this method will still work as you want. It is just likely to be considered cleaner if queries and relocation is done at the beginning of the script.
Ok so let me start off by saying I'm pretty noob still with PHP. Basically I'm trying to design a user registration and login system that queries the user data from an Oracle SQL database, and the only tutorials that are helpful to me are all for MYSQL. I was wondering if anyone had the time to help me with some PHP coding to get it working.
Any help at all would be much appreciated.
EDIT: Sorry I forgot to mention, I'm trying to get a login page that sets a cookie to keep the users session until they logout. I have tried a few different variations and none of them work what so ever. I need it to work with the registration page I have below.
My code for the user registration at the moment, of which I'm fairly sure is pretty amateur is:
<?php
/* Set oracle user login and password info */
$dbuser = "xxxxxxx"; /* your login */
$dbpass = "xxxxxx"; /* your password */
$db = "xxxxx";
$connect = OCILogon($dbuser, $dbpass, $db);
$salt = "plants";
if (!$connect) {
echo "An error occurred connecting to the database";
exit;
}
// get the max ID in plants table and allocate $ID+1 for the new record
$max_id_stmt = "SELECT max(ID) FROM register_table";
// check the sql statement for errors and if errors report them
$stmt = OCIParse($connect, $max_id_stmt);
if(!$stmt) {
echo "An error occurred in parsing the sql string.\n";
exit;
}
OCIExecute($stmt);
$ID =0;
if(OCIFetch($stmt)) {
$ID= OCIResult($stmt,1); //return the data from column 1
}else {
echo "An error occurred in retrieving book id.\n";
exit;
}
$ID++;
// Extract form data
$username=$_REQUEST['username'];
$password=$_REQUEST['password'];
$email=$_REQUEST['email'];
$phone=$_REQUEST['phone'];
$address=$_REQUEST['address'];
global $salt;
// Create the SQL statement to add the data. Note: field value should be single quoted
'' if VARCHAR2 type.
$sql = "INSERT INTO register_table VALUES ($ID, '$username', '$password', '$email',
'$address', '$phone')";
$password = md5($salt.$password);
// Add the data to the database as a new record
$stmt = OCIParse($connect, $sql);
if(!$stmt) {
echo "An error occurred in parsing the sql string.\n";
exit;
}
OCIExecute($stmt);
echo ("<p>Your registration has been successful!</p>
<p>User ID: $ID</P>
<p>Username: $username</p>
<p>Phone: $phone</p>
<p>Address: $address</p>
</p>")
?>
Thank you!
Thank you for clarifying the problem. I think you are perhaps confusing PHP's $_REQUEST variables with the $_SESSION variables. You'll need to establish a new session in order to maintain a user's session state, which in turn (by default, anyway) sets a cookie. You can establish a new session using standard PHP code either by using session_start() or by configuring PHP to establish a new session automatically.
Of course, doing so doesn't marry the current user to the registration data you're passing into the database via the above code; you would do so by associating the generated session ID with that user data. I suggest taking a look at this page of the PHP documentation for a quick primer.