I'm a complete noob to PHP and working with MySQL, just so you know. I do, however, have a great deal of experience with HTML and CSS. All I need is for a form on my site to upload the information in the form to my database. The problem is that clicking the "submit" button just opens up a blank tab with the address of my .php file in it and displays a blank white screen. The .php is below.
<?php
$hostname = "myHostName";
$username = "PreRegCustomers";
$dbname = "PreRegCustomers";
$password = "myPassword";
$usertable = "CustomerInfo";
mysql_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
mysql_select_db($dbname);
$sql = "INSERT INTO $usertable (firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
$sql="INSERT INTO $usertable (firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('".$_POST[firstName]."', '".$_POST[lastName]."', '".$_POST[streetAddress]."', '".$_POST[city]."', '".$_POST[state]."', '".$_POST[zip]."', '".$_POST[country]."', '".$_POST[email]."', '".$_POST[phone]."', '".$_POST[badgeName]."')";
?>
Now from what I've read this is usually caused by some kind of error in the code. This is difficult for me as I don't know PHP very well and almost everything in the page was taken from other people's code. Most of it from the code helps from godaddy.com (where the site and database are hosted).
I've tested to make sure that PHP is supported and enabled and it is. I have a form mailer that already functions just fine. I have set up a DNS, I have tried multiple different syntaxes, I have called tech support to see if it is something on their end, I've migrated my sites from Windows to Linux and everything I change results in the exact same blank white screen. I have no doubt that after all this it's going to be something that's stupidly easy to fix or blatantly obvious but if anybody could take a look and see what I'm missing I would be very grateful.
My new code after taking in some of the answers posted. I'm still getting a NOTICE and it's still not inserting anything into my database.
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
$hostname = "myHostName";
$username = "PreRegCustomers";
$dbname = "PreRegCustomers";
$password = "myPassword";
$usertable = "CustomerInfo";
//connect to mysql
$link_id = mysql_connect($hostname, $username, $password);
if (!$link_id) {
die("Unable to connect to database! Please try again later. error:".mysql_errno());
}
//make sure your DB exists
if (!mysql_select_db($dbname)) die ("Connected to mysql but could not connect to the DB. error:".mysql_errno());
//avoid sql_injection
$firstName = mysql_real_escape_string($_POST['firstName']);
$lastName = mysql_real_escape_string($_POST['lastName']);
$streetAddress = mysql_real_escape_string($_POST['streetAddress']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$country = mysql_real_escape_string($_POST['country']);
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone']);
$badgeName = mysql_real_escape_string($_POST['badgeName']);
//write the query
$sql = "INSERT INTO $usertable
(firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
//then you'll need to execute the query :)
mysql_query($sql);
?>
From what I can tell, this code just connects to a database and sets a variable $sql. Are you actually executing the query anywhere? Are you doing anything to print something on the screen?
$_POST[firstName] should be $_POST['firstName'] and so on and
mysql_query($sql) or die('MySQL Error: ' . mysql_error());
echo 'Data inserted';
You shouldn't be using mysql_ now, it's deprecated. Do it with PDO.
first of all
$_POST[firstname] should be $_POST['firstname']
second
$conn=mysql_connect(your parameters);
third
mysql_query($sql,$conn);
Include these two lines at the very top of your PHP code:
error_reporting(E_ALL);
ini_set('display_errors', '1');
It is going to enable error reporting and so you will be able to debug your script.
Maybe the problem is that the reading of $_POST variables (and of any array type variable) should be made with 'quotes' when using string index names:
$_POST[firstName] must be written as follows:
$_POST['firstName']
A good way of making this query more secure (against SQL injection attacks, for example) is to escape the values in POST instead of passing them directly to the query.
$firstName = mysql_real_escape_string($_POST['firstName']);
The value in POST will be escaped so you can pass it to your SQL.
Try to do that with all your variables:
$sql = "INSERT INTO $usertable
(firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
Finally you need to actually execute the query:
mysql_query($sql);
If it goes OK you'll see no errors, but be sure to enable error reporting for this script. When everything is OK, remember to remove the error reporting.
Like the other guys said, put the comments in the array reference. That being said you really need to escape the $_POST variables to avoid SQL injection, it's also easier to debug if the code is clearly ordered :)
With ordered code you can type echo "some text"; at any touch point you want to so you can see where the code breaks.
Also switching on error reporting in your php.ini or in code (http://php.net/manual/en/function.error-reporting.php) would be the best bet for watching the errors that you can't predict.
<?php
$hostname = "myHostName";
$username = "PreRegCustomers";
$dbname = "PreRegCustomers";
$password = "myPassword";
$usertable = "CustomerInfo";
//connect to mysql
$link_id = mysql_connect($hostname, $username, $password);
if (!$link_id) {
die("Unable to connect to database! Please try again later. error:".mysql_errno());
}
echo "connected to mysql";
//make sure your DB exists
if (!mysql_select_db($dbname)) die ("Connected to mysql but could not connect to the DB. error:".mysql_errno());
echo "connected to database";
//avoid sql_injection
$firstName = mysql_real_escape_string($_POST['firstName']);
$lastName = mysql_real_escape_string($_POST['lastName']);
$streetAddress = mysql_real_escape_string($_POST['streetAddress']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$country = mysql_real_escape_string($_POST['country']);
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone']);
$badgeName = mysql_real_escape_string($_POST['badgeName']);
echo "sanitised input";
//write the query
$sql = "INSERT INTO $usertable
(firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
echo "build query: ".$sql;
//then you'll need to execute the query :)
if (mysql_query($sql))
echo "query success";
else
echo "query failed";
//ps you can ignore the last ?>
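The PDO route suggested in the answers above, as an added example that is not part of the original posts: values travel as bound parameters, and missing form fields are reported instead of raising an undefined-index notice. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, every field is treated as required, and `insertCustomer` is a hypothetical helper name.

```php
<?php
// Added example: PDO prepared INSERT for the question's CustomerInfo form.
// Assumption: in-memory SQLite replaces MySQL here; against MySQL only the
// DSN and credentials passed to the PDO constructor change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$fields = ['firstName', 'lastName', 'streetAddress', 'city', 'state',
           'zip', 'country', 'email', 'phone', 'badgeName'];
$pdo->exec('CREATE TABLE CustomerInfo (' . implode(' TEXT, ', $fields) . ' TEXT)');

/**
 * Insert one form submission (hypothetical helper).
 * Returns the names of missing fields; an empty list means the row was written.
 */
function insertCustomer(PDO $pdo, array $fields, array $post): array
{
    $missing = [];
    $values  = [];
    foreach ($fields as $name) {
        // Reading an absent key directly is what triggers the PHP notice.
        if (!isset($post[$name]) || !is_string($post[$name]) || trim($post[$name]) === '') {
            $missing[] = $name;
            continue;
        }
        $values[":$name"] = trim($post[$name]);
    }
    if ($missing) {
        return $missing;
    }
    // Column names come from the fixed $fields list, never from the request.
    $sql = 'INSERT INTO CustomerInfo (' . implode(', ', $fields) . ') VALUES (:'
         . implode(', :', $fields) . ')';
    $pdo->prepare($sql)->execute($values);
    return [];
}

// Constructed sample submissions (a real handler would pass $_POST).
$sample = array_fill_keys($fields, 'x');
$sample['lastName'] = "O'Brien'); DROP TABLE CustomerInfo; --";

var_dump(insertCustomer($pdo, $fields, $sample));
var_dump(insertCustomer($pdo, $fields, ['firstName' => 'Al']));
// The quote-laden value is stored verbatim and the table still exists.
echo $pdo->query('SELECT lastName FROM CustomerInfo')->fetchColumn(), "\n";
```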
Related
I was trying to insert data into multiple data tables. It's only working for single data tables, I'm just wondering how I would be able to insert data into two data tables. I've been struggling with this issue for the past few hours and can't seem to get to the bottom of it. If anyone has any advice please let me know. :)
<?php
/* Attempt MySQL server connection. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
$link = mysqli_connect("localhost","ivodatat","","");
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Inputs for security
$fname = mysqli_real_escape_string($link, $_REQUEST['fname']);
$sname = mysqli_real_escape_string($link, $_REQUEST['sname']);
$address = mysqli_real_escape_string($link, $_REQUEST['address']);
$email = mysqli_real_escape_string($link, $_REQUEST['email']);
$phone = mysqli_real_escape_string($link, $_REQUEST['phone']);
$mac = mysqli_real_escape_string($link, $_REQUEST['mac']);
$installer = mysqli_real_escape_string($link, $_REQUEST['installer']);
$status = mysqli_real_escape_string($link, $_REQUEST['status']);
// Insert Query
$sql1 = "INSERT INTO leadlist (fname, sname, address, email, phone, mac, installer, status) VALUES ('$fname', '$sname', '$address', '$email', '$phone', '$mac', '$installer', '$status')";
$sql2 = "INSERT INTO $installer (fname, sname, address, email, phone, mac, installer, status) VALUES ('$fname', '$sname', '$address', '$email', '$phone', '$mac', '$installer', '$status')";
if (mysqli_multi_query($link, $sql1, $sql2)){
mysqli_close($conn);
header("Location: installercontrol.php");
exit;
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// Close The Connection
mysqli_close($link);
?>
To use mysqli_multi_query you need to append the queries to each other as it only takes one query argument. From the manual:
Executes one or multiple queries which are concatenated by a semicolon.
Try this instead:
mysqli_multi_query($link, $sql1 . ';' . $sql2)
You should probably also update your error message:
echo "ERROR: Could not able to execute $sql1;$sql2. " . mysqli_error($link);
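An alternative to concatenating both statements for mysqli_multi_query, as an added example (not code from the original question or answer): each INSERT runs as a prepared statement inside one transaction, and the per-installer table name, which the question takes from the request, is matched against a fixed list. Assumptions: the installer table names, the `insertLead` helper and the in-memory SQLite database are hypothetical stand-ins.

```php
<?php
// Added example: two INSERTs as one transaction with an allow-listed table name.
// Assumption: in-memory SQLite stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

const INSTALLER_TABLES = ['installer_north', 'installer_south']; // hypothetical names
$cols = ['fname', 'sname', 'address', 'email', 'phone', 'mac', 'installer', 'status'];
foreach (array_merge(['leadlist'], INSTALLER_TABLES) as $t) {
    $pdo->exec("CREATE TABLE $t (" . implode(' TEXT, ', $cols) . ' TEXT)');
}

function insertLead(PDO $pdo, array $cols, array $req): bool
{
    // Escaping functions protect quoted values, not identifiers, so the
    // table name is accepted only if it appears in the fixed list.
    $table = $req['installer'] ?? '';
    if (!in_array($table, INSTALLER_TABLES, true)) {
        return false;
    }
    $row = [];
    foreach ($cols as $c) {
        $row[] = (string) ($req[$c] ?? '');
    }
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $list  = implode(', ', $cols);
    try {
        $pdo->beginTransaction();
        foreach (['leadlist', $table] as $t) {
            $pdo->prepare("INSERT INTO $t ($list) VALUES ($marks)")->execute($row);
        }
        $pdo->commit(); // both rows are written, or neither
        return true;
    } catch (PDOException $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        error_log($e->getMessage()); // keep SQL details out of the response
        return false;
    }
}

// Constructed sample requests.
$ok  = ['fname' => 'Ann', 'sname' => "O'Neil", 'installer' => 'installer_north', 'status' => 'new'];
$bad = ['fname' => 'Eve', 'installer' => 'leadlist; DROP TABLE leadlist'];
var_dump(insertLead($pdo, $cols, $ok), insertLead($pdo, $cols, $bad));
echo $pdo->query('SELECT COUNT(*) FROM leadlist')->fetchColumn(), " row(s) in leadlist\n";
```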
Here is my main PHP code:
<?php
define('dbServer', 'localhost');
$dbUsername = 'root';
$dbPassword = '';
define('dbName', '1');
$dbConnection = mysqli_connect(dbServer, $dbUsername, $dbPassword, dbName);
if(!$dbConnection){
die("Unsuccessful Connection: " . mysqli_connect_error());
}
// All user data will be taken from the form //
$emailAddress = $_POST['emailaddress'];
$firstName = $_POST['firstname'];
$lastName = $_POST['lastname'];
$streetAddress = $_POST['streetaddress'];
$phoneNumber = $_POST['phonenumber'];
$comments = $_POST['comments'];
$sql = "INSERT INTO user-submission (email, firstName, lastName, address, phoneNumber, comment) VALUES ('$emailAddress', '$firstName', '$lastName', '$streetAddress', '$phoneNumber', '$comments')";
$result = mysqli_query($dbConnection, $sql);
if (!$result){
die('Error: ' . mysqli_connect_error());
}
?>
My SQL database contains the rows ID, email, firstName, lastName, address, phoneNumber, comment. They are in a database called '1' (for testing purposes) and a table called 'user-submission'.
I have been unable to query this information into my table. I have been successful prior to this on other SQL and PHP pairings. What am I doing wrong this time?
Add this right below the opening PHP tag at the top, then the server will tell you what the error is. Copy the error here if you need help deciphering it.
error_reporting( E_ALL );
First you need to make changes so hackers don't abuse your code.
Just wait till johnny;drop tables; comes by and wipes out your database.
// All user data will be taken from the form //
// The values are sent as bound parameters below, so they are not escaped here;
// escaping them as well would store stray backslashes in the data.
$emailAddress = $_POST['emailaddress'];
$firstName = $_POST['firstname'];
$lastName = $_POST['lastname'];
$streetAddress = $_POST['streetaddress'];
$phoneNumber = $_POST['phonenumber'];
$comments = $_POST['comments'];
$sql = "INSERT INTO `user-submission` (email, firstName, lastName, address, phoneNumber, comment) VALUES (?,?,?,?,?,?)";
$prep = $dbConnection->prepare($sql);
$prep->bind_param("ssssss", $emailAddress, $firstName, $lastName, $streetAddress, $phoneNumber, $comments);
#actually puts everything together, and puts it in the database
$prep->execute();
This is my first post on stackoverflow, though I have done extensive research using it along with other sources on a regular basis (including the subject I need help with here.)
To be concise, I am working on a shared session/login/register between a client's site and the EasyAppointments scheduling application. While compiling the config.php for the registration form on my client's site I received this error. I have searched everywhere, please help me understand this:
INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles) VALUES(testing, test, 000000000, 000000000, 123 example street, Birmington, Alabama, 00000, , )INSERT INTO `ea_user_settings` (username, password, salt, working_plan, notifications, google_sync, google_token, google_calendar, sync_past_days, sync_future_days) VALUES(TestUser, 0000000000, , , 0, , , , , )
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , 0, , , , , )' at line 2
Here is my config.php code (please excuse my unorthodox variables for sql1/sql2):
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', '####');
define('DB_USER','####');
define('DB_PASSWORD','####');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error()); $db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$mobile_number = $_POST['mobile_number'];
$phone_number = $_POST['phone_number'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip_code = $_POST['zip_code'];
$noteboy = $_POST['notes'];
$privs = $_POST['id_roles'];
$email = $_POST['email'];
$nick = $_POST['nick'];
$password = $_POST['password'];
$salt = $_POST['salt'];
$working_plan = $_POST['working_plan'];
$notifications = $_POST['notifications'];
$google_sync = $_POST['google_sync'];
$google_token = $_POST['google_token'];
$google_calendar = $_POST['google_calendar'];
$sync_past_days = $_POST['sync_past_days'];
$sync_future_days = $_POST['sync_future_days'];
$bang = "INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles)
VALUES($first_name, $last_name, $mobile_number, $phone_number, $address, $city, $state, $zip_code, $noteboy, $privs)";
echo $bang;
$banger = "INSERT INTO `ea_user_settings` (username, password, salt, working_plan, notifications, google_sync, google_token, google_calendar, sync_past_days, sync_future_days)
VALUES($nick, $password, $salt, $working_plan, $notifications, $google_sync, $google_token, $google_calendar, $sync_past_days, $sync_future_days)";
echo $banger;
$result = mysql_query($bang); mysql_query($banger);
if($result) {
echo "Successfully updated database";
} else {
die('Error: '.mysql_error($con));
}
mysql_close($con);
I doubt you're storing phone numbers as integers, so you should be quoting all those zeroes. SQL doesn't like missing values in the VALUES clause, so you need to fix that to default to a format that's appropriate for your fields, such as empty string, a zero or a NULL. You also need to think about escaping too to avoid errors and SQL injection vulnerabilities - using PDO might be a good idea if you're early on in your project, and you should definitely switch to mysqli at the very least.
Your check for query failure only looks at your first query - you should check both.
Anyway, here's how you might apply escaping and quoting to avoid the error you're seeing using your current approach:
$bang = "INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles)
VALUES('".
mysql_real_escape_string($first_name)."','".
mysql_real_escape_string($last_name)."','".
mysql_real_escape_string($mobile_number)."','".
mysql_real_escape_string($phone_number)."','".
mysql_real_escape_string($address)."','".
mysql_real_escape_string($city)."','".
mysql_real_escape_string($state)."','".
mysql_real_escape_string($zip_code)."','".
mysql_real_escape_string($noteboy)."','".
mysql_real_escape_string($privs)."')";
When my form is submitted (via Ajax), I'm getting the following error message:
[17-Oct-2012 11:46:29] PHP Warning: mysqli_query() [<a href='function.mysqli-query'>function.mysqli-query</a>]: Empty query in /home1/xenongro/public_html/testing/enrolment/thanks.php on line 32
I have a suspicion that it's something to do with the if/else statements, but not sure what the actual problem is.
Can anyone help?
<?php
$firstname = htmlspecialchars(trim($_POST['fname']));
$lastname = htmlspecialchars(trim($_POST['lname']));
$worktel = htmlspecialchars(trim($_POST['worktel']));
$dbc = mysqli_connect('localhost', 'xxxxx', '<xxxx>', 'xxxx')
or die ('Could not connect to MySQL server.');
if ($level != "IOSH Managing Safely"){
if ($funding == "Self Funding"){
$query = "INSERT INTO enrolments (fname, lname, worktel)" .
"VALUES ('$firstname', '$lastname', '$worktel')";
}
else if ($funding == "Employer Funding"){
$query = "INSERT INTO enrolments (fname, lname, worktel)" .
"VALUES ('$firstname', '$lastname', '$worktel')";
}
}
else if ($level == "IOSH Managing Safely"){
if ($funding == "Self Funding"){
$query = "INSERT INTO enrolments (fname, lname, worktel)" .
"VALUES ('$firstname', '$lastname', '$worktel')";
}
else if ($funding == "Employer Funding"){
$query = "INSERT INTO enrolments (fname, lname, worktel)" .
"VALUES ('$firstname', '$lastname', '$worktel')";
}
}
$result = mysqli_query($dbc, $query)
or die ('error querying database');
mysqli_close($dbc);
?>
try
var_dump($query);
var_dump($funding);
just before
$result = mysqli_query($dbc, $query);
it'll give you more information
I suspect that $funding might have slight variation to your constant strings
might be typo / extra space / cap case
There are two situations where no query is being set:
the level does not match the string, or the funding does not match the string.
It might be a problem with the spaces.
Worse, you don't use mysql_real_escape_string and unless magic_quotes_gpc is on, this allows an attacker to inject his SQL.
$funding doesn't appear to be defined in the code example provided, so none of your if's will match.
Query is running however not being sent to SQL server.
My Current Register Script.
$link = mysqli_connect("$server", "$user", "$pass", "$webdb");
$username = mysqli_real_escape_string($link, (string) $_POST['username']);
$displayname = mysqli_real_escape_string($link, (string) $_POST['display_name']);
$email = mysqli_real_escape_string($link, (string) $_POST['email']);
$password = sha1((string) $_POST['password']);
$query="INSERT INTO user (`username`, `nicename`, `email`, `password`)
VALUES ('$username', '$displayname', '$email', '$password', '1')";
mysqli_query($link, $query);
mysqli_close($link);
echo $query;
?>
The output I receive from the query:
INSERT INTO user (username, nicename, email, password) VALUES ('orion5814', 'Orion5814', 'my#abc.com', '72f2ac484bee398758e769530dd56228d905884d', '1')
I've checked all my link variables and they're all set correctly as far as having the right information in place, so I don't know where else to go from here. Sorry for all the questions; you can view it at doxramos.org if you think it would help at all.
The query is flawed. You name 4 columns (username, nicename, email, password), but you list 5 values ('orion5814','Orion5814','my#abc.com','72f2ac484bee398758e769530dd56228d905884d','1')
If you remove the last value, the query should work.
Also, you could simplify your code by using the object oriented interface to mysqli like this:
$username = $link->real_escape_string($_POST['username']);
and
$link->query($query);
$link->close();
You also don't need to explicitly cast the variables as strings since that is done automatically if needed for your code.
As jordi12100 suggested, it is good practice to check for errors while you are connecting to the database or executing queries.
You can do it like this:
$link = mysqli_connect("$server", "$user", "$pass", "$webdb") or die( "Error:" . mysqli_connect_error());
mysqli_query($link, $query) or die ("Error:" . mysqli_error($link));
This can give you idea what you did wrong.
Hope this helps.
Probably an error in your query.
Catch the error with mysqli_error();