Form duplications - php

I am having a tough time figuring out how to write an if function in my code. I am trying to prevent my PHP form from allowing duplicates being submitted to my MySQL database. I am wanting to prevent a submission based on the email address being inputted into my form. Can someone guide me in the right direction? Thanks.
<?php
$dbc = mysqli_connect('n/a', 'n/a', 'n/a', 'n/a')
or die('Error connecting to MySQL server.');
$store_name = $_POST['storename'];
$full_name = $_POST['fullname'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$phone = $_POST['phone'];
$fax = $_POST['fax'];
$email = $_POST['email'];
$url = $_POST['url'];
$query = "INSERT INTO store_location (store_name, full_name, address, city, state, zip, phone, fax, email, url) VALUES ('$store_name', '$full_name', '$address', '$city', '$state', '$zip', '$phone', '$fax', '$email', '$url')";
mysqli_query($dbc, $query)
or die('Error querying database.');
echo 'New TeachPro store added.';
echo '<br/><br/>';
mysqli_close($dbc);
?>


You should use a unique key on the email column on your database table. Now, if you try to insert the same email address twice, the MySQL responds with an according error message. You may catch those error message and present a useful error message text to the user.
I used that approach for checking usernames:
try
{
/** #var $userInsertUpdateStmt PDOStatement */
$userInsertUpdateStmt->execute();
}
catch(PDOException $e)
{
if($e->errorInfo[1] == 1062)
{
/* username already used */
return User::ERR_USERNAME_ASSIGNED;
}
return User::ERR_SQL;
}


SELECT count(*) FORM ... WHERE store_name = ... OR full_name=...
If you have 0 rows as a result of this query, you're good to go.
Also, your query is vulnerable to SQL-injection (google that).

Related

Issue with PHP and MySQL Database

Here is my main PHP code:
<?php
define('dbServer', 'localhost');
$dbUsername = 'root';
$dbPassword = '';
define('dbName', '1');
$dbConnection = mysqli_connect(dbServer, $dbUsername, $dbPassword, dbName);
if(!$dbConnection){
die("Unsuccessful Connection: " . mysqli_connect_error());
}
// All user data will be taken from the form //
$emailAddress = $_POST['emailaddress'];
$firstName = $_POST['firstname'];
$lastName = $_POST['lastname'];
$streetAddress = $_POST['streetaddress'];
$phoneNumber = $_POST['phonenumber'];
$comments = $_POST['comments'];
$sql = "INSERT INTO user-submission (email, firstName, lastName, address, phoneNumber, comment) VALUES ('$emailAddress', '$firstName', '$lastName', '$streetAddress', '$phoneNumber', '$comments')";
$result = mysqli_query($dbConnection, $sql);
if (!$result){
die('Error: ' . mysqli_connect_error());
}
?>
My SQL database contains the rows ID, email, firstName, lastName, address, phoneNumber, comment. They are in a database called '1' (for testing purposes) and a table called 'user-submission'.
I have been unable to query this information into my table. I have been successful prior to this on other SQL and PHP pairings. What am I doing wrong this time?

Add this right below the opening php tag at the top then the server will tell you what the error is. Copy the error here if you need help decyfering
error_reporting( E_ALL );

First you need to make changes so hackers don't abuse your code.
Just wait till johnny;drop tables; comes by and wipes out your database.
// All user data will be taken from the form //
$emailAddress = mysqli_real_escape_string($dbConnections,$_POST['emailaddress']);
$firstName = mysqli_real_escape_string($dbConnections,$_POST['firstname']);
$lastName = mysqli_real_escape_string($dbConnections,$_POST['lastname']);
$streetAddress = mysqli_real_escape_string($dbConnections,$_POST['streetaddress']);
$phoneNumber = mysqli_real_escape_string($dbConnections,$_POST['phonenumber']);
$comments = mysqli_real_escape_string($dbConnections,$_POST['comments']);
$sql = "INSERT INTO `user-submission` (email, firstName, lastName, address, phoneNumber, comment) VALUES (?,?,?,?,?,?)";
$prep=$dbConnections->prepare($sql);
$prep->bind_param("ssssss",$emailAddress,$firstName,$lastName,$streetAddress,$phoneNumber,$comments);
#actually puts everything together, and puts it in the database
$prep-execute();

Shared login session between EasyAppointments and Bootstrap website

This is my first post on stackoverflow, though I have done extensive research using it along with other sources on a regular basis (including the subject I need help with here.)
To be concise, I am working on a shared session/login/register between a client's site and the EasyAppointments scheduling application. While compiling the config.php for the registration form on my client's site I received this error. I have searched everywhere, please help me understand this:
INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles) VALUES(testing, test, 000000000, 000000000, 123 example street, Birmington, Alabama, 00000, , )INSERT INTO `ea_user_settings` (username, password, salt, working_plan, notifications, google_sync, google_token, google_calendar, sync_past_days, sync_future_days) VALUES(TestUser, 0000000000, , , 0, , , , , )
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , 0, , , , , )' at line 2
Here is my config.php code (please excuse my unorthodox variables for sql1/sql2):
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', '####');
define('DB_USER','####');
define('DB_PASSWORD','####');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error()); $db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$mobile_number = $_POST['mobile_number'];
$phone_number = $_POST['phone_number'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip_code = $_POST['zip_code'];
$noteboy = $_POST['notes'];
$privs = $_POST['id_roles'];
$email = $_POST['email'];
$nick = $_POST['nick'];
$password = $_POST['password'];
$salt = $_POST['salt'];
$working_plan = $_POST['working_plan'];
$notifications = $_POST['notifications'];
$google_sync = $_POST['google_sync'];
$google_token = $_POST['google_token'];
$google_calendar = $_POST['google_calendar'];
$sync_past_days = $_POST['sync_past_days'];
$sync_future_days = $_POST['sync_future_days'];
$bang = "INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles)
VALUES($first_name, $last_name, $mobile_number, $phone_number, $address, $city, $state, $zip_code, $noteboy, $privs)";
echo $bang;
$banger = "INSERT INTO `ea_user_settings` (username, password, salt, working_plan, notifications, google_sync, google_token, google_calendar, sync_past_days, sync_future_days)
VALUES($nick, $password, $salt, $working_plan, $notifications, $google_sync, $google_token, $google_calendar, $sync_past_days, $sync_future_days)";
echo $banger;
$result = mysql_query($bang); mysql_query($banger);
if($result) {
echo "Successfully updated database";
} else {
die('Error: '.mysql_error($con));
}
mysql_close($con);

I doubt you're storing phone numbers as integers, so you should be quoting all those zeroes. SQL doesn't like missing values in the VALUES clause, so you need to fix that to default to a format that's appropriate for your fields, such as empty string, a zero or a NULL. You also need to think about escaping too to avoid errors and SQL injection vulnerabilities - using PDO might be good idea if you're early on in your project, and you should definitely switch to mysqli at the very least.
Your check for query failure only looks at your first query - you should check both.
Anyway, here's how you might apply escaping and quoting to avoid the error you're seeing using your current approach:
$bang = "INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles)
VALUES('".
mysql_real_escape_string($first_name)."','".
mysql_real_escape_string($last_name)."','".
mysql_real_escape_string($mobile_number)."','".
mysql_real_escape_string($phone_number)."','".
mysql_real_escape_string($address)."','".
mysql_real_escape_string($city)."','".
mysql_real_escape_string($state)."','".
mysql_real_escape_string($zip_code)."','".
mysql_real_escape_string($noteboy)."','".
mysql_real_escape_string($privs)."')";

PHP white screen of death every time. What am I doing wrong?

I'm a complete noob to PHP and working with mysql so you know I do however have a great deal of experience with HMTL and CSS. All I need is for a form on my site to upload the information in the form to my database. The problem is that clicking the "submit" button just opens up a blank tab with the address of my .php file in it and displays a blank white screen. The .php is below.
<?php
$hostname = "myHostName";
$username = "PreRegCustomers";
$dbname = "PreRegCustomers";
$password = "myPassword";
$usertable = "CustomerInfo";
mysql_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
mysql_select_db($dbname);
$sql = "INSERT INTO $usertable (firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
$sql="INSERT INTO $usertable (firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('".$_POST[firstName]."', '".$_POST[lastName]."', '".$_POST[streetAddress]."', '".$_POST[city]."', '".$_POST[state]."', '".$_POST[zip]."', '".$_POST[country]."', '".$_POST[email]."', '".$_POST[phone]."', '".$_POST[badgeName]."')";
?>
Now from what I've read this is usually caused by some kind of error in the code. This is difficult for me as I don't know PHP very well and almost everything in the page was taken from other peoples code. Most of it from the code helps from godaddy.com (where the site and database are hosted).
I've tested to make sure that PHP is supported and enabled and it is. I have a form mailer that already functions just fine. I have setup a DNS, I have tried multiple different syntaxes, I have called tech support to see if it is something on their end, I've migrated my sites from windows to linux and every thing I change results in the exact same blank white screen. I have no doubt that after all this it's going to be something that's stupidly easy to fix or blatantly obvious but if anybody could take a look and see what I'm missing I would be very grateful.
My new code after taking in some of the answers posted. I'm still getting a NOTICE and it's still not inserting anything into my database.
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
$hostname = "myHostName";
$username = "PreRegCustomers";
$dbname = "PreRegCustomers";
$password = "myPassword";
$usertable = "CustomerInfo";
//connect to mysql
$link_id = mysql_connect($hostname, $username, $password);
if (!$link_id) {
die("Unable to connect to database! Please try again later. error:".mysql_errno());
}
//make sure your DB exists
if (!mysql_select_db($dbname)) die ("Connected to mysql but could not connect to the DB. error:".mysql_errno());
//avoid sql_injection
$firstName = mysql_real_escape_string($_POST['firstName']);
$lastName = mysql_real_escape_string($_POST['lastName']);
$streetAddress = mysql_real_escape_string($_POST['streetAddress']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$country = mysql_real_escape_string($_POST['country']);
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone']);
$badgeName = mysql_real_escape_string($_POST['badgeName']);
//write the query
$sql = "INSERT INTO $usertable
(firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
//then you'll need to execute the query :)
mysql_query($sql);
?>

From what I can tell, this code just connects to a database and sets a variable $sql. Are you actually executing the query anywhere? Are you doing anything to print something on the screen?

$_POST[firstName] should be $_POST['firstName'] and so on and
mysql_query($sql) or die('MySQL Error: ', mysql_error());
echo 'Data inserted';
You shouldn't not be using mysql_ now, its deprecated. Do it with PDO

first of all
$_POST[firstname] should be $_POST['firstname']
third
mysql_query($sql,$conn);
second
$conn=mysql_connect(your parameters);

Include this two lines at the very top of your php code:
error_reporting(E_ALL);
ini_set('display_errors', '1');
It is going to enable error reporting and so you will be able to debug your script.
Maybe the problem is that the reading of $_POST variables (and of any array type variable) should be made with 'quotes' when using string index names:
$_POST[firstName] must be written as follows:
$_POST['firstName']
A good way of making this query more secure (against sql injection attacks for example) is to scape the values in POST instead of passing it directly to the query.
$firstName = mysql_real_escape_string($_POST['firstName']);
The value in POST will be scaped so you can pass it to your SQL.
Try to make that will all your variables:
$sql = "INSERT INTO $usertable
(firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
Finally you need to actually execute the query:
mysql_query($sql);
If it goes ok you'll see no errors, but be shure to enable error reporting to this script. When everything it's ok remember to remove the error reporting.

Like the other guys said, put the comments in the array reference. That being said you really need to escape the $_POST variables to avoid SQL Injection, its also easier to debug if the code is clearly ordered :)
With ordered code you can type echo "some text"; at any touch point you want to so you can see where the code breaks.
Also switching on error reporting in your php.ini or in code (http://php.net/manual/en/function.error-reporting.php) would be the best bet for watching the errors that you can't predict.
<?php
$hostname = "myHostName";
$username = "PreRegCustomers";
$dbname = "PreRegCustomers";
$password = "myPassword";
$usertable = "CustomerInfo";
//connect to mysql
$link_id = mysql_connect($hostname, $username, $password);
if (!$link_id) {
die("Unable to connect to database! Please try again later. error:".mysql_errno());
}
echo "connected to mysql";
//make sure your DB exists
if (!mysql_select_db($dbname)) die ("Connected to mysql but could not connect to the DB. error:".mysql_errno());
echo "connected to database";
//avoid sql_injection
$firstName = mysql_real_escape_string($_POST['firstName']);
$lastName = mysql_real_escape_string($_POST['lastName']);
$streetAddress = mysql_real_escape_string($_POST['streetAddress']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$country = mysql_real_escape_string($_POST['country']);
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone']);
$badgeName = mysql_real_escape_string($_POST['badgeName']);
echo "sanitised input";
//write the query
$sql = "INSERT INTO $usertable
(firstName, lastName, streetAddress, city, state, zip, country, email, phone, badgeName)
VALUES ('$firstName', '$lastName', '$streetAddress', '$city', '$state', '$zip', '$country', '$email', '$phone', '$badgeName')";
echo "build query: ".$sql;
//then you'll need to execute the query :)
if (mysql_query($sql))
echo "query success";
else
echo "query failed";
//ps you can ignore the last? >

PHP&MYSQL - Failed inserting data in database

II created a form for inserting a new company and also on this page it is the PHP script which insert the data into the database.
I don`t know where it is the mistake in this code.
<?php
if (isset($_POST['submit']))
{
// Form has been submitted.
$query = mysql_query("INSERT INTO companies (name, subdomain0, subdomain1, subdomain2,
position, country, city, district, contact, set_up_date, address, phone, area_phone_code, website, fax, email)
VALUES ('{$_POST['name']}', '{$_POST['domain']}', '{$_POST['subdomain1']}',
'{$_POST['subdomain2']}', '{$_POST['position']}', '{$_POST['country']}', '{$_POST['city']}',
'{$_POST['district']}', '{$_POST['contact']}', '{$_POST['setdate']}', '{$_POST['address']}', '{$_POST['phone']}',
'{$_POST['areacode']}, '{$_POST['website']}', '{$_POST['fax']}', '{$_POST['email']}')");
$result = mysql_query($query, $connection);
if (!$result) {
echo "The company was not created.";
} else {
echo "The company was successfully created.";
}
}
?>

rewrite your code and remove those {} from the variables like that
VALUES ('$_POST['name']','$_POST['domain']', '$_POST['subdomain1']',...
1- be sure to escape them before you send them to database .
2-dont use mysql , use pdo or mysqli
to escape them do like that:
$name = mysql_real_escape_string($_POST['name']) ;
and then pass it to ur query like that
VALUES ('$name', .... <-- same with other columns
EDIT-
Try this
if (isset($_POST['submit'])) { // Form has been submitted.
$name = mysql_real_escape_string($_POST['name']) ;
$subdomain0 = mysql_real_escape_string($_POST['subdomain0']) ;
$subdomain1 = mysql_real_escape_string($_POST['subdomain1']) ;
$subdomain2 = mysql_real_escape_string($_POST['subdomain2']) ;
$position = mysql_real_escape_string($_POST['position']) ;
$country = mysql_real_escape_string($_POST['country']) ;
$city = mysql_real_escape_string($_POST['city']) ;
$district = mysql_real_escape_string($_POST['district']) ;
$contact = mysql_real_escape_string($_POST['contact']) ;
$set_up_date = mysql_real_escape_string($_POST['setdate']) ;
$address = mysql_real_escape_string($_POST['address']) ;
$phone = mysql_real_escape_string($_POST['phone']) ;
$areacode = mysql_real_escape_string($_POST['areacode']) ;
$website = mysql_real_escape_string($_POST['website']) ;
$fax = mysql_real_escape_string($_POST['fax']) ;
$email = mysql_real_escape_string($_POST['email']) ;
$query = mysql_query("INSERT INTO companies (name, subdomain0, subdomain1, subdomain2,
position, country, city, district, contact, set_up_date, address, phone, area_phone_code, website, fax, email)
VALUES ('$_POST['name']', '$subdomain0', '$subdomain1',
'$subdomain2', '$position', '$country', '$city',
'$district', '$contact', '$set_up_date', '$address', '$phone',
'$areacode, '$website', '$fax', '$email')");
echo "The company was successfully created.";
else {
echo "The company was not created.";
}
}
?>

you have to be careful with sql injections. you can go through the link to know of other options to mysql_* functions, as it is deprecated.
also its always better to try to find out the error by using mysql_error function to print out the error. (check the link for alternatives as this too is getting deprecated)

INSERT INTO companies
SET name = $name,
subdomain0 = $domain,
subdomain1 = $doamin1
so on

PHP MySQL Post Form

So I've been wrestling with this issue all day. I can't seem to post anything into my table and I'm not sure why.
I've got a form built that has all the values that are being transferred for the _POST. Any pointers would be great.
elseif ($request == 'POST') {
include 'header_post.php'; include 'topmain.php';
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$dlnum = $_POST['dlnum'];
$dob = $_POST['dob'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$phone = $_POST['phone'];
$height = $_POST['height'];
$weight = $_POST['weight'];
$hair = $_POST['hair'];
$eyes = $_POST['eyes'];
$ethnicity = $_POST['ethnicity'];
}
$query3 = "insert into ".$db_prefix."customer_det (fname, lname, dlnum, dob, address, city, state, zip, phone, height, weight, hair, eyes, ethnicity)
values ('".$fname."', '".$lname."', '".$dlnum."', '".$dob."', '".$address."', '".$city."', '".$state."',
'".$zip."', '".$phone."', '".$height."', '".$weight."', '".$hair."', '".$eyes."', '".$ethnicity."')";

Using MySQL connection in PHP:
mysql_connect('DB_HOST','DB_USER','DB_PASS');
#mysql_select_db('DB_NAME');
$query='insert into ...';
mysql_query($query);
But your query is prone to SQL injections, and you are advised to use MySQLi extension.
$mysql = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$query = 'insert into customer_det (
fname,
lname,
dlnum,
.......
) values (?,?,?,....,?)';
$statement = $mysql->prepare($query);
$statement->bind_param('sss...', //How many ever fields are there, those many sssss. For Integer use i. s is for string fields. Example ssssisssi....
$fname,
$lname,
$dlnum,
.....);
$statement->execute();
$statement->close();
$mysql->close();

you should use mysql_query :
$query3 = mysql_query("insert..");
you should also add this before $fname = $_POST['fname']; to prevent the query at page load :
if(isset($_POST['fname'])){
$fname = $_POST['fname'];
....
$query3 = mysql_query("insert..");
}

You are not performing query
use $result=mysql_query($query3);

There must be a query called.
use mysql_query();
As mentioned above, any variable using user inputted text that is stored in a database should be contained within the mysql_real_escape_string() to prevent SQL Injection.

Categories