I'm working on an application but what i want to do is get the user likes and store it in my database
But when i try to save it in the database it won't insert it in my database
$likes = $facebook->api('/me/likes');
$fblikes = '';
foreach($likes['data'] as $like){
$fblikes .= $like['name'].', ';
}
$insert = "INSERT INTO users (name, email, gender, liked)
VALUES (
'$fbname',
'$fbemail',
'$fbgender',
'$fblikes'
)";
$add_bericht = mysql_query($insert);
But whenever i remove $fblikes from the insert sql it will insert into my database
Any idea's ?
I think there is an escaping problem in your query. You are (Very) susceptible to SQL Injection.
See this post on how to prevent it: How can I prevent SQL injection in PHP?
Related
I have problem my code not working
I need to write 5 columns
can you explain how to can I use this code right
$val="('".implode("'), ('",$student)."')";
$sql = "INSERT INTO `tbl_student`
(`student_name`) VALUES ".$val.";";
I think this is what you're trying to do:
$val = "('".implode("','", $student)."')";
$keys = "(".implode(",", array_keys($student)).")";
$sql = "INSERT INTO tbl_student ".$keys." VALUES ".$val.";";
Warning: you should make sure your code is not subject to mysql injection. Values coming from the $student array should be sanitized if they comes from user input.
trying to submit data from a form but does not seem to be working. Can't spot any problems?
//Include connect file to make a connection to test_cars database
include("prototypeconnect.php");
$proId = $_POST["id"];
$proCode = $_POST["code"];
$proDescr = $_POST["descr"];
$proManu = $_POST["manu"];
$proCPU = $_POST["cpu"];
$proWPU = $_POST["wpu"];
$proBarCode = $_POST["barcode"];
$proIngredients = $_POST["ingredients"];
$proAllergens = $_POST["allergenscon"];
$proMayAllergens = $_POST["allergensmay"];
//Insert users data in database
$sql = "INSERT INTO prototype.Simplex_List (id, code, descr, manu, cpu, wpu, barcode, ingredients, allergenscon, allergensmay)
VALUES ('$proId' , '$proCode', '$proDescr' , '$proManu' , '$proCPU' , '$proWPU' , '$proBarCode' , '$proIngredients' , '$proAllergens' , '$proMayAllergens')";
//Run the insert query
mysql_query($sql)
First and foremost, please do not use mysql_*** functions and please use prepared statements with
PDO http://php.net/manual/en/pdo.prepare.php
or mysqli http://php.net/manual/en/mysqli.quickstart.prepared-statements.php instead. Prepared statements help protect you against sql injection attempts by disconnecting the user submitted data from the query to the database.
You may want to try using mysql_real_escape_string http://php.net/manual/en/function.mysql-real-escape-string.php to ensure no stray " or ' is breaking your query.
$proId = mysql_real_escape_string($_POST["id"]);
$proCode = mysql_real_escape_string($_POST["code"]);
$proDescr = mysql_real_escape_string($_POST["descr"]);
$proManu = mysql_real_escape_string($_POST["manu"]);
$proCPU = mysql_real_escape_string($_POST["cpu"]);
$proWPU = mysql_real_escape_string($_POST["wpu"]);
$proBarCode = mysql_real_escape_string($_POST["barcode"]);
$proIngredients = mysql_real_escape_string($_POST["ingredients"]);
$proAllergens = mysql_real_escape_string($_POST["allergenscon"]);
$proMayAllergens = mysql_real_escape_string($_POST["allergensmay"]);
Additionally ensure your form is being submitted by calling var_dump($_POST) to validate the data
You can also see if the query is erroring by using mysql_error http://php.net/manual/en/function.mysql-error.php
if (!mysql_query($sql)) {
echo mysql_error();
}
advices about PDO, prepared statements were done.
1) Do you have a database and connection to it?
Look at your prototypeconnect.php and find database name there. check that its name and password is similar that u have.
2) Do you have a table named prototype.Simplex_List in your database?
a) IF YOU HAVE:
check if your mysql version >= 5.1.6
http://dev.mysql.com/doc/refman/5.1/en/identifiers.html
b) IF YOU HAVE BUT ITS NAME is Simplex_List:
b-1) if your database name IS NOT prototype:
replace your
$sql = "INSERT INTO prototype.Simplex_List
with
$sql = "INSERT INTO Simplex_List
b-2) if your database name IS prototype:
you should escape your $_POST data with mysql_real_escape_string as #fyrye said.
c) IF YOU HAVE NOT:
you should create it
3) Check your table structure
does it have all theese fields id, code, descr, manu, cpu, wpu, barcode, ingredients, allergenscon, allergensmay?
if you have there PRIMARY or UNIQUE keys you should be sure you are not inserting duplicate data on them
but anyway replace your
$sql = "INSERT INTO
with
$sql = "INSERT IGNORE INTO
PS: its not possible to help you without any error messages from your side
I am working on a joomla 2.5 website & I am trying to insert values in database entered in the form on form submit. But I dont know why they are not inserting in the DB. Please help me out guys.
I've tried many different ways but I am not getting where I am going wrong.
This is my code:
if(isset($_POST["buttonSubmit"]))
{
$name = $_POST["name"];
$location = $_POST["location"];
$email = $_POST["email"];
echo $name;
$db =& JFactory::getDBO();
echo $query = "INSERT INTO '#__pxa_map' ('name', 'location','email') VALUES ($name, $location,$email)";
$db->setQuery( $query );
$db->query();
}
How to insert values in to database in joomla 2.5
You should add error handling and use prepared statements (preferably, don't know how that works in Joomla 2.5), but your query is wrong:
You don't quote the table and field names, you escape them with a backtick if necessary;
You do quote your values if you don't use a prepared statement;
You need to run your input through $db->quote() to prevent sql injection.
So it should look like:
$db = JFactory::getDbo();
$name = $db->quote($_POST["name"]);
// etc.
$query = "INSERT INTO `#__pxa_map` (`name`, `location`,`email`) VALUES ('$name', '$location','$email')";
I'm trying to run the following code:
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");
where $friendUID is the user ID grabbed from Facebook, and $friendName is the name of the friend grabbed from Facebook. For some reason, $friendName just won't write to MySQL. $friendUID writes fine, and so does regular text. Does anyone have an idea why, or how to get this working? Relevant code is below:
$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
$friendUID = $value["id"];
$friendName = $value["name"];
echo $friendName;
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");
Thank you!
First, you should look into using MySQLi or PDO, as the PHP MySQL extension is quite old (and now deprecated in PHP5.5)
http://www.php.net/manual/en/mysqlinfo.api.choosing.php
The issue is that you are trying to insert raw text into the SQL query, which in addition to being an injection risk, causes an invalid statement:
Desired result:
INSERT INTO friend_data (UID, Name) VALUES (1234, "Friend Name");
Actual Result:
INSERT INTO friend_data (UID, Name) VALUES (1234, Friend Name);
You need to encapsulate the name value in quotes, as well as escape the values before inserting them:
$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
$friendUID = mysql_real_escape_string($value["id"]);
$friendName = mysql_real_escape_string($value["name"]);
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, \"$friendName\")");
I have read a lot about sql injection and I understand how it could cause problems (ie: DROP TABLE __ etc). But I am unsure how the tutorials I have followed actually prevent this from happening. I am just learning PDO and I think I understand it.
Is this code safe from SQL injection? and why is it? (It takes quite a bit more work using these prepared statements so I want to be sure I am not just wasting my time - also if the code can be improved please let me know!)
$conn = new PDO("mysql:host=$DB_HOST;dbname=$DB_DATABASE",$DB_USER,$DB_PASSWORD);
// Get the data
$firstname = $_POST["v_firstname"];
$lastname = $_POST["v_lastname"];
$origincountry = $_POST["v_origincountry"];
$citizenship = $_POST["v_citizenship"];
$gender = $_POST["v_gender"];
$dob = $_POST["v_dob"];
$language = $_POST["v_language"];
$landing = $_POST["v_landing"];
$email = $_POST["v_email"];
$phone = $_POST["v_phone"];
$cellphone = $_POST["v_cellphone"];
$caddress = $_POST["v_caddress"];
$paddress = $_POST["v_paddress"];
$school = $_POST["v_school"];
$grade = $_POST["v_grade"];
$smoker = $_POST["v_smoker"];
$referred = $_POST["v_referred"];
$notes = $_POST["v_notes"];
//Insert Data
$sql = "INSERT INTO clients (firstname, lastname, origincountry, citizenship, gender, dob, language, landing, email, phone, cellphone, caddress, paddress, school, grade, smoker, referred, notes)
VALUES (:firstname, :lastname, :origincountry, :citizenship, :gender, :dob, :language, :landing, :email, :phone, :cellphone, :caddress, :paddress, :school, :grade, :smoker, :referred, :notes)";
$q = $conn->prepare($sql);
$q->execute(array(':firstname'=>$firstname,
':lastname'=>$lastname,
':origincountry'=>$origincountry,
':citizenship'=>$citizenship,
':gender'=>$gender,
':dob'=>$dob,
':language'=>$language,
':landing'=>$landing,
':email'=>$email,
':phone'=>$phone,
':cellphone'=>$cellphone,
':caddress'=>$caddress,
':paddress'=>$paddress,
':school'=>$school,
':grade'=>$grade,
':smoker'=>$smoker,
':referred'=>$referred,
':notes'=>$notes));
Yes, the code is safe, as PDO will properly escape and quote the array of parameters for you.
Your code is safe from SQL injection because you're using paramaterized query, which basically means that once the query is being built and sent to the sql server, it's being escaped, same could be achieved by using php's built in function mysql_real_escape_string().
The following video is great informational video about sql injection from OWASP:
SQL Injection
The rule is: Do not construct sql by hand, in which you do something like:
sqlStatement = 'select field1, field2, field3 from mytable where index = '' + myVariable + ''
The above is dangerous, because if your app allows a user to pass data into myVariable, they could potentially send full SQL commands to your db server.
Using parameterized queries, as you do above, is the solution.