i would like to ask if someone knows what went wrong with my program.
you see, after i upload a file, the uploaded file is moved to the created folder document, the the other information like, uploadname and employee id that is supposed to be inserted in the database did not insert it. the file was copied to the document but info did not insert. i hope someone could help me. no errors where found in my code
*CASE CLOSED, but thanks for the help
First: You have only written insert query, you don't actually call mysql_query($insert_query);
Second: Are you sure all those inputs are valid? Try putting $company_id in single quotes too.
Also is there any error or warning message showing up?
NOTE: Remember to escape and validate your input! Look through this page: http://php.net/manual/en/security.database.sql-injection.php
You should add the following line at the end of the code.
mysql_query ($insert_query, $conn) or die (mysql_error());
It will try to insert the record otherwise will show the error in the page, so you can debug to identify the issue and fix easily.
Related
I have a HTML page for updating a mysql table, and when the user is finished modifying it clicks a "submit" button at the bottom of the page, named 'valider'. I use POST method and the action leads to a php page with the UPDATE request but it won't update. I've tried putting the values from the previous page into variables before using them in the request but it still won't work. Here is the php code:
<?php
include_once("connexionMysql.php");
if(isset($_POST['valider'])){
$titreIci=$_POST["titre"];
$idIci=$_POST["id"];
$envoie= "UPDATE AY_albums SET titre='$titreIci' WHERE id='".$idIci."'";
}
header("Location: pageDaccueilAdmin.php");
?>
The "id" must be an int in your database and you are casting it as string this may cause issue also check your config file:
remove the header redirection to see if there is an error.
CAREFUL !! You have a BIG mistake in you code: you don't control the $idIci parameter!! so it is highly vulnerable about SQL injection attacks!! Anyone can wipe you database or deface you website...
Firstly, I suggest to control $idIci:
$idIci = $_POST['id']
if (!is_numeric($idIci))
{
echo "Bad parameter!!";
exit;
}
Or use PDO->bindParam() method... And where do you execute the query?
You should send $invoie variable to some function which send it to database server. Like PDO::query($invoie);
The code shown in the question is simply assigning a string value to a variable.
That's all it's doing.
There's no execution of a SQL statement.
The contents of that variable are not getting sent to the database to be executed as a SQL statement. That's not happening, no matter how much you make the string look like a SQL statement. It's not going to be executed as a SQL statement unless your code makes that happen.
And fair warning... when the code does send that string to the database as a SQL statement, the code is going to be vulnerable to SQL Injection.
Check var_dump($_POST); and see what data you have before SQL update line. You probably sent the wrong data. Also, use $idIci = (int) $_POST["id"]; because of security reasons.
i am creating a CMS and have php creating a page. i have a while loop like this
while($row = mysql_fetch_array($results)) {
echo "some html code" . $row['name'];
its shortend but hopefully you get the point. i have the full thing in my page working just as it should and i wanted to move it to a function include as i want to reuse it. the problem is i do that and it stops working.
i did some testing and found that the function is getting the query result and after doing a var dump both were identical the problem comes when i try to assign it to an array. it comes back as false so in the above code, for example,
$row = false;
im toatly lost in this and if my explanation is confusing i appologise but i am a bit of a newbie i have tried searching but....i dont really know where to begin
any thoughts.
the query you are doing is basically wrong, try posting exactly the code which you have in $query and then let us see the problem.
also, it is better to use mysqli functions.
but for this, edit the question and type the query, or simply put a die(mysql_error()) at the end of your query which is in $query. It will show your exact error.
i fugured it out
when i was testing the function i commented out the original code on the main page but for some reason i had not comented out enough (it was a mix of php and html clearly the php had not been commented out properly) this must have been causing a clash of some kind as when i put the function above the code on my page the function worked and the long code below it did not
sorry for wasting your time guys
I'm creating a form where the user should be able to enter any text (used to change articles on the site), Html, JavaScript or literally anything is allowed to type in and post, and so far everything worked. But today I suddenly got this strange error.
When I try to save text with Html to a MySQL database like this:
google
nothing goes wrong, but when I try it like this:
<img src="http://www.google.com/" />
The page does not load (forbidden error) and the database does not contain any of the text is should contain (the Html).
Instead the page shows the following error:
Forbidden
You do not have permission to access this document.
The same problem occurs when I try to post the following data:
src="http:
Why do I get a forbidden error when the post contains that specific piece of text, whats going on here?
Code I'm using:
if($_SERVER['REQUEST_METHOD']=="POST" && !empty($_POST['save'])){
$text = mysql_real_escape_string($_POST['textarea']);
$title = mysql_real_escape_string($_POST['title']);
$query = "INSERT INTO articles (text, title) VALUES ('".$text."','".$title."')";
When I remove the MySQL query I still get the error so it has nothing to do with the database. PHP safe mode is on, could that make a difference?
How can this be fixed?
Edit: Tried the complete application on my xampp server and it did not show the error, but on my hosting server I use the script in a password protected map. could that be the problem? Anyway I'm going to contact my hosting company.
It sounds a bit like mod_security, switched on and in its most aggressive mode, and it thinks you're trying to hack the site. The reason I say it only sounds a bit like that is because no-one should normally configure it to check POST data because that causes far too many false positives. But check the error log(s) as it will probably be listed there if it's that. If so you'll need to turn it off in the hosting settings or nag your host to do it.
Also try a bare minimum script: <?php var_dump($GLOBALS); ?> to see if the data reaches PHP at all.
try:
if($_POST && !empty($_POST['save'])){
$text = mysql_real_escape_string(htmlentities($_POST['textarea']));
$title = mysql_real_escape_string(htmlentities($_POST['title']));
Send this into your db
<a href=www.google.com>Google</a>
or
When called from db
echo "http://".$row_TabelName['RowName'];
It should solve your issue.
if you wish to use the following
base64encode() and insert ,after read base64decode()
I apologize if this has been answered, but I haven't been able to find anything about it. I've been having trouble with a certain block of PHP code on my server and have finally realized that it doesn't like single line comments. With this code, the method get_all_articles is never called.
<?php
$article_class = new Articles();
// Fetch all articles
$articles = $article_class->get_all_articles();
?>
However, removing the comment or converting it to a block comment allows the page to render perfectly. I realize that I've already figured out what's causing the problem, but what I'm looking for is why or how I might be able to fix it. Any help would be greatly appreciated. Thanks!
Maybe the formatting is getting lost on upload to where line breaks are being deleted? Try downloading the PHP file after you've uploaded it and see if the line breaks are still intact.
This can be frustrating... One time I had an if statement that would ALWAYS execute, no matter what the values were...
Started out as this, where $x was equal to 5 (I verified this with debugging)
if($x > 10);
{
....
}
Eventually, I had it down to this:
if(false);
{
echo("This should never happen");
echo("but it does!!!!!!!");
}
After much loss of hair, I realized that I had a semi-colon at the end of the if() line, therefore translating into:
if(false)
/*do nothing*/;
{
//Nice block that always executes
}
The moral of this story is that while the problem you percieve is actually giving you a problem, it is not a PHP problem. Try to find out the root cause by first verifying that the actual code that is executing is EXACTLY what you typed. Re-download the file, publish with different protocol, publish as binary, check sha1sum() on files to make sure the same... Look and look and you will find it.
Let us know.
I am using CodeCharge Studio to finish a large PHP application. This question isn't really CCS related, but a bit more general. I have a web form that is supposed to allow CRUD capabilities with a certain SQL Server table, but the Inserts keep failing without throwing any errors. What would be the best way to debug this?
When I'm having trouble with dynamically generated SQL queries, I typically echo out the query and try running that query on the console for the DB. Or alternatively, you could write a simple PHP function that writes out strings to a file, and that way you don't have to display the query directly on your page, but instead in a log file.
See what the actually query is and then try doing that query directly on the DB. Then you know whether it's a PHP issue or a DB issue.
Then go from there, depending on the outcome.
If the query looks OK, double check that the user running the query has insert rights to the database.
I've been caught out by that before.
You can monitor all sql queries in mysql as shown in this site, once you enable logging, run the query manually and see why its failing..this should be good starting point.
In addition to what's mentioned before, I can add my recent discovery:
trigger_error(print_r($your_var,1),E_USER_ERROR);
So you can output and debug your variable, even if it's a complex script with redirects, where simple echo would not help.
Dmitri.
You should try using FirePHP and log all the SQL to your Firebug:
An Example would be:
$sql = "SELECT * FROM table"
if (!mysql_query($sql)) {
// In un successfull log to FireBug
FB::error($data, "SQL error: ".mysql_error());
}
You can also implement the FB::error call from your own function, so you can later deactivate this behaviour modifying your function:
function log_error($data, $msg){
//dont forget to deactivate in case the application goes live!
FB::error($data, $msg);
}
if (!mysql_query($sql)) {
// In un successfull log to FireBug
log_error($data, "SQL error: ".mysql_error());
}
Most of the database connection classes in CodeCharge have a 'debug' flag which will automatically write all the page's database commands at the top of the page.
For example, in an old PHP project of mine, 'Common Files' the file 'db_mysql.php' (line 27):
public $Debug = 0; ## Set to 1 for debugging messages.
Change to '1' and publish that file. Load the web page. Change back and re-publish when done.
I've used this in CCS for PHP and ASP projects, and is likely in the other languages (not sure if or where to find in .NET projects).