#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    8
    Rep Power
    0

    PHP call to MySQL not working......?


    Ok so I'm kinda new to this and rather confused why this code isn't working. The table and database are set up. But it's not inserting. Syntax error?

    PHP Code:
    $con=mysqli_connect('localhost','root','12345''$_COOKIE[User]');
    if(mysql_errno()){
      echo "<script>alert('Conenction Error')</script>";
    }
    else{
      $FName=$_FILES['file']['name'];
      $UName=$_COOKIE['User'];
      $sql="INSERT INTO $UName VALUES ('$FName')";

      if(!mysqli_query($con,$sql)){
        echo "<script>alert('failed to insert into DB')</script>";
        echo mysqli_errno($this->db_link);
        echo mysqli_errno();
      }
    }
  2. #2
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    299
    Rep Power
    9
    Good evening,

    The 4th parameter of mysqli_connect() is meant to be the name of the database.

    Also, your first if statement is checking mysql_errno() instead of mysqli_errno();

    Kind regards,

    NM.

    Comments on this post

    • truebluecougar agrees
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    8
    Rep Power
    0
    You're a boss. I totally should have caught that one. Thank you!!
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    299
    Rep Power
    9
    No problem,

    I edited the post also, see the update!

    Kind regards,

    NM.
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    8
    Rep Power
    0
    that however didn't fix it..... :/ any other ideas?
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    8
    Rep Power
    0
    ahh....I had to specify which column it was going into. Got it. Thanks again.
  12. #7
  13. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Congratulations, you've managed to make your code vulnerable to SQL injections using a database library specifically designed for security.

    This piece of code is an open invitation for any script kiddie and criminal on this planet to break into your server:

    PHP Code:
    $FName=$_FILES['file']['name'];
    $UName=$_COOKIE['User'];
    $sql="INSERT INTO $UName VALUES ('$FName')";
    You do not insert raw user data into a query, because this allows anybody to write their own query. How about I promote myself an admin? All I need to do is send you a query in the User cookie, and you'll happily execute it. And if your database system is just as secure as your code, I can probably gain access to your server and maybe capture it.

    I hope this isn't online yet, because if it is, you're in deep trouble.

    You must secure your code! You need to learn how to write secure code. You can't just take anything the user sends you and pass it right to the database system.

    I mean, have you not heard of all the servers getting hacked day in, day out? Do you leave your front door open with a sign saying you're on vacation for a month?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
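
An added example, not part of any post in this thread: the insert from post #1 rewritten so that request data never becomes SQL text. It uses PDO with an in-memory SQLite database so it runs without a server (a swap for the thread's mysqli, which offers the same pattern through prepare() and bind_param()). The `uploads` table, `build_unsafe_sql()`, `save_upload()` and the sample values are hypothetical, and `$owner` is assumed to come from a server-side session rather than a cookie.

```php
<?php
// Added example with constructed data; SQLite in memory stands in for MySQL.
// With mysqli the same pattern is $con->prepare() plus $stmt->bind_param().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// One shared table with an owner column replaces the per-user tables,
// so the user value becomes ordinary data instead of an SQL identifier.
$db->exec('CREATE TABLE uploads (owner TEXT NOT NULL, file_name TEXT NOT NULL)');

/** Pattern from the thread: request data is pasted into the SQL text. */
function build_unsafe_sql(string $table, string $fileName): string
{
    return "INSERT INTO $table VALUES ('$fileName')";
}

/** Hardened form: fixed SQL text, request data only as bound values. */
function save_upload(PDO $db, string $owner, string $clientFileName): void
{
    // Assumed policy: owner names are short and strictly alphanumeric.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $owner)) {
        throw new InvalidArgumentException('invalid owner name');
    }
    $stmt = $db->prepare('INSERT INTO uploads (owner, file_name) VALUES (?, ?)');
    // basename() drops any path components the client put in the name.
    $stmt->execute([$owner, basename($clientFileName)]);
}

// Constructed inputs: a legitimate file name that happens to contain a quote,
// and a cookie-style value that is not a plain name.
$fileName = "o'brien.txt";
$badOwner = 'alice; --';

// Concatenated form: the quote in the file name ends the string literal
// early, so the rest of the name is parsed as SQL.
echo build_unsafe_sql('alice', $fileName), "\n";

save_upload($db, 'alice', $fileName);          // quote is stored as data
try {
    save_upload($db, $badOwner, $fileName);    // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

foreach ($db->query('SELECT owner, file_name FROM uploads') as $row) {
    echo $row['owner'], ' => ', $row['file_name'], "\n";
}
```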
  14. #8
  15. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    8
    Rep Power
    0
    hey man calm down. I'm learning how to work with php and mysql. It's a practice exercise. Chill.
  16. #9
  17. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by truebluecougar
    I'm learning how to work with php and mysql.
    And that's why I'm warning you that you're about to kill yourself.

    I'm pretty sure that you don't just wanna keep practicing on your local webserver for your whole life. As soon as you actually put your code online, it must be secure, because nobody will be gentle with you just because you're new to PHP. So don't even start using unsecure practices, regardless of whether it's for practicing, for your sister's home page or for a major banking software.

    Comments on this post

    • gw1500se agrees : Amen!
  18. #10
  19. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    299
    Rep Power
    9
    Your link has now been pinned

    Regards,

    NM.
