#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    4
    Rep Power
    0

    Problems with form uploading to MySQL db


    Hello from the newbie! I have a form that I need to post the data to my MySQL db and it is not working. It says that it uploaded it, but it doesn't upload the data. Strange thing is that when I go to re-enter the information, it says that the serial number is already in the system.

    Here is the php process:
    PHP Code:
        <?php
        if ($_POST['doSubmit'] == 'Add')
        {
            $rs_dup = mysql_query("select count(*) as total from firearms where serialNumber='$post[serialNumber]'") or die(mysql_error());
            list($dups) = mysql_fetch_row($rs_dup);

            if ($dups > 0) {
                die("That Serial Number already exists in the system.");
            }

            mysql_query("INSERT INTO `firearms` (`manufacturer`,`model`,`serialNumber`,`caliber`,`type`,`receiptDate`)
            VALUES ('$post[manufacturer]','$post[model]','$post[serialNumber]','$post[caliber]','$post[type]',now())
            ") or die(mysql_error());
            echo "<div class=\"msg\">New Firearm Added....done.</div>";
        }
        ?>
    Here is the form:
    PHP Code:
        <p><?php
        if (!empty($msg)) {
            echo $msg[0];
        }
        ?></p>
        <table width="100%" border="0" cellpadding="5" cellspacing="2" class="myaccount">
        <tr>
        <td width="50%" style="text-align:right"><form name="addNew" id="addNew" method="post" action="xxxxxx">Name of Manufacturer and/or Importer:&nbsp;</td>
        <td width="50%" style="text-align:left"><input name="manufacturer" type="text" id="manufacturer"></td>
        </tr>
        <tr>
        <td style="text-align:right">Model of Firearm:&nbsp;</td>
        <td style="text-align:left"><input name="model" type="text" id="model" class="required"></td>
        </tr>
        <tr>
        <td style="text-align:right">Firearm Serial Number:&nbsp;</td>
        <td style="text-align:left"><input name="serialNumber" type="text" id="serialNumber" class="required"></td>
        </tr>
        <tr>
        <td style="text-align:right">Caliber or Gauge of Firearm:&nbsp;</td>
        <td style="text-align:left"><input name="caliber" type="text" id="caliber" class="required"></td>
        </tr>
        <tr>
        <td style="text-align:right">Type of Firearm (pistol, revolver, shotgun, rifle,etc.):&nbsp;</td>
        <td style="text-align:left"><input name="type" type="text" id="type" class="required"></td>
        </tr>
        <tr>
        <td colspan="2" style="text-align:center"><input name="doSubmit" type="submit" id="doSubmit" value="Add"></form></td>
        </tr>
        </table>
    Here is the db structure:
    Code:
    CREATE TABLE IF NOT EXISTS `firearms` (
      `id` bigint(20) NOT NULL AUTO_INCREMENT,
      `manufacturer` varchar(200) COLLATE latin1_general_ci NOT NULL DEFAULT '',
      `model` varchar(200) COLLATE latin1_general_ci NOT NULL DEFAULT '',
      `serialNumber` varchar(200) COLLATE latin1_general_ci NOT NULL DEFAULT '',
      `caliber` varchar(200) COLLATE latin1_general_ci NOT NULL DEFAULT '',
      `type` varchar(200) COLLATE latin1_general_ci NOT NULL DEFAULT '',
      `receiptDate` date NOT NULL DEFAULT '0000-00-00',
      PRIMARY KEY (`id`),
      UNIQUE KEY `serialNumber` (`serialNumber`)
    ) ENGINE=MyISAM  DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci AUTO_INCREMENT=1 ;
    Attached is an image of what shows up when the form is processed. It is making an entry, but only populates the 'id' and 'date' fields.

    The image can be found at http://www.tacticaloffense.com/img/mysql.jpg

    Any help would be greatly appreciated!!!

    Thanks,

    Clint
  2. #2
  3. No Profile Picture
    I haz teh codez!
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2003
    Posts
    2,551
    Rep Power
    2337
    It's not $post it's $_post.

    Other notes:
    1. The mysql_* functions are deprecated, you should move to mysqli_* or PDO.
    2. Your SQL is inherently insecure and prone to SQL injection; using one of the newer libraries above, combined with proper use of prepared statements, will alleviate that.
    3. Using die() is inappropriate outside of a development environment, as it reveals details of your DB to the caller, which is another security hole.

    Comments on this post

    • Jacques1 agrees
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Since that code (or similar code) already seems to be online on the website you linked to, you need to fix those vulnerabilities now. This is a public forum, so anybody can read about your security issues and try to exploit them. Check the security tutorial in my signature.

    To be honest, I find it quite insane to write code for a live shop without proper PHP knowledge. But that's none of my business, of course ...

    Comments on this post

    • ptr2void agrees : Sigh...it's hopeless.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    4
    Rep Power
    0
    Originally Posted by ptr2void
    It's not $post it's $_post.

    Other notes:
    1. The mysql_* functions are deprecated, you should move to mysqli_* or PDO.
    2. Your SQL is inherently insecure and prone to SQL injection; using one of the newer libraries above, combined with proper use of prepared statements, will alleviate that.
    3. Using die() is inappropriate outside of a development environment, as it reveals details of your DB to the caller, which is another security hole.
    Thank you for your prompt response!

    I changed the $post to $_post and still get the same problem.

    As for being subject to sql injections, there are other processes in place to prevent this, for starters, this form is not open to the public and behind 2 layers of passwords.

    I will consider upgrading to mysqli_* or PDO but that not only would take a lot of work as there are about 60 pages of code using mysql_, and since I am such a newb when it comes to php, it would take a lot of learning (which I am not against, I just need to get this up and running asap).

    Any other ideas why it would not be posting?
  8. #5
  9. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,316
    Rep Power
    7170
    It's actually not $post or $_post, it's $_POST. Variable names in PHP are case-sensitive.

    As for being subject to sql injections, there are other processes in place to prevent this, for starters, this form is not open to the public and behind 2 layers of passwords.
    Not being open to the public and being password protected has nothing to do with SQL injections, it just limits who is able to exploit them.

    However, malicious SQL injection is not the only problem there. What happens when you decide to add a firearm from Colt's Manufacturing Company? It's not going to work because the single quote will cause the INSERT query to fail.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
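
Added example, not part of the thread and not any poster's code: the insert from post #1 rewritten with PDO prepared statements, as posts #2 and #5 recommend, so that a value such as "Colt's Manufacturing Company" is stored intact, empty fields are rejected, and database errors are logged rather than shown to the caller. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the function name `addFirearm` is hypothetical, and the sample record is constructed.

```php
<?php
// Assumption: PDO's bundled SQLite driver replaces MySQL here; with MySQL only the
// DSN passed to new PDO() changes, the prepared-statement code stays the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE firearms (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    manufacturer TEXT NOT NULL, model TEXT NOT NULL,
    serialNumber TEXT NOT NULL UNIQUE, caliber TEXT NOT NULL,
    type TEXT NOT NULL, receiptDate TEXT NOT NULL)');

// Hypothetical helper: validates the posted fields and inserts one row.
function addFirearm(PDO $pdo, array $post): string
{
    $fields = ['manufacturer', 'model', 'serialNumber', 'caliber', 'type'];
    $row = [];
    foreach ($fields as $f) {
        $value = trim((string)($post[$f] ?? ''));
        if ($value === '') {
            return "Missing field: $f";   // stops rows that contain only id and date
        }
        $row[":$f"] = $value;
    }
    $row[':receiptDate'] = date('Y-m-d');
    $stmt = $pdo->prepare('INSERT INTO firearms
        (manufacturer, model, serialNumber, caliber, type, receiptDate)
        VALUES (:manufacturer, :model, :serialNumber, :caliber, :type, :receiptDate)');
    try {
        $stmt->execute($row);             // values travel as data, never as SQL text
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (UNIQUE serialNumber)
        if (strncmp((string)$e->getCode(), '23', 2) === 0) {
            return 'That Serial Number already exists in the system.';
        }
        error_log($e->getMessage());      // details go to the log, not the browser
        return 'The record could not be saved.';
    }
    return 'New Firearm Added.';
}

// Constructed sample input standing in for $_POST
$sample = ['manufacturer' => "Colt's Manufacturing Company", 'model' => 'Python',
           'serialNumber' => 'TEST-0001', 'caliber' => '.357 Magnum', 'type' => 'revolver'];
echo addFirearm($pdo, $sample), "\n";     // first insert of this serial number
echo addFirearm($pdo, $sample), "\n";     // same serial number again
echo $pdo->query('SELECT manufacturer FROM firearms')->fetchColumn(), "\n";
```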
