www.webdeveloper.com

Thread: INSERT MySql and PHP

  1. #1
    Join Date
    May 2017
    Posts
    16

    INSERT MySql and PHP

    Hi, I have this HTML code


    HTML Code:
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta http-equiv="X-UA-Compatible" content="ie=edge">
        <title>Document</title>
    </head>
    <body>
        
        <form method="post" action="join.php">
            username:
            <input name="name" type="text">
            <input type="submit">
        </form>
    </body>
    </html>
    using this PHP script

    PHP Code:
    <?php
    require("db.php");
    $name = $_POST["name"];

    if(!empty($name)){
        $sql = "INSERT INTO `invetario` ( `user`) VALUES ($name)";
        echo("no esta vacio");
    }else{
        echo("vacio esta");
    }

    echo "dice ".$name;
    ?>
    The require("db.php"); is a script with my database info. This should insert the text from the HTML form, but it is not doing it in my SQL. I have the table called "inventario" and then a structure row called user, with type text, but this is not working. If I execute this code INSERT INTO `invetario` ( `user`) VALUES ("example") on the SQL console of phpMyAdmin it works fine. Some help pls? ty

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    22,327
    1. The value needs to be quoted in the SQL, and should be escaped as well to avoid SQL injection.*

    2. Assigning an SQL string to a variable ($sql in this case) does not actually do anything in the database: you have to actually execute the query using whichever database extension is set up in your db.php file.
    ____________
    * Preferably you are using either the MySQLi or PDO extensions (and not the deprecated MySQL extension), in which case you should use a prepared statement with a bound parameter, which will automatically take care of the escaping for you.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework
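    Putting NogDog's two points into code: the following is an added example of join.php (not the poster's code and not from this thread) that runs the INSERT through a MySQLi prepared statement, so the value is never spliced into the SQL text at all. It assumes db.php opens a mysqli connection in `$link` (the variable name used later in the thread) and keeps the table name `invetario` exactly as spelled in the original query.

```php
<?php
// Added example, not the poster's code. Assumes db.php creates a mysqli
// connection in $link; the table name `invetario` is kept as spelled in the thread.
require("db.php");

// Throw on driver errors instead of failing silently (default behaviour since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$name = isset($_POST["name"]) ? trim($_POST["name"]) : "";

if ($name === "") {
    echo "vacio esta";
    exit;
}

// The SQL string contains no user data: "?" is a placeholder the server fills in
// at execution time, so quoting and escaping are handled by the driver and the
// submitted text can never be parsed as part of the statement.
$stmt = mysqli_prepare($link, "INSERT INTO `invetario` (`user`) VALUES (?)");
mysqli_stmt_bind_param($stmt, "s", $name);   // "s": bind the value as a string
mysqli_stmt_execute($stmt);                  // this is the step the original script was missing

echo "no esta vacio, filas insertadas: " . mysqli_stmt_affected_rows($stmt);
mysqli_stmt_close($stmt);

// The value is untrusted on the way out as well: encode it before echoing it into HTML.
echo "dice " . htmlspecialchars($name, ENT_QUOTES, "UTF-8");
?>
```

    The PDO form NogDog mentions has the same shape: `$pdo->prepare("INSERT INTO `invetario` (`user`) VALUES (?)")->execute([$name]);`. In both cases the fix for the original script is the same two things: the query is actually executed, and the value is bound as a parameter rather than concatenated into the string.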

  4. #4
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    5,859
    You should improve this
    HTML Code:
        <form method="post" action="join.php">
    and use something like this which is better
    HTML Code:
        <form name="myform" action="join.php" method="post" enctype="multipart/form-data">
    Then in your PHP...

    PHP Code:
    require("db.php");
    // Sanitize the input, it will return the value or if it fails, the value will be a boolean false
    $name = filter_var( $_POST["name"], FILTER_SANITIZE_STRING );
    // check if name is false and if it is empty, if so, then die.
    if(!$name or empty($name) ) die("empty or failed validation");

    // Got here, passed validation, no if's needed, make your query string
    // (mysqli_escape_string needs the connection as its first argument)
    $sql = sprintf("INSERT INTO `invetario`( `user`) VALUES ('%s')", mysqli_escape_string( $db_link, $name ) );
    // make your query
    $results = mysqli_query( $db_link, $sql );
    ...
    In short, whatever it is that you use to link to and query the database with, NogDog has stated that you need to escape the strings for insertion, which is what mysqli_escape_string represents. The sprintf function allows for easier string production, and confusion is removed with quotes because of the number of errors that creep in from losing track of whether you need a quote, need to escape it, or whatever.
    Last edited by \\.\; 01-12-2018 at 05:35 PM.
    --> JavaScript Frameworks like JQuery, Angular, Node <--
    ... and please remember to wrap code with forum BBCode tags:-

    [CODE]...[/CODE] [HTML]...[/HTML] [PHP]...[/PHP]

    If you can't think outside the box, you will be trapped forever with no escape...
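    The validate-then-escape approach from the post above, as an added example that is not \\.\'s code: it assumes db.php provides a mysqli connection in `$db_link` (the name used in that post) and keeps the `invetario` table name from the thread. It fixes the two details that make escaping go wrong in practice: the connection must be passed to the escape function, and the connection charset must be set first, because escaping is charset-dependent. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the check is replaced by a plain length and emptiness test.

```php
<?php
// Added example, not the poster's code. Assumes db.php creates a mysqli
// connection in $db_link; the table name `invetario` is kept as spelled in the thread.
require("db.php");

// Escaping depends on the connection charset: declare it before escaping anything,
// or multibyte input can slip a quote past mysqli_real_escape_string.
mysqli_set_charset($db_link, "utf8mb4");

// Validate: reject missing or empty input and cap the length to what the column should hold.
// (FILTER_SANITIZE_STRING from the post above is deprecated since PHP 8.1.)
$name = isset($_POST["name"]) ? trim($_POST["name"]) : "";
if ($name === "" || strlen($name) > 64) {
    die("empty or failed validation");
}

// mysqli_real_escape_string (mysqli_escape_string is an alias) takes the connection
// first, and the escaped value must still sit inside quotes in the format string: '%s', not %s.
$sql = sprintf(
    "INSERT INTO `invetario` (`user`) VALUES ('%s')",
    mysqli_real_escape_string($db_link, $name)
);

$results = mysqli_query($db_link, $sql);
if ($results === false) {
    // Log the driver error server-side rather than echoing it to the browser.
    error_log("insert failed: " . mysqli_error($db_link));
    die("insert failed");
}
echo "inserted " . mysqli_affected_rows($db_link) . " row(s)";
?>
```

    This is the correct form of the escape-and-format path; a prepared statement with a bound parameter, as NogDog's footnote recommends, removes the need to get the charset and quoting right by hand.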

  5. #5
    Join Date
    May 2017
    Posts
    16
    Quote Originally Posted by NogDog View Post
    1. The value needs to be quoted in the SQL, and should be escaped as well to avoid SQL injection.*

    2. Assigning an SQL string to a variable ($sql in this case) does not actually do anything in the database: you have to actually execute the query using whichever database extension is set up in your db.php file.
    ____________
    * Preferably you are using either the MySQLi or PDO extensions (and not the deprecated MySQL extension), in which case you should use a prepared statement with a bound parameter, which will automatically take care of the escaping for you.

    What now?


    PHP Code:
    <?php
    require("db.php");
    $name = $_POST["name"];

    if(!empty($name)){
        $sql = "INSERT INTO `invetario` ( `user`) VALUES ($name)";
        $results = mysqli_query( $link, $sql );
        echo("no esta vacio");
    }else{
        echo("vacio esta");
    }

    echo "dice ".$name;
    ?>
    PHP Code:
    $link = mysqli_init();
    $success = mysqli_real_connect(
       $link,
       $host,
       $user,
       $password,
       $db,
       $port
    );

  6. #6
    Join Date
    May 2017
    Posts
    16
    Fixed: error in mysqli_query, and the variable didn't have single quotes. ty
