Help 4 a noob Pls

ihavemyownpaddedcell
Forum Newbie
Posts: 2
Joined: Tue Jan 12, 2010 5:16 pm

Help 4 a noob Pls

Post by ihavemyownpaddedcell »

Hi everyone

This is my first post on a forum ever so let me know if I'm doing something wrong...

Having trouble with a php form. I want to use a form to insert data into a mysql database with 3 rows, username, password & url, so I have three field boxes. The problem is I also want a folder created on my server with the same name as one of the fields. Here's my code so far...

Code:

<?php
// connect to MySQL with the old mysql_* extension
$con = mysql_connect("localhost","user","pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("test", $con);

// raw form values are interpolated straight into the SQL string
$sql="INSERT INTO dbase (username, password, address)
VALUES
('$_POST[username]','$_POST[password]','$_POST[address]')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}

// FTP back to the same server to create the client folder
$ftpstream = @ftp_connect('localhost');

$login = @ftp_login($ftpstream, 'ftpuser', 'pass');
if($login) {@ftp_mkdir($ftpstream, '/public_html/clients/ THIS BIT I CANT GET TO WORK');
}
ftp_close($ftpstream);

echo "record added";

mysql_close($con); // missing semicolon added

?>


Any help would be greatly appreciated!

Thanks
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Help 4 a noob Pls

Post by requinix »

If you're doing something on the same server PHP is running on, you don't need FTP at all.
Just mkdir.

Also,

Code:

$sql="INSERT INTO dbase (username, password, address)
VALUES
('$_POST[username]','$_POST[password]','$_POST[address]')";
is very insecure. If someone put in O'Reilly for the username then the query would be

Code:

INSERT INTO dbase (username, password, address) VALUES ('O'Reilly', 'password', 'address')
 
That will break the query. If they really wanted to, they could ruin your database with SQL injection.
Also, unless you actually plan on looking up passwords and not just doing basic login username/password checking, you should always hash passwords.
All together, using mysql_real_escape_string (to protect the query) and sha1 (to hash the password),

Code:

$sql="INSERT INTO dbase (username, password, address) VALUES (" .
    "'" . mysql_real_escape_string($_POST["username"]) . "'," .
    "'" . sha1($_POST["password"]) ."'," . // sha1 is safe and is no threat to SQL injection
    "'" . mysql_real_escape_string($_POST["address"]) . "')";
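The same form handler written the way it would be done on a current PHP release, as an added example that is not requinix's code or the original poster's: a PDO prepared statement keeps the form values out of the SQL text entirely (so O'Reilly is just data), password_hash() replaces the unsalted sha1, and the folder is created with plain mkdir() on the local filesystem as suggested above. The table name dbase, the DSN, the credentials and the base folder /public_html/clients are taken from the thread or assumed; the name-validation rule is an assumption added here so that a username containing slashes or ".." can never become part of the directory path.

```php
<?php
// Added example (not the forum poster's code). Assumes PHP 7+, a MySQL database
// "test" reachable via PDO with a table dbase(username, password, address), and a
// writable base directory CLIENTS_DIR; adjust to your environment.

declare(strict_types=1);

const CLIENTS_DIR = '/public_html/clients';   // assumption: base folder for per-client dirs

/**
 * Validate the folder name derived from the username. Only a short alphanumeric
 * name is accepted, so "../", slashes and NUL bytes can never reach mkdir().
 * The character set and length limit are assumptions made for this example.
 */
function validClientName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name);
}

function addClient(PDO $db, string $username, string $password, string $address): void
{
    if (!validClientName($username)) {
        throw new InvalidArgumentException('username must be 1-32 chars of [A-Za-z0-9_-]');
    }

    // Prepared statement: user input travels as bound parameters, never as SQL text,
    // so a quote in the value cannot change the structure of the query.
    $stmt = $db->prepare(
        'INSERT INTO dbase (username, password, address) VALUES (:username, :password, :address)'
    );
    $stmt->execute([
        ':username' => $username,
        // password_hash() applies a salted, deliberately slow hash (bcrypt by default);
        // check logins later with password_verify() rather than comparing hashes yourself.
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':address'  => $address,
    ]);

    // Same server as PHP, so plain mkdir() instead of an FTP round trip.
    $dir = CLIENTS_DIR . '/' . $username;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException("could not create $dir");
    }
}

// Usage from the form handler (request-method and presence checks kept minimal).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    addClient(
        $db,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? ''),
        (string) ($_POST['address'] ?? '')
    );
    echo 'record added';
}
```

Two points worth noticing: the directory name is validated before it is used rather than escaped, because escaping is a database concept and means nothing to the filesystem; and the password column must be wide enough for a password_hash() result (60 characters for bcrypt, more for newer algorithms), which an old sha1 column of 40 characters is not.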
ihavemyownpaddedcell
Forum Newbie
Posts: 2
Joined: Tue Jan 12, 2010 5:16 pm

Re: Help 4 a noob Pls

Post by ihavemyownpaddedcell »

tasairis wrote:
If you're doing something on the same server PHP is running on, you don't need FTP at all.
Just mkdir.

Also,

Code:

$sql="INSERT INTO dbase (username, password, address)
VALUES
('$_POST[username]','$_POST[password]','$_POST[address]')";
is very insecure. If someone put in O'Reilly for the username then the query would be

Code:

INSERT INTO dbase (username, password, address) VALUES ('O'Reilly', 'password', 'address')

That will break the query. If they really wanted to, they could ruin your database with SQL injection.
Also, unless you actually plan on looking up passwords and not just doing basic login username/password checking, you should always hash passwords.
All together, using mysql_real_escape_string (to protect the query) and sha1 (to hash the password),

Code:

$sql="INSERT INTO dbase (username, password, address) VALUES (" .
    "'" . mysql_real_escape_string($_POST["username"]) . "'," .
    "'" . sha1($_POST["password"]) ."'," . // sha1 is safe and is no threat to SQL injection
    "'" . mysql_real_escape_string($_POST["address"]) . "')";
Thank you very much for your help on the matter. I wasn't aware of sql injection or being able to hash pws. As for my problem, solved thanks to your reply dude!

Thanks heaps