Hi everyone
This is my first post on a forum ever, so let me know if I'm doing something wrong...
Having trouble with a PHP form. I want to use a form to insert data into a MySQL database with 3 rows, username, password & url, so I have three field boxes. The problem is I also want a folder created on my server with the same name as one of the fields. Here's my code so far...
<?php
$con = mysql_connect("localhost","user","pass");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("test", $con);
$sql="INSERT INTO dbase (username, password, address)
VALUES
('$_POST[username]','$_POST[password]','$_POST[address]')";
if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
$ftpstream = @ftp_connect('localhost');
$login = @ftp_login($ftpstream, 'ftpuser', 'pass');
if($login) {
    @ftp_mkdir($ftpstream, '/public_html/clients/ THIS BIT I CANT GET TO WORK');
}
ftp_close($ftpstream);
echo "record added";
mysql_close($con)
?>
Any help would be greatly appreciated!
Thanks
Help 4 a noob Pls
Re: Help 4 a noob Pls
If you're doing something on the same server PHP is running on, you don't need FTP at all.
Just mkdir.
Also,
Code:
$sql="INSERT INTO dbase (username, password, address)
VALUES
('$_POST[username]','$_POST[password]','$_POST[address]')";
is very insecure. If someone put in O'Reilly for the username then the query would be
Code:
INSERT INTO dbase (username, password, address) VALUES ('O'Reilly', 'password', 'address')
That will break the query. If they really wanted to, they could ruin your database with SQL injection.
Also, unless you actually plan on looking up passwords and not just doing basic login username/password checking, you should always hash passwords.
All together, using mysql_real_escape_string (to protect the query) and sha1 (to hash the password),
Code:
$sql="INSERT INTO dbase (username, password, address) VALUES (" .
"'" . mysql_real_escape_string($_POST["username"]) . "'," .
"'" . sha1($_POST["password"]) ."'," . // sha1 is safe and is no threat to SQL injection
"'" . mysql_real_escape_string($_POST["address"]) . "')";
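A parameterized version of the insert plus the folder creation, as an added example that is not part of the original thread. It goes beyond the reply by using PDO bound parameters instead of escaping and password_hash() instead of sha1(). The in-memory SQLite database (standing in for MySQL), the function names, the allowlist pattern and the temp directory are assumptions chosen so the script runs stand-alone.

```php
<?php
// Added example; not code from the thread. Assumes PHP >= 5.5 with pdo_sqlite.
// An in-memory SQLite database stands in for the MySQL server (assumption).

// Insert with bound parameters: the values never become part of the SQL text,
// so a quote character in the input cannot change the statement.
function insertClient(PDO $db, array $post)
{
    $stmt = $db->prepare(
        'INSERT INTO dbase (username, password, address) VALUES (:u, :p, :a)'
    );
    $stmt->execute(array(
        ':u' => $post['username'],
        // password_hash() is a salted, slow hash; swapped in here for sha1().
        ':p' => password_hash($post['password'], PASSWORD_DEFAULT),
        ':a' => $post['address'],
    ));
}

// Create the per-client folder with plain mkdir(), after an allowlist check so
// the name cannot contain path separators, dots or quotes (pattern is assumed).
function makeClientDir($baseDir, $name)
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return false;
    }
    $path = $baseDir . '/' . $name;
    return is_dir($path) || mkdir($path, 0755);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dbase (username TEXT, password TEXT, address TEXT)');

// Constructed form input, including the O'Reilly case from the reply.
$post = array('username' => "O'Reilly", 'password' => 'password', 'address' => 'address');
insertClient($db, $post);

// The row round-trips unchanged and the stored hash verifies.
$row = $db->query('SELECT username, password FROM dbase')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === "O'Reilly");
var_dump(password_verify('password', $row['password']));

$baseDir = sys_get_temp_dir() . '/clients_demo';   // assumed location
if (!is_dir($baseDir)) { mkdir($baseDir, 0755, true); }
var_dump(makeClientDir($baseDir, 'oreilly'));    // passes the allowlist
var_dump(makeClientDir($baseDir, "O'Reilly"));   // rejected: contains a quote
```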
ihavemyownpaddedcell
- Forum Newbie
- Posts: 2
- Joined: Tue Jan 12, 2010 5:16 pm
Re: Help 4 a noob Pls
tasairis wrote:
If you're doing something on the same server PHP is running on, you don't need FTP at all.
Just mkdir.
Also,
Code:
$sql="INSERT INTO dbase (username, password, address) VALUES ('$_POST[username]','$_POST[password]','$_POST[address]')";
is very insecure. If someone put in O'Reilly for the username then the query would be
Code:
INSERT INTO dbase (username, password, address) VALUES ('O'Reilly', 'password', 'address')
That will break the query. If they really wanted to, they could ruin your database with SQL injection.
Also, unless you actually plan on looking up passwords and not just doing basic login username/password checking, you should always hash passwords.
All together, using mysql_real_escape_string (to protect the query) and sha1 (to hash the password),
Code:
$sql="INSERT INTO dbase (username, password, address) VALUES (" .
"'" . mysql_real_escape_string($_POST["username"]) . "'," .
"'" . sha1($_POST["password"]) ."'," . // sha1 is safe and is no threat to SQL injection
"'" . mysql_real_escape_string($_POST["address"]) . "')";

Thank you very much for your help on the matter. I wasn't aware of SQL injection or being able to hash pws. As for my problem, solved thanks to your reply dude!
Thanks heaps