php prob

Posted: Wed Jan 29, 2003 6:05 am
by forgun

Code:

@$lk =  mysql_connect($serv , $user , $pass) or die (mysql_error());
while ($lk == false) {
	@$lk =  mysql_connect($serv , $user , $pass) or die (mysql_error());
}
$db = mysql_select_db($dbname , $lk); 
$qur = "INSERT INTO news (id,title, date, time, by, body, email, icq, icon, sing) VALUES (';
$qur .= ' , $_POST['title'], CURDATE(), CURTIME(), $by, $_POST['body'], $email, $icq, $_POST['how'], $_POST['how'])";
$res = mysql_query($qur);

i tried many times to change it or whatever, plz help me

Posted: Wed Jan 29, 2003 7:01 am
by DaZZleD
first of all you have a while statement there that does nothing. if the script fails to connect to the db, it exits, else it passes the while because $lk is not false. you should drop that while statement.

second of all you use double quotes (") to create the $qur variable and you never close them. try this:

Code:

<?php
$qur = "INSERT INTO news (id,title, date, time, by, body, email, icq, icon, sing) VALUES ("; 
$qur .= "'" . $_POST['title'] . "', CURDATE(), CURTIME(), '" . $by . "', '" . $_POST['body'] . "', '" . $email . "', '" . $icq . "', '" . $_POST['how'] . "', '" . $_POST['how'] . "')";
$res = mysql_query($qur);
?>

the thing is mysql needs data that are not functions or numbers entered between quotes. this means that every PHP variable of the query string has to be enclosed between quotes. simple quotes however make the PHP treat variable names as strings and not variables. that's why you need to use concatenation.

and by the way... you missed the $id there... the table requires 10 fields and you provide 9. and the last 2 arguments point to the same variable. 8O

good luck!

Posted: Wed Jan 29, 2003 8:01 am
by Stoker
..and another thing regarding security, using $_POST directly in any type of query or file handling is insane.. ALWAYS check for syntax, or at least escape correctly with strings and make sure numerics are so..

if (!is_numeric($_POST['somenum'])) { /* Do something to fix or abort */ }

$query = 'BLA BLA BLA '.mysql_escape_string(stripslashes($_POST['somestr']));

(Skip stripslashes if your server doesn't have magic_quotes_gpc enabled..)
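
Added example, not part of the thread or any poster's code: the checks described in the post above, applied to the `news` insert with a PDO prepared statement instead of string concatenation (the `mysql_*` functions used in this thread were removed in PHP 7). The `insert_news` helper, the 200-character title limit, the column types and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Assumes the PDO and pdo_sqlite extensions; SQLite stands in for MySQL.
function insert_news(PDO $db, array $post, string $by, string $email, string $icq): int
{
    foreach (['title', 'body', 'how'] as $k) {   // each field present and a plain string
        if (!isset($post[$k]) || !is_string($post[$k])) {
            throw new InvalidArgumentException("missing field: $k");
        }
    }
    $title = trim($post['title']);
    if ($title === '' || strlen($title) > 200) { // 200 is an assumed limit
        throw new InvalidArgumentException('title empty or too long');
    }
    if (!ctype_digit($icq)) {                    // numerics must really be numeric
        throw new InvalidArgumentException('icq must be digits only');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('bad email');
    }
    // Placeholders keep the data out of the SQL text, so a quote in the input
    // cannot change the statement. `by` is a reserved word, hence the backticks.
    $stmt = $db->prepare(
        'INSERT INTO news (title, date, time, `by`, body, email, icq, icon, sing)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([$title, date('Y-m-d'), date('H:i:s'), $by, $post['body'],
                    $email, $icq, $post['how'], $post['how']]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, not silently
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, date TEXT, time TEXT,
           `by` TEXT, body TEXT, email TEXT, icq TEXT, icon TEXT, sing TEXT)');

// Constructed sample input: the apostrophe would break a concatenated query.
$post = ['title' => "Bob's update", 'body' => 'hello', 'how' => 'smile'];
echo insert_news($db, $post, 'admin', 'a@example.com', '123456'), " row inserted\n";
echo $db->query('SELECT title FROM news')->fetchColumn(), "\n"; // stored verbatim

try {
    insert_news($db, $post, 'admin', 'a@example.com', '12abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```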

Posted: Wed Jan 29, 2003 8:28 am
by forgun
mm there is the fix, again the info is not going to the db, i don't know why

Code:

@$lk =  mysql_connect($serv , $user , $pass) or die (mysql_error());
$db = mysql_select_db($dbname , $lk);
$qur = "INSERT INTO news (title, date, time, by, body, email, icq, icon, sing) VALUES (";
$qur .= "'" . $_POST['title'] . "', CURDATE(), CURTIME(), '" . $by . "', '" . $_POST['body'] . "', '" . $email . "', '" . $icq . "', '" . $_POST['how'] . "', '" . $_POST['how'] . "')";
$res = mysql_query($qur);

Posted: Wed Jan 29, 2003 9:54 am
by DeGauss

Code:

@$lk=mysql_connect($serv,$user,$pass) or die (mysql_error());
$db=mysql_select_db($dbname , $lk); 
$qur = "INSERT INTO news (title, date, time, by, body, email, icq, icon, sing) VALUES ('".$_POST['title']."',CURDATE(),CURTIME(),'".$by."','".$_POST['body']."','".$email."','".$icq."','".$_POST['how']."','".$_POST['how']."')"; 
$res = mysql_query($qur);

*shrug*

Looks fine to me. Everything has been escaped properly... What's the specific MySQL error that it throws up?

Posted: Wed Jan 29, 2003 11:48 am
by forgun
that is the point, nothing from the data i have been submitting goes to the db and no kind of error has been shown so far, but the data on the db is still the same

Posted: Wed Jan 29, 2003 12:05 pm
by Stoker
What does it produce if you add something like this at the end

Code:

<?php

   if (!$res) die ('Query failed ('.htmlentities($qur).') -> '.htmlentities(mysql_error()));
   echo mysql_affected_rows(). ' rows affected.<br>';

?>