PHP and mySQL

Posted: Wed Sep 29, 2004 8:11 pm
by Morpheous
Hey,

Anyone know how I could go about making a PHP script that took a form variable, and used it in a mySQL query?

One that looked at a variable already in the table, incremented it by 1, and then put that into the query, would be even better.

Ideas? :mrgreen:

Posted: Wed Sep 29, 2004 8:18 pm
by Lachlan
What part are you needing help with? Doing the query or using the variable? Keep in mind that it's a very bad idea to use any kind of user input directly in a sql query without sanitizing it. That's how sql injections happen. :)

Posted: Wed Sep 29, 2004 8:36 pm
by Morpheous
Lachlan wrote:What part are you needing help with? Doing the query or using the variable? Keep in mind that it's a very bad idea to use any kind of user input directly in a sql query without sanitizing it. That's how sql injections happen. :)

Pretty much everything :p

And it's only using user input for one part of the query, not the whole thing :)

Edit: Check out my new 404 page: http://icarusnetworks.co.uk/idontfuckingexist :x

Posted: Wed Sep 29, 2004 8:53 pm
by Lachlan
Morpheous wrote:Pretty much everything :p


K.. let me whip something up real quick..


Morpheous wrote:And it's only using user input for one part of the query, not the whole thing :)


doesn't matter, someone could encode a quote into their user input, add a union to the sql statement, and change any table they want. That's how Eyejabber.com got hacked. :)

Posted: Wed Sep 29, 2004 9:01 pm
by Lachlan
Code:

// Connection settings
$dbserver = "localhost";
$dbname = "mydb";
$dbuname = "dbuser";
$dbpass = "letmein";

// Connect to the server and select the database
$database = mysql_connect($dbserver, $dbuname, $dbpass);

mysql_select_db($dbname);

// User input is concatenated straight into the SQL text (no sanitizing)
$query = "select * from dummy_table where dummy_field = '".$user_input."'";

$result = mysql_query($query);
$xnum = mysql_num_fields($result);   // number of columns in the result
$rowNum = mysql_num_rows($result);   // number of rows in the result

// Read all the data in the table
for ($j = 0; $j<$rowNum; ++$j)
{
    $row = mysql_fetch_array($result);
    $currTable[$j]=$row;
}



That's real quick, off-the-cuff and includes no sanitizing or error checking.. I haven't tested it, but I think it'll work :)
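
Added example, not part of the post above or of anyone's code in this thread: the same lookup written once with string concatenation and once as a prepared statement, plus the "increment the stored value by 1" update asked about in the first post. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the `hits` column, the function names and the two sample inputs are made up for the illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL server; against MySQL
// only the DSN changes, e.g. new PDO('mysql:host=localhost;dbname=mydb', $user, $pass).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE dummy_table (dummy_field TEXT PRIMARY KEY, hits INTEGER NOT NULL DEFAULT 0)");
$db->exec("INSERT INTO dummy_table (dummy_field, hits) VALUES ('alice', 3), ('bob', 7)");

// Constructed form input: one ordinary value and one that carries a quote.
$inputs = ["alice", "nobody' OR '1'='1"];

// Concatenation, as in the snippet above: the input becomes part of the SQL text,
// so a quote inside it changes what the statement means.
function lookup_concat(PDO $db, string $user_input): array {
    $query = "SELECT * FROM dummy_table WHERE dummy_field = '" . $user_input . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the input is bound as a value,
// so it can only ever be compared against dummy_field.
function lookup_prepared(PDO $db, string $user_input): array {
    $stmt = $db->prepare("SELECT * FROM dummy_table WHERE dummy_field = ?");
    $stmt->execute([$user_input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Increment the stored value inside the database in a single statement,
// instead of reading it into PHP, adding 1 and writing it back.
function increment_hits(PDO $db, string $user_input): int {
    $stmt = $db->prepare("UPDATE dummy_table SET hits = hits + 1 WHERE dummy_field = ?");
    $stmt->execute([$user_input]);
    return $stmt->rowCount(); // number of rows actually changed
}

foreach ($inputs as $in) {
    printf("%-22s concat=%d row(s)  prepared=%d row(s)  updated=%d\n",
        $in, count(lookup_concat($db, $in)), count(lookup_prepared($db, $in)),
        increment_hits($db, $in));
}
```

Comparing the `concat` and `prepared` row counts for the second input shows the difference: the concatenated query treats the quote as SQL, the bound parameter treats the whole string as a name that matches nothing.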

Posted: Thu Sep 30, 2004 1:41 am
by VampeD
I want to be morph. When I was 12 I umm. I can't remember when I was 12.

Posted: Thu Sep 30, 2004 5:20 pm
by Morpheous
Lachlan, I wub you :)

Edit: Think I got that, I got a form on the page- how do I get it to load it? Or might using 2 pages and a HTTP POST form be best with a get_url_var tag?


And yeah Vamped, it's good to be 12. Except the whole legal side of life. Damn the under-18s-cant-sign-nda shit :banghead:

Posted: Thu Sep 30, 2004 5:29 pm
by Lachlan
Morpheous wrote:Edit: Think I got that, I got a form on the page- how do I get it to load it? Or might using 2 pages and a HTTP POST form be best with a get_url_var tag?


There's two ways you can do that. You can either use a form that has your PHP script as its "action" or you can have some kind of flag that if not set will make your php script actually put the form and call itself as the "action" ($PHP_SELF).

Either way, it's as simple as setting a named input in your form and then referencing that name with a dollar sign in front of it.

In html:

<input name="test">

In php:

echo $test;

Posted: Thu Sep 30, 2004 5:54 pm
by Morpheous
Lachlan wrote:
Morpheous wrote:Edit: Think I got that, I got a form on the page- how do I get it to load it? Or might using 2 pages and a HTTP POST form be best with a get_url_var tag?


There's two ways you can do that. You can either use a form that has your PHP script as its "action" or you can have some kind of flag that if not set will make your php script actually put the form and call itself as the "action" ($PHP_SELF).

Either way, it's as simple as setting a named input in your form and then referencing that name with a dollar sign in front of it.

In html:

<input name="test">

In php:

echo $test;


After experimentation, I have decided that my server must have some kinda thing against variables. :)

Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Database insert test</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p>&nbsp; </p>
 <form action="testdb.php" method="get" onSubmit="<?php
$username = username
$dbserver = "localhost";
$dbname = "icarus_codevault";
$dbuname = "icarus_codevault";
$dbpass = "codevault";
// Don't lecture me about security, that's the test pwd :)

$database = mysql_connect($dbserver, $dbuname, $dbpass);

mysql_select_db($dbname);

$query = "INSERT INTO `codevault_users` (`userid`, `username`, `password`, `fullname`, `email`, `theme`, `admin`) VALUES ('', '"$username"', '4cb9c8a8048fd02294477fcb1a41191a', '', '', 'facade', '0');";

$result = mysql_query($query);
$xnum = mysql_num_fields($result);
$rowNum = mysql_num_rows($result);

// Read all the data in the table [Removed because i'm writing... :x]
//for ($j = 0; $j<$rowNum; ++$j)
//{
  //  $row = mysql_fetch_array($result);
    //$currTable[$j]=$row;
//}
?>">
  <input name="username" type="text" id="username">
  <input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>

Posted: Thu Sep 30, 2004 6:12 pm
by Lachlan
Try this:


Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Database insert test</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p>&nbsp; </p>

<?php

if ($username == "")
{

   echo "<form action=\"testdb.php\" method=\"POST\">\n";
   echo "<input name=\"username\" type=\"text\" id=\"username\">\n";
   echo "<input type=\"submit\" name=\"Submit\" value=\"Submit\">"\n;
   echo "</form>\n";
}
else
{
   $dbserver = "localhost";
   $dbname = "icarus_codevault";
   $dbuname = "icarus_codevault";
   $dbpass = "codevault";
   // Don't lecture me about security, that's the test pwd :)

   $database = mysql_connect($dbserver, $dbuname, $dbpass);

   mysql_select_db($dbname);

   $query = "INSERT INTO `codevault_users` (`userid`, `username`, `password`, `fullname`, `email`, `theme`, `admin`) VALUES ('', '"$username"', '4cb9c8a8048fd02294477fcb1a41191a', '', '', 'facade', '0');";
 
   $result = mysql_query($query);
   
   if (mysql_num_rows($result) > 0)
   {
       echo "Insert successful";
   }
   else
   {
       echo "Insert failed";
    }
?>

</body>
</html>

Posted: Thu Sep 30, 2004 6:19 pm
by Morpheous
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/icarus/public_html/testdb.php on line 17

Parse error: parse error, unexpected T_STRING, expecting ',' or ';' in /home/icarus/public_html/testdb.php on line 17

Btw you are God :)

Posted: Thu Sep 30, 2004 6:31 pm
by Lachlan
Morpheous wrote:Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/icarus/public_html/testdb.php on line 17

Parse error: parse error, unexpected T_STRING, expecting ',' or ';' in /home/icarus/public_html/testdb.php on line 17


Change this line:

Code:
echo "<input type=\"submit\" name=\"Submit\" value=\"Submit\">"\n;


to

Code:
echo "<input type=\"submit\" name=\"Submit\" value=\"Submit\">\n";


(quote goes after \n)..

also, to be better code, change

Code:
echo "<form action=\"testdb.php\" method=\"POST\">\n";


to

Code:
echo "<form action=\"$PHP_SELF\" method=\"POST\">\n";

Posted: Thu Sep 30, 2004 6:43 pm
by Morpheous
SEX :mrgreen:

Parse error: parse error, unexpected T_VARIABLE in /home/icarus/public_html/testdb.php on line 32

Back to square one on that front
:banghead:

Posted: Thu Sep 30, 2004 6:45 pm
by [TgR]KILLER
guys.. won't it be easier to both install and use irc or msn or something to that effect ? ;x

Posted: Thu Sep 30, 2004 6:48 pm
by Morpheous
[TgR]KILLER wrote:guys.. won't it be easier to both install and use irc or msn or something to that effect ? ;x


Both have limits on message length :P