PHP and mySQL

Postby Morpheous » Wed Sep 29, 2004 8:11 pm

Hey,

Anyone know how I could go about making a PHP script that took a form variable, and used it in a mySQL query?

One that looked at a variable already in the table, incremented it by 1, and then put that into the query, would be even better.

Ideas? :mrgreen:
Last edited by Morpheous on Wed Sep 29, 2004 8:37 pm, edited 1 time in total.
Morpheous
THN Addicted
 
Posts: 735
Joined: Tue Oct 07, 2003 6:30 am
Location: UK, Oxfordshire

Postby Lachlan » Wed Sep 29, 2004 8:18 pm

What part are you needing help with? Doing the query or using the variable? Keep in mind that it's a very bad idea to use any kind of user input directly in a sql query without sanitizing it. That's how sql injections happen. :)
Lachlan
THN User
 
Posts: 73
Joined: Thu Dec 11, 2003 6:53 am
Location: No longer who you think I am.

Postby Morpheous » Wed Sep 29, 2004 8:36 pm

Lachlan wrote:What part are you needing help with? Doing the query or using the variable? Keep in mind that it's a very bad idea to use any kind of user input directly in a sql query without sanitizing it. That's how sql injections happen. :)

Pretty much everything :p

And it's only using user input for one part of the query, not the whole thing :)

Edit: Check out my new 404 page: http://icarusnetworks.co.uk/idontfuckingexist :x
Morpheous
THN Addicted
 
Posts: 735
Joined: Tue Oct 07, 2003 6:30 am
Location: UK, Oxfordshire

Postby Lachlan » Wed Sep 29, 2004 8:53 pm

Morpheous wrote:Pretty much everything :p


K.. let me whip something up real quick..


Morpheous wrote:And it's only using user input for one part of the query, not the whole thing :)


Doesn't matter, someone could encode a quote into their user input, add a union to the sql statement, and change any table they want. That's how Eyejabber.com got hacked. :)
Lachlan
THN User
 
Posts: 73
Joined: Thu Dec 11, 2003 6:53 am
Location: No longer who you think I am.

Postby Lachlan » Wed Sep 29, 2004 9:01 pm

Code: Select all

$dbserver = "localhost";
$dbname = "mydb";
$dbuname = "dbuser";
$dbpass = "letmein";

$database = mysql_connect($dbserver, $dbuname, $dbpass);

mysql_select_db($dbname);

$query = "select * from dummy_table where dummy_field = '".$user_input."'";

$result = mysql_query($query);
$xnum = mysql_num_fields($result);
$rowNum = mysql_num_rows($result);

// Read all the data in the table
for ($j = 0; $j<$rowNum; ++$j)
{
    $row = mysql_fetch_array($result);
    $currTable[$j]=$row;
}



That's real quick, off-the-cuff and includes no sanitizing or error checking.. I haven't tested it, but I think it'll work :)
Lachlan
THN User
 
Posts: 73
Joined: Thu Dec 11, 2003 6:53 am
Location: No longer who you think I am.
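
The point about a quote in "one part of the query", shown as an added example (not code from this thread): the same constructed input is run through a concatenated query like the one posted above and through a prepared statement. It assumes PHP with the PDO SQLite driver and uses an in-memory table in place of the MySQL database in the post; the table contents, function names and input are constructed.

```php
<?php
// Added example: constructed table and input, not code from the thread.
// PDO with an in-memory SQLite database, so it runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE dummy_table (id INTEGER PRIMARY KEY, dummy_field TEXT, secret TEXT)");
$db->exec("INSERT INTO dummy_table (dummy_field, secret) VALUES ('alice', 'a-secret')");
$db->exec("INSERT INTO dummy_table (dummy_field, secret) VALUES ('bob', 'b-secret')");

// Concatenation, as in the posted query: the input becomes part of the SQL text,
// so a quote inside it ends the string literal and the rest is parsed as SQL.
function lookup_concatenated(PDO $db, string $user_input): array
{
    $query = "SELECT * FROM dummy_table WHERE dummy_field = '" . $user_input . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed when it is prepared and the input
// is bound as a value, so it can only ever be compared against dummy_field.
function lookup_prepared(PDO $db, string $user_input): array
{
    $stmt = $db->prepare("SELECT * FROM dummy_table WHERE dummy_field = ?");
    $stmt->execute([$user_input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: it fills only one field of the query, but carries a quote.
$user_input = "nobody' OR '1'='1";

printf("concatenated query: %d rows\n", count(lookup_concatenated($db, $user_input)));
printf("prepared statement: %d rows\n", count(lookup_prepared($db, $user_input)));
printf("prepared, plain input 'alice': %d rows\n", count(lookup_prepared($db, 'alice')));
```

The row counts printed for the two functions differ for the same input, which is the whole difference between building SQL text from input and binding input as a value.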

Postby VampeD » Thu Sep 30, 2004 1:41 am

I want to be morph. When I was 12 I umm. I can't remember when I was 12.
VampeD
THN fan
 
Posts: 140
Joined: Wed Dec 31, 2003 2:47 am
Location: WoW. server Illidan. char BlackwooD ofcorse

Postby Morpheous » Thu Sep 30, 2004 5:20 pm

Lachlan, I wub you :)

Edit: Think I got that, I got a form on the page- how do I get it to load it? Or might using 2 pages and a HTTP POST form be best with a get_url_var tag?


And yeah Vamped, it's good to be 12. Except the whole legal side of life. Damn the under-18s-cant-sign-nda shit :banghead:
Morpheous
THN Addicted
 
Posts: 735
Joined: Tue Oct 07, 2003 6:30 am
Location: UK, Oxfordshire

Postby Lachlan » Thu Sep 30, 2004 5:29 pm

Morpheous wrote:Edit: Think I got that, I got a form on the page- how do I get it to load it? Or might using 2 pages and a HTTP POST form be best with a get_url_var tag?


There's two ways you can do that. You can either use a form that has your PHP script as its "action" or you can have some kind of flag that if not set will make your php script actually put the form and call itself as the "action" ($PHP_SELF).

Either way, it's as simple as setting a named input in your form and then referencing that name with a dollar sign in front of it.

In html:

<input name="test">

In php:

echo $test;
Lachlan
THN User
 
Posts: 73
Joined: Thu Dec 11, 2003 6:53 am
Location: No longer who you think I am.

Postby Morpheous » Thu Sep 30, 2004 5:54 pm

Lachlan wrote:
Morpheous wrote:Edit: Think I got that, I got a form on the page- how do I get it to load it? Or might using 2 pages and a HTTP POST form be best with a get_url_var tag?


There's two ways you can do that. You can either use a form that has your PHP script as its "action" or you can have some kind of flag that if not set will make your php script actually put the form and call itself as the "action" ($PHP_SELF).

Either way, it's as simple as setting a named input in your form and then referencing that name with a dollar sign in front of it.

In html:

<input name="test">

In php:

echo $test;


After experimentation, I have decided that my server must have some kinda thing against variables. :)

Code: Select all
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Database insert test</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p>&nbsp; </p>
 <form action="testdb.php" method="get" onSubmit="<?php
$username = username
$dbserver = "localhost";
$dbname = "icarus_codevault";
$dbuname = "icarus_codevault";
$dbpass = "codevault";
// Don't lecture me about security, that's the test pwd :)

$database = mysql_connect($dbserver, $dbuname, $dbpass);

mysql_select_db($dbname);

$query = "INSERT INTO `codevault_users` (`userid`, `username`, `password`, `fullname`, `email`, `theme`, `admin`) VALUES ('', '"$username"', '4cb9c8a8048fd02294477fcb1a41191a', '', '', 'facade', '0');";

$result = mysql_query($query);
$xnum = mysql_num_fields($result);
$rowNum = mysql_num_rows($result);

// Read all the data in the table [Removed because i'm writing... :x]
//for ($j = 0; $j<$rowNum; ++$j)
//{
  //  $row = mysql_fetch_array($result);
    //$currTable[$j]=$row;
//}
?>">
  <input name="username" type="text" id="username">
  <input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
Morpheous
THN Addicted
 
Posts: 735
Joined: Tue Oct 07, 2003 6:30 am
Location: UK, Oxfordshire

Postby Lachlan » Thu Sep 30, 2004 6:12 pm

Try this:


Code: Select all
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Database insert test</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p>&nbsp; </p>

<?php

if ($username == "")
{

   echo "<form action=\"testdb.php\" method=\"POST\">\n";
   echo "<input name=\"username\" type=\"text\" id=\"username\">\n";
   echo "<input type=\"submit\" name=\"Submit\" value=\"Submit\">"\n;
   echo "</form>\n";
}
else
{
   $dbserver = "localhost";
   $dbname = "icarus_codevault";
   $dbuname = "icarus_codevault";
   $dbpass = "codevault";
   // Don't lecture me about security, that's the test pwd :)

   $database = mysql_connect($dbserver, $dbuname, $dbpass);

   mysql_select_db($dbname);

   $query = "INSERT INTO `codevault_users` (`userid`, `username`, `password`, `fullname`, `email`, `theme`, `admin`) VALUES ('', '"$username"', '4cb9c8a8048fd02294477fcb1a41191a', '', '', 'facade', '0');";
 
   $result = mysql_query($query);
   
   if (mysql_num_rows($result) > 0)
   {
       echo "Insert successful";
   }
   else
   {
       echo "Insert failed";
    }
?>

</body>
</html>
Lachlan
THN User
 
Posts: 73
Joined: Thu Dec 11, 2003 6:53 am
Location: No longer who you think I am.
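
Added example (not code from this thread) of the same form-to-INSERT flow with the field read explicitly from the request array and bound as a parameter, plus the single-statement increment asked about in the first post. It assumes PHP with the PDO SQLite driver and an in-memory database; the `logins` column, the function names and the sample inputs are constructed, and against MySQL the same prepare/execute calls apply with a `mysql:` DSN.

```php
<?php
// Added example, not code from the thread. The reduced table layout, the
// logins counter and the in-memory SQLite database are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE codevault_users (userid INTEGER PRIMARY KEY, username TEXT, logins INTEGER NOT NULL DEFAULT 0)");

// Insert a user from form input. Returns true when exactly one row was written.
function add_user(PDO $db, array $post): bool
{
    // Read the field from the request array explicitly instead of relying on
    // a bare $username global, and reject anything outside the expected shape.
    $ok = isset($post['username']) && is_string($post['username']);
    $username = $ok ? trim($post['username']) : '';
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO codevault_users (username) VALUES (?)");
    $stmt->execute([$username]);
    // For INSERT and UPDATE the success check is the affected-row count;
    // there is no result set to count rows in.
    return $stmt->rowCount() === 1;
}

// Increment a stored value in one statement, so the database does the
// read-add-write and two concurrent requests cannot lose an update.
function count_login(PDO $db, string $username): int
{
    $stmt = $db->prepare("UPDATE codevault_users SET logins = logins + 1 WHERE username = ?");
    $stmt->execute([$username]);
    $read = $db->prepare("SELECT logins FROM codevault_users WHERE username = ?");
    $read->execute([$username]);
    return (int) $read->fetchColumn();
}

// Constructed stand-ins for $_POST.
var_dump(add_user($db, ['username' => 'morph']));         // well-formed name
var_dump(add_user($db, ['username' => "x', '1'); --"]));  // fails the shape check
var_dump(count_login($db, 'morph'));
var_dump(count_login($db, 'morph'));
```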

Postby Morpheous » Thu Sep 30, 2004 6:19 pm

Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/icarus/public_html/testdb.php on line 17

Parse error: parse error, unexpected T_STRING, expecting ',' or ';' in /home/icarus/public_html/testdb.php on line 17

Btw you are God :)
Morpheous
THN Addicted
 
Posts: 735
Joined: Tue Oct 07, 2003 6:30 am
Location: UK, Oxfordshire

Postby Lachlan » Thu Sep 30, 2004 6:31 pm

Morpheous wrote:Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/icarus/public_html/testdb.php on line 17

Parse error: parse error, unexpected T_STRING, expecting ',' or ';' in /home/icarus/public_html/testdb.php on line 17


Change this line:

Code: Select all
echo "<input type=\"submit\" name=\"Submit\" value=\"Submit\">"\n;


to

Code: Select all
echo "<input type=\"submit\" name=\"Submit\" value=\"Submit\">\n";


(quote goes after \n)..

also, to be better code, change

Code: Select all
echo "<form action=\"testdb.php\" method=\"POST\">\n";


to

Code: Select all
echo "<form action=\"$PHP_SELF\" method=\"POST\">\n";
Lachlan
THN User
 
Posts: 73
Joined: Thu Dec 11, 2003 6:53 am
Location: No longer who you think I am.

Postby Morpheous » Thu Sep 30, 2004 6:43 pm

SEX :mrgreen:

Parse error: parse error, unexpected T_VARIABLE in /home/icarus/public_html/testdb.php on line 32

Back to square one on that front
:banghead:
Morpheous
THN Addicted
 
Posts: 735
Joined: Tue Oct 07, 2003 6:30 am
Location: UK, Oxfordshire

Postby [TgR]KILLER » Thu Sep 30, 2004 6:45 pm

guys.. won't it be easier to both install and use irc or msn or something to that effect ? ;x
[TgR]KILLER
THN Whore
 
Posts: 1569
Joined: Tue Aug 19, 2003 11:57 am
Location: Holland

Postby Morpheous » Thu Sep 30, 2004 6:48 pm

[TgR]KILLER wrote:guys.. won't it be easier to both install and use irc or msn or something to that effect ? ;x


Both have limits on message length :P
Morpheous
THN Addicted
 
Posts: 735
Joined: Tue Oct 07, 2003 6:30 am
Location: UK, Oxfordshire
