simple html php insert mysql problem
I am trying to insert some data from HTML forms into my MySQL database server.
Here is my html-code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Add events</title>
</head>
<body>
<form action="addevents.php" method="post">
id: <input type="text" name="eventID" />
<br></br>
larmkod: <input type="text" name="larmkod" />
<br></br>
idArduinoT: <input type="text" name="idArduinoT" />
<br></br>
handelse: <input type="text" name="handelse" />
<br></br>
tid: <input type="text" name="tid" />
<br></br>
rumNr: <input type="text" name="rumNr" />
<br></br>
inneboendeNamn: <input type="text" name="inneboendeNamn" />
<br></br>
overvakare: <input type="text" name="overvakare" />
<input type="submit" />
</form>
</body>
</html>
Here is my php-code:
<?php
$con = mysql_connect("localhost","humhum","humhum");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("arduino_db",$con;
$sql="INSERT INTO events (eventID, larmkod, idArduinoT, handelse, tid, rumNr, inneboendeNamn, overvakare)
VALUES
('$_POST[eventID]', '$_POST[larmkod]', '$_POST[idArduinoT]', '$_POST[handelse]', '$_POST[tid]', '$_POST[rumNr]',
'$_POST[inneboendeNamn]', '$_POST[overvakare]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con)
?>
I don't see the problem, do you? eventID is the primary key.
Let's see... Syntax errors:
mysql_select_db("arduino_db",$con;
                                 ^ missing )
SQL injection errors:
$sql="INSERT INTO events (eventID, larmkod, idArduinoT, handelse, tid, rumNr, inneboendeNamn, overvakare)
VALUES
('$_POST[eventID]', '$_POST[larmkod]', '$_POST[idArduinoT]', '$_POST[handelse]', '$_POST[tid]', '$_POST[rumNr]',
'$_POST[inneboendeNamn]', '$_POST[overvakare]')";
If any of the form fields contain a ', your query statement will be invalid. As well, little Bobby Tables will have a field day with your system.
Your query is wrong ;)
Try this:
$sql="INSERT INTO events (eventID, larmkod, idArduinoT, handelse, tid, rumNr, inneboendeNamn, overvakare)
VALUES
('{$_POST['eventID']}', '{$_POST['larmkod']}', '{$_POST['idArduinoT']}', '{$_POST['handelse']}', '{$_POST['tid']}', '{$_POST['rumNr']}',
'{$_POST['inneboendeNamn']}', '{$_POST['overvakare']}')";
Look @ your escaping
And edit
mysql_select_db("arduino_db",$con;
Into
mysql_select_db("arduino_db",$con);
You need to work on your security btw. This is really insecure!
$sql="INSERT INTO events (eventID, larmkod, idArduinoT, handelse, tid, rumNr, inneboendeNamn, overvakare)
VALUES
('$_POST[eventID]', '$_POST[larmkod]', '$_POST[idArduinoT]', '$_POST[handelse]', '$_POST[tid]', '$_POST[rumNr]',
'$_POST[inneboendeNamn]', '$_POST[overvakare]')";
Each one of those references to POST is somewhat ambiguous, and raises a notice-level error due to the unquoted string. Less ambiguous syntax:
$sql="INSERT INTO events (eventID, larmkod, idArduinoT, handelse, tid, rumNr, inneboendeNamn, overvakare)
VALUES
('{$_POST['eventID']}', '{$_POST['larmkod']}', '{$_POST['idArduinoT']}', '{$_POST['handelse']}', '{$_POST['tid']}', '{$_POST['rumNr']}',
'{$_POST['inneboendeNamn']}', '{$_POST['overvakare']}')";
However, this will still result in a SQL error, or even worse, SQL injection should any value contain a ' char (among others). These values should, at a minimum, be run through mysql_real_escape_string(). Alternately, use parameterized queries.
If there are other issues, your best bet will be turning up your error logging, and tailing the relevant log file. Your apache error_log may be a good place to start.
Also consider running php -l to detect parse-time errors (runtime errors still won't turn up until runtime, however).
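The parameterized-query approach mentioned in the last answer, as an added example that is not part of the original thread: the INSERT from the question rewritten with PDO named placeholders, so a value containing ' is stored as data instead of changing the statement. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the column types are guessed, and `FIELDS` and `insertEvent()` are hypothetical names.

```php
<?php
// Added example: parameterized INSERT for the events form using PDO.
// Assumption: SQLite in memory replaces MySQL so this runs offline; against MySQL
// the DSN would look like "mysql:host=localhost;dbname=arduino_db;charset=utf8mb4".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw

// Constructed schema: column names from the question, types assumed.
$pdo->exec('CREATE TABLE events (
    eventID INTEGER PRIMARY KEY, larmkod TEXT, idArduinoT TEXT, handelse TEXT,
    tid TEXT, rumNr TEXT, inneboendeNamn TEXT, overvakare TEXT)');

// Hypothetical constant: the form fields, which are also the column names.
const FIELDS = ['eventID', 'larmkod', 'idArduinoT', 'handelse',
                'tid', 'rumNr', 'inneboendeNamn', 'overvakare'];

// Hypothetical helper: validates the submitted fields and inserts one row.
function insertEvent(PDO $pdo, array $post): void
{
    $params = [];
    foreach (FIELDS as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or non-string field: $f");
        }
        $params[":$f"] = $post[$f];
    }
    if (!ctype_digit($params[':eventID'])) {
        throw new InvalidArgumentException('eventID must be a non-negative integer');
    }
    // The SQL text is fixed; user values travel separately as bound parameters.
    $sql = 'INSERT INTO events (' . implode(', ', FIELDS) . ')
            VALUES (:' . implode(', :', FIELDS) . ')';
    $pdo->prepare($sql)->execute($params);
}

// Constructed stand-in for $_POST, with quote characters in two fields.
$post = [
    'eventID' => '1', 'larmkod' => 'A12', 'idArduinoT' => '7',
    'handelse' => 'door opened', 'tid' => '2011-05-01 10:00:00', 'rumNr' => '3',
    'inneboendeNamn' => "O'Brien", 'overvakare' => "x'); DROP TABLE events; --",
];
insertEvent($pdo, $post);

// Read the row back: both values come out exactly as submitted.
$row = $pdo->query('SELECT inneboendeNamn, overvakare FROM events WHERE eventID = 1')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['inneboendeNamn'] === $post['inneboendeNamn']);
var_dump($row['overvakare'] === $post['overvakare']);
echo $pdo->query('SELECT COUNT(*) FROM events')->fetchColumn(), " record(s) in events\n";
```

A second call with the same eventID throws a PDOException for the primary-key violation, which the caller can catch and report instead of echoing the raw database error to the browser.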