Problems with MySQL database
I edited the code and now the page loads and everything, but it does not insert into the database:
<body>
<?php
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
require("serverInfo.php");
mysql_query("UPDATE `cardLists` SET `AmountLeft` = `AmountLeft` + ".mysql_real_escape_string($_POST['Add'])." WHERE `cardID` = '".mysql_real_escape_string($_POST['Cards'])."'");
echo "\"" .$_POST['Add'] ."\" has been added to the inventory amount for the card \"". $_POST['Cards']. "\"";
mysql_query("INSERT INTO `log` (`changes`, `amount`, `cardID`, `person`, `date`)VALUES('ADDED',".mysql_real_escape_string($_POST['Add']).",
".mysql_real_escape_string($_POST['Cards']).",".mysql_real_escape_string($_POST['Person']).", NOW())") or die (mysql_error());
mysql_close($link);
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<?php require("serverInfo.php"); ?>
<?php
$res = mysql_query("SELECT * FROM cardLists order by cardID") or die(mysql_error());
echo "<select name = 'Cards'>";
while($row=mysql_fetch_assoc($res)) {
echo "<option value=\"$row[cardID]\">$row[cardID]</option>";
}
echo "</select>";
?>
Amount to Add: <input type="text" name="Add" maxlength="8" />
Changes Made By: <select name="Person">
<option value="justin">Justin</option>
<option value="chris">Chris</option>
<option value="matt">Matt</option>
<option value="dan">Dan</option>
<option value="tim">Tim</option>
<option value="amanda">Amanda</option>
</select>
<input type="submit" name ="submit" onClick= "return confirm(
'Are you sure you want to add this amount?');">
</form>
<br />
<input type="button" name="main" value="Return To Main" onclick="window.location.href='index.php';" />
</body>
</html>
In addition to the Date reserved word pointed out by dnagirl:
....VALUES('ADDED','$_POST['Add']'....
You can't use ['x'] here. You might try:
....VALUES('ADDED','{$_POST['Add']}'....
Or this, which is OK in a string literal, but questionable because it's wrong outside one:
....VALUES('ADDED','$_POST[Add]'....
But that's still an SQL injection. You'd need:
....VALUES('ADDED','".mysql_real_escape_string($_POST['Add'])."'....
And this:
"... + ".mysql_real_escape_string($_POST['Add'])." ... "
You've not put single quotes around that literal, so despite the escape call, you've still got SQL injection. Either put quotes around it, or if you want to ensure it's always an integer, use intval.
(Parameterised queries are good, you know.)
mysql_close($link);
What's that supposed to be doing? Where has $link come from?
... action="<?php echo $_SERVER['PHP_SELF']; ?>" ...
echo "<option value=\"$row[cardID]\">$row[cardID]</option>";
echo "\"" .$_POST['Add'] ."\" has been added ..."
HTML injection (XSS risk). Remember your htmlspecialchars.
onClick= "return confirm('Are you sure you want to add this amount?');"
Use form onsubmit for this.
INSERT INTO `log`
(`changes`, `amount`, `cardID`, `person`, Date) //PROBLEM: Date is a reserved word
VALUES
('ADDED','$_POST['Add']','$_POST['Cards']', '$_POST['Person']', NOW())
The column Date is a reserved word. Either quote it or change it to a non-reserved word.
I would echo the line
"INSERT INTO `log` (`changes`, `amount`, `cardID`, `person`, Date)VALUES('ADDED','$_POST['Add']','$_POST['Cards']', '$_POST['Person']', NOW())"
with parameter values filled in, and Date replaced of course, and then put it manually in the database.
And use the return value of mysql_query, and use mysql_error:
if (!mysql_query("SELECT * FROM nonexistenttable", $link)) {
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
}
EDIT
$var="INSERT INTO `log` (`changes`, `amount`, `cardID`, `person`, Date)VALUES('ADDED','$_POST['Add']','$_POST['Cards']', '$_POST['Person']', NOW())";
echo $var; // will show up in logs
mysql_query($var);
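Added example (not the asker's code or any answerer's): the POST handler and card dropdown from the question rewritten the way the answers above suggest. It uses PDO prepared statements instead of string-concatenated mysql_query(), validates the amount as an integer and the person against a fixed list, back-quotes `date` because DATE is a reserved word, escapes everything it echoes with htmlspecialchars, and sets PDO::ERRMODE_EXCEPTION so a failing query surfaces the real MySQL error (the point of the last answer) instead of silently inserting nothing. The DSN, credentials and `cards` database name are placeholder assumptions; table and column names are the ones in the question.

```php
<?php
// Added example, not the question's code. DSN/credentials below are placeholders.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=cards;charset=utf8mb4'; // assumption
const DB_USER = 'cards_app';                                         // assumption
const DB_PASS = 'change-me';                                         // assumption

// Only these names may reach `log`.`person`; the <select> in the form is not trusted.
const PEOPLE = ['justin', 'chris', 'matt', 'dan', 'tim', 'amanda'];

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failing query throws, never returns false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares: data never meets SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::MYSQL_ATTR_FOUND_ROWS   => true,                   // rowCount() = rows matched, not rows changed
    ]);
}

/** Check the three form fields; returns [amount, cardID, person] or throws. */
function validateInput(array $post): array
{
    // Whole number 1..99999999 (the form's maxlength is 8). Validate rather than intval():
    // intval("12abc") is 12 and intval("abc") is 0, both silently accepted.
    if (!isset($post['Add']) || !is_string($post['Add']) || !preg_match('/^[1-9][0-9]{0,7}$/', $post['Add'])) {
        throw new InvalidArgumentException('Amount to Add must be a whole number from 1 to 99999999');
    }
    if (!isset($post['Cards']) || !is_string($post['Cards']) || $post['Cards'] === '') {
        throw new InvalidArgumentException('No card selected');
    }
    if (!isset($post['Person']) || !in_array($post['Person'], PEOPLE, true)) {
        throw new InvalidArgumentException('Unknown person');
    }
    return [(int) $post['Add'], $post['Cards'], $post['Person']];
}

/** Apply the stock change and write the log row in one transaction. */
function addToInventory(PDO $pdo, int $amount, string $cardID, string $person): void
{
    $pdo->beginTransaction();
    try {
        $upd = $pdo->prepare('UPDATE `cardLists` SET `AmountLeft` = `AmountLeft` + :amt WHERE `cardID` = :card');
        $upd->bindValue(':amt', $amount, PDO::PARAM_INT);
        $upd->bindValue(':card', $cardID, PDO::PARAM_STR);
        $upd->execute();
        if ($upd->rowCount() !== 1) {
            throw new RuntimeException('No such cardID');
        }
        // `date` is back-quoted: DATE is a reserved word in MySQL.
        $log = $pdo->prepare(
            'INSERT INTO `log` (`changes`, `amount`, `cardID`, `person`, `date`)'
            . " VALUES ('ADDED', :amt, :card, :person, NOW())"
        );
        $log->bindValue(':amt', $amount, PDO::PARAM_INT);
        $log->bindValue(':card', $cardID, PDO::PARAM_STR);
        $log->bindValue(':person', $person, PDO::PARAM_STR);
        $log->execute();
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e; // caller decides what to show; the MySQL message is in $e->getMessage()
    }
}

/** HTML-escape for output; cardID values are data, not markup. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The <option> list for the Cards dropdown, escaped. */
function cardOptions(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT `cardID` FROM `cardLists` ORDER BY `cardID`') as $row) {
        $id = h((string) $row['cardID']);
        $html .= "<option value=\"$id\">$id</option>\n";
    }
    return $html;
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        [$amount, $cardID, $person] = validateInput($_POST);
        addToInventory(connect(), $amount, $cardID, $person);
        echo '"' . $amount . '" has been added to the inventory amount for the card "' . h($cardID) . '"';
    } catch (PDOException $e) {          // before RuntimeException: PDOException extends it
        error_log('inventory update failed: ' . $e->getMessage()); // full MySQL error to the server log only
        echo 'Database error; check the server log.';
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo h($e->getMessage());
    }
}
```

The form keeps the question's markup, with two changes: the confirm() moves from the submit button's onClick to the form's onsubmit attribute, and the hand-rolled option loop becomes `<?= cardOptions(connect()) ?>`. Because PDO throws on failure, a typo in a column name or a reserved-word clash shows up in the server log as the MySQL error text rather than as a page that "loads and everything" but inserts nothing.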