PHP Beginners Help

on 03.01.2008 03:57:00 by Ben Stones


Hello, my name is Ben Stones. I am quite a beginner to PHP, and as a New
Year's resolution I am going to learn PHP (finally!)

Cut to the chase: I have created a basic looping script that would display
anything submitted in a form, on separate lines; here is the PHP code:

$con = mysql_connect("localhost","ben_test","------removed-----") or
die("con");
$db = mysql_select_db("ben_test") or die("db");
mysql_query("CREATE TABLE `comments` (messages varchar(255))");
$comments = $_POST['comment'];
$sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES
($comments)");
$mysql_query_one = mysql_query("SELECT * FROM `comments`");
while($rows=mysql_fetch_array($mysql_query_one)) {
echo $rows['messages'] . "<br />";
}

Everything went swell for the first half, and after I truncated the test
messages (or everything in the column, if you like), I tried doing one more
test run and upon clicking 'Submit', nothing would display except the
messages I added via phpMyAdmin.

Hope someone could help me.

PS: The password has been edited out of the preceding code as well as the
HTML code purposely for the mailing list.


RE: PHP Beginners Help

on 03.01.2008 04:10:16 by Bastien Koert

Hi Ben,

You are creating the same table each time you run the code, which would throw an error the second time you run the code since the table is already there.

You have two choices here:
1. remove the table creation script and the call to create it, since the table only needs to be created once.

2. handle the errors that can happen on running a query. ex.

$mysql_query_one = mysql_query("SELECT * FROM `comments`") or die(mysql_error());

bastien

Re: PHP Beginners Help

on 03.01.2008 04:16:29 by Benjamin Darwin

Ben:

First, using a $_POST value directly into a MySQL query is EXTREMELY
unsafe. Always filter data from any source to make sure it's what you
expect. SQL injection is one of the easiest ways to cause real damage
to a website. http://en.wikipedia.org/wiki/SQL_injection

Check out this function for making the string safe:
http://us2.php.net/manual/en/function.mysql-real-escape-string.php
Also, try and strip out any characters that don't belong in the string
anyway, just as added security.

Good luck learning PHP.

--Another person who happens to be named Ben

I've also put a few edits in the code.
On Jan 2, 2008 9:57 PM, Ben Stones wrote:
> Hello, my name is Ben Stones. I am quite a beginner to PHP, and as a new
> years resolution I am going to learn PHP (finally!)
>
> Cut to the chase I have created a basic looping script that would display
> anything submitted in a form, on seperate lines; here is the PHP code:
>
> $con = mysql_connect("localhost","ben_test","------removed-----") or
> die("con");
> $db = mysql_select_db("ben_test") or die("db");
> mysql_query("CREATE TABLE `comments` (messages varchar(255))");
> $comments = $_POST['comment'];
> $sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES
> ($comments)");
>
> $mysql_query_one = mysql_query("SELECT * FROM `comments`");
> while($rows=mysql_fetch_array($mysql_query_one)) {
> echo $rows['messages'] . "<br />";
> }
>
> Everything went swell for the first half, and after I truncated the test
> messages (or everything in the column, if you like), I tried doing one more
> test run and upon clicking 'Submit', nothing would display except the
> messages I added via phpMyAdmin.
>
> Hope someone could help me.
>
> PS: The password has been edited out of the preceding code as well as the
> HTML code purposely for the mailing list.
>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: PHP Beginners Help

on 03.01.2008 04:31:27 by Ben Stones


Thanks all for your replies. Much appreciated. I have edited the code and
taken the points into account:

$con = mysql_connect("localhost","ben_test","removed") or die("con");
$db = mysql_select_db("ben_test") or die("db");
$sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES
($comments)") or die("insert");
$mysql_query_one = mysql_query("SELECT * FROM `comments`");
while($rows=mysql_fetch_array($mysql_query_one)) {
echo $rows['messages'] . "<br />";
}

Okay, the browser output "insert", so it has to be something to do with
the insert SQL syntax I have added. Not sure if it's overriding the same
content added as before or something.

Any help once again is appreciated.

Thank you,
Ben Stones.

On Jan 3, 2008 3:16 AM, Benjamin Darwin wrote:

> Ben:
>
> First, using a $_POST value directly into a MySQL query is EXTREMELY
> unsafe. Always filter data from any source to make sure it's what you
> expect. SQL injection is one of the easiest ways to cause real damage
> to a website. http://en.wikipedia.org/wiki/SQL_injection
>
> Check out this fuction for making the string safe:
> http://us2.php.net/manual/en/function.mysql-real-escape-string.php
> Also, try and strip out any characters that don't belong in the string
> anyway, just as added security.
>
> Good luck learning PHP.
>
> --Another person who happens to be named Ben
>
> I've also put a few edits in the code.
> On Jan 2, 2008 9:57 PM, Ben Stones wrote:
> > Hello, my name is Ben Stones. I am quite a beginner to PHP, and as a new
> > years resolution I am going to learn PHP (finally!)
> >
> > Cut to the chase I have created a basic looping script that would
> display
> > anything submitted in a form, on seperate lines; here is the PHP code:
> >
> > $con = mysql_connect("localhost","ben_test","------removed-----") or
> > die("con");
> > $db = mysql_select_db("ben_test") or die("db");
> > mysql_query("CREATE TABLE `comments` (messages varchar(255))");
> > $comments = $_POST['comment'];
> > $sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES
> > ($comments)");
> >
> > $mysql_query_one = mysql_query("SELECT * FROM `comments`");
> > while($rows=mysql_fetch_array($mysql_query_one)) {
> > echo $rows['messages'] . "<br />";
> > }
> >
> > Everything went swell for the first half, and after I truncated the test
> > messages (or everything in the column, if you like), I tried doing one
> more
> > test run and upon clicking 'Submit', nothing would display except the
> > messages I added via phpMyAdmin.
> >
> > Hope someone could help me.
> >
> > PS: The password has been edited out of the preceding code as well as
> the
> > HTML code purposely for the mailing list.
> >
>


Re: PHP Beginners Help

on 03.01.2008 05:11:00 by dmagick

Ben Stones wrote:
> Thanks all for your replies. Much appreciated. I have edited the code and
> took points into account:
>
>
> $con = mysql_connect("localhost","ben_test","removed") or die("con");
> $db = mysql_select_db("ben_test") or die("db");
> $sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES
> ($comments)") or die("insert");
> $mysql_query_one = mysql_query("SELECT * FROM `comments`");
> while($rows=mysql_fetch_array($mysql_query_one)) {
> echo $rows['messages'] . "<br />";
>
> Okay, the browser outputted "insert" so it has to be something to do with
> the insert sql syntax I have added. Not sure if its over-riding the same
> content added as before or something.

It's dying when you try to insert, probably because of quotes. As the
other Ben mentioned, you need to escape the data.

Try:

$query = "INSERT INTO comments(messages) VALUES ('" .
    mysql_real_escape_string($_POST['comments']) . "')";

$insert_result = mysql_query($query);

if (!$insert_result) {
    echo "Error with insert: ", mysql_error(), "<br />\n";
    echo "Query I tried to run:<br />\n", $query, "<br />\n";
    exit;
}

that way mysql will show you the error that occurred when you tried to
run the insert, and also you are escaping the comment you typed in so
things like quotes will be handled properly.


When you print the data out, you should use htmlspecialchars so if
someone enters javascript or any other 'bad' data it won't get printed
or executed.

For example:

$query = "SELECT * FROM comments";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
    echo "Comment was: ", htmlspecialchars($row['messages'], ENT_QUOTES), "<br />\n";
}


There's some good info available here about this sort of stuff:

http://phpsec.org/projects/guide/

If something doesn't make sense, send us another email :)

--
Postgresql & php tutorials
http://www.designmagick.com/
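As an added example, not code from any post in this thread: the three points Benjamin and dmagick raise (keep submitted data out of the SQL text, surface query errors instead of swallowing them, and escape on output) written against current PHP. It uses PDO with an in-memory SQLite database so it runs offline (an assumption; swap the DSN for MySQL in practice), since the mysql_* functions used in the thread were removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory
// SQLite database so it runs offline; in practice swap the DSN for MySQL.
// The mysql_* functions used in the thread were removed in PHP 7.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw on failure instead of returning false, so a failed INSERT can
    // never be mistaken for "nothing happened" as it was in the thread.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS comments (messages VARCHAR(255))');
    return $db;
}

// The thread's original pattern, kept for contrast: the value is glued into
// the SQL text, so a comment containing an apostrophe breaks the statement.
function addCommentUnsafe(PDO $db, string $comment): void {
    $db->exec("INSERT INTO comments (messages) VALUES ('$comment')");
}

// Hardened form: a prepared statement sends the value separately from the
// SQL text, so quotes or keywords in the comment cannot alter the query.
function addComment(PDO $db, string $comment): void {
    $stmt = $db->prepare('INSERT INTO comments (messages) VALUES (:m)');
    $stmt->execute([':m' => $comment]);
}

// Escape on output: htmlspecialchars turns stored markup into inert text so
// it is displayed rather than executed by the browser.
function renderComments(PDO $db): string {
    $html = '';
    foreach ($db->query('SELECT messages FROM comments') as $row) {
        $html .= htmlspecialchars($row['messages'], ENT_QUOTES, 'UTF-8') . "<br />\n";
    }
    return $html;
}

$db = openDb();
// Constructed sample input: an apostrophe (the quote problem dmagick
// suspects) and the kind of 'bad' data he warns about on output.
$samples = ["It's working", "<script>alert(1)</script>"];
try {
    addCommentUnsafe($db, $samples[0]);
} catch (PDOException $e) {
    echo "Unsafe insert failed: " . $e->getMessage() . "\n";
}
foreach ($samples as $c) {
    addComment($db, $c);
}
echo renderComments($db);
```

The unsafe insert reports a syntax error for the apostrophe, while the prepared statement stores both samples and the rendered output shows the script tag as literal text.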
