updated email.php #3

@mlawday mlawday commented Feb 10, 2015

Added mysql code to the form. However, the information entered in the form is not being saved in the database. I have tried changing my code, but with no success. The code connects to the database but does not store the user information.

@trevynmeyer

echo out the $query value;

Paste that SQL into phpMyAdmin to see if your SQL is accepted or not.

This is a scenario where you can learn about SQL injection.

If my email comment was DROP * tables; or something, it could in fact make your SQL run something malicious.

There are functions in PHP like htmlspecialchars() or addslashes() that can be run to protect the content from being interpreted as SQL commands.

Paste your SQL statement and response here.


mlawday commented Feb 10, 2015

Oh ok that makes sense. I know about the mysqli_real_escape_string. Would it be appropriate to put that in the VALUES code to prevent malicious attacks?

Here is the message it gave back to me when I put the SQL code in: #1327 - Undeclared variable: users

@trevynmeyer

Paste me the entire SQL command.


mlawday commented Feb 10, 2015

SELECT * FROM users WHERE 1INSERT INTO users (name, email, subject, message) VALUES ('mark', '', 'mark', 'mark');


mlawday commented Feb 10, 2015

whoops. Just realized it never deleted the previous code. It took the code INSERT INTO users (name, email, subject, message) VALUES ('mark', '', 'mark', 'mark');

@trevynmeyer

do you have a table created called users?

users is a special word for SQL

try `users`

the back ticks make it know it's not a special mysql variable.

The other thing may be that you are connected to mysql, but not the specific database.

mlawday commented Feb 10, 2015

removed the back ticks, still didn't take. I have a table called users. I created a new user to the database as well and that is what I am using in my code. I can log in with that username and password and mysql connects just fine. I even tried deleting the database and creating a new one.

@trevynmeyer

hmm, let's do a screenshare on hangout tonight and get this figured out. Give me FTP access to your new hosts? or cpanel access. Email it to me. I got to run to some meetings but we will chase this down.

Maybe make a new script to test connecting to mysql, selecting a database, and inserting a row into a table.

Just to separate a working example from your script.
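
As an added example (not code posted by either participant in this thread), here is a stand-alone test script of the kind suggested in the last comment: it connects, selects the database and inserts one row into the `users` table, reporting which step fails. The host, credentials and database name are placeholders, and binding the values as prepared-statement parameters is this example's choice for keeping form input out of the SQL text.

```php
<?php
// Added example: isolated test script, kept separate from email.php.
// Host, credentials and database name below are placeholders (assumptions).
$host   = 'localhost';
$dbUser = 'DB_USER_PLACEHOLDER';
$dbPass = 'DB_PASSWORD_PLACEHOLDER';
$dbName = 'DB_NAME_PLACEHOLDER';

// Make mysqli throw exceptions so a failing step is reported
// instead of being silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    // Step 1: connect to the MySQL server only.
    $db = new mysqli($host, $dbUser, $dbPass);
    echo "step 1 ok: connected\n";

    // Step 2: select the specific database. Being connected to the
    // server does not mean a database has been chosen.
    $db->select_db($dbName);
    echo "step 2 ok: database selected\n";

    // Step 3: insert a row. The SQL text is fixed; the four values are
    // bound as parameters, so quotes or semicolons in them stay data.
    $stmt = $db->prepare(
        'INSERT INTO `users` (name, email, subject, message) VALUES (?, ?, ?, ?)'
    );

    // Constructed sample input, including a quote and a semicolon.
    $name    = "O'Brien";
    $email   = 'mark@example.com';
    $subject = 'test; subject';
    $message = 'row written by the test script';

    $stmt->bind_param('ssss', $name, $email, $subject, $message);
    $stmt->execute();
    echo "step 3 ok: inserted {$stmt->affected_rows} row(s), id {$db->insert_id}\n";

    $stmt->close();
    $db->close();
} catch (mysqli_sql_exception $e) {
    // The last "ok" line printed shows how far the script got;
    // the code and message are what MySQL itself returned.
    echo 'MySQL error ' . $e->getCode() . ': ' . $e->getMessage() . "\n";
}
```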
