Member Avatar for DaveyMoyes

hi all - can anyone help with the following -
I am unable to upload any data to my database -
I can connect successfully as i have changed the password, database name and got the error's i was expecting.

but for some reason, the data just doesn't seem to want to get to my database...???/

Any pointers would be very helpful,

<?
include('autoconfig.php');

$tbl_name=temp_members_db;

// Random confirmation code 
$confirm_code=md5(uniqid(rand())); 

// values sent from form 
$name=$_POST['name'];
$email=$_POST['email'];
$password=$_POST['password'];
$country=$_POST['country'];
$city=$_POST['city'];
$mobnum=$_POST['mobnum'];
$mobnet=$_POST['mobnet'];
$mobpro=$_POST['mobpro'];
$atype=$_POST['atype'];
$datetime=date('l jS F Y h:i:s'); //create date time
$uipa = $_SERVER["REMOTE_ADDR"];
$ref = $_SERVER['HTTP_REFERER'];
$browser = $_SERVER['HTTP_USER_AGENT'];

// Insert data into database 
$sql= "INSERT INTO $tbl_name(confirm_code, name, email, password, country, city, mobnum, mobnet, mobpro, automotive, datetime, uipa, ref, browser)VALUES('$confirm_code', '$name', '$email', '$password', '$country', '$city', '$mobnum', '$mobnet', '$mobpro', '$atype', '$datetime', '$uipa', '$ref', '$browser')";
$result=mysql_query($sql);
  • 2 Contributors
  • 5 Replies
  • 68 Views
  • 7 Hours Discussion Span
  • Latest Post Latest Post by kireol
Member Avatar for DaveyMoyes

your code is VERY susceptible to hacking.

you need to escape every variable that you are inserting.
http://us.php.net/manual/en/function.mysql-real-escape-string.php

which also might be why your SQL is failing.

first add that code in to escape, then check for an error code from your sql result

if you could show me how to escape one ? im willing to learn

Member Avatar for kireol 
$name=mysql_real_escape_string($_POST['name']);
$email=mysql_real_escape_string($_POST['email']);
$password=mysql_real_escape_string($_POST['password']);
$country=mysql_real_escape_string($_POST['country']);
$city=mysql_real_escape_string($_POST['city']);
$mobnum=mysql_real_escape_string($_POST['mobnum']);
$mobnet=mysql_real_escape_string($_POST['mobnet']);
$mobpro=mysql_real_escape_string($_POST['mobpro']);
$atype=mysql_real_escape_string($_POST['atype']);
$datetime=date('l jS F Y h:i:s'); //create date time
$uipa = $_SERVER["REMOTE_ADDR"];
$ref =mysql_real_escape_string( $_SERVER['HTTP_REFERER']);
$browser = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);

// Insert data into database 
$sql= "INSERT INTO $tbl_name(confirm_code, name, email, password, country, city, mobnum, mobnet, mobpro, automotive, datetime, uipa, ref, browser)VALUES('$confirm_code', '$name', '$email', '$password', '$country', '$city', '$mobnum', '$mobnet', '$mobpro', '$atype', '$datetime', '$uipa', '$ref', '$browser')";
$result=mysql_query($sql)or die ("Insert failed : ".mysql_error());;

try something like this.

Member Avatar for DaveyMoyes 
$name=mysql_real_escape_string($_POST['name']);
$email=mysql_real_escape_string($_POST['email']);
$password=mysql_real_escape_string($_POST['password']);
$country=mysql_real_escape_string($_POST['country']);
$city=mysql_real_escape_string($_POST['city']);
$mobnum=mysql_real_escape_string($_POST['mobnum']);
$mobnet=mysql_real_escape_string($_POST['mobnet']);
$mobpro=mysql_real_escape_string($_POST['mobpro']);
$atype=mysql_real_escape_string($_POST['atype']);
$datetime=date('l jS F Y h:i:s'); //create date time
$uipa = $_SERVER["REMOTE_ADDR"];
$ref =mysql_real_escape_string( $_SERVER['HTTP_REFERER']);
$browser = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);

// Insert data into database 
$sql= "INSERT INTO $tbl_name(confirm_code, name, email, password, country, city, mobnum, mobnet, mobpro, automotive, datetime, uipa, ref, browser)VALUES('$confirm_code', '$name', '$email', '$password', '$country', '$city', '$mobnum', '$mobnet', '$mobpro', '$atype', '$datetime', '$uipa', '$ref', '$browser')";
$result=mysql_query($sql)or die ("Insert failed : ".mysql_error());;

try something like this.

Excellent, Many thanks - I'm looking forward to understanding more.

Just a quick question. ? please

Am i right in saying that this will help against all sql injection attacks ??

sorry if this is a daft question but I am still learning,

Many thanks again for your input....

Member Avatar for kireol

that's exactly what it does :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.