Member Avatar for ncis_sg1

I need help with an assignment. I have been working of this the better part of a week and still do not really understand what I am meant to do. This is my first week using PHP and I am really confused. Here are the instructions:

Write a PHP script that obtains a URL and its description from a user and stores the information into a database using MySQL. Create and run a SQL script with a database named URL and a table named Urltable. The first field of the table should countain an actual URL, and the second, which is named Description, should contain a description of the URL. Use www.deitel.com as the first URL, and input Cool site! as its description. The second URL should be www.php.net, and the description should be The official PHP site. After each new URL is submitted, print the contents of the database in a table.

Also here are some added instructions from my proffesor.

The scripts of database for this chapter are attached here.

Please create a user account as the video in course materials to connect mySQL. We should use:

username: iw3htp

password: password

So the connection codes should be something like:

if ( !( $database = mysql_connect( "localhost", "iw3htp", "password" ) ) )
         die( "<p>Could not connect to database</p>" );

I have the account and every thing it is just the code that is confusing me.

<!DOCTYPE html>
<html>
<head>
<meta charset ="utf-8";
<title>19.9</title>
</head>
<body>

<?php 
if(!($database=mysql_connect("localhost","iw3htp","password"))) 
    die("<p> Could not connect to database</p>"); 
$dbsel=@mysql_select_db("URl",$con); 
if(!$dbsel) 
die("error selecting database".mysql_error()); 
$ul=$_POST['ul']; 
$de=$_POST['de']; 
$q="insert into urltable values("$ul","$de")"; 
mysql_query($q); 
$qw="select * from urltable"; 
$qwa=mysql_query($qw); 
while($result =@mysql_fetch_array($qwa)) 
{ 


echo $result['urlname']; 
echo $result['urldescription']; 
} 


?> 
<form action="re.php" method="post"> 
url:<input type="text" name="ul"><br> 
description:<input type="text" name="de"> 
<input type="submit" value="click here!"> 
</form> 
</body>
</html>

Is this even close to being right? If it is could someone point me in the right direction of completing this assignment. If not I would love some help on making it right so that I am able to finish my assignment for the week.
Thanky you in advance.

  • 3 Contributors
  • 4 Replies
  • 1K Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by ncis_sg1
Member Avatar for Atli

You've got some big problems there. The most urgent of which would be your INSERT statement. The syntax is incorrect, and it's also extremely insecure. I'll explain both briefly:

The Syntax

When you want to insert string values, you want the INSERT command to look something like this:

INSERT INTO tbl(field1, field2) VALUES('string1', 'string2');

Notice one critical part there: the single-quotes surrounding the strings. Those are missing from your INSERT. Without them, MySQL will assume the string values are actually meant to be a part of the command syntax, and will therefore fail with a syntax parse error.

The Security

What you always want to look out for when using the outdated MySQL API functions is SQL Injection. The only real protection against that with those functions is the mysql_real_escape_string function. Pretty much all values that are to be put into a MySQL query should go through that function first.

Modern database libraries like the MySQLi (Improved MySQL extension) and PDO support Parameterized Queries through Prepared Statements, which nullifies this particular security issue. I would highly recommend that approach.

Note that only outdated tutorials and other teaching matterial teach the old MySQL API functions as the primary method for connecting to MySQL. It should only really be used in the context of maintaining or upgrading legacy code, not for new code.

Edited by Dani because: Typo in URL
Member Avatar for ncis_sg1

Thanks for the information. I have fixed my code and made it more like in my text and for the most part it is running. The only problem I am having is to get my table to populate with the information that I enter. How can I fix this problem? Here is the code:

<!DOCTYPE html>
<html>
<head>
  <meta charset = "utf-8">
  <title>Search Results</title>
<style type = "text/css">
     body  { font-family: sans-serif;
             background-color: lightyellow; } 
     table { background-color: lightblue; 
             border-collapse: collapse; 
             border: 1px solid gray; }
     td    { padding: 5px; }
     tr:nth-child(odd) {
             background-color: white; }
  </style>
 </head>
 <body>
  <?php
   $URL = isset($_POST["URL" ]) ? $_POST["URL" ] : "";
   $Description = isset($_POST["Description" ]) ? $_POST["Description" ] : "";
   $iserror = false;
   $formerrors = 
      array( "URLerror" => false, "Descriptionerror" => false);
   $inputlist = array( "URL" => "URL", "Description" => "Description" );

   if ( isset( $_POST["submit"] ) )
    {
      if ( $URL == "" )
      {
         $formerrors[ "URLerror" ] = true;
         $iserror = true;
      }

      if ( $Description == "" )
      {
         $formerrors[ "Descriptionerror" ] = true;
         $iserror = true;
      }

      $query = "INSERT INTO urltable ".
           "( URL, Description )".
           "VALUES ( '$URL', '$Description')";

      if( !( $database = mysql_connect( "localhost",
           "iw3htp", "password" ) ) )
         die( "<p>Could not connect to database</P>");

      if ( !mysql_select_db( "URLs", $database ) )
         die( "<p>Could not open URLs database</p>" );

      if ( !( $result = mysql_query( $query, $database ) ) )
      {
          print( "<p>Could not execute query!</P>" );
          die( mysql_error() );

      } 

      mysql_close( $database );
      die();
    }

  print( "<h1>URL Description Form</h1>
      <p>Please fill in all fields and click Register.</p>" );

  if ( $iserror )
  {
    print( "<p class = 'error'>Fields with * need to be filled in properly.</p>" );
  }

  print( "<!-- post form data to table.php -->
      <form method = 'post' action = 'table.php'>
      <h2> Required Information</h2>" );

  foreach ( $inputlist as $inputname => $inputalt)
  {
    print( "<div><label>$inputalt:</label><input type = 'text'
           name = '$inputname' value = '". $$inputname. "'>" );
    if ( $formerrors[ ( $inputname ). "error" ] == true )
       print( "<span class = 'error'>*</span>" );
    print( "</div>" );
  }
    print("<p class = 'head'><input type = 'submit' name = 'submit' 
           value = 'Register'></p></form></body></html> ");
?>
</body>
</html>

Here is the code for the table.php

<!DOCTYPE html>
<html>
<head>
  <meta charset = "utf-8">
  <title>Search Results</title>
<style type = "text/css">
     table { background-color: lightblue; 
             border-collapse: collapse; 
             border: 1px solid gray; }
     th, td { padding: 5px; border: 1px solid gray; }
     tr:nth-child(even) { background-color: white; }
     tr: first-child { background-color: lightgreen; }
  </style>
 </head>
 <body>
  <?php
        $query = "SELECT * FROM urltable";


        if( !( $database = mysql_connect( "localhost",
           "iw3htp", "password" ) ) )
         die( "<p>Could not connect to database</P>");

       if ( !mysql_select_db( "URLs", $database ) )
         die( "<p>Could not open URLs database</p></body></html>" );
       if ( !( $result = mysql_query( $query, $database ) ) )
       {
          print( "<p>Could not execute query!</P>" );
          die( mysql_error() );

       } 
   ?>

   <h1>URL Descriptions</h1>
   <table>
      <caption>Descriptions stored in the database</caption>
      <tr>
          <th>URL</th>
          <th>Description</th>
      </tr>
   <?php
     for ( $counter = 0; $row = mysql_fetch_row( $result ); ++$counter )
     {
       foreach ( $row as $key => $value )
          print( "<td>$value</td>" );
       print( "</tr>" );
     }
       mysql_close( $database );
   ?>
   </table>
  </body>
</html>

Like I said at the top how can I populate the table with the information I must enter.

Member Avatar for diafol

MySQL also allows the SET syntax. I find it easier than the VALUES syntax, but it can't be used to insert more than one record at a time unlike VALUES.

$query = "INSERT INTO urltable SET URL = '$URL', Description = '$Description'";

However, you still haven't addressed the issue of SQL injection as mentioned by Atli. If you insist on using mysql_* functions, (which you shouldn't), you must escape input with mysql_real_escape_string().

Member Avatar for ncis_sg1

Thank you for this you have made my day. My program is now working correctly.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.