Hi guys, this should be simple and I know it, but for some reason it's throwing no errors. Anyway, script below, and it's inserting nothing into the database. I've checked the table name, and the row names etc. I just don't see where it's going wrong... any ideas would be appreciated. Note: I am getting the correct data in the variables $created_uid & $sql

<?php
//start session
session_start();
require_once('config.php');
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}
//pull session data and create variable
$created_uid = $_SESSION['SESS_MEMBER_UID'];
echo $created_uid;
//insert into database
$sql = "INSERT INTO nid_table (uid_owner, webserver) VALUES ('$created_uid','1')";
echo $sql;
?>
How was that the best answer? He just told you that you are only echoing, not actually telling you how to resolve this. Never mind, after I re-read the entire conversation I realized how it was the best answer. However, he still should have provided you with a code snippet.
KangBroke, for my level of knowledge and skill, I found that the answer provided was perfect. It highlighted to me what I was "actually doing" rather than providing me with a "here's the right code". I only wish a lot more answers, when I get stuck, were in this form, as it is very educational. Thanks for looking though.
Well, IMO I like to try and leave code snippets when applicable, because sometimes beginners using Google stumble across these forums and are then left wondering how you got your answer. However, I do understand what you mean; after a long night of coding I sometimes can just use a quick pointer and be back on track.
One should also point out that:

mysql_connect

Do we SEE the problem here? Do we? I think we do... This is 2015, not 2005... But yeah, not actually calling the query is a bigger flub... but not by much... just like outdated nonsense like:

$sql = "INSERT INTO nid_table (uid_owner, webserver) VALUES ('$created_uid','1')";

That shouldn't be done EITHER. Of course, it also looks like you put your connection info into global scope as DEFINE (since they're upper case); that too shouldn't be done.
I did consider asking why he was not using mysqli_connect. Just figured some people are still stuck in the past, ya know some guys still rock mullets and shit.
I prefer PDO as I like not being tied to one engine, but yeah... It's more fun now that PHP 5.6 is logging mysql_connect as a warning. Be even more fun when it FINALLY goes the way of the dodo. Which honestly I thought they should have done when PHP 5.2 was introduced.
Hey guys, I am stuck in the past... not played with PHP for about 10 years, since I left uni, and even then I wasn't very good. I'm simply playing with some stuff on my computer (bashing out an idea). I can imagine that all of my attempts at coding are bad, but I have to start from somewhere...
Well, ten years would be about right for what you had. That's about when we started being told the mysql_ functions weren't very safe and to STOP, in languages like Perl, Python or PHP, putting data/variables into the query strings. Sadly it wasn't until about 8 years ago that said concepts became real-world deployable, and six years ago common enough to find anyone actually teaching how to do it... But that's still six to eight years of "that method is an insecure mess, stop doing that" which you missed out on.

The old mysql_ functions have been "replaced" (literally as of PHP 7) with either mysqli (which has object or function methodology; stick with the object, the latter is just a wrapper) or PDO (which is entirely object driven). I personally prefer PDO as you can use the one interface to talk to many different SQL engines, not just MySQL. Done "right" you can even make an extensible codebase whereby, simply by loading a different wrapper/extension of the PDO object and pointing at different static strings for the queries, you can make a single core code that works with ALL the supported engines.

Connecting a PDO object is easy. For now leaving your insecure/outdated use of DEFINE intact, we would create our unique PDO connection thus:

try {
    $db = new PDO(
        'mysql:host=' . DB_HOST . ';dbname=' . DB_DATABASE,
        DB_USER,
        DB_PASSWORD
    );
} catch (PDOException $e) {
    die('Connection failed: ' . $e->getMessage());
}

Which also nabs your table connection in the process. Because the connection is assigned to a variable as an object, you can isolate its scope so that the connection can't be passed to functions that shouldn't have access to it.

That too is why putting things like the hostname, database name, username and password into DEFINE is a bad idea: should you accidentally have a code elevation, a situation bad enough in and of itself, putting the database connection, much less the un/pw for it, into the global namespace is like hanging the keys to the kingdom next to the front gate.

One of the big features of modern SQL methodologies is "prepared queries", where you don't blindly paste the values into your query string. You create a query string with labels or ? marks that is sent to the engine first (assuming prepare emulation is off). You then send the data separately, where the engine can plug it in safely. This means no more fretting about sanitation, and a really handy feature: if you want to run the same query multiple times with different values, you can do so by just sending the different data.

Your query rewritten to run properly as of PHP 5.5 using PDO would go something like this:

$statement = $db->prepare('
    INSERT INTO nid_table (
        uid_owner, webserver
    ) VALUES (
        :owner, :webServer
    )
');
$statement->execute([
    ':owner' => $_SESSION['SESS_MEMBER_UID'],
    ':webServer' => 1
]);

Prepare, then execute. That could also be written with question marks thus:

$statement = $db->prepare('
    INSERT INTO nid_table (
        uid_owner, webserver
    ) VALUES (
        ?, ?
    )
');
$statement->execute([$_SESSION['SESS_MEMBER_UID'], 1]);

I prefer to use the labels for clarity's sake when there's more than two values being passed. *NOTE* I'm using PHP 5.5 arrays there, which, like in JS, you just say with [] instead of having to say "array" first in the code. I would probably NOT waste memory making a copy of the session value into its own variable...

And finally, I'd suggest that EVERY time you start a session, you regenerate its ID:

session_start();
session_regenerate_id();

With the cookie/id constantly changing, the time window in which a man-in-the-middle attack can be pulled off is narrowed. Also, do you really need a comment // session start before a function named session_start?

Honestly, if you felt you sucked at it, I'm willing to bet you didn't. I bet your teacher did. If it's been a decade since you last played with PHP in any manner, despite the faux pas and outdated code, you're not doing THAT bad; it's just that programming, like the rest of computing, is one of those pesky places where 3 years is obsolete, 5 years is the scrap heap; something made worse by the constant need for updates in methodology for security reasons. Updates a LOT of people working 24/7 in it professionally can't even keep up with... so for a relative rookie? Ouch.
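The whole flow described in the post above (session start with ID regeneration, a PDO connection whose credentials live in a function's local scope rather than DEFINE, and a prepared INSERT that is prepared once and executed per row), pulled together as an added example. This is not the original poster's script or deathshadow's code; it assumes the nid_table(uid_owner, webserver) table from the thread, PHP 5.5 or later for the short array syntax, and placeholder connection settings that you would load from a file outside the web root.

```php
<?php
// Added example, not code from the thread. Assumes the table
// nid_table(uid_owner, webserver) named in the original post.

session_start();
// Regenerate the session ID on every start; passing true discards the old
// session file so a captured ID stops working immediately.
session_regenerate_id(true);

// Credentials in a function's local scope, not DEFINE(): nothing else in the
// global namespace can read them, and the PDO object is only returned to callers.
function connectDb()
{
    $settings = [
        'host' => 'localhost',        // placeholder, not a real host
        'name' => 'example_db',       // placeholder database name
        'user' => 'example_user',     // placeholder user
        'pass' => 'example_password', // placeholder password
    ];
    $dsn = 'mysql:host=' . $settings['host']
         . ';dbname=' . $settings['name']
         . ';charset=utf8mb4';
    return new PDO($dsn, $settings['user'], $settings['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepare, data sent separately
    ]);
}

// Prepare once, execute once per row: the values never become part of the SQL
// text, so a uid containing quotes is stored as-is instead of altering the query.
// Returns the number of rows inserted.
function insertOwners(PDO $db, array $rows)
{
    $statement = $db->prepare(
        'INSERT INTO nid_table (uid_owner, webserver) VALUES (:owner, :webServer)'
    );
    $inserted = 0;
    foreach ($rows as $row) {
        $statement->bindValue(':owner', (string) $row['owner'], PDO::PARAM_STR);
        $statement->bindValue(':webServer', (int) $row['webServer'], PDO::PARAM_INT);
        $statement->execute();
        $inserted += $statement->rowCount();
    }
    return $inserted;
}

try {
    if (empty($_SESSION['SESS_MEMBER_UID'])) {
        exit('Not logged in');
    }
    $db = connectDb();
    $count = insertOwners($db, [
        ['owner' => $_SESSION['SESS_MEMBER_UID'], 'webServer' => 1],
    ]);
    echo $count === 1 ? "Inserted\n" : "Nothing inserted\n";
} catch (PDOException $e) {
    // Log the detail server-side; the exception text can contain the DSN or the
    // query, which does not belong in the browser.
    error_log('DB error: ' . $e->getMessage());
    exit('Database error');
}
```

With ATTR_ERRMODE set to ERRMODE_EXCEPTION, the "no errors but nothing inserted" situation from the original post cannot happen quietly: a failed connection, a wrong table or column name, or a constraint violation all throw and land in the catch block.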
Hey deathshadow, Thanks for the reply. I never expected someone to give me so much detail. It's good to see that you're so helpful though. I'll figure out if I can go any further with what I'm thinking of, and then if it seems like something that could be feasible, I guess I'll have to go pick up some new books and start studying again. Last thing I want is something that's a massive vulnerability.