PHP Server Side Scripting Forum

PHP error
kaz_devil

Msg#: 4504882 posted 4:13 pm on Oct 6, 2012 (gmt 0)

<?php
include_once('config.php');

$link=mysql_connect(DB_HOST,DB_USERNAME,DB_PASSWORD);

if (!$link)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db(DB_DATABASE);

$query="INSERT INTO".data_feedback."(First Name,Last Name,Email,Telephone,Comments)
VALUES
('". $_POST['firstname']."','". $_POST['lastname']."','". $_POST['email']."',". $_POST['telephone']."','". $_POST['comments']."')"

$data=mysql_query($query);
if($data)
{
echo"Feedback is recieved";
}
else{
echo"There is an error";
}

?>

I've got a syntax error on line 17.
This is the part: $data=mysql_query($query);
I'm new to PHP so I can't figure it out, can anyone help?

swa66

Msg#: 4504882 posted 5:10 pm on Oct 6, 2012 (gmt 0)

Try a semicolon on the previous line.

But your code is a pretty good example of how not to access a database from a security perspective.
ref: [xkcd.com...]
You have to do input validation.

I'd also suggest not learning to program using the mysql interface anymore (it's obsolete) and using the mysqli one instead (note the i), and prepared statements.

incrediBILL

Msg#: 4504882 posted 4:07 am on Oct 8, 2012 (gmt 0)

This is one of the few times a syntax error was doing you a favor by stopping unfiltered web input from getting to your SQL server.

Matthew1980

Msg#: 4504882 posted 7:40 pm on Oct 8, 2012 (gmt 0)

^^^

I agree with Incredibill & Swa66;

But just to clarify, you've got a concatenation issue:

'". $_POST['firstname']."',
'". $_POST['lastname']."',
'". $_POST['email']."',
". $_POST['telephone']."',
'". $_POST['comments']."'

Splitting it like this REALLY highlights your syntax error. And it's just one char, too.

I prefer giving a clue to a problem, rather than telling you that you're fundamentally flawed for the third time :)

Cheers,
MRb

incrediBILL

Msg#: 4504882 posted 11:03 pm on Oct 8, 2012 (gmt 0)

Now that it's Monday I'll get serious here, as there are other issues, such as directly accessing the values without testing to see if they were passed:
$_POST['lastname']

You need to test variable presence using isset() or empty() first to make sure all the parameters were passed; otherwise you'll get errors accessing them in the SQL statement as well.

Even if you're doing data validation on the page using JavaScript, it's insufficient, especially for those of us using NoScript in Firefox or other browser equivalents, and it leaves vulnerabilities in the server-side code.

Matthew1980

Msg#: 4504882 posted 6:41 pm on Oct 9, 2012 (gmt 0)

^^^

To add to this, you can sort out ALL of your $_POST vars by passing them through array_map(), and using its callback mechanism will save time and lines of code too.

Then using something like mysql_real_escape_string, strip_tags, trim you can make the data a little safer.

Cheers,
MRb
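A hardened rewrite of the original poster's insert, pulling together swa66's mysqli/prepared-statement advice, incrediBILL's isset()/empty() presence checks and Matthew1980's array_map() clean-up. This is an added example, not code from anyone in the thread; the data_feedback table, its column names and the constants in config.php are assumed.

```php
<?php
// Added example, not the original poster's code: the same feedback INSERT
// done with mysqli + a prepared statement, after presence and format checks.
// Assumptions: config.php defines DB_HOST, DB_USERNAME, DB_PASSWORD and
// DB_DATABASE; the table and column names below are hypothetical.
include_once('config.php');
$fields = ['firstname', 'lastname', 'email', 'telephone', 'comments'];
// 1. isset()/empty()-style presence checks before any value is used;
//    also reject arrays (firstname[]=x) so trim() is never handed an array.
foreach ($fields as $f) {
    if (!isset($_POST[$f]) || !is_string($_POST[$f]) || trim($_POST[$f]) === '') {
        http_response_code(400);
        exit('Missing field: ' . htmlspecialchars($f, ENT_QUOTES, 'UTF-8'));
    }
}

// 2. Tidy all fields at once with array_map() and a callback (trim + strip_tags).
//    This is cosmetic clean-up; it is NOT what prevents SQL injection.
$in = array_map(static function ($v) { return trim(strip_tags($v)); },
                array_intersect_key($_POST, array_flip($fields)));

// 3. Server-side validation; browser-side JavaScript checks can be bypassed.
if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address');
}
if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $in['telephone'])) {
    http_response_code(400);
    exit('Invalid telephone number');
}

// 4. mysqli with exceptions enabled, so failures are not silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli(DB_HOST, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
    $db->set_charset('utf8mb4');
    // 5. Prepared statement: the values are bound, never spliced into the
    //    SQL text, so quotes in the input cannot change the query.
    $stmt = $db->prepare('INSERT INTO data_feedback
        (first_name, last_name, email, telephone, comments) VALUES (?, ?, ?, ?, ?)');
    $stmt->bind_param('sssss', $in['firstname'], $in['lastname'], $in['email'],
                      $in['telephone'], $in['comments']);
    $stmt->execute();
    echo 'Feedback is received';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());      // keep the database detail server-side...
    http_response_code(500);
    echo 'There is an error';         // ...and never echo mysql errors to the client
}
```

Unlike the original, which prints mysql_error() to the visitor, the catch block logs the driver message and returns a generic response, so a failed query does not disclose table or column names.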
