WebmasterWorld Forums: PHP Server Side Scripting
mysql insert not working
generic




msg:4533101
 1:57 am on Jan 4, 2013 (gmt 0)

I've been debugging the bajeezus out of this for at least two hours and I can't for the life of me figure out why it won't insert into mysql so I turn it over to you fine folks. The variables are passing but not saving. Any ideas?

HTML

<form enctype="multipart/form-data" action="inc/news_add.php" method="POST">

<div>
<label for="news_title">News Title:</label><br />
<input type="text" name="news_title" />
</div>

<div>
<label for="news_body">News Body:</label><br />
<textarea name="news_body"></textarea>
</div>

<div>
<label for="news_image">Upload Image</label><br />
<input name="news_image" type="file" />
</div>

<div>
<input type="submit" name="submit" value="Add News" />
</div>

</form>


PHP

//
// add news
//

// grab vars
$news_title = $_POST['news_title'];
$news_body = $_POST['news_body'];
$news_image = $_FILES['news_image']['name'];

// if file has been changed, resize file before save
if (isset($_FILES['news_image']['name'])) {

    # resize file
    $im = ImageCreateFromJpeg($_FILES['news_image']['tmp_name']);

    $ox = imagesx($im);
    $oy = imagesy($im);

    $height = 600;
    $width = 600;

    # check if portrait
    if ($ox < $oy) {
        $ny = $height;
        $nx = floor($ox * ($ny / $oy));

    # check if landscape
    } else {
        $nx = $width;
        $ny = floor($oy * ($nx / $ox));
    }

    $nm = imagecreatetruecolor($nx, $ny);
    imagecopyresampled($nm, $im, 0, 0, 0, 0, $nx, $ny, $ox, $oy);

    $folder = '/public_html/uploads/news_photos/';
    imagejpeg($nm, $folder.$news_image, 90);
}

// save data to mysql

# if file field wasn't updated
if (!isset($_FILES['news_image']['name'])) {
    mysql_query("INSERT INTO news (news_title, news_added, news_body VALUES ('$news_title', NOW(), '$news_body')");

# if everything was updated
} else {
    mysql_query("INSERT INTO news (news_title, news_body, news_added, news_image VALUES ('$news_title', '$news_body', NOW(), '$news_image')");
}



swa66




msg:4533130
 4:42 am on Jan 4, 2013 (gmt 0)

There are quite a few security issues in the code:
- SQL injection (obviously, as you do not escape nor use calls that don't need it)
- file tree walking (what if $news_image were to contain ../../index.php? - and that's a mild one)
- overwriting files
- ...

The trick to debug SQL statements is to type them in an interactive mysql session. It would tell you you have a syntax error :-) -- or failing that to check the results / errors returned to php.

tip: add a ")" before the VALUES ...

generic




msg:4533147
 6:23 am on Jan 4, 2013 (gmt 0)

LOL I can't believe I missed that. Thanks for poking me with a blunt stick, I obviously needed it ;)

As for the glaring security holes, I realize that my code straight up sucks. I'm typically a front end designer and this will only be used internally, so in the future I'll either do some more reading up on SQL, or leave this stuff to the actual back end developers in the office and stick to the UI work I was hired for.

Cheers and thanks again!

brotherhood of LAN




msg:4533152
 7:01 am on Jan 4, 2013 (gmt 0)

>reading up

mysql_real_escape_string [php.net] in the short term will prevent SQL injections for your statements but you'll want to verify the input is 'good'... which in this case would be well before the query for all the reasons swa66 listed.
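As an added example (not code from the thread), the same insert with swa66's three points addressed: bound parameters instead of SQL built from strings, a server-generated filename so nothing from $_FILES reaches the path and an existing file is never overwritten, and a check that the upload really is a JPEG. It assumes PHP 8, a PDO connection with placeholder credentials (ERRMODE_EXCEPTION, so a query with a syntax error raises instead of silently doing nothing), and the same `news` columns as the original.

```php
<?php
// Added example, not the thread's code. Assumes a PDO handle, the `news`
// columns used on the page, and a $folder the client cannot influence.
function storeNewsImage(array $file, string $folder): ?string
{
    // The form always submits the field, so test the upload error code, not isset() on the name.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_NO_FILE) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    // Trust the bytes, not the client-supplied name or MIME type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG image');
    }
    $im = imagecreatefromjpeg($file['tmp_name']) ?: throw new RuntimeException('decode failed');
    // Same 600px bounding box as the original resize.
    $ox = imagesx($im);
    $oy = imagesy($im);
    $scale = 600 / max($ox, $oy);
    $nx = max(1, (int) floor($ox * $scale));
    $ny = max(1, (int) floor($oy * $scale));
    $nm = imagecreatetruecolor($nx, $ny);
    imagecopyresampled($nm, $im, 0, 0, 0, 0, $nx, $ny, $ox, $oy);
    // Server-generated name: nothing from $_FILES reaches the path, and an
    // existing file is never overwritten.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($folder, '/') . '/' . $name;
    if (file_exists($dest) || !imagejpeg($nm, $dest, 90)) {
        throw new RuntimeException('could not write ' . $name);
    }
    return $name;
}

function addNews(PDO $pdo, string $title, string $body, ?string $image): int
{
    // Bound parameters keep the values out of the SQL text, so quotes in the
    // title or body cannot alter the statement.
    $stmt = $pdo->prepare('INSERT INTO news (news_title, news_body, news_added, news_image)'
        . ' VALUES (:title, :body, NOW(), :image)');
    $stmt->execute([':title' => $title, ':body' => $body, ':image' => $image]);
    return (int) $pdo->lastInsertId();
}

// Placeholder DSN and credentials.
$pdo = new PDO('mysql:host=localhost;dbname=site', 'db_user', 'db_pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$image = storeNewsImage($_FILES['news_image'] ?? [], '/public_html/uploads/news_photos/');
addNews($pdo, $_POST['news_title'] ?? '', $_POST['news_body'] ?? '', $image);
```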
