
[web] PHP/SQL Help


I'm trying to set up a user base for my website and I'm not completely sure how. Right now I have this code to be executed once the registration form is submitted:
Quote:
<html><?php
$con = mysql_connect("mysql2.freehostia.com","...","...");
if($_POST["username"] == "")
{
	die("The username field cannot be empty.");
}
if(($_POST["password"] == "") || ($_POST["password"] != $_POST["confirmpassword"]))
{
	die("The password field cannot be empty and both password fields must match.");
}
if($_POST["email"] == "")
{
	die("The email field cannot be empty.");
}
$mdy = explode("/", $_POST["dob"]);
if(!checkdate((int)$mdy[0], (int)$mdy[1], (int)$mdy[2]))
{
	die("The date format is incorrect. Please use MM/DD/YYYY, example 7/8/1975");
}
echo $_POST["username"] . " " . $_POST["password"] . " " . $_POST["fname"] . " " . $_POST["lname"] . " " . $_POST["email"] . " " . $_POST["dob"];
$username = $_POST["username"];
$password = $_POST["password"];
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$email = $_POST["email"];
$dob = $_POST["dob"];
$sex = $_POST["sex"];
mysql_select_db("chrsno_wmhao",$con);
mysql_query("INSERT INTO users
VALUES ($username, $password, $fname, $lname, $email, $dob, $sex, 'datejoined', '0')",$con);
?><br />Click here to return to the register page.</html>
I need to know how to correctly:
-Connect to the SQL database
-Add the user to the SQL table I have set up

Here is a link to the register page: http://isnooky.freehostia.com/register.html

NO ERROR MESSAGES! That problem has been resolved, but as before, the new user does not get added to the database. I need much help with this (hint: Am I using the sql_query function right? I don't really know...).

[Edited by - redfeild on January 13, 2009 12:16:58 PM]

The username and password you have for the database server are incorrect. If the database user can't connect to the database, your whole program is moot.

Quote:
Original post by leiavoia
The username and password you have for the database server are incorrect. If the database user can't connect to the database, your whole program is moot.


No, the username and password are both right...
Am I using the right line of code to connect? I really just guessed with all that stuff...

Quote:
Original post by redfeild
No, the username and password are both right...
Your database disagrees.
Quote:
Warning: mysql_connect(): Access denied for user 'chrsno_wmhao'@'66.40.52.29' (using password: YES) in /home/www/isnooky.freehostia.com/adduser.php on line 2


I tried changing the line of code that connects to the database:
Quote:
$con = mysql_connect("isnooky.freehostia.com","*removed*","*blah*");


But now I get this error:
Quote:
Warning: mysql_connect(): Can't connect to MySQL server on 'isnooky.freehostia.com' (111) in /home/www/isnooky.freehostia.com/adduser.php on line 2


I think the problem is the first argument that identifies the server, I'll try some more stuff...

Quote:
Original post by redfeild
$username = $_POST["username"];
$password = $_POST["password"];
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$email = $_POST["email"];
$dob = $_POST["dob"];
$sex = $_POST["sex"];
mysql_query("INSERT INTO `users` VALUES ('$username', '$password', '$fname', '$lname', '$email', '$dob', '$sex', 'datejoined', '0')",$con);

This is very very very bad. You're leaving yourself wide open to SQL injection. Look up mysql_escape_string.

Quote:
Original post by mpipe
Quote:
Original post by redfeild
$username = $_POST["username"];
$password = $_POST["password"];
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$email = $_POST["email"];
$dob = $_POST["dob"];
$sex = $_POST["sex"];
mysql_query("INSERT INTO `users` VALUES ('$username', '$password', '$fname', '$lname', '$email', '$dob', '$sex', 'datejoined', '0')",$con);


This is very very very bad. You're leaving yourself wide open to SQL injection. Look up mysql_escape_string.


SQL injection? I'm not familiar with the term... and I'll look that up.

I'll also check the username and password. Do I use the same one I use to log in to my phpMyAdmin?

Quote:
Original post by redfeild
I tried changing the line of code that connects to the database:
Quote:
$con = mysql_connect("isnooky.freehostia.com","*removed*","*blah*");


But now I get this error:
Quote:
Warning: mysql_connect(): Can't connect to MySQL server on 'isnooky.freehostia.com' (111) in /home/www/isnooky.freehostia.com/adduser.php on line 2


I think the problem is the first argument that identifies the server, I'll try some more stuff...


If the webserver is the same server that the database server is on, all you need is localhost for the hostname.

As far as SQL injection, it's a way to escape data in such a way that it can change data you don't want changed, delete data you don't want deleted, or expose your database to a hacker. You should ALWAYS clean your data, either from a $_GET or other form.

The procedural way for cleaning MySQL data is like this:


$dbconnect = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname)
or die ('Error connecting to main database, is SQL running?');
mysqli_select_db($dbconnect, $dbname)
or die ('Could not select database main database, is SQL running?');

$to= mysqli_real_escape_string($dbconnect, $to);
$from= mysqli_real_escape_string($dbconnect, $from);
$subject= mysqli_real_escape_string($dbconnect, $subject);
$message= mysqli_real_escape_string($dbconnect, $textbody);
$qstring= "INSERT INTO pm(recipientid, fromid, postdate, msgsubject, msgtext)
VALUES('$to', '$from', NOW(), '$subject', '$message')";
mysqli_query($dbconnect, $qstring) or die ('Could not connect to store private message.');
mysqli_close($dbconnect) or die ('Failure to close database');

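The difference between a string-built INSERT like the one in this thread and a prepared statement, as an added example that is not part of any post: the same constructed inputs are run through both, and only the prepared statement stores them as plain data. It uses PDO with in-memory SQLite so it runs without a database server; the five-column table, its column names (including `flag` for the trailing `'0'` value) and the two function names are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Runs offline on in-memory SQLite
// through PDO (assumes the pdo_sqlite extension); column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, email TEXT, sex TEXT, datejoined TEXT, flag TEXT)');

// String-built INSERT in the style of the thread: input becomes SQL text.
function insertConcatenated(PDO $db, array $p): void
{
    $db->exec("INSERT INTO users VALUES ('{$p['username']}', '{$p['email']}', "
            . "'{$p['sex']}', 'datejoined', '0')");
}

// Prepared statement: the SQL text is fixed, values travel separately.
function insertPrepared(PDO $db, array $p): void
{
    $stmt = $db->prepare(
        "INSERT INTO users (username, email, sex, datejoined, flag)
         VALUES (:username, :email, :sex, 'datejoined', '0')"
    );
    $stmt->execute([
        ':username' => $p['username'],
        ':email'    => $p['email'],
        ':sex'      => $p['sex'],
    ]);
}

// Constructed inputs (not real data).
$apostrophe = ['username' => "o'brien", 'email' => 'ob@example.test', 'sex' => 'M'];
$crafted    = ['username' => 'mallory', 'email' => 'm@example.test',
               'sex' => "F', 'datejoined', '1') -- "];

try {
    insertConcatenated($db, $apostrophe);  // the quote ends the literal early
} catch (PDOException $e) {
    echo "concatenated, apostrophe: query failed\n";
}
insertConcatenated($db, $crafted);         // trailing column is now input-controlled
insertPrepared($db, $apostrophe);          // stored as typed
insertPrepared($db, $crafted);             // stored as typed, flag stays '0'

foreach ($db->query('SELECT username, sex, flag FROM users') as $row) {
    printf("%-8s sex=%-28s flag=%s\n", $row['username'], $row['sex'], $row['flag']);
}
```

With mysqli the equivalent calls are `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_execute()`. Escaping with `mysqli_real_escape_string()` only protects values that end up inside quotes in the query, which is why binding parameters is the more robust habit.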
OK, FIRST PROBLEM SOLVED (all caps to get your attention, not because I am a n00b).
I still need help with one other thing though (check first post).

Quote:
Original post by greentiger
Quote:
Original post by redfeild
I tried changing the line of code that connects to the database:
Quote:
$con = mysql_connect("isnooky.freehostia.com","*removed*","*blah*");


But now I get this error:
Quote:
Warning: mysql_connect(): Can't connect to MySQL server on 'isnooky.freehostia.com' (111) in /home/www/isnooky.freehostia.com/adduser.php on line 2


I think the problem is the first argument that identifies the server, I'll try some more stuff...


If the webserver is the same server that the database server is on, all you need is localhost for the hostname.

As far as SQL injection, it's a way to escape data in such a way that it can change data you don't want changed, delete data you don't want deleted, or expose your database to a hacker. You should ALWAYS clean your data, either from a $_GET or other form.

The procedural way for cleaning MySQL data is like this:


$dbconnect = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname)
or die ('Error connecting to main database, is SQL running?');
mysqli_select_db($dbconnect, $dbname)
or die ('Could not select database main database, is SQL running?');

$to= mysqli_real_escape_string($dbconnect, $to);
$from= mysqli_real_escape_string($dbconnect, $from);
$subject= mysqli_real_escape_string($dbconnect, $subject);
$message= mysqli_real_escape_string($dbconnect, $textbody);
$qstring= "INSERT INTO pm(recipientid, fromid, postdate, msgsubject, msgtext)
VALUES('$to', '$from', NOW(), '$subject', '$message')";
mysqli_query($dbconnect, $qstring) or die ('Could not connect to store private message.');
mysqli_close($dbconnect) or die ('Failure to close database');


Thank you, I have no clue what any of that does or means, but I will... Do stuff with that.
