Re: Adding a record to a database [message #175102 is a reply to message #175100]
Mon, 15 August 2011 12:46
Jerry Stuckle
On 8/15/2011 8:35 AM, Charles wrote:
> I'm trying to add a record to a database, and it's not working
> properly.
>
> The general thought is to call a data entry form, fill in the form,
> and use the $_POST(array) process to pass the data from the form to a
> php script that handles adding the record to the database.
>
> The only trick part of the php script is using a hidden field to pass
> the name of the data entry form to a SWITCH statement. I'm trying to
> keep the site directory uncluttered and the scripting organized, and I
> understand this works.
>
It is also very insecure and can leave your site wide open to hackers.
> I'm getting Error 500 as I test the script, so I think I have
> something coded incorrectly in the script, or I have something
> missing. Other php-based web applications work fine, so I suspect I
> have php correctly installed.
>
Enable errors and display them. In your php.ini file for your test
system you should have:
error_reporting=E_ALL ; or E_ALL | E_NOTICE
display_errors=on
> Here's the coding:
>
> =====================
>
> <?php
>
> /*<!-- This starts the switch statement. The variable passed to
> control iteration
> is the $_Push(switch) variable set in the first (hidden) field in a
> data entry form.
> The value contained in the variable is the case predicate
>
> */
>
>
> switch ($_Push(switch)) {
>
Where is $_Push(switch) coming from? And BTW it should be 'switch'.
What is in the $_Push array? I suspect it's empty.
> /*======================================================*/
>
> case "cab_vehicle_data_entry_add_a_vehicle":
>
>
>
> $con = mysql_connect("*********","****","******");<<These are fine
> if (!$con)
> {
> die('Could not connect: ' . mysql_error());
Bad practice. Handle the error - don't terminate the script with an
error message.
> }
>
> mysql_select_db("taxicab", $con);
>
> $sql="INSERT INTO
> cab_vehicle (cab_vehicle_make, cab_vehicle_model,
> cab_vehicle_edition,
> cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,
> cab_vehicle_registration_number,
> cab_vehicle_reg_exp_month, cab_vehicle_reg_exp_year,
> cab_vehicle_pax_capacity,
> cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)
>
> VALUES
>
>
> ('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST[Month]','$_POST[year]',
> '$_POST[VIN]','$_POST[Registration]','$_POST[reg_exp_month]','$_POST[reg_exp_year]',
> '$_POST[pax_capacity]','$_POST[cargo_cubic_feet]','$_POST[cargo_weight_lbs]') ";
>
Google for 'SQL Injection'. Then see how a hacker could easily wipe out
your database.
> if (!mysql_query($sql,$con))
> {
> die('Error: ' . mysql_error());
Same comment as before.
> }
> echo "1 record added";
>
> mysql_close($con)
>
> break;
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
>
> }
>
>
> ?>
So find your problem - then straighten out your code per the other
comments I made above.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
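The three points raised in this reply (a whitelisted hidden field, errors handled rather than `die()`d, and no form values interpolated into SQL) applied to the same INSERT, as an added example that is not the code of either poster. It assumes the mysqli extension and the `cab_vehicle` table and form field names from the original post; the host and credentials are placeholders.

```php
<?php
// Added example, not the thread's code: the same INSERT with the hidden form
// field checked against a whitelist and every user value passed as a bound
// parameter, so it is never interpreted as SQL. Assumes the mysqli extension
// and the cab_vehicle table from the post; the credentials are placeholders.

// Development settings only; production should log rather than display errors.
error_reporting(E_ALL);
ini_set('display_errors', '1');
// Make mysqli throw on failure instead of returning false, so nothing is missed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
function addVehicle(mysqli $con, array $post): int
{
    // Fixed column list; the '?' placeholders receive the user input.
    $sql = 'INSERT INTO cab_vehicle (cab_vehicle_make, cab_vehicle_model,'
         . ' cab_vehicle_edition, cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,'
         . ' cab_vehicle_registration_number, cab_vehicle_reg_exp_month,'
         . ' cab_vehicle_reg_exp_year, cab_vehicle_pax_capacity,'
         . ' cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)'
         . ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $fields = ['Make', 'Model', 'Edition', 'Month', 'year', 'VIN', 'Registration',
               'reg_exp_month', 'reg_exp_year', 'pax_capacity', 'cargo_cubic_feet',
               'cargo_weight_lbs'];
    // A missing field becomes '' instead of raising an undefined-index notice.
    $values = array_map(fn($f) => trim((string) ($post[$f] ?? '')), $fields);
    $stmt = $con->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return $stmt->affected_rows;
}

// The hidden field only selects a handler from this map; it never reaches SQL.
$handlers = ['cab_vehicle_data_entry_add_a_vehicle' => 'addVehicle'];
$action = $_POST['switch'] ?? '';
if (!isset($handlers[$action])) {
    http_response_code(400);
    exit('Unknown form');
}

try {
    $con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'taxicab');
    $rows = $handlers[$action]($con, $_POST);
    echo "$rows record added";
} catch (mysqli_sql_exception $e) {
    // Handle the failure: log the detail for the developer, show a generic message.
    error_log('cab_vehicle insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not add the record';
}
```

With `display_errors` on, a parse error such as a missing semicolon is reported in the browser instead of surfacing only as a bare HTTP 500.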