• Welcome to The Cave of Dragonflies forums, where the smallest bugs live alongside the strongest dragons.

    Guests are not able to post messages or even read certain areas of the forums. Now, that's boring, don't you think? Registration, on the other hand, is simple, completely free of charge, and does not require you to give out any personal information at all. As soon as you register, you can take part in some of the happy fun things at the forums such as posting messages, voting in polls, sending private messages to people and being told that this is where we drink tea and eat cod.

    Of course I'm not forcing you to do anything if you don't want to, but seriously, what have you got to lose? Five seconds of your life?

Comments System not Working...

42aruaour

42aruaour

Time: I come from the past. O.o
Pronoun
he
I want people to be able to add comments to my weblog, but I can't figure out why I can't update MySQL tables for it to work. I've spent quite a while working on this, but am unable to get it to work. Skip the next section if you don't care about specs.

I used HTML5, CSS3, PHP 5.3.25, Javascript (very minimal), and MySQL 5.1.68 in my blog so the code was minimal, only needing to put the blog entry into MySQL. It runs on Apache 2.2.2 and I do not have control over the server physically, I can only access it through cPanel.

The only way I can add or remove any table entries is through PHPMyAdmin. I know that I should be able to add entries to MySQL from the weblog on the host that I'm using, but I don't really know SQL the best, so I can't quite be sure that I'm doing it correctly. there might be a problem in the PHP too, but I don't think so.

Here's the code. (This is for adding blog entries) The database is named "a_database", the table is named "Entries", and the host is 127.0.0.1 or "localhost".
Form code:
Code: 
<form method="post" action="submit.php">
ID: <input type="text" name="id"><br>
Date: <input type="text" name="date"><br>
Time: <input type="text" name="time"><br>
Title: <input type="text" name="title"><br>
Link: <input type="text" name="link"><br>
Content: <textarea name="content" cols="100" rows="10"></textarea><br>
Search: <textarea name="search" cols="100" rows="10"></textarea><br>
<input type="submit" value="Submit">
</form>

PHP code (submit.php):
Code: 
<?php

$id = $_POST["id"];
$date = $_POST["date"];
$time = $_POST["time"];
$title = $_POST["title"];
$link = $_POST["link"];
$content = $_POST["content"];
$search = $_POST["search"];

$con = mysql_connect("localhost","*uname*,"*pword*");
if (!$con)
{
	die('Could not connect: ' . mysql_error());
}

mysql_select_db("a_database", $con);

$query = "INSERT INTO a_database.Entries VALUES ( " . $id . ", '" . $date . "', '" . $time . "', '" . $title . "', '" . $link . "', '" . $content . "', '" . $search . "' )";
$result = @mysql_query( $query );

echo("I dont think there are any problems?");

mysql_close($con);
?>
Sorry, I had deleted the comments submission code before I thought about asking here. The script above is called on form submission.

Thanks for any help!
Adam
 
42aruaour said:
Code: 
$query = "INSERT INTO a_database.Entries VALUES ( " . $id . ", '" . $date . "', '" . $time . "', '" . $title . "', '" . $link . "', '" . $content . "', '" . $search . "' )";
$result = @mysql_query( $query );
Click to expand...

please don't do this, use parameterised queries or something to that effect, but really please don't interpolate arbunsafe strings into ... um anything, really, anything that's going anywhere. also read this, I'd appreciate if everyone using php read this, but even if you don't, at least read the other two links and pdo docs.

more pertinent, really don't suppress your errors (that's still what @ does in php, right). if something is going wrong you want to know what's going wrong; quiet failure is ... a bug, unless that's what you really want to do (it's not).

offhand, I'd guess there could be a problem is with specifying a_database in the query; but I haven't dealt with databases not sqlite so I'm likely to be wrong.

if you take out the error-suppression, it would probably tell you, though.

Sorry, I had deleted the comments submission code before I thought about asking here. The script above is called on form submission.
Click to expand...

source control helps. this is an okay introduction, I think.
 
Thanks. Actually that code there was made all the way from when I started the website, but I never uploaded it so it was never updated to prevent SQL injection. I really do not like PHP, but it's really the best I can do for a web platform for now. I mean, I'm still fixing things here and there, and it's really annoying how every update breaks 40 commands and adds 45 new commands. I never knew there was a CGI wrapper for C, so when I get the time, I'm going to rewrite in C or WebPy. Also, I never realized that I put the @ there before, so I'll remove it. I typically hate suppression and such.
Thanks for the help and everything. I read all the links, and I do agree with the one against PHP. By the way... is there something like web.py for C but not a wrapper? I don't appreciate wrappers very much.
 
You must log in or register to reply here.
Back
Top Bottom