|
PHP - Is This Pdo Database Connection/ Insertion Secure From Injection?
<?php
if(isset($_POST['submit'])){
$uname = $_POST['username'];
$pword = $_POST['password'];
/*** mysql hostname ***/
$hostname = 'localhost';
/*** mysql username ***/
$username = 'root';
/*** mysql password ***/
$password = 'anty90';
try {
$link = new PDO("mysql:host=$hostname;dbname=gambling", $username, $password);
/*** echo a message saying we have connected ***/
echo 'Connected to database<br />';
/*** INSERT data ***/
$stmt = $link->prepare("INSERT INTO gamb(username, password) VALUES (?, ?)");
try{
$stmt->execute(array("$uname", "$pword"));
} catch(PDOException $e){
echo "Exception caught: $e";
}
/*** echo the number of affected rows ***/
//echo $count;
/*** close the database connection ***/
$link = null;
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
?>
<html>
<form action='home.php' method='post'>
<input type="text" name="username" >
<input type="password" name="password" >
<input type="submit" name="submit" value="submit">
</form>
</html>
I'm new to databse programming so I was just wondering if this was vulnerable to sql injection or not.
Similar TutorialsI'm connecting to my database using the following... @ $db = new mysqli('host', 'username', 'password', 'database') The .php file that is connecting to the database is in my root (htdocs) folder on the server. I know that I am not supposed to put my actual 'host', 'username', 'password', 'database' inside the mysqli function for security purposes. I know that I am supposed to put variables in instead. But here is where I am confused. Where do I set those variables? Do I set them in another file and include that file? If so, where do I store the file that holds the passwords, and what prevents a hacker from simply navigating to that file? Thanks for the help <?php include ("database.php"); // show comments $result = mysql_query("SELECT * FROM gamecomments"); while($row = mysql_fetch_array($result)) { echo $row['username'] . ": <Br> " . $row['comment']; echo "<p>"; } ini_set ("display_errors", "1"); error_reporting(E_ALL); if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } I'm trying to learn writing php scripts with html-simple-dom. I am scrapping my website with html-simple-dom and the below code, but I am running into an issue with inserting the scrapped data into my database. This code scraps the website and grabs the html data I want. Code: [Select] $ret = $html->find('table[class=data] tr'); foreach($ret as $visitor){ $visitor = $visitor->find('td','1') . "<br>"; $insert="INSERT INTO $dbtable (visitor) VALUES ('$visitor')"; mysql_query($insert) OR die(mysql_error()); } But this is being inserted into the database "visitor" field. Code: [Select] <td colspan="1" rowspan="1" style="text-align: left;"><a style="border-bottom:1px dotted;" onclick="loadTeamSpotlight(jQuery(this));" rel="HEN" href="javascript:void(0);">HENRY</a></td><br> I only want "HENRY" to be extracted out of the html code above and inserted into the database table. Any help would be greatly appreciated, as I have been pulling my hair out trying to figure this out. Do I need to use explode or something? Thanks, Code: [Select] //enter into btree ---------------------------------------------- $sql_plevel='select nlevel from btree where uniqueid = '.$formjoinedunder; $abc = mysql_query($sql_plevel , $db) $result_plevel = mysql_fetch_assoc($abc) or die(mysql_error()); $plevel = $result_plevel['nlevel'] + 1; $insert_btree = 'INSERT INTO btree (uniqueid,nlevel,pside) VALUES ('.$reguniqueid.','.$plevel.','.$formposition.')'; mysql_query($insert_btree , $db) or die(mysql_error()); Can any one please tell me what is the problem in the above code it does not insert into the table btree. Hi All, I am using the PHP Simple HTML DOM parser to connect to a financials website, parse out a companies financial information (Income statement in this case) and then insert the scrapped data into a mysql database that I can then later use to run automated calculations. Here is the code I have so far: Code: [Select] <?php include_once 'simple_html_dom.php'; //Connect to financial Website and Create DOM from URL $income_statement = file_get_html('http://www.WEBSITE.com/finance?etc..etc...etc...etc...'); //PULL FINANCIAL DATA foreach($income_statement->find('td[class]' ) as $lines=>$data) { echo $data->plaintext . "<br/>"; } // clean up memory $html->clear(); unset($html); ?> So far I am able to get output that looks like this: Code: [Select] Revenue 336.57 331.52 324.32 319.29 320.40 Other Revenue, Total - - - - - Total Revenue 336.57 331.52 324.32 319.29 320.40 etc............................. But being a newb I do not understand how I can break each $ value and each - into their own variables and then insert them to their corresponding mysql table fields. During the database insert I would like to ignore field headings from insertion (i.e Revenue, Total Revenue, etc.... Any help would be absolutely amazing, as I have been reading, scripting and searching for information like crazy, but just can't seem to figure it out. after cloasing connection of database i still got the values form database. Code: [Select] <?php session_start(); /* * To change this template, choose Tools | Templates * and open the template in the editor. */ require_once '../database/db_connecting.php'; $dbname="sahansevena";//set database name $con= setConnections();//make connections use implemented methode in db_connectiong.php mysql_select_db($dbname, $con); //update the time and date of the admin table $update_time="update admin set last_logged_date =CURDATE(), last_log_time=CURTIME() where username='$uname'limit 3,4"; //my admin table contain 5 colums they are id, username,password, last_logged_date, last_log_time $link= mysql_query($update_time); // mysql_select_db($dbname, $link); //$con=mysql_connect('localhost', 'root','ijts'); $result="select * from admin where username='a'"; $result=mysql_query($result); mysql_close($con); //here i just check after closing data baseconnection whether i do get reselts but i do, why? echo "after the cnnection was closed"; if(!$result){ echo "cont fetch data"; }else{ $row= mysql_fetch_array($result); echo "id".$row[0]."usrname".$row[1]."passwped".$row[2]."date".$row[3]."time".$row[4]; } // echo "<html>"; //echo "<table border='1' cellspacing='1' cellpadding='2' align='center'>"; // echo "<thead>"; // echo"<tr>"; // echo "<th>"; // echo ID; // echo"</th>"; // echo" <th>";echo Username; echo"</th>"; // echo"<th>";echo Password; echo"</th>"; // echo"<th>";echo Last_logged_date; echo "</th>"; // echo "<th>";echo Last_logged_time; echo "</th>"; // echo" </tr>"; // echo" </thead>"; // echo" <tbody>"; //while($row= mysql_fetch_array($result,MYSQL_BOTH)){ // echo "<tr>"; // echo "<td>"; // echo $row[0]; // echo "</td>"; // echo "<td>"; // echo $row[1]; // echo "</td>"; // echo "<td>"; // echo $row[2]; // echo "</td>"; // echo "<td>"; // echo $row[3]; // echo "</td>"; // echo "<td>"; // echo $row[4]; // echo "</td>"; // echo "</tr>"; // } // echo" </tbody>"; // echo "</table>"; // echo "</html>"; session_destroy(); session_commit(); echo "session and database are closed but i still get values from doatabase session is destroyed".$_SESSION['admin']; ?> session is destroyed but database connection is not closed. thanks Hi there, I have this connect script I have made. I was wondering if it's secure or not, if not... What would be a good way to do so... Code: [Select] <?php class connect{ public $host = "localhost"; public $dbuser = ""; public $dbpass = ""; public $db = ""; } $connect = new connect(); mysql_connect($connect->host,$connect->dbuser,$connect->dbpass) or die("Could not connect!"); mysql_select_db($connect->db); ?> <?php class UserQuery { public function Adduser($id,$username,$email,$password) { $conn = new Config(); $sql =("INSERT INTO test.user (id, username, email, password) VALUES ('$id', '$username', '$email',$password)"); $conn->exec($sql); } }
getting an "exec doesnt exist " error, saying exec doesnt exist in my db file. it doesnt need to exist does it ? anyone any idea why ?
hey i need help im tryig to get information from my user and then process it in my database so i can use it to log them to a different web site im trying to use this method to get the information from the user but need help to get it please help me. Code: [Select] //make the database connection. $conn = mysql_connect("localhost", "Black Jack"); mysql_select_db("chaper7", $conn); //create a query $sql = "SELECT * FROM hero"; $result = mysql_query($sql, $conn); On some occasions I need to connect to a second and third database in the same script (maybe 5% of scripts have at least a second connection). Usually I would just select the new database. However, my host requires different users to be created for each database. What is the best way to do this? Close current connection (say db1) and open new (say db2) OR keep all open, creating 2nd and 3rd connections. I am happy with the design of my database, and don't want to merge all these tables into one db. Overall I am still happy with my host, so I'd rather not change. Hello guys. Trying to connect php with mysql database and then display results on the screen. This is my code: Code: [Select] <?php $dbhost = "localhost"; $dbuser = "username1"; $dbpass = "password1"; $db = "username1_myDB"; $connection = mysql_connect($dbhost, $dbuser, $dbpass) or die ("Could not connect"); mysql_select_db($connection, $db); $show = "SELECT Name, Description FROM people"; $result = mysql_query($show); while($show = mysql_fetch_array($result)){ $field01 = $show[Name]; $field02 = $show[Description]; echo "id: $field01<br>"; echo "description: $field02<p>"; } ?> However im getting this: Warning: mysql_select_db() expects parameter 1 to be string, resource given in /home/pain33/public_html/index.php on line 20 Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/pain33/public_html/index.php on line 26 Any ideas how to fix this? Thank you. Hey,
I'm really new to PHP and having some difficulties with $_SESSION and getting userid from the database. I've managed to put content to my database and also a login script. Though, adding sessions has been a pain. Here's what I got so far:
$sql = "SELECT username, password FROM users WHERE username = '$username' and password = '$pas'";
$query_login = $db->prepare($sql);
$query_login->execute(array('userid' => $userid, 'username' => $username, 'password' => $pas));
$result = $query_login->rowcount();
if ($result>0)
{
session_start();
$_SESSION['username'] = $username;
$_SESSION['logged'] = 1;
$_SESSION['userid'] = $result['userid'];
header('Location: ../user/user.php');
}
When you open a database connection, how long does it stay open for? I have a "Change E-mail Address" script that has 4 queries in it, and I just realized that I don't create a DB Connection until Query #2 in my script, yet things work fine?! Is it possible that the DB Connection was opened earlier by another script and it is just persisting?? Debbie The Script:
pdo_connect.php:
<?php $dsn = "mysql:host=localhost;dbname=2354"; $db = new PDO($dsn, "root", ""); ?>pdo_test.php:
<?php
try{
require_once("pdo_connect.php");
}catch(Exception $e){
$error = $e->getMessage();
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Database Connection with PDO</title>
</head>
<body>
<h1>Connection with PDO</h1>
<?php
if($db){
echo "<p>Connection successful.</p>";
}elseif(isset($error)){
echo "<p>$error</p>";
}
?>
</body>
</html>
I have just watched a tutorial and tried out this script. The issue is that I am getting the following notice alongside with the error message:
Notice: Undefined variable: db in C:\xampp\htdocs\oophp\pdo_test.php on line 18 SQLSTATE[HY000] [1049] Unknown database '2354'By the way this notice does happen in the tutorial as well. My question is: How to have this in ways, where the notice does not occur? Hi guys, I get the following error when trying to connect Warning: mysql_connect() [function.mysql-connect]: Can't connect to MySQL server on '72.18.129.104' (10061) in C:\Domains\crysvis.com\wwwroot\include\dbConnectAndSelect.php on line 8 Here's the code $host = "72.18.129.104"; $user = "deltron"; $pass = "masterconn"; $db = "customers"; $conn = mysql_connect("$host","$user","$pass"); if(!$conn) errorHandler("Msg 10:\nCould not connect to database with $host,$user,$pass in ". $_SERVER["PHP_SELF"]."\nCustId = $CustId\nmysql_error() = ".mysql_error()); if(!mysql_select_db("$db",$conn)) errorHandler("Msg 11:\nCould not select db=$db in ". $_SERVER["PHP_SELF"]."\nCustId=$CustId\nmysql_error() = ".mysql_error()); ?> What am I doing wrong? Any help will be appreciated Through out my program I have used global $mysqli; as a connection to my database - this has worked fine so far. Now I have called $sql_statement = "SELECT * FROM items WHERE name='$itemName'"; $itemStats = mysqli_fetch_array(mysqli_query($mysqli, $sql_statement), MYSQLI_ASSOC); via a function and I get the following warnings - Quote Warning: mysqli_query() expects parameter 1 to be mysqli, null given in /functions/getdata.php on line 27 Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, null given in /functions/getdata.php on line 27 it still works though and returns the correct information. If I take the code out of the function and use it normally then I get no Warnings - but this defeats the whole purpose of having functions! How do I get rid of the warnings? (and no, I don't mean turn the warnings off ) Hi, For school, I need to build a site and this site has to have a few applications. One of the applications, I have to make is to make a script that makes it possible to upload a file and it has to put this file in a online database. Now, I'm just trying to put it in a local database. My code doesn't give an error, but it doesn't work either. The file doesn't get into the database. I can't figure out why. I hope you can help me? Thanks in advance! Lize how do I use a connection file (connection.php) in multiple programs? I think include? |
|||||||