  1. #1
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    318

    No posted values stored in db

    Below is the form processing code. I am getting only the date and IP address in the database; none of the fields posted by the users are stored.

    [php]<?php
    session_start();

    if (!isset($_SESSION['token']))
    {
        session_regenerate_id();
        $_SESSION['token'] = true;
    }//check for token

    if (isset($_POST['token']) && isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
    {//token is correct
        $token_age = time() - $_SESSION['token_time'];
        if ($token_age >= 300)
        {//token correct but timeout
            echo "detected a Timeout!";
            exit;
        }
        if(isset($_POST['secCode']) && isset($_SESSION['secCode']) && $_POST['secCode'] == $_SESSION['secCode'] )
        {
            // correct security code, now validate name and other field
            if(isset($_POST['name']))//name field is set
            {
                $n = $_POST['name'];
                if (strlen($n) > 0 && strlen($n) < 31) //valid and sql friendly name now in $name
                {
                    $name = mysql_real_escape_string($_POST['name']);
                }
                else {
                    // $n is not valid
                    echo "recommends you to fill your name properly.";
                }
            }
            else {
                //name not set
                echo "detected that you left the name field blank.";
            }

            //validation for next field

            if(isset($_POST['title']))//title field is set
            {
                $n = $_POST['title'];
                if (strlen($n) > 0 && strlen($n) < 61 ) //valid and sql friendly title now in $title
                {
                    $title = mysql_real_escape_string($_POST['title']);
                }
                else {
                    // $n is not valid
                    echo "recommends you to fill your title properly.";
                }
            }
            else {
                //title not set
                echo "detected that you left the title field blank.";
            }

            //validation for next field
            if(isset($_POST['content']))//content field is set
            {
                $content = mysql_real_escape_string($_POST['content']);
            }
            else {
                //content not set
                echo "detected that you left the content field blank.";
            }

            $date = strtotime("now");
            $ip = $_SERVER['REMOTE_ADDR'];

            $con = mysql_connect("localhost","root","pass");
            if (!$con){
                die('Could not connect: ' . mysql_error());
            }
            mysql_select_db("sql", $con);
            //connect to db
            $sql="INSERT INTO wow (contributed_by,title,content,date,trusted,ip)VALUES('$name','$title','$content','$date','0','$ip')";
            mysql_query($sql) or die(mysql_error());
            mysql_close($con);

            echo "received the content you shared.";
        }
        else {
            // security code is invalid
            echo "detected an invalid code.";
            exit;
        }
    }
    else
    {
        echo "Wrong data!";
        exit;
    }

    ?>

    <html>
    <body>
    <form action="post.php" method="post">
    <input type="hidden" name="token" value="<?php echo $token; ?>" />
    <table border="0" cellspacing="0" cellpadding="4">
    <tr><td>Name: </td><td><input type="text" name="name" size="30" maxlength="30" /></td></tr>
    <tr><td>Title: </td><td><input type="text" name="title" size="30" maxlength="30" /></td></tr>
    <tr><td>Content: </td><td><textarea name="content" rows="10" cols="30"></textarea></td></tr>
    <tr> <td>Code: </td>
    <td>
    <input type="text" name="secCode" maxlength="6" style="width:50px" size="20"> <b>&laquo;</b>
    <img src="../../includes/seccode.inc.php" width="71" height="21" align="absmiddle"></td>
    </tr>
    <tr><td><input type="submit" /></td></tr></table>

    </form>
    </body>
    </html>
    [/php]

  2. #2
    Theoretical Physics Student Jake Arkinstall
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    First thing that I noticed is that in your mysql INSERT query you have a space in $content (you put $conten t).

    Before running the query, echo $sql, then post it here.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded"-Molona

  3. #3
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    318

    Quote: Originally Posted by arkinstall
    First thing that I noticed is that in your mysql INSERT query you have a space in $content (you put $conten t).

    Before running the query, echo $sql, then post it here.

    I checked; it's correct. It shows as conten t on the forum, but in the actual code it's OK.

    In the if loops, when the name, title and content are validated, I use

    Code:
    $title = mysql_real_escape_string($_POST['title']);
    and similar for name and content.


    After I write $sql I get
    INSERT INTO wow (contributed_by,title,content,date,trusted,ip)
    VALUES('','','','1187774608','0','59.178.76.27')

  4. #4
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    318

    PHP Code:
    if(isset($_POST['name']))//name field is set
    {
        $n = $_POST['name'];
        if (strlen($n) > 0 && strlen($n) < 31) //valid and sql friendly name now in $name
        {
            echo $name;
            echo " before escape is printed\n";
            $name = mysql_real_escape_string($_POST['name']);
            echo $name; // <----- not printed
            echo " after escape is printed";
        }
        else {
            // $n is not valid
            echo "Hoptic recommends you to fill your name properly.";
        }
    }
    else {
        //name not set
        echo "Hoptic detected that you left the name field blank.";
    }

    //validation for next field ...

    Above is part of the actual code. I am validating the data, and if it is valid I am cleaning it as shown. For debugging, when I use the above code, $name is not echoed after mysql_escape(). However, $name before the mysql escape is printed.

    What I think is that after applying mysql escape to the variable it is converted into some SQL-compatible code, so it cannot be printed. That means the escape should be done just before sending data to the db. Any other explanation for this problem?

  5. #5
    Sell crazy someplace else markl999
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    mysql_real_escape_string requires an active MySQL connection (or it tries to create one with default values). Your code doesn't call mysql_connect() until later on in the script; put the mysql_connect() higher up the code, above any mysql_real_escape_string() calls.
    You're probably getting WARNINGS you're not seeing due to your error_reporting level; you could also put error_reporting(E_ALL); ini_set('display_errors', 1); at the top of the script to make sure you'll see any Warnings/Notices.
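
An added example, not code from the thread or its posters: the same insert written with PDO bound parameters, so nothing depends on calling an escape function after the connection exists, and a failed validation stops the insert instead of storing blank columns. In-memory SQLite stands in for the MySQL server so the script runs offline; the helper names, the content length cap and the sample input are assumptions, while the `wow` table and its columns are the ones from the first post.

```php
<?php
// Added example: validate_post() and save_contribution() are hypothetical helpers.
// In-memory SQLite stands in for MySQL so the script runs without a server.
$pdo = new PDO('sqlite::memory:');            // connect FIRST, before touching input
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface errors, no silent ''
$pdo->exec('CREATE TABLE wow (contributed_by TEXT, title TEXT, content TEXT,
                              date INTEGER, trusted INTEGER, ip TEXT)');

/** Validate the three form fields; returns [cleanValues, errors]. */
function validate_post(array $post): array
{
    // name and title limits match the thread's checks; the content cap is assumed
    $limits = ['name' => 30, 'title' => 60, 'content' => 65535];
    $clean = [];
    $errors = [];
    foreach ($limits as $field => $max) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '' || strlen($value) > $max) {
            $errors[] = "$field is missing or longer than $max bytes";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

/** Insert one row with bound parameters; returns false when validation fails. */
function save_contribution(PDO $pdo, array $post, string $ip): bool
{
    [$clean, $errors] = validate_post($post);
    if ($errors) {
        return false;                         // never insert a half-empty row
    }
    $stmt = $pdo->prepare(
        'INSERT INTO wow (contributed_by, title, content, date, trusted, ip)
         VALUES (:name, :title, :content, :date, 0, :ip)'
    );
    return $stmt->execute([
        ':name' => $clean['name'], ':title' => $clean['title'],
        ':content' => $clean['content'], ':date' => time(), ':ip' => $ip,
    ]);
}

// Constructed sample input (not from the thread); 192.0.2.10 is a documentation address.
$ok  = save_contribution($pdo, ['name' => "O'Brien", 'title' => 'Hi', 'content' => "it's"], '192.0.2.10');
$bad = save_contribution($pdo, ['name' => '', 'title' => 'Hi', 'content' => 'x'], '192.0.2.10');
var_dump($ok, $bad, $pdo->query('SELECT contributed_by FROM wow')->fetchAll(PDO::FETCH_COLUMN));
```

Against a real MySQL server only the DSN changes (for example `mysql:host=...;dbname=...;charset=utf8mb4`); the quotes in the sample values are stored as data because they never become part of the SQL text.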

  6. #6
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    318

    Quote: Originally Posted by markl999
    mysql_real_escape_string requires an active MySQL connection (or it tries to create one with default values). Your code doesn't call mysql_connect() until later on in the script; put the mysql_connect() higher up the code, above any mysql_real_escape_string() calls.
    You're probably getting WARNINGS you're not seeing due to your error_reporting level; you could also put error_reporting(E_ALL); ini_set('display_errors', 1); at the top of the script to make sure you'll see any Warnings/Notices.

    Just perfect, I have no other words for that! You pointed out the right thing: I require a connection to the db before calling mysql escape string. You made my day, mark. Thanks again ;>

