0

My SQL query was working fine just 5 hours ago and now it's not? I have not touched a thing.

Can someone please help me get to the bottom of this, it should get the users ip address and store it in the table along with the current time and date, its not inserting anything, would appreciate some help.

Here is my table:

+-------------------------------------------------------------+
|session_id |    user_ip     |    session_start  | session_end|
|===========|================|===================|============|
|          1|  192.135.123.13|   23:02:20 10:23  | NULL       |
+-------------------------------------------------------------+

Here is my SQL:

// GET IP ADDRESS
 $sql = "INSERT INTO ptb_sessions (session_id, user_ip, session_start, session_end) VALUES (NULL, '" . $_SERVER['REMOTE_ADDR'] . "', now(), NULL);"; 
 mysql_query($sql, $connection); ?>
Chris
  • 2,955
  • 1
  • 30
  • 43
John Bell
  • 21
  • 1
  • 5
    Please, read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). You cannot write queries this way without eventually getting into serious trouble. – tadman May 02 '13 at 20:36
  • 2
    @tadman where is here a sql-inj possiility? You cannot influence the REMOTE_ADDR from outside... – bwoebi May 02 '13 at 20:38
  • as i said nothing gets inserted into the table, absolutely no errors, just nothing happens – John Bell May 02 '13 at 20:39
  • that's an `INSERT` statement, and it'll not `// GET IP ADDRESS` – Ejaz May 02 '13 at 20:39
  • 3
    It is possible to set `REMOTE_ADDR` with clever abuse of headers, but it doesn't matter. Escape **any** and **all** values put into your statement. No excuses. No assumptions. You will get burned in the worst possible way if you write code like this. – tadman May 02 '13 at 20:40
  • @bwoebi yes, yes you can influence the remote_addr from outside. And it's very easy to do might I add. – Tymoteusz Paul May 02 '13 at 20:40
  • If it's not inserting, there has to be an error. Maybe you have `error_reporting` turned off? Try doing `mysql_query() or die(mysql_error());` – Ayush May 02 '13 at 20:41
  • Could you show the structure of your sql table ? – nicolas May 02 '13 at 20:41
  • im not sure why it was working fine for weeks and weeks and now its just stoped doing anything – John Bell May 02 '13 at 20:42
  • Put some error handling `echo $sql; $result = mysql_query($sql, $connection); if (!$result) die('Error: ' . mysql_error());` and post output from echo $sql and error message if any – peterm May 02 '13 at 20:42
  • One way that works on some servers with default configurations is [X-Forwarded-For](http://en.wikipedia.org/wiki/X-Forwarded-For). Also, never, ever rule out buffer overflow exploits that could set these variables to just about anything. You **cannot** trust user data. Period. – tadman May 02 '13 at 20:42
  • is one of your session_id or session_end a NOT NULL column? – Chris May 02 '13 at 20:42
  • @tadman PHP engine is working after the Network layer, so yes its posible to spoof it, but just with some fake IP addresses. But I agree with you on always escaping! – S.Visser May 02 '13 at 20:45
  • @tadman If your webserver is too dumb; no wonder; but normally there shouldn't be never a problem? right? – bwoebi May 02 '13 at 20:46
  • @tadman yes, there's a law along the lines of `A thing that can go wrong, will go wrong`. I presume it's from @CaptainObvious lol :D – Ejaz May 02 '13 at 20:49
  • p.s.: @tadman with a buffer overflow you also could replace the escaping function. This is no excuse^^ – bwoebi May 02 '13 at 20:50
  • @bwoebi It's user data. Escape it. Stop fussing about hypotheticals. Never, ever assume user data is safe unless you've validated it or escaped it for the appropriate context. – tadman May 02 '13 at 20:55
  • @tadman I never considered the remote_addr as user data, only as data about the user... – bwoebi May 02 '13 at 20:56
  • It's coming from an untrusted external source, and as it can be specified by the user in the headers, it's user data. – tadman May 02 '13 at 21:05
  • What about **debug** your query with something like mysql_query($sql, $connection) or die('Invalid query: ' . mysql_error()); Then I would like to remember you that `mysql_` functions are deprecated so i would advise you to switch to [`mysqli`](http://php.net/manual/en/book.mysqli.php) or [`PDO`](http://php.net/manual/en/book.pdo.php). Furhermore you are at risk of `sql injection`, have a look here http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php. You should use prepared statement to avoid any risk – Fabio May 02 '13 at 20:42

2 Answers2

0

Go step by step.

  1. Try inserting the simplest data with values sets to (1, '127.0.0.1', now(), now())
  2. If it is ok, try adding the $_SERVER['REMOTE_ADDR'] instead of 127.0.0.1

Be careful with case in tables and columns names.

If the 1 does not work in your PHP code, try to execute your SQL insert directly with a MySQL GUI (MySQL Workbench for example), an error should be raised.

If the insertion works fine with a MySQL GUI, then check your connection parameters in PHP.

Damien
  • 352
  • 3
  • 11
0

add this $user_ip= $_SERVER['REMOTE_ADDR'];

should be like this

$sql = "INSERT INTO ptb_sessions (session_id, user_ip, session_start, session_end) VALUES ('$session_id', '$user_ip', '$session_start', '$session_end')";
MidWinterNight
  • 51
  • 1
  • 5