1

I very recently started learning php, and with the help of some examples I managed to make this code (mainly from W3Schools):

<?php
$con=mysqli_connect("Data Removed for Privacy");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql= "INSERT INTO EventRecord (PlayerName, EventType, Value, Time)
VALUES
('$_Get[PlayerName]', '$_Get[Event]' ,'$_Get[Value]' ,'$_Get[Time]')";
if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";
mysqli_close($con);
?>

However, when doing something like

http://example.com/MyData.php?PlayerName=Test2&EventType=Test&Value=Test&Time=500

It comes up in my database as all of the values being null.

Additional information: The table has 5 columns, the four noted above and EventId (primary index, auto-incrementing). Sorry if this is a stupid question or I did anything wrong.

  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Dec 17 '13 at 12:09
  • Your SQL code is very vulnerable towards SQL injection. Use prepared statements and bind variables or at *least* escape your variables. – h2ooooooo Dec 17 '13 at 12:10
  • It actually isn't, for the purposes that I'm using this for. Users can't submit their own data. – Articulating Dec 17 '13 at 12:16
  • The only reason it isn't vulnerable is because you are using $_GET wrong. If you fix the problem that is giving you `null` for all your columns, then you will be vulnerable to SQL injection. – Quentin Dec 17 '13 at 12:17
  • If I'm the only one submitting data to the site, how am I vulnerable? – Articulating Dec 17 '13 at 12:19
  • 1
    You can make typos. (Probably not one that will cause a security problem, but quite possibly one that will cause the query to abort). – Quentin Dec 17 '13 at 12:21

4 Answers

5

$_GET is a superglobal array; it should be in block letters, not like $_get.

Some disclaimers >>

  • Never visit www.w3schools.com for browsing resources. You can find the reason here.
  • Never pass foreign parameters like $_GET, $_POST directly into your query as it leads to SQL Injection. Switch to Prepared Statements such that escaping is automatically taken care of.
Shankar Narayana Damodaran
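An added example, not code from the question or any of the answers: the same INSERT rewritten with the correct `$_GET['...']` syntax and a mysqli prepared statement, so request values are bound as data rather than spliced into the SQL text. Connection details are a placeholder, parameter names follow the URL in the question (`EventType`, not `Event`), and the Time column is assumed to be an integer.

```php
<?php
// Added example (not from the question or answers): the INSERT from the
// question done with a mysqli prepared statement. Connection values are
// placeholders; parameter names follow the URL shown in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$con = mysqli_connect("DB_HOST_PLACEHOLDER", "DB_USER_PLACEHOLDER",
                      "DB_PASS_PLACEHOLDER", "DB_NAME_PLACEHOLDER");

// Correct superglobal name ($_GET, case-sensitive) and quoted string keys.
// A missing key gives null instead of an "undefined index" notice.
$playerName = $_GET['PlayerName'] ?? null;
$eventType  = $_GET['EventType'] ?? null;
$value      = $_GET['Value'] ?? null;
$time       = $_GET['Time'] ?? null;

// Validate before touching the database: reject missing fields and a
// non-numeric Time instead of silently storing empty or NULL values.
if ($playerName === null || $eventType === null || $value === null || $time === null) {
    http_response_code(400);
    die('Missing parameter');
}
if (filter_var($time, FILTER_VALIDATE_INT) === false) {
    http_response_code(400);
    die('Time must be an integer');
}
$time = (int) $time; // Time column assumed to be an integer

// The SQL text is fixed; each ? is filled from a bound variable, so a value
// containing quotes or semicolons is stored as a string, never parsed as SQL.
$stmt = mysqli_prepare(
    $con,
    'INSERT INTO EventRecord (PlayerName, EventType, Value, Time) VALUES (?, ?, ?, ?)'
);
// Type string: one character per placeholder, s = string, i = integer.
mysqli_stmt_bind_param($stmt, 'sssi', $playerName, $eventType, $value, $time);
mysqli_stmt_execute($stmt);

echo mysqli_stmt_affected_rows($stmt) . " record added";
mysqli_stmt_close($stmt);
mysqli_close($con);
```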
1

The expressions like $_Get[PlayerName] should be $_GET['PlayerName']. Here's why:

  1. The variable you are trying to use is the reserved variable $_GET. But variable names are case-sensitive, which means that the variables $_Get and $_GET are not the same. So when you try to use $_Get, PHP complains about an "undefined variable".

  2. $_GET is an associative array, which maps integers or strings to values. In your case, it maps the string 'PlayerName' to a value, so you want to pass the string 'PlayerName' to the array index operator. However, the unquoted string PlayerName is interpreted as a constant. This constant is undefined, so PHP complains about an "undefined constant".

jameshfisher
0

It's not

$_Get[PlayerName]

but

$_GET['PlayerName']

Otherwise you won't get the values. Note both the UPPERCASE GET and the single quotes around the name!

Besides that, (Edit, not W3C, but:) W3Schools is NOT a good place to start learning, there are other and better resources available. You should NEVER use the $_GET or $_POST variables straight in your query!!!

Borniet
-1

Try:

$PlayerName=$_GET["PlayerName"];
$Event=$_GET["Event"];
$Value=$_GET["Value"];
$Time=$_GET["Time"];

$sql= "INSERT INTO EventRecord (PlayerName, EventType, Value, Time)
VALUES
('$PlayerName', '$Event' ,'$Value' ,'$Time')";
MillaresRoo