1.) mysql is now deprecated; use mysqli. From http://us2.php.net/manual/en/intro.mysql.php:
This extension is deprecated as of PHP 5.5.0, and is not recommended
for writing new code as it will be removed in the future. Instead,
either the mysqli or PDO_MySQL extension should be used. See also the
MySQL API Overview for further help while choosing a MySQL API.
2.) Are you seriously setting $_GET data into your database?
3.) Are you seriously setting $_GET data into your database without escaping it? ALWAYS escape user provided data when putting it into your database unless you enjoy getting hacked by Chinese government sponsored hackers (or Russian, or Netherlands, or Brazil... or less common countries, but those are the most common as far as I've been hack attempted).
See the docs for mysqli_real_escape_string: http://us2.php.net/manual/en/mysqli.real-escape-string.php
2.) Where are you getting that INSERT format from? In MySQL the format is:
INSERT INTO table_name VALUES (value1, value2, value3,...)
From: http://www.w3schools.com/php/php_mysql_insert.asp
Personally, I prefer the other INSERT format:
INSERT [LOW_PRIORITY | DELAYED | HIGH_PRIORITY] [IGNORE]
    [INTO] tbl_name
    [PARTITION (partition_name,...)]
    SET col_name={expr | DEFAULT}, ...
    [ ON DUPLICATE KEY UPDATE
      col_name=expr
        [, col_name=expr] ... ]
4.) What is your table name? I see a DB name, and I THINK a column name, and then a value...
So I'd change your INSERT statement to this:
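// $link is the connection returned by mysqli_connect(); the procedural
// mysqli functions take it as their first argument.
$value = mysqli_real_escape_string($link, $_GET['param']);
$sql = 'INSERT INTO `table_name` SET `column`="'.$value.'";';
$result = mysqli_query($link, $sql);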
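
The same INSERT written with a bound parameter instead of string escaping, as an added example that is not part of the original answer. It goes one step beyond mysqli_real_escape_string by keeping the value out of the SQL text altogether. The connection details, `table_name`, `column`, the 255-byte limit and the helper names `clean_param` and `insert_param` are assumptions.

```php
<?php
// Added example: credentials, table and column names are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/**
 * Validate the raw request value before it goes near the database.
 * The 255-byte limit is an assumed column size (VARCHAR(255)).
 */
function clean_param(array $query, string $key): ?string
{
    $raw = $query[$key] ?? null;
    // ?param[]=x arrives as an array; accept only non-empty strings.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 255) {
        return null;
    }
    return $raw;
}

/** Insert one value and return the number of rows written. */
function insert_param(mysqli $link, string $value): int
{
    // The ? placeholder is filled in by the server, so quotes in $value
    // can never terminate the string literal or add SQL of their own.
    $stmt = $link->prepare('INSERT INTO `table_name` SET `column` = ?');
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $rows = (int) $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

$value = clean_param($_GET, 'param');
if ($value === null) {
    http_response_code(400);
    exit('Missing or invalid "param".');
}

$link = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
// Set the charset explicitly; mysqli_real_escape_string() relies on it too.
$link->set_charset('utf8mb4');
insert_param($link, $value);
```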