<?
include("config.php");
$id = $_GET['id'];
$username = $_GET['username'];
$type = $_GET['type'];

$result = mysql_query("INSERT INTO `logdb`.`devlogs` (`userid`, `username`, `type`, `timestamp`) VALUES ('" . $id . "', '" . $username . "', '" . type . "', '" . date("Y-m-d H:i:s") . "')");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}
?>

Trying with this URL but getting a blank page: mysite/devlog.php?userid=1&username=foo&type=join

  • Well, you should get a blank page... no output on no error. On a development server though, you'd usually have a notice staring you in the face that the constant `type` is not defined.... Perhaps look at [how to get useful error messages from PHP](http://stackoverflow.com/questions/845021/how-to-get-useful-error-messages-in-php). Also, don't alter data based on GETs, it WILL hurt you later on. Manipulating is done with POSTs (or PUT/DELETE's). – Wrikken Feb 12 '14 at 21:37
  • Please do not use user input directly in an SQL query; you are asking for trouble. Look up how to escape your variables or, better yet, look up prepared statements. – Anigel Feb 12 '14 at 21:38
  • Your URL contains userid while you ask $_GET['id'] – Random Feb 12 '14 at 21:39
  • @Anigel FYI, the system isn't intended for user input, just a simple system for myself to log things, and the only viable option is through GETs. – Superburke Feb 12 '14 at 21:42
  • @superburke, that still does not prevent you escaping your values or preparing your statements – Anigel Feb 12 '14 at 21:45
  • @Anigel I know, I'm not finished with it. This is just the start of it, but I couldn't resolve this error. – Superburke Feb 12 '14 at 21:51

2 Answers

1

Your problem is that your id field isn't being passed properly. Change your URL to contain id=1 instead of userid=1.

Also, you are very much prone to MySQL injection with your query AND you are using the deprecated MySQL libraries; use PDO or MySQLi.

Joe Meyer
  • Thanks, I changed the name of some of the variables at one point and forgot, and I was banging my head trying to work out why it wasn't working. I realize I'm open to SQL injection, but the system isn't able to be used by anyone other than myself. – Superburke Feb 12 '14 at 21:43
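As an added example (not code from the question or either answer), here is the same devlog insert rewritten with PDO prepared statements, which addresses both the injection risk and the blank page: the parameter name matches what the URL sends, inputs are validated, and PDO is set to throw on errors instead of failing silently. It assumes config.php defines `$db_dsn`, `$db_user` and `$db_pass` (hypothetical names) and that the `devlogs` table exists as in the question.

```php
<?php
// Added example, not the original poster's code. Assumes config.php sets
// $db_dsn, $db_user and $db_pass (hypothetical variable names).
include("config.php");

// Make every PDO failure an exception so a broken query is never a blank page.
$pdo = new PDO($db_dsn, $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

// The URL in the question sends userid=1, so read 'userid', not 'id'.
$id       = filter_input(INPUT_GET, 'userid', FILTER_VALIDATE_INT);
$username = isset($_GET['username']) ? $_GET['username'] : null;
$type     = isset($_GET['type']) ? $_GET['type'] : null;

// Constructed whitelist of log types; adjust to the real set of events.
$allowedTypes = ['join', 'leave', 'error'];

if ($id === false || $id === null || $username === null
    || !in_array($type, $allowedTypes, true)) {
    http_response_code(400);
    exit('Bad request: userid (integer), username and a known type are required');
}

// Bound placeholders keep the values out of the SQL text, so a quote in
// $username cannot alter the statement. Using $type (not the bare word type)
// also avoids the undefined-constant problem from the original query.
$stmt = $pdo->prepare(
    'INSERT INTO `logdb`.`devlogs` (`userid`, `username`, `type`, `timestamp`)
     VALUES (:userid, :username, :type, :ts)'
);
$stmt->execute([
    ':userid'   => $id,
    ':username' => $username,
    ':type'     => $type,
    ':ts'       => date("Y-m-d H:i:s"),
]);

// Return something so a successful insert is visible in the browser.
echo 'Logged ' . htmlspecialchars($type, ENT_QUOTES, 'UTF-8') . ' for user ' . (int) $id;
```

Because the data-changing request still arrives via GET (as the asker requires), keep the script behind authentication or restricted to localhost; the whitelist on `type` and the integer check on `userid` limit what can be written even then.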
0

First point, the $id variable: you wrote $id = $_GET['id'];, but when you pass it through the URL you wrote userid. You must make them the same.

Second point, you got a blank page because you did not return anything. Try the following:

if (!$result) {
    die('Invalid query: ' . mysql_error());
} else {
    echo 'Everything is ok';
}

Third point, use mysqli instead of mysql.

Fourth point, did you make this error intentionally because you want to catch errors? In that case, make an error in the SQL statement.

Nedal Eldeen