1

This was reposted from dba.stackexchange.

Sorry for such an amateur question, but I have no idea why this does not work. I have an "add.php" to connect to the MySQL server.

/add.php

<?php
    include("connect.php");

    $link=Connection();

    $ID1=$_POST["ID1"];
    $ID2=$_POST["ID2"];
    $ID3=$_POST["ID3"];
    $ID4=$_POST["ID4"];
    $ID5=$_POST["ID5"];

    $query = "INSERT INTO Battery (ID01, ID02, ID03, ID04, ID05) 
        VALUES ('".$ID1."','".$ID2.",'".$ID3.",'".$ID4."','".$ID5."')"; 

    mysql_query($query,$link);
    mysql_close($link);

    header("Location: index.php");
?>

connect.php

<?php

    function Connection(){
        $server="mysql.randomserver.com";
        $user="random";
        $pass="1234";
        $db="random_1234";

        $connection = mysql_connect($server, $user, $pass);

        if (!$connection) {
            die('MySQL ERROR: ' . mysql_error());
        }

        mysql_select_db($db) or die( 'MySQL ERROR: '. mysql_error() );

        return $connection;
    }
?>

I use a simple HTTP 1.1 protocol:

GET /add.php?ID1=1int&ID2=2char&ID3=3char&ID4=4int&ID5=2015-04-13 01:00:00 HTTP/1.1\r\nmyhost\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection:close\r\n\r\n\r\n

where ID1,ID4 is int; ID2, ID3 char; ID5 Datetime (SQL)

The host throws me this error:

+IPD,168:<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>hosting</center>
</body>
</html>

If anyone has any idea for me to try out, I would be grateful! I'm really clueless...

Fixed: (moskito-x) '".$ID3.", to '".$ID3."',

UPDATE:2015.04.22 13:56

Ok, I tried this and it works on my Main page: Index.php (just copy the whole /add.php code into /index.php)

$query= "INSERT INTO  Battery (ID01,ID02,ID03,ID04,ID05) 
        VALUES ('1int','2char','3char','4int','2015-04-22 17:20:28')";
$result = mysqli_query($link, $query)

But if I replace it into the add.php, no row is inserted.

I changed add.php as others have suggested:

add.php

<?php
    $link=Connection();
        $server="mysql.myhost.com";
        $user="randomUser";
        $pass="randomPwd";
        $db="radomdb";

    $link=mysqli_connect($server, $user, $pass, $db);


    $query = "INSERT INTO  Battery (ID01,ID02,ID03,ID04,ID05)
        VALUES ('1int','2char','3char','4int','2015-04-22 17:20:28')";
    mysqli_query($link, $query)
             mysqli_close($link);
    header("Location: index.php");
?>
Nhan Le
  • I am not sure if your mysql_query syntax is correct: http://php.net/manual/en/function.mysql-query.php Do you have error reporting turned on for your php code ? – Maximus2012 Apr 21 '15 at 20:15
  • You're missing at least one `\n` in that `GET` command. –  Apr 21 '15 at 20:15
  • 2
    Please be aware that the `mysql_` functions are now no longer just discouraged (as it was over the last years), but officially [deprecated](http://php.net/manual/en/migration55.deprecated.php). You should really use [MySQLi](http://php.net/manual/en/book.mysqli.php) or [PDO](http://php.net/manual/en/ref.pdo-mysql.php), as this code will stop working very soon. – Oldskool Apr 21 '15 at 20:16
  • 2
    DO NOT use msql_query() and append values from the webpage, this is known as SQL Injection and it's how your site/database/server gets hacked. You must use parameterized queries by using PDO instead. – TravisO Apr 21 '15 at 20:21
  • Thank you Oldskool, I'm new to this so I am really grateful for your patience. Should I change only this in my code? mysqli_multi_query($link,$query) Then change the function Connection to return mysqli? – Nhan Le Apr 21 '15 at 20:26
  • What is the datatype in the DB? I see that `'".$ID2.",'".$ID3.",'".$ID4."'`, after $ID2 you need to add *'* and after $ID3 too. `VALUES ('".$ID1."','".$ID2."','".$ID3."','".$ID4."','".$ID5."')";` – baquiax Apr 21 '15 at 20:35
  • 1
    @NhanLe See [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) for more information. – Oldskool Apr 21 '15 at 20:36
  • 1
    @NhanLe Another thing is that you are accessing POST variables, but you send data via GET `GET /add.php?ID1=1int&ID2=2char&ID3=3char&ID4=4int&ID5=2015-04-13 01:00:00 ` You can change $_POST['var'] to $_GET['var']. – baquiax Apr 21 '15 at 20:41
  • Hi baquiax, I have updated the datatype of the DB. For better security, would it be better using $_POST['var'] or $_GET['var']? – Nhan Le Apr 21 '15 at 20:53
  • 1
    Hi, @NhanLe POST! Therefore you need to change the way you test your add.php – baquiax Apr 21 '15 at 21:03
  • @NhanLe : can you please mark one of the answers as right (if one is working for you or helped to find out). – moskito-x May 02 '15 at 16:33
  • @moskito-x I finally made it work, I changed everything to $_POST, should I answer the question myself? Or just edit the question? – Nhan Le May 05 '15 at 14:56
  • @NhanLe : $_POST is what we told you all the time. Accept an answer that already exists before you write your own that only describes the same thing. – moskito-x May 05 '15 at 16:01

2 Answers

1

Important part $link=Connection();

  • We cannot see the code of Connection();
  • your query is wrong
  • mentioned in comments -> you are using an HTTP GET, so $ID1=$_POST["ID1"]; is wrong too.

'".$ID1."','".$ID2.",'".$ID3.",'".$ID4."','".$ID5."')";
//                  |         |
//                  |_________|____ here forget ' 

$query = "INSERT INTO Battery (ID01, ID02, ID03, ID04, ID05) 
    VALUES ('".$ID1."','".$ID2."','".$ID3."','".$ID4."','".$ID5."')"; 

EDIT

Now we can see in your Edited question

where ID1,ID4 is int; ID2, ID3 char; ID5 TimeStamp

Query should be (assume TimeStamp ="20150421225300") string format.

$query = "INSERT INTO Battery (ID01, ID02, ID03, ID04, ID05) 
    VALUES (".$ID1.",'".$ID2."','".$ID3."',".$ID4.",'".$ID5."')"; 
moskito-x
  • @NhanLe The request is bad too. – baquiax Apr 21 '15 at 20:44
  • 1
    @NhanLe change too $_POST['var'] by $_GET['var']. Because you sent the data via HTTP GET. – baquiax Apr 21 '15 at 20:58
  • Hi Moskito, I read somewhere that if I add "Content-Type: application/x-www-form-urlencoded", $_POST is ok too. So, it's not correct? – Nhan Le Apr 22 '15 at 08:53
  • We have said so many times. If you are using "http get", then you need to use in the receiving program a $_GET. If you have a
    tag you can then with `
    ` a "http post" send. **I would strongly recommend at least to read this.** [http Get and POST](http://www.w3schools.com/tags/att_form_method.asp)
    – moskito-x Apr 22 '15 at 15:45
  • @NhanLe, using a POST request could be done, but then you will have to send the data in the *POST BODY*, not in the *GET parameters* to get something in $_POST. And, please, never add data in your query this way, this is insecure (plain SQL injection) and not robust at all, various ways of failing. By the way, there's no way for me to upvote an answer containing a query with direct parameters concatenation, right way to hell. – regilero Jul 07 '15 at 15:09
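
The parameterized query that the comments above ask for, as an added example that is not code from the question or from any answer: an add.php that reads the POST body, validates each field against the column types stated in the question, and inserts through a PDO prepared statement. The host, database name and credentials are placeholders, and the helper name `read_battery_fields` is hypothetical.

```php
<?php
// Added example, not the poster's code. Host, database name and credentials
// are placeholders; table and column names are the ones from the question.

function read_battery_fields(array $post): array
{
    // ID1 and ID4 are integers in the question's schema.
    $id1 = filter_var($post['ID1'] ?? null, FILTER_VALIDATE_INT);
    $id4 = filter_var($post['ID4'] ?? null, FILTER_VALIDATE_INT);
    // ID2 and ID3 are character data; accept only plain strings, not arrays.
    $id2 = $post['ID2'] ?? null;
    $id3 = $post['ID3'] ?? null;
    // ID5 must round-trip through the DATETIME format unchanged, which also
    // rejects overflow dates such as 2015-02-31.
    $raw = $post['ID5'] ?? null;
    $ts  = is_string($raw) ? DateTime::createFromFormat('Y-m-d H:i:s', $raw) : false;

    if ($id1 === false || $id4 === false || !is_string($id2) || !is_string($id3)
        || $ts === false || $ts->format('Y-m-d H:i:s') !== $raw) {
        throw new InvalidArgumentException('invalid form fields');
    }
    return ['id1' => $id1, 'id2' => $id2, 'id3' => $id3, 'id4' => $id4, 'id5' => $raw];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}
try {
    $fields = read_battery_fields($_POST);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad form data');
}

$pdo = new PDO(
    'mysql:host=db.example.invalid;dbname=example_db;charset=utf8mb4',
    'example_user', 'example_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
// Placeholders keep the values out of the SQL text, so a quote in ID2 or ID3
// is stored as data and cannot change the statement.
$stmt = $pdo->prepare(
    'INSERT INTO Battery (ID01, ID02, ID03, ID04, ID05)
     VALUES (:id1, :id2, :id3, :id4, :id5)'
);
$stmt->execute($fields);
header('Location: index.php');
```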
1

Your http request as you have shown in your post (_ stands for an empty line):

GET /add.php?ID1=1int&ID2=2char&ID3=3char&ID4=4int&ID5=2015-04-13 01:00:00 HTTP/1.1
myhost
Content-Type: application/x-www-form-urlencoded
Connection:close
_
_
_

It is indeed a bad request because (a) you have unescaped white space characters in the URI and (b) the second line reads just myhost when you probably meant Host: myhost (c) you have extra \r\n (not likely to cause troubles though), so something like that:

POST /add.php?ID1=1int&ID2=2char&ID3=3char&ID4=4int&ID5=2015-04-13+01:00:00 HTTP/1.1
Host: myhost
Content-Type: application/x-www-form-urlencoded
Connection:close
_
_

And of course what others said about SQL injections applies.

Cthulhu
  • hey thanks for your answer, I have yet to make the PHP to insert to SQL table correctly. Please have a look at my update, do you have any suggestion? – Nhan Le Apr 22 '15 at 12:41
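
A well-formed version of the request discussed in this answer, as an added example that is not part of the original post: it sends the fields in a form-encoded POST body with a `Host` header and a matching `Content-Length`, so PHP populates `$_POST`. The function name `build_form_post` is hypothetical, and the field values are the sample ones from the question.

```php
<?php
// Added example, not from the original post: build the raw HTTP/1.1 request
// text that a client writing directly to a socket would send.

function build_form_post(string $host, string $path, array $fields): string
{
    // A CR, LF or space in the host or path would break the request line or
    // let a value add its own header lines, so refuse them.
    if (preg_match('/[\r\n ]/', $host . $path)) {
        throw new InvalidArgumentException('host/path must not contain whitespace');
    }

    // http_build_query() percent-encodes every value: the space in the
    // DATETIME becomes "+" and each ":" becomes "%3A".
    $body = http_build_query($fields);

    $head = [
        "POST $path HTTP/1.1",
        "Host: $host",
        'Content-Type: application/x-www-form-urlencoded',
        'Content-Length: ' . strlen($body),   // byte length of the body only
        'Connection: close',
    ];

    // Exactly one empty line separates the headers from the body.
    return implode("\r\n", $head) . "\r\n\r\n" . $body;
}

// Sample values taken from the question (constructed input).
echo build_form_post('myhost', '/add.php', [
    'ID1' => '1int',
    'ID2' => '2char',
    'ID3' => '3char',
    'ID4' => '4int',
    'ID5' => '2015-04-13 01:00:00',
]);
```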