
Could someone help me debug this script?

(The * is the information. I know it, but not posting it)

<?php
$dbhost = '*********';
$dbuser = '*********';
$dbpass = '*********';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(!$connection) {
  die("Database connection failed: " . mysql_error());
}
$db_select = mysql_select_db("applicationinfo",$connection);
if (!$db_select) {
  die("Database selection failed:: " . mysql_error());
}
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
  die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
mysql_close($conn);
$sql = 'INSERT INTO applicationinfo '.
       '(Name, Email, Email_confirmation, Activity, Quote, Username, Password,                Password_Confirmation, 13+) '.
   'VALUES ( "personal_name", "user_email", "user_email_confirmation", "user_activity", "user_quote", "user_username", "user_password", "user_password_confirmation", "user_13older",  NOW() )';

?>

Here's the website where the script will be run: http://www.ProjectZilkr.com/apply.html

Thanks guys

  • you're trying to pass query codes first, then you're closing your connection, then wanting to insert. plus this `13+` that could give you problems. – Funk Forty Niner Jun 01 '15 at 15:35
  • [Your script is at risk for SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using PDO, [it's not as hard as you think](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 01 '15 at 15:37
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jun 01 '15 at 15:37
  • [Don't limit passwords](http://jayblanchard.net/security_fail_passwords.html) and [use the proper methods to hash passwords with PHP](http://jayblanchard.net/proper_password_hashing_with_PHP.html). – Jay Blanchard Jun 01 '15 at 15:37
  • *"post form data into mySQL"* - You see any POST arrays *Sam?* - @JayBlanchard – Funk Forty Niner Jun 01 '15 at 15:40
  • *Zero, zilch, nada Ralph*. Zen posting @Fred-ii-? – Jay Blanchard Jun 01 '15 at 15:41
  • @JayBlanchard what happened to *Rien, niente Sam?* – Funk Forty Niner Jun 01 '15 at 15:42
  • *Just trying to be a multi-linguist Ralph.* ;-) @Fred-ii- – Jay Blanchard Jun 01 '15 at 15:44
  • @JayBlanchard Are you also a *"common cunning linguist"* Sam? – Funk Forty Niner Jun 01 '15 at 15:45
  • *I might cunning Ralph, but certainly not common!* As I am sure you are @Fred-ii- – Jay Blanchard Jun 01 '15 at 15:49
  • @JayBlanchard Indeed not "common" *there Sam* – Funk Forty Niner Jun 01 '15 at 15:54

1 Answer

Your order of operations is off and below is an example of a prepared statement which should be safer than what you are using. I have not tested the code, so hopefully no typos, etc.

$dbhost = '*********';
$dbuser = '*********';
$dbpass = '*********';
$dbname = 'applicationinfo';

// Create connection
$conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// prepare and bind
$stmt = $conn->prepare("INSERT INTO applicationinfo (Name, Email, Email_confirmation, Activity, Quote, Username, Password, Password_Confirmation, `13+`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");

// first argument can be one of 4 types (i - integer, d - double, s - string, b - BLOB) You must have one of these for each parameter/field.
$stmt->bind_param("sssssssss", $name, $email, $email_conf, $activity, $quote, $username, $password, $password_conf, $one_three);

// set parameters and execute
$name = "Joe Snuffy";
$email = "joe.snuffy@example.com";
$email_conf = "joe.snuffy@example.com";
$activity = "Test";
$quote = "quote";
$username = "username";
$password = "password";
$password_conf = "pass conf";
$one_three = "yes";
$stmt->execute();

echo "New records created successfully";

$stmt->close();
$conn->close();
– qcsites
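The points raised in the comments (read the POST data, compare the confirmation fields instead of storing them, hash the password, use PDO with error reporting) pulled together into one script. This is an added example, not code from the question or the answer; the POST field names are assumed to match the HTML form, and the two confirmation columns are assumed to be droppable since their values are only compared.

```php
<?php
// Added example, not from the question or answer: PDO prepared statement,
// server-side confirmation checks and password_hash(). Form field names are assumed.
error_reporting(E_ALL);
ini_set('display_errors', '1'); // development only; log errors in production
$dbhost = '*********'; // placeholders, as in the question
$dbuser = '*********';
$dbpass = '*********';
$dbname = 'applicationinfo';
// Read the POST fields (names assumed to match the HTML form).
$name      = trim($_POST['personal_name'] ?? '');
$email     = trim($_POST['user_email'] ?? '');
$emailConf = trim($_POST['user_email_confirmation'] ?? '');
$activity  = trim($_POST['user_activity'] ?? '');
$quote     = trim($_POST['user_quote'] ?? '');
$username  = trim($_POST['user_username'] ?? '');
$password  = $_POST['user_password'] ?? '';
$passConf  = $_POST['user_password_confirmation'] ?? '';
$older13   = isset($_POST['user_13older']) ? 'yes' : 'no';
// Validate first; the confirmation fields are compared here and never stored.
if ($name === '' || $username === '' || $activity === '') {
    exit('Required fields are missing.');
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL) || $email !== $emailConf) {
    exit('Email addresses are invalid or do not match.');
}
if (strlen($password) < 8 || $password !== $passConf) {
    exit('Passwords must be at least 8 characters long and match.');
}
// Store only a hash; check logins later with password_verify().
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
try {
    $dsn = "mysql:host=$dbhost;dbname=$dbname;charset=utf8mb4";
    $pdo = new PDO($dsn, $dbuser, $dbpass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    // Columns follow the question's table; `13+` must be backtick-quoted.
    $stmt = $pdo->prepare('INSERT INTO applicationinfo
        (Name, Email, Activity, Quote, Username, Password, `13+`)
        VALUES (:name, :email, :activity, :quote, :username, :password, :older13)');
    $stmt->execute([':name' => $name, ':email' => $email, ':activity' => $activity,
        ':quote' => $quote, ':username' => $username, ':password' => $passwordHash,
        ':older13' => $older13]);
    echo 'Application recorded.';
} catch (PDOException $e) {
    error_log($e->getMessage()); // log the detail, show a generic message
    exit('Could not save the application.');
}
```

With ERRMODE_EXCEPTION set, a failed prepare or execute throws instead of silently returning false, so the generic-message branch is the only thing a visitor sees while the real error lands in the server log.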