
So, every time I go to http://localhost/api/calls.php?gamename=test&gameowner=hi&gameownerid=1&placeid=2&serverjobid=hi&serverid=jaja&serverplayers=1&sendername=bob&senderid=3&senderage=14&senderwarnings=0&calltype=non&reportinfo=hi&suspect=none

it shows absolutely nothing and doesn't send the data to my mysql database.

Here is my code. I removed my mysql info just to be safe.

<?php
$servername = "";
$username = "";
$password = "";
$database = "";

// Establish MySQL Connection
$conn = new mysqli($servername, $username, $password, $database);

// Check connection
if ($conn->connect_error) {
    die("MySafeServer Database Connection Failed: " . $conn->connect_error);
}

if (array_key_exists('param',$_GET)) {
    $gamename = $_GET['param'];
    $gameowner = $_GET['param'];
    $gameownerid = $_GET['param'];
    $placeid = $_GET['param'];
    $serverjobid = $_GET['param'];
    $serverid = $_GET['param'];
    $serverplayers = $_GET['param'];
    $sendername = $_GET['param'];
    $senderid = $_GET['param'];
    $senderage = $_GET['param'];
    $senderwarnings = $_GET['param'];
    $calltype = $_GET['param'];
    $reportinfo = $_GET['param'];
    $suspect = $_GET['suspect'];
    mysql_query("INSERT INTO mss_calls3 (gamename, gameowner, gameownerid, placeid, serverjobid, serverid, serverplayers, sendername, senderid, senderage, senderwarnings, calltype, reportinfo, suspect) VALUES ($gamename, $gameowner, $gameownerid, $placeid, $serverjobid, $serverid, $serverplayers, $sendername, $senderid, $senderage, $senderwarnings, $calltype, $reportinfo, $suspect)");
};
?>
  • Don't play pick-a-mix with mysql and mysqli..... pick the one interface (mysqli) and stick with that – Mark Baker Mar 19 '16 at 22:27
  • Bear in mind that whether your code succeeds or fails, it only prints something out if the connection fails - there's nothing to tell you if your query worked or not. – andrewsi Mar 19 '16 at 22:28
  • What I mean is that you're using mysqli for the database connection, and mysql for the query – Mark Baker Mar 19 '16 at 22:29
  • And if you're going to be using mysqli in the future, learn to use prepared statements with bind variables, just to avoid nasty people destroying your database with SQL Injection attacks – Mark Baker Mar 19 '16 at 22:30
  • You also must quote each argument in VALUES that's not a number, like: VALUES ('$gamename', '$gameowner', .... – Bernd Buffen Mar 19 '16 at 22:36
  • Please read [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Matt Raines Mar 19 '16 at 23:01
  • I'm assuming the key `param` does not exist in your query string, thus failing when the condition `if (array_key_exists('param',$_GET)` is checked – CodeGodie Mar 19 '16 at 23:37

1 Answer

@Mark is right, you should stick to using the mysqli functions only.

As @andrewsi says, since you're not querying data, there's nothing in your code that prints whether the insert statement is a success, but only on failure, so I added a "success!" echo. You will still want to query the database to see if the values were inserted.

@Matt and @Mark's points about preparing statements are crucial to sanitizing your input - this is security 101, and you should do some googling on it.

But ultimately, I think @CodeGodie hit on your biggest problem to just getting it working. You assign all your variables to the same value with $_GET['param'] except for "suspect" at the very end. And from the link you posted in the question, there is no "param" in your query string. I'm not entirely sure what you were going for, but I'm assuming you wanted to match the parameter name with the variable name. I don't think it works that way, but the following untested code should get you going:

<?php

$params = array(
  "gamename",
  "gameowner",
  "gameownerid",
  "placeid",
  "serverjobid",
  "serverid",
  "serverplayers",
  "sendername",
  "senderid",
  "senderage",
  "senderwarnings",
  "calltype",
  "reportinfo",
  "suspect"
);

$cols = "";
$vals = "";
$binding_type = "";
$get_params = array();

// first pass to build the query,
// and validate inputs exist
// ($param only ever comes from the hard-coded list above, so it is
// safe to interpolate it as a column name; the values are never
// interpolated, they go through bind_param below)
foreach ($params as $param) {
  if ( isset($_GET[$param]) ) {
    $cols .= "$param,";
    $vals .= "?,";
    $get_params[] = $_GET[$param];
    // determine the binding type as either integer or string
    // (is_numeric() also accepts "3.5" or "1e3", which "i" would truncate;
    // declare the type per column if that matters for your table)
    if (is_numeric($_GET[$param]))
      $binding_type .= "i";
    else
      $binding_type .= "s";
  } else die("$param is not set");
}

// trim trailing commas
$cols = rtrim($cols, ",");
$vals = rtrim($vals, ",");

$sql = "INSERT INTO mss_calls3 ($cols) VALUES ($vals);";

$servername = "";
$username = "";
$password = "";
$database = "";

// Establish MySQL Connection
$conn = new mysqli($servername, $username, $password, $database);

// Check connection
if ($conn->connect_error) {
    die("MySafeServer Database Connection Failed: " . $conn->connect_error);
}

// prepare statement
$stmt = $conn->prepare($sql) or die($conn->error);

// bind parameters
// bind_param() takes its values by reference, so handing it copies through
// call_user_func_array()/array_merge() fails; argument unpacking (PHP >= 5.6)
// passes the array elements by reference. Background on the dynamic case:
// http://stackoverflow.com/questions/627763/php-and-mysqli-bind-parameters-using-loop-and-store-in-array
// http://no2.php.net/manual/en/mysqli-stmt.bind-param.php#89171
$stmt->bind_param($binding_type, ...$get_params);

// execute
if( $stmt->execute() )
  echo "success!";
else
  echo $stmt->error;

$stmt->close();
$conn->close();

?>
– Jeff Puckett
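A hardened variant of the same insert, added here as an example and not the answer's own code: it declares the expected type of each query-string parameter up front instead of guessing with is_numeric(), rejects the request before touching the database if anything is missing or malformed, makes mysqli throw instead of failing silently, and still binds every value through a prepared statement. The table mss_calls3 and its column names come from the question; the connection details and the validate_call() helper are assumptions.

```php
<?php
// Expected query-string parameters and their bind types ("i" integer,
// "s" string). The keys double as the column names of mss_calls3, so only
// this fixed list ever reaches the SQL text; request data never does.
$schema = array(
  "gamename" => "s", "gameowner" => "s", "gameownerid" => "i",
  "placeid" => "i", "serverjobid" => "s", "serverid" => "s",
  "serverplayers" => "i", "sendername" => "s", "senderid" => "i",
  "senderage" => "i", "senderwarnings" => "i", "calltype" => "s",
  "reportinfo" => "s", "suspect" => "s",
);
// Check and coerce the request against the schema; returns the values in
// schema order plus a list of problems (hypothetical helper, not from the answer).
function validate_call(array $schema, array $input) {
  $values = array();
  $errors = array();
  foreach ($schema as $name => $type) {
    if (!isset($input[$name]) || $input[$name] === "") {
      $errors[] = "$name is missing";
      continue;
    }
    if ($type === "i") {
      // FILTER_VALIDATE_INT rejects "3.5", "1e3" and " 1", unlike is_numeric()
      $v = filter_var($input[$name], FILTER_VALIDATE_INT);
      if ($v === false) { $errors[] = "$name must be an integer"; continue; }
      $values[] = $v;
    } else {
      $values[] = (string) $input[$name];
    }
  }
  return array($values, $errors);
}

list($values, $errors) = validate_call($schema, $_GET);
if ($errors) {
  http_response_code(400);          // reject before touching the database
  exit(implode("\n", $errors));
}

// Make mysqli throw on any error, so a failed insert can never be silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli("localhost", "db_user", "db_password", "db_name"); // placeholders
$cols  = implode(", ", array_keys($schema));
$marks = implode(", ", array_fill(0, count($schema), "?"));
$stmt  = $conn->prepare("INSERT INTO mss_calls3 ($cols) VALUES ($marks)");
$stmt->bind_param(implode("", $schema), ...$values);  // by-reference unpacking, PHP >= 5.6
$stmt->execute();
echo "inserted row id " . $conn->insert_id;
$stmt->close(); $conn->close();
```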