-1

I tried to find an answer on here already, as well as read the PHP doc on it, however it doesn't explain it very well.

I'm just trying to get the last ID inserted by the user. I know MYSQL is deprecated, but I need to do it this way.

This is what I have so far.

$query="INSERT INTO teams (team_name)
VALUES
('$team_name')";
mysql_query($query) or die('error');

$team_id = mysql_query("SELECT LAST_INSERT_ID()");

Thanks!

Brad Larson
  • 170,088
  • 45
  • 397
  • 571
hashtagbad
  • 97
  • 11
  • 1
    And what is the problem? – Chris Apr 14 '16 at 19:38
  • 1
    Do you need to do it this way because it's a school project? Go and tell your school they're wrong ...and they probably have really poor security on their wifi network and their bluetooths can easily be hijacked. – Martin Apr 14 '16 at 19:42
  • 1
    (Do you also *need* to make your code appear to be vulnerable to SQL Injection? Is there a *need* to avoid properly escaping values incorporated into SQL text?.) After the execution of the SELECT statement using the (deprecated) mysql_query function, that should either return a resultset or return FALSE (just like every other SELECT statement you run.), You can test whether the return is FALSE, So, on the next line (not shown) when you fetch a row from the resultset, what happens? (Were you asking *a question*? Or just giving a status report?) Does the table have an AUTO_INCREMENT column? – spencer7593 Apr 14 '16 at 19:47
  • 2
    @rcsnooks But it does. The linked question provides answers for PDO, MySQLi as well as the old `mysql_` – kero Apr 14 '16 at 19:52
  • If you're doing your error handling through AJAX (assuming you mean javascript) your code **is** insecure. – Mike Apr 14 '16 at 19:55
  • 2
    Do NOT use `mysql_*` it has been removed and it will not work anymore, use `PDO` [link](http://php.net/manual/en/book.pdo.php) or `mysqli` [link](http://php.net/manual/en/book.mysqli.php) instead. – Tom Apr 14 '16 at 19:56
  • 2
    I said that the code *appears* to be vulnerable to SQL Injection, because we don't see any escaping of the value before it's included in the text. We don't see it, so we are going to be conservative, and assume that the value `$team_name` could contain a potentially unsafe value. (Why would the value of $team_name need to be escaped for use in a MySQL statement anywhere *before* it's included in the SQL text?) And we can't tell why you are avoiding using the **mysqli_insert_id** function. (So, we assume that there's some need to do it this way, running a separate SELECT.) – spencer7593 Apr 14 '16 at 19:57
  • 1
    After the execution of mysql_query("SELECT ..."). That returns either FALSE or a resultset. We don't see any code after you get that. As Chris asked in the first comment.... what is the problem? – spencer7593 Apr 14 '16 at 19:59
  • I love how much of an asshole you are being for someone who is asking for help with a very basic problem. You still haven't actually explained what is going wrong with the code you have and why you can't use `mysql_insert_id()` **like everyone else is telling you to**. – Chris Apr 14 '16 at 20:04
  • We don't assume where $team_name came from. For all we know, it was a value retrieved from the database. What we *don't* see is *any guarantee* that the value has been properly escaped. The usual pattern for doing the escaping is to do it right where the value gets incorporated into the SQL text, e.g. `VALUES ('" . mysql_real_escape_string( $team_name ) . "') ...`. And almost by definition, any value from $_POST is potentially unsafe. – spencer7593 Apr 14 '16 at 20:04
  • [`mysql_real_escape_string()` will not secure your application](https://stackoverflow.com/questions/5414731/are-mysql-real-escape-string-and-mysql-escape-string-sufficient-for-app-secu) (as do prepared statements) – kero Apr 14 '16 at 20:07
  • @kingkero: but mysql_real_escape_string` it's the best we can do with the deprecated mysql_ interface functions. – spencer7593 Apr 14 '16 at 20:08
  • @rcsnooks Wow, the answer was what had been posted here twice as well as in the linked question (second answer)- who would have thought? – kero Apr 14 '16 at 20:12
  • @rcsnooks Assigning variables and using their values is something you learn your first 5 minutes of learning PHP. – Mike Apr 14 '16 at 20:54
  • @rcsnooks: if you are knowledgeable about SQL Injection, I suggest you don't post code that *appears* to be vulnerable. You could have used a literal in your query, or included a line above that assigned either a literal, or the return from mysql_real_escape_string to $team_name. The code posted looks fine. It only goes as far as getting a resultset returned. The posted code doesn't show fetching the row and extracting the value. (We just assume that the table has an AUTO_INCREMENT column.) The mysql_insert_id function is just a wrapper for running that same SELECT LAST_INSERT_ID() statement. – spencer7593 Apr 14 '16 at 22:45

2 Answers2

2

Take a look at mysql_insert_id

But beware of the issues when using ON DUPLICATE KEY UPDATE statements. It is described in the comments on the php doc page.

But your solution should work, too.

Also, if you're using mysql, don't forget to mysql_real_escape your input, $team_name in your case.

[insert obligatory mysql is deprecated warning here ;)]

arkuuu
  • 619
  • 7
  • 23
1

You can do it by PHP. You don't need a query: mysql_insert_id()

Mike
  • 23,542
  • 14
  • 76
  • 87
Mojtaba
  • 4,852
  • 5
  • 21
  • 38
  • See that big red box on the linked page? `mysql_` functions should not be used anymore – kero Apr 14 '16 at 19:41
  • 1
    @kingkero OP specifically said it needed to use the deprecated `ext/mysql` extension. – Mike Apr 14 '16 at 19:42
  • 2
    @kingkero lets be fair, you should probably down vote the other answer too for using `MySQL_` :-D – Martin Apr 14 '16 at 19:43
  • 1
    @Mike You're right, I overread that - sorry. Edited the question in order to be able to remove the downvote – kero Apr 14 '16 at 19:50
  • $team_id = "mysql_insert_id()" doesn't work either. – hashtagbad Apr 14 '16 at 19:55
  • @rcsnooks what is your PHP version? As you see, mysql_insert_id is deprecated after v5.5. Maybe you should migrate to mysqli – Mojtaba Apr 14 '16 at 19:59
  • 2
    @rcsnooks What do you mean it doesn't work? Also, is that the exact code you used? Because it's assigning the literal string `mysql_insert_id()` to the variable rather than actually calling the function. – Chris Apr 14 '16 at 20:07