0

So, i got this code:

<?php
    $servername = "localhost";
    $username = "**";
    $password = "**";
    $dbname = "TestDB";
    // Create connection
    $conn = new mysqli($servername, $username, $password,$dbname);


    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    echo "Connected successfully<br>";

    $ip = $_SERVER['REMOTE_ADDR'];


    $sql = "INSERT INTO testdata (id,address,count) VALUES (DEFAULT,'$ip',1) ON DUPLICATE KEY UPDATE count=count+1";


    if ($conn->query($sql) === TRUE) {
        echo "New record created successfully<br>";
    } else {
        echo "Error: " ;
    }


    $conn->close();
    ?>

With this code ip-addresses of customers are saved and it should increase count by 1 every time they return to the website. When i visit database.php directly it works like it should in every browser, but when i call the php-file via the index.html-page it counts up twice (most of the times, not always) in Mozilla, other browsers no problem, the code in html-file:

<img style="display: none;" src="http://servername/database.php?">

Anyone know why? Please help, i'm really stuck here

grasshopper
  • 1
  • 1
  • 3
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 28 '16 at 13:24
  • Why don't you just include this file in the header or some place similar? Now you make an extra http request, open an additional database connection, etc. just to confuse the browser with an invalid image. – jeroen Jun 28 '16 at 13:27
  • 1
    It's possible that the browser sends a header request first to check if the image changed when comparing it to the cache before sending the request to re-acquire it. – apokryfos Jun 28 '16 at 13:30
  • May I suggest you do an AJAX request like a regular person and fallback to this approach in a ` – apokryfos Jun 28 '16 at 13:32
  • There are lot of bug reports that Mozilla makes two requests for empty/not valid image (it tries to refresh it), so avoid such (bad practice) approach. There are lot of other techniques how to load/import scripts. For more info ask Google for `mozilla img twice`. – mitkosoft Jun 28 '16 at 13:35
  • @Jay Blanchard Thnks for the heads up, i'm just beginning my php/sql journey so there's still a lot to learn, i will certainly look into it. – grasshopper Jun 28 '16 at 17:11
  • The problem doesn't seem to occur when i visit the website at home with Mozilla, only at the office where i'm working on it. I will try some of the other suggestions tomorrow. @mitkosoft Curious which other options there are for loading php on a .html-page? I couldn't find anything else.. – grasshopper Jun 28 '16 at 17:15
  • Okay, problem fixed by replacing the img with an iframe. Thnx for the quick replies! – grasshopper Jun 29 '16 at 17:38
  • @Little Bobby, I read some articles and watched videos about sql injections now, but i don't see how this is vulnerable without user input, can you explain a little more? – grasshopper Jul 05 '16 at 08:48

0 Answers0