-2

I'm getting this error for the following php code on line 12. I'm trying to insert data into a table and if it succeeds, redirect to another page after alert.

```php
<?php
session_start();
include 'dbconn.php';
$name = $_POST["name"];
$hof = $_POST["hof"];
$tier = $_POST["tier"];
$services = $_POST["services"];
$proced  = $_POST["proced"];
$addr = $_POST["addr"];
$phone = $_POST["phone"];
$depname = $_SESSION['depname'];
$qry = "INSERT INTO '.$depname.'(name,hof,tier,services,method,address,phone) VALUES ('$name','$hof','$tier','$services','$proced','$addr','$phone')"; //This is where the problem is;
if(mysqli_query($conn,$qry) === TRUE) {
echo "<script type='text/javascript'>alert('Success');
window.location='welcome.php';
</script>";
}
else{
echo "<script type='text/javascript'>alert('Error');
window.location='welcome.php';
</script>";
}
?>
```
  • 3
    Obligatory warning: your code is incredibly vulnerable to an attack. Use prepared SQL statements. – Carcigenicate Dec 05 '16 at 17:16
  • 1
    Since you're using PHP why not use `header()` to perform the redirect? – Jay Blanchard Dec 05 '16 at 17:17
  • What does `var_dump($_SESSION['depname']);` output? – bassxzero Dec 05 '16 at 17:19
  • 3
    There goes that bad concatenation again. You don't need periods to concatenate within a double-quoted string. And table names should be in backticks, not quotes. That goes on top of Carcigenicate's comment. – aynber Dec 05 '16 at 17:19
  • Eagle-eye @aynber! – Jay Blanchard Dec 05 '16 at 17:21
  • 1
    Well, that line 12 cannot generate the error you specify. It's just a variable assignment and nothing to do with a `mysqli_result` object – RiggsFolly Dec 05 '16 at 17:25
  • Thanks everyone, I'm a noobie to PHP, doing my first assignment... – chrisjzach Dec 05 '16 at 17:34
  • @bassxzero I tried using var_dump($_SESSION['depname']) and the result is an alert which I set in the else part of the code. After I placed the var_dump function, this code is executing but the data is not being entered into the table. – chrisjzach Dec 05 '16 at 17:43
  • @bassxzero screenshot here: https://drive.google.com/open?id=0B-PK0FEEZ7jdbFBtWGc2X21GSEU – chrisjzach Dec 05 '16 at 17:50
  • I don't think `$_SESSION['depname'];` is holding what you think it should. – bassxzero Dec 05 '16 at 17:53
  • $sql = "SELECT id,depname FROM admin WHERE username = '$myusername' and password = '$mypassword'"; $result = mysqli_query($conn,$sql); $row = mysqli_fetch_array($result,MYSQLI_ASSOC); $count = mysqli_num_rows($result); if($count == 1) { session_start(); $depname = mysqli_query($conn,"SELECT depname FROM admin WHERE username = '$myusername' and password = '$mypassword'"); $_SESSION['depname'] = $depname; header("location: welcome.php"); } – chrisjzach Dec 05 '16 at 17:57
  • @bassxzero The above is the code for login.php where username and password is matched and a corresponding table name is taken from the matching row which is $depname. This is carried forward to my next php file which is above for dynamic table value insertion. – chrisjzach Dec 05 '16 at 18:00
  • @chrisjzach `mysqli_query` doesn't return a row. You need to fetch a row from your result named `$depname` and then assign `$_SESSION['depname'] = $row['depname']` – bassxzero Dec 05 '16 at 18:06
  • @JayBlanchard I'm not sure the question you linked is an exact duplicate of this one, but it is helpful. Please see the last couple of comments. – bassxzero Dec 05 '16 at 18:10
  • 1
    Please do not dump code into comments. If you have changes edit your original question to include the updates. – Jay Blanchard Dec 05 '16 at 18:11
  • 1
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Dec 05 '16 at 18:11
  • Information we did not have when I duped @bassxzero and it is still relevant for the INSERT – Jay Blanchard Dec 05 '16 at 18:12
  • @JayBlanchard again that's fine, but since the linked question doesn't directly solve his problem should you not remove it so someone can post an answer? – bassxzero Dec 05 '16 at 18:13
  • I reopened @bassxzero. It is beginning to smell more like http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem – Jay Blanchard Dec 05 '16 at 18:16
  • @JayBlanchard Thank you. – bassxzero Dec 05 '16 at 18:59

1 Answer

1

In addition to what everyone else said this should fix your errors. You will still have security problems that you need to fix.

Also, I don't use mysqli, I use PDO, so you will have to forgive me if the syntax is slightly wrong.

Your problem is that mysqli_query() doesn't return a row. You need to fetch a row from your result and then assign it to $_SESSION['depname']

Login.php should look like this

```php
// Note we are using prepared statements to prevent SQL injections
// Also note the use of backticks `, which are used for identifiers
$mysqli = new mysqli('host', 'user', 'password', 'database');
$stmt = $mysqli->prepare('SELECT `id`,`depname` FROM `admin` WHERE `username` = ? and password = ?');
$stmt->bind_param('ss', $myusername, $mypassword);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows == 1) {
    session_start();
    $row = $result->fetch_assoc();
    $_SESSION['depname'] = $row['depname'];
    header("location: welcome.php");
    exit;
}
```

Other Script

```php
<?php
session_start();
include 'dbconn.php'; // provides $conn, the mysqli connection used in the question
$name = $_POST["name"];
$hof = $_POST["hof"];
$tier = $_POST["tier"];
$services = $_POST["services"];
$proced  = $_POST["proced"];
$addr = $_POST["addr"];
$phone = $_POST["phone"];
$depname = $_SESSION['depname'];

// Only values can be bound with ?; the table name is interpolated, so $depname must be a trusted value
$qry = "INSERT INTO `{$depname}` (`name`,`hof`,`tier`,`services`,`method`,`address`,`phone`) VALUES (?,?,?,?,?,?,?)";

// prepare our query to prevent sql injections
$stmt = $conn->prepare($qry); // $conn, not $mysqli: this script only has the connection from dbconn.php
$stmt->bind_param('sssssss', $name, $hof, $tier, $services, $proced, $addr, $phone);
$stmt->execute();

// not sure why you aren't using header here like @JayBlanchard said, but whatever
if ($stmt->affected_rows == 1) {
    echo "<script type='text/javascript'>alert('Success');
window.location='welcome.php';
</script>";
} else {
    echo "<script type='text/javascript'>alert('Error');
window.location='welcome.php';
</script>";
}
```
bassxzero
  • 4,838
  • 22
  • 34
  • Thanks a lot for the support. Tried using header instead of window.location='welcome.php' but the alert function is not working, the page is redirected before that happens. – chrisjzach Dec 06 '16 at 02:43
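
An added example, not part of the original question or answer: it applies the two security points the thread leaves open, storing passwords with `password_hash()` and checking them with `password_verify()`, and checking the session-supplied table name against an allowlist, because identifiers cannot be bound as parameters. It assumes PHP 7.1+ with the pdo_sqlite extension and a constructed in-memory SQLite schema so it runs without a server; `login()`, `insertRecord()`, `DEPARTMENT_TABLES` and the sample rows are hypothetical.

```php
<?php
// Added example. Constructed schema and data; in-memory SQLite via PDO is an assumption.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, depname TEXT)');
$pdo->exec('CREATE TABLE cardiology (name TEXT, hof TEXT, tier TEXT, services TEXT, method TEXT, address TEXT, phone TEXT)');

// Hypothetical allowlist of the department tables the application owns.
const DEPARTMENT_TABLES = ['cardiology', 'radiology'];

// Registration side: store only a hash of the password, never the password itself.
$ins = $pdo->prepare('INSERT INTO admin (username, password, depname) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('constructed-password', PASSWORD_DEFAULT), 'cardiology']);

// Look the user up by name only, then check the password against the stored hash.
function login(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT password, depname FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // unknown user or wrong password
    }
    return $row['depname'];
}

// A table name cannot be a bound parameter, so accept it only if it is on the allowlist.
function insertRecord(PDO $pdo, string $depname, array $fields): bool
{
    if (!in_array($depname, DEPARTMENT_TABLES, true)) {
        return false; // refuse to build a query around an unexpected identifier
    }
    $sql = "INSERT INTO \"$depname\" (name, hof, tier, services, method, address, phone)
            VALUES (?, ?, ?, ?, ?, ?, ?)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($fields));
    return $stmt->rowCount() === 1;
}

// Constructed sample input; the apostrophe in the address is handled by binding.
$row = ['Dr. Rao', 'Dr. Lee', '2', 'ECG', 'walk-in', "12 O'Hara St", '555-0100'];
$depname = login($pdo, 'alice', 'constructed-password');
var_dump($depname);
var_dump(login($pdo, 'alice', 'wrong-password'));
var_dump(insertRecord($pdo, $depname, $row));
var_dump(insertRecord($pdo, 'not_a_department', $row));
```

With mysqli the same pattern applies: `prepare()` and `bind_param()` for the values, and the allowlist check before the table name is placed in the query string.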