-3

What I was trying to do is insert all query errors into a database, but it doesn't work. I wanted to do this:

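```php
<?php
include('db_settings.php');

$query = $conn->query("mysql_query here");

// query() returns false on failure in mysqli's default (non-exception) mode
if (!$query) {
    $error = $conn->error;
    // The error text is interpolated straight into the SQL string
    $log_error = $conn->query("INSERT INTO tab (log) VALUES ('$error')");
}
?>
```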

However, this does not work; the error is not being submitted into the db. Do any of you know a workaround for this?

(before someone asks, all parameters of DB and variables are correct).

BlackSys
  • Because it seems that `$query = $conn->query("mysql_query here");` is running properly, and that's why the if block condition becomes false – Alive to die - Anant Feb 15 '17 at 05:23
  • Have you checked whether autocommit is enabled or not? If not, using a commit may solve it – Massimo Petrus Feb 15 '17 at 05:28
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Feb 15 '17 at 05:55
  • @tadman I'm not using any of those. These are already defined variables and users have no possibility of altering them, as there are 0 inputs, but thanks for the advice anyway. – BlackSys Feb 15 '17 at 05:57
  • **USE PREPARED STATEMENTS WITH PLACEHOLDER VALUES**. I don't care where those values come from. Trust nothing, escape **everything**. This is how [really bad things](http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/) happen to you, your career, and any company you work for. – tadman Feb 15 '17 at 06:00

1 Answer

3

You simply shouldn't do that.

Do not try to use a medium that failed you that very instant!

Let's take one of your recent questions: The very error message that troubled you here, Mysqli Commands out of sync will prevent your wunderlogging from functioning! Your database won't get back to sync by magic! And thus will effectively prevent you from logging its own error. And so you simply will never have an idea it occurred.

Let errors be logged, and then you'll be able to find them all.

Add these three lines at the top of your code,

```php
ini_set('log_errors',1);
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
```

and then check the server error log.

This is how everyone is doing it and there is no reason to devise such an awkward and illogical device.

Community
Your Common Sense
  • I need them to be readable by a webpage, I can't always access the server directly to look at files... and I obviously can't give my root password to everyone who should have log access lol – BlackSys Feb 15 '17 at 05:26
  • Ok so basically you're saying EVERYONE should view the error log, exposing the server security... that doesn't make sense. And why should I give my root password to all the "staff" people that actually should view the logs? This does not accomplish my request – BlackSys Feb 15 '17 at 05:29
  • 1
    That's rubbish. Again, that's not a matter of what you *want*, but simply of what you can: you cannot add a record in a database if your server has gone away! Not to mention that your objection is no less ridiculous: you have full control over the place where the log should be stored. – Your Common Sense Feb 15 '17 at 05:30
  • So if I have 5 people "working" with me, who are at a lower level than me and shouldn't have any access to the server outside the webpage, how exactly is this going to work? 'Cause there is no way I'm gonna turn on E_ALL on reporting and compromise the security with everyone, and then what if the error occurs when I'm not present? Every single time I have to access the physical server by root and check the file, which is going to result in a hassle. That's what I mean – BlackSys Feb 15 '17 at 05:33
  • @BlackSys that's another question that you may ask and get a simple **and logical** solution according to your particular needs – Your Common Sense Feb 15 '17 at 05:37
  • I don't see why it should be illogical to have a database for errors. There are lots of people asking for that. Example? http://stackoverflow.com/questions/2911094/outputting-all-php-errors-to-database-not-error-log – BlackSys Feb 15 '17 at 05:40
  • @BlackSys you just have no idea what E_ALL is. It should be always turned on, no matter what you *imagine* here. So your other questions are. – Your Common Sense Feb 15 '17 at 05:41
  • Yes of course, go turn on E_ALL and display password errors and so on to users. Very smart, so anyone can crack everything. – BlackSys Feb 15 '17 at 05:42
  • @BlackSys E_ALL has nothing to do with **displaying** anything. There is **another configuration option** in charge of that. Given you have such a vague idea of error reporting, you'd better not conjure some monster of your own. – Your Common Sense Feb 15 '17 at 05:44
  • You are not helping at all, just telling something even children know. If I wanted to check files on error I wasn't going to open the question. – BlackSys Feb 15 '17 at 05:47
  • When your database dies, logging to the database is going to be a bad plan. This is why you need a backup option. There are error notification services like [Airbrake](http://airbrake.io) specifically for this reason, and beyond that, a plain-text log with some kind of monitoring app for a third layer of protection. – tadman Feb 15 '17 at 05:56
  • 1
    @BlackSys You better ease up on your crappy attitude here. If people are seeing passwords logged in your errors **you have far more severe problems**. This query you're using as a demonstration has a gigantic [SQL injection hole in it](http://bobby-tables.com/) because you're not writing your SQL code correctly. Use prepared statements with placeholder values and your errors will be perfectly harmless unless you go out of your way to do something to break them. – tadman Feb 15 '17 at 05:59
  • @tadman My attitude here is perfectly fine. However, the database does not die, as I want to log errors such as "record not found", "can't connect", "can't execute" and so on. That doesn't mean the DB is dead and thus cannot operate in any way. And what if I have a second server just for errors? That doesn't prove anything, as the function will not work, second server or whatever. And again, there is NO SQL injection in my code. How are you injecting code in a NO input statement? – BlackSys Feb 15 '17 at 06:01
  • @BlackSys Explain to me, if you can, how you can insert a record into a database when you **can't connect to it**. "What if I have a second server just for errors?" Now you have increased your database failure rate by 100%, there are two servers to admin, two servers that could fail for various reasons. Do you have a third in case that fails? A fourth in case that fails? No. Do what everyone else does, and what you're being told to do here in the answer: **Dump it to the server log**. – tadman Feb 15 '17 at 06:04
  • "There is NO sql injections in my code". There is. You are *injecting* a variable into your SQL. That is a textbook definition of a SQL injection bug. Use prepared statements with placeholder values and stop arguing about this. – tadman Feb 15 '17 at 06:04
  • @tadman Security of my server is my task and thus you can say whatever you want, still I have the last word on it, as my server, my rules. – BlackSys Feb 15 '17 at 06:05
  • "Dump it to the server log" and give everyone else root access to the server? Good job. Why not give it away for free also? – BlackSys Feb 15 '17 at 06:06
  • @BlackSys Translation: "I don't care, I know better than everyone." You have a very, very bad attitude about this. There's a reason people are extremely paranoid about these things. The world is an ugly place. Tools [like SQLMap](http://sqlmap.org) can destroy your life if they find a way to worm in through the tiniest of holes. – tadman Feb 15 '17 at 06:07
  • @BlackSys Dump it to the log. Give those who need access to it access to it. If you knew how `chown` worked you could make a group and give access to a very narrow list of people if necessary. If this is beyond your capability hire a consultant that knows what they're doing. – tadman Feb 15 '17 at 06:08
  • What do you not understand about "I don't want anyone with root access to server"? I don't give a damn if limited or whatever. The ssh port is closed and thus shall remain closed, along with ftp and any other external access. – BlackSys Feb 15 '17 at 06:10
  • @BlackSys What you don't understand is that you simply don't have to give root access to anyone to let them access the error log :) – Your Common Sense Feb 15 '17 at 06:12
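
The approach the answer and comments argue for, as an added example that is not part of the original thread: mysqli raises exceptions, every error goes to a log file first, and a copy is stored in the question's `tab` table through a prepared statement only when the connection is usable. The log path, the connection settings, the `record_db_error()` helper and the failing sample query are assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread.
// Assumed: log path, connection placeholders, and the `tab` (log) table from the question.
ini_set('log_errors', '1');
ini_set('display_errors', '0');   // errors are logged, never shown to visitors
ini_set('error_log', sys_get_temp_dir() . '/app_db_errors.log'); // assumed path
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws on failure

/** Record an error: file log first, database copy only as a best effort. */
function record_db_error(?mysqli $conn, string $message): bool
{
    error_log('[db] ' . $message);   // primary record, works with the database down
    if ($conn === null) {
        return false;                // never connected: file log only
    }
    try {
        // Placeholder + bind_param: quotes inside the message cannot break the INSERT.
        $stmt = $conn->prepare('INSERT INTO tab (log) VALUES (?)');
        $stmt->bind_param('s', $message);
        $stmt->execute();
        $stmt->close();
        return true;
    } catch (mysqli_sql_exception $e) {
        // Connection lost, out of sync, table missing: keep the failure in the file log.
        error_log('[db] could not store error in tab: ' . $e->getMessage());
        return false;
    }
}

$conn = null;
try {
    // Placeholder credentials; use the values from db_settings.php.
    $conn = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
    $conn->query('SELECT * FROM table_that_does_not_exist'); // constructed failing query
} catch (mysqli_sql_exception $e) {
    $stored = record_db_error($conn, $e->getMessage());
    echo $stored ? "logged to file and table\n" : "logged to file only\n";
}
```

With no MySQL server reachable the script prints "logged to file only", which is the case the answer describes. The file named by `error_log` can be made readable by a dedicated group, as the comments suggest, so reviewing it needs no root access.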