0

I have this script on my site:

<?php

  $db_handle = mysql_connect($server, $user_name, $password);
  $db_found = mysql_select_db($database, $db_handle);

  if($db_found) {
    $SQL = "INSERT INTO users (user, address)
    VALUES('".$_GET['username']."','".$_GET['password']."')";

    $result = mysql_query($SQL);

    mysql_close($db_handle);
    print "Records added to the database";
  }
  else {
    print "Database NOT found";
    mysql_close($db_handle);
  }
?>

I then open this url in my browser:

http://ringkapps.altervista.org/addToDatabase.php?user=ringk&address=test

But instead of inserting "ringk" and "test" in the table, it inserts this:

enter image description here

Can't understand why, any help would be greatly appreciated.

RingK
  • 83
  • 12
  • can you do var_dump($_REQUEST), var_dump($_GET) and var_dump($_POST) before your insert? and post results – Dimi Mar 24 '17 at 14:23
  • `user` != `username`, and there is no password in the GET (and it shouldn't be either, use POST for that!) - and you should hash your passwords!! – Qirel Mar 24 '17 at 14:23
  • 1
    [**Please, don't use `mysql_*` functions in new code**](http://stackoverflow.com/q/12859942). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://php.net/mysql-connect)? Learn about [*prepared statements*](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) can help you decide which. – Qirel Mar 24 '17 at 14:24
  • 1
    Don't store your passwords in plain-text! This is not secure *at all!* PHP has built-in functions which you should use to handle storing of passwords, see the [`password_hash()`](http://php.net/manual/en/function.password-hash.php) function which is a lot more secure! – Qirel Mar 24 '17 at 14:24
  • Your `$_GET` index keys are `user` and `address` not `username` and `password` – DiddleDot Mar 24 '17 at 14:24
  • @Qirel yes, this is just a test, i will look at the link you posted, thanks! – RingK Mar 24 '17 at 14:27
  • @DiddleDot thanks! – RingK Mar 24 '17 at 14:28
  • @RingK If you're just learning MySQL and PHP, I recommend learning the "new" and most secure way first. `mysql_` is like I said, obsolete, so learning it is somewhat a waste of time. Look into PDO or MySQLi, and learn how to use `prepare()` with placeholders ;-) – Qirel Mar 24 '17 at 14:38

3 Answers3

1

This code is wrong!

$SQL = "INSERT INTO users (user, address)
VALUES('".$_GET['username']."','".$_GET['password']."')";

Replace this.

$SQL = "INSERT INTO users (user, address)
    VALUES('".$_GET['user']."','".$_GET['address']."')";
Star_Man
  • 1,091
  • 1
  • 13
  • 30
0

It's not working because you're calling

http://ringkapps.altervista.org/addToDatabase.php?user=ringk&address=test

Which creates $_GET["user"] and $_GET["address"] but you are trying to put in the db $_GET['username'] and $_GET['password'] which don't exist.

You should call:

http://ringkapps.altervista.org/addToDatabase.php?username=ringk&password=test

Plus, read something on security for PHP apps, your code is prone to a lot of vulnerabilities!!!

napolux
  • 15,574
  • 9
  • 51
  • 70
0

In the url : http://ringkapps.altervista.org/addToDatabase.php?user=ringk&address=test

We can see user = ringk and address = test. Where user is the key and ringk it's value. Where address is the key and test it's value.

You can print all the $_GET value by using var_dump($_GET) and see by yourself what's in it.

My guess is that what you want is to access $_GET['user'] and $_GET['address']

then just replace the line : 

 VALUES('".$_GET['username']."','".$_GET['password']."')";

with 

 VALUES('".$_GET['user']."','".$_GET['address']."')";

or you could update the url to match the code.

Unex
  • 1,747
  • 13
  • 17