
Here is my code. As you can see, I just want to connect to MySQL and then insert an info field, but it seems the code after the database selection is not executed. I am new to PHP, and it did not return an error, so I do not know where I went wrong.

```php
<html>
<body>

Welcome <?php echo "show" ?><br>
Your email address is: 


<?php
$servername = "localhost";
$username = "root";
$password = "123456";

// Create connection
$conn = mysqli_connect($servername, $username, $password);

// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "mysql successed connected.";


mysql_select_db("flowers", $conn) or die("database flowers failed".mysql_error()) ;

echo "database successed";

$sql="INSERT INTO flowers (username, password)
VALUES
('$_POST[name]','$_POST[email]')";

if (!mysql_query($sql,$conn))
  {
  die('Error: ' . mysql_error());
  }

echo "1 record added";


mysql_close($conn);

?>
</body>
</html>
```

test demo info and here is the db info: dn info

I use Ubuntu 16.04 with Apache2.

Rezero
  • `mysql_*` doesn't work with `mysqli`. Your database selection and query will currently fail. You also will be open to SQL injections if you don't parameterize that query. An email as a password also isn't secure. – chris85 Apr 06 '17 at 14:49
  • Your code is vulnerable to SQL injection attacks. You should use [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php) prepared statements as described in [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 06 '17 at 14:51
  • Thanks, I will learn more about the **SQL injection**. – Rezero Apr 06 '17 at 15:35

2 Answers

So the main issue here is that you are using a combination of mysql_ and mysql functions. Note that mysql has been deprecated since PHP5 and has been completely removed in PHP7, so you should be using the newer mysqli or PDO. I personally use PDO; however, I have kept your code with mysqli.

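```php
<?php
$servername = "localhost";
$username = "root";
$password = "56lj0721";

// Create connection
$conn = mysqli_connect($servername, $username, $password);

// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "mysql successed connected.";

// mysqli_* functions take the connection as the first argument,
// and mysqli_error() needs the connection to report its last error.
mysqli_select_db($conn, "flowers") or die("database flowers failed" . mysqli_error($conn));

echo "database successed";

// User input is still interpolated into the SQL text here;
// see the note on prepared statements below.
$sql="INSERT INTO flowers (username, password)
VALUES
('$_POST[name]','$_POST[email]')";

if (!mysqli_query($conn, $sql))
  {
  die('Error: ' . mysqli_error($conn));
  }

echo "1 record added";


mysqli_close($conn);

?>
```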

You should also really be using prepared statements to help prevent SQL Injection. You can read more here for mysqli.

It's also important to remember that you should be validating your $_POST['name'] and $_POST['email'] values as well, which I have not included.

If you want to read further about PDO, take a look here.

Dom_TC
  • change `mysqli_select_db("flowers", $conn)` ==> `mysqli_select_db($conn,"flowers");` – Masivuye Cokile Apr 06 '17 at 15:09
  • I've updated it, thanks. – Dom_TC Apr 06 '17 at 15:13
  • The problem is solved. Thanks very much for your help. By the way, the second **if** also seems like it should be changed to `mysqli_*($conn, args)`, not `mysqli_*(args, $conn)`. – Rezero Apr 06 '17 at 15:38
  • My apologies, I clearly didn't proof this as well as I thought I did. I'll edit the original answer just in case anyone else looks at this. Glad you got it sorted. – Dom_TC Apr 06 '17 at 16:07
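
The prepared-statement approach recommended in the answer and comments above, as an added example that is not part of the original answer or the asker's code. The table and column names are the question's; the `app_user` / `change-me` credentials, the `insert_flower` helper and the 64-character name limit are assumptions made for illustration.

```php
<?php
// Added example: parameterized version of the INSERT from the question.
// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: validates input, then inserts it with bound parameters.
function insert_flower(mysqli $conn, $name, $email): int
{
    // Reject non-string input (e.g. name[]=x arrives as an array) and bad lengths.
    if (!is_string($name) || !is_string($email)) {
        throw new InvalidArgumentException('invalid input type');
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) { // 64 is an assumed limit
        throw new InvalidArgumentException('invalid name');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }

    // The SQL text is fixed; user values travel separately as bound parameters.
    $stmt = $conn->prepare('INSERT INTO flowers (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        // Placeholder credentials; select the database in the same call.
        $conn = new mysqli('localhost', 'app_user', 'change-me', 'flowers');
        $conn->set_charset('utf8mb4');
        $rows = insert_flower($conn, $_POST['name'] ?? null, $_POST['email'] ?? null);
        $conn->close();
        echo $rows . ' record added';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input';
    } catch (mysqli_sql_exception $e) {
        // Details go to the server log, not to the browser.
        error_log($e->getMessage());
        http_response_code(500);
        echo 'Database error';
    }
}
```

The column mapping (email into `password`) mirrors the question only so the two versions can be compared; a real password column would hold the output of `password_hash()`.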

You have these two statements in your php code.

```php
$conn = mysqli_connect($servername, $username, $password);
        ...
$conn = mysqli_connect($servername, $username, $password);
```

You should get rid of the second one if you must use the mysql_ interface to run your query.

You should also know, with respect, that only a fool uses the mysql_ interface in 2017. It has been deprecated for years, for reasons of cybersecurity, and is going away soon.

O. Jones