-2

I am trying to insert data into MySQL using GET parameters in my address bar. My esp.php file has the following code:

```php
$id = ($_GET['id']);
$temp = ($_GET['t']);
$hum = ($_GET['h']);
if ($id == '1') {
    $total = mysql_result(mysql_query("SELECT count(*) FROM `esp1`"),0);
    mysql_query("INSERT INTO `esp1` (temp,hum) values ('".$temp."','".$hum."') ");
}
```

When I visit the URL I get this error:

```
Fatal error: Uncaught Error: Call to undefined function mysql_result() in /home/orexlt/domains/ortex.lt/public_html/esp.php:13 Stack trace: #0 {main} thrown in /home/orexlt/domains/ortex.lt/public_html/esp.php on line 13
```

What am I doing wrong?

Paul
  • 2
    Do you have PHP7? mysql_result is extremely outdated and has been removed. You should switch to PDO. – Paul May 13 '18 at 18:35
  • 1
    What does your connection look like? Are you really using `mysql_*`, or are you connecting using `mysqli_*` (since you didn't get an error about `mysql_connect()`)? Do you even have an open connection to the database? – M. Eriksson May 13 '18 at 18:42
  • 1
    1. **Don't** use the **deprecated and insecure** `mysql_*`-functions. They have been deprecated since PHP 5.5 (in 2013) and were completely removed in PHP 7 (in 2015). Use MySQLi or PDO instead. 2. **You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php)** and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries, which can be used if you use the above mentioned MySQLi or PDO. – M. Eriksson May 13 '18 at 18:45
  • 2
    You should remove that link; your script, if you manage to make it work without fixing it, will be vulnerable to SQL injections and available for anyone who sees this thread to mess around with. Use prepared statements and an up-to-date library such as MySQLi or PDO. – Lou May 13 '18 at 18:45
  • 1
    Please respond to our questions and we might be able to help you better. – M. Eriksson May 13 '18 at 18:49

1 Answer

0

This is an extremely odd error.

The mysql_* functions are part of a now-deprecated extension to PHP. But it's possible you are running on a platform which still provides support for the extension and does not provide support for its replacement - the mysqli extension (such as Red Hat/CentOS/Scientific Linux 6).

You should have told us what the underlying operating system and PHP version are.

As expected, the usual trolls have said you should be using PDO. I have yet to see any credible evidence of a security issue in the mysql or the mysqli extension. Certainly PDO goes further in preventing you from doing really stupid things - but it also closes the door on other useful constructs in SQL (like a variable length IN(...) list or keyword search). OTOH if you sub-contract your programming to someone who is actively trying to inject backdoors into your site, you might want to read this - but they'll have little problem finding other ways to subvert your site.

Changing from the deprecated mysql extension to the procedural mysqli extension can be done with a shim or a scripted search and replace of your code. Changing to PDO will require a manual rewrite of all database interaction.

So the cause of the error is that the code you have written does not match the extensions available to your PHP install. To find the extensions which are available, look at the output of phpinfo();. How you install and enable an extension if you need it is dependent on your platform and whether you have the ability to configure it. You may already have the mysqli extension.

But even if you had the mysql extension available, this code will not work. You can't do anything to a database until you establish a connection - and this is a separate function call for the mysql extension (and in PDO, and in procedural mysqli).

symcbean
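The prepared-statement approach recommended in the comments, applied to the question's insert, as an added example (not code from the question or the answer). It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database as an offline stand-in for MySQL; `store_reading` and `SENSOR_TABLES` are hypothetical names, and the requests are constructed.

```php
<?php
declare(strict_types=1);

// Table names cannot be bound as parameters, so map the id to a fixed allow-list.
const SENSOR_TABLES = ['1' => 'esp1'];

/**
 * Validate GET-style parameters and insert one reading.
 * Returns the table's row count after the insert, or null if the input is rejected.
 */
function store_reading(PDO $pdo, array $query): ?int
{
    $id    = $query['id'] ?? '';
    $table = is_string($id) ? (SENSOR_TABLES[$id] ?? null) : null;
    $temp  = filter_var($query['t'] ?? null, FILTER_VALIDATE_FLOAT);
    $hum   = filter_var($query['h'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($table === null || $temp === false || $hum === false) {
        return null; // unknown sensor id, or a reading that is not a number
    }
    // Values are sent separately from the SQL text, so they are never parsed as SQL.
    $stmt = $pdo->prepare("INSERT INTO `$table` (temp, hum) VALUES (:temp, :hum)");
    $stmt->execute([':temp' => $temp, ':hum' => $hum]);
    return (int) $pdo->query("SELECT COUNT(*) FROM `$table`")->fetchColumn();
}

// Stand-in database so the example runs offline (assumption). For MySQL, use a
// DSN of the form 'mysql:host=...;dbname=...;charset=utf8mb4' plus credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE esp1 (temp REAL, hum REAL)');

// Constructed requests standing in for $_GET.
$requests = [
    ['id' => '1', 't' => '21.5', 'h' => '40'],
    ['id' => '1', 't' => "21.5','0'); --", 'h' => '40'], // SQL fragment in a value
    ['id' => '9', 't' => '21.5', 'h' => '40'],           // id with no table
];
foreach ($requests as $q) {
    $rows = store_reading($pdo, $q);
    echo $rows === null ? "rejected\n" : "stored, table now has $rows row(s)\n";
}
```

The numeric check stops the malformed reading before it reaches the database; the bound parameters mean that even a value that passed validation could not change the statement's structure.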