-1

I'm trying to insert form data into my database but it won't work for some reason. I keep getting the following error when submitting the form: Error: INSERT INTO voorwerpenlijst (beschrijving, waar, wanneer, ophalen) VALUES ('value', 'value', 'value', 'value') Access denied for user 'id11961846_profielwerkstuk'@'%' to database 'voorwerpenlijst'. When I leave out the $sql part I am able to connect to the database just fine, so the login credentials are correct. I ran the same PHP using XAMPP and phpMyAdmin from my own PC and it worked just fine. This confirmed for me that my code should be fine, but it's still not working with 000webhost. I'm using the database I got through 000webhosting, which doesn't allow me to change any of the privileges in phpMyAdmin. Any SQL statement I try to use gets blocked. Thanks in advance.

<html lang="nl">
<head>
<meta charset="utf-8">
<link rel="stylesheet" href="profielwerkstukSTYLE.css">
</head>
<body>
<ul>
  <li><a href="index.html">Home</a></li>
  <li><a class="active" href="upload.php">upload voorwerp</a></li>
  <li><a href="voorwerpenlijst.html">voorwerp lijst</a></li>
</ul>
<h3>Upload het door u gevonden voorwerp</h3><br>
<div>
<form action="upload.php" method="post" enctype="multipart/form-data">
Beschrijving:<br>   <input type="text" name="beschrijving" placeholder="bijv. jas, airpods, sleutels etc."><br>
Waar:<br>           <input type="text" name="waar" placeholder="bijv. lokaal 117"><br>
Wanneer:<br>        <input type="text" name="wanneer" placeholder="bijv. 5e uur"><br>
ophalen waar:<br>   <input type="text" name="ophalen" placeholder="bijv. bij de balie"><br>
<input type="submit" value="verzend" name="knop">
</form>
</div>

<?php
// Only attempt the insert when every field has been filled in.
if (
    isset($_POST["beschrijving"]) && $_POST["beschrijving"] != "" &&
    isset($_POST["waar"])         && $_POST["waar"] != "" &&
    isset($_POST["wanneer"])      && $_POST["wanneer"] != "" &&
    isset($_POST["ophalen"])      && $_POST["ophalen"] != ""
) {
    $host     = "localhost";
    $username = "id11961846_profielwerkstuk";
    $password = "12345";
    $dbname   = "voorwerpenlijst";

    $conn = mysqli_connect($host, $username, $password, $dbname);

    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
    }

    $beschrijving = $_POST["beschrijving"];
    $waar         = $_POST["waar"];
    $wanneer      = $_POST["wanneer"];
    $ophalen      = $_POST["ophalen"];

    // The submitted values are interpolated straight into the SQL string.
    $sql = "INSERT INTO voorwerpenlijst (beschrijving, waar, wanneer, ophalen)
            VALUES ('$beschrijving', '$waar', '$wanneer', '$ophalen')";

    if (mysqli_query($conn, $sql)) {
        echo "New record created successfully";
    } else {
        echo "Error: " . $sql . "<br>" . mysqli_error($conn);
    }

    mysqli_close($conn);
} else {
    // The button was pressed but at least one field was left empty.
    if (isset($_POST["knop"])) {
        print("Vul A.U.B alles in");
    }
}
?>
</body>
</html>
  • Simply grant the user the privileges see https://dev.mysql.com/doc/refman/8.0/en/grant.html or use a user that has the privileges – nbk Dec 16 '19 at 16:34
  • When using phpMyAdmin through 000webhosting, I'm not allowed to change any of the privileges or users. When I run the SQL it just says "access denied for user: 'id11961846_profielwerkstuk'@'%' to database 'id11961846_voorwerpenlijst'" – Michiel Dekker Dec 16 '19 at 16:42
  • You have to log in as root and grant the privileges as described in the link. – nbk Dec 16 '19 at 16:54
  • I'm not sure if I'm able to. As far as I know the username you get from 000webhosting is the only username you can log in with. – Michiel Dekker Dec 16 '19 at 17:06
  • Then contact the support, they made a mistake not granting the privileges. And please check the answer, because of sql injection https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – nbk Dec 16 '19 at 17:15

1 Answer

-1

Your code is vulnerable to SQL injection. A better way to perform this insert would be to use a prepared statement; it might help solve your issue too.

<?php

    $errors = [];
    $args = array(
        'beschrijving'  =>  FILTER_SANITIZE_STRING,
        'waar'          =>  FILTER_SANITIZE_STRING,
        'wanneer'       =>  FILTER_SANITIZE_STRING,
        'ophalen'       =>  FILTER_SANITIZE_STRING,
        'knop'          =>  FILTER_SANITIZE_STRING
    );
    /* every expected field must be present ... */
    foreach( array_keys( $args ) as $field ){
        if( !isset( $_POST[ $field ] ) ) $errors[] = sprintf( 'The field "%s" is not set', $field );
    }
    /* ... and nothing unexpected may be submitted */
    foreach( $_POST as $field => $value ){
        if( !in_array( $field, array_keys( $args ) ) ) $errors[] = sprintf( 'Unknown field "%s"', $field );
    }

    if( empty( $errors ) ){

        /* filter incoming POST array */
        $_POST = filter_input_array( INPUT_POST, $args );
        /* create variables $beschrijving, $waar, $wanneer, $ophalen, $knop */
        extract( $_POST );

        $host     = "localhost";
        $username = "id11961846_profielwerkstuk";
        $password = "12345";
        $dbname   = "voorwerpenlijst";

        $conn = new mysqli( $host, $username, $password, $dbname );
        if( $conn->connect_error ) die( 'Connection failed: ' . $conn->connect_error );

        /* placeholders: the values are sent separately from the SQL text */
        $sql = 'insert into `voorwerpenlijst` ( `beschrijving`, `waar`, `wanneer`, `ophalen` ) values (?,?,?,?)';
        $stmt = $conn->prepare( $sql );
        if( !$stmt ){
            /* do not fall through to bind_param() on a failed prepare */
            $errors[] = 'failed to prepare sql: ' . $conn->error;
        } else {
            $stmt->bind_param( 'ssss', $beschrijving, $waar, $wanneer, $ophalen );
            $res = $stmt->execute();
            if( !$res ) $errors[] = 'failed to execute sql: ' . $stmt->error;
            $stmt->close();
            echo $res ? 'New record created successfully' : 'error';
        }
        $conn->close();
    }

    if( !empty( $errors ) ){
        /* display errors */
        foreach( $errors as $error ) echo htmlspecialchars( $error ), '<br>';
    }
?>
Professor Abronsius
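As an added example (not the asker's or the answerer's code), the same insert with mysqli's exception mode switched on, so a failed prepare() or execute() can never fall through to the next call, plus the check a practitioner would run for this particular error: MySQL reports "Access denied for user ... to database ..." as error 1044 (ER_DBACCESS_DENIED_ERROR), which means authentication succeeded but the account holds no privileges on that database name, and SHOW GRANTS FOR CURRENT_USER() lists which database names it does have. The example connects without a default database first so that the grants can still be read when the database itself is what is denied. Credentials are assumed to come from the environment variables DB_HOST, DB_USER, DB_PASS and DB_NAME (my assumption; the page hard-codes them), the table and columns are the ones from the question, and the 255-byte field limit is a constructed bound.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes the same table and
// columns as the question; credentials are read from the environment variables
// DB_HOST, DB_USER, DB_PASS and DB_NAME (an assumption, the page hard-codes them).
declare(strict_types=1);

// Make every mysqli error throw mysqli_sql_exception, so a failed connect,
// select_db, prepare or execute can never fall through to the next call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** The GRANT statements that apply to the connected account. */
function showGrants(mysqli $conn): array
{
    $grants = [];
    $result = $conn->query('SHOW GRANTS FOR CURRENT_USER()');
    while ($row = $result->fetch_row()) {
        $grants[] = $row[0];
    }
    return $grants;
}

/** Insert one found item with a prepared statement; returns the new row id. */
function insertVoorwerp(mysqli $conn, string $beschrijving, string $waar, string $wanneer, string $ophalen): int
{
    $stmt = $conn->prepare(
        'INSERT INTO `voorwerpenlijst` (`beschrijving`, `waar`, `wanneer`, `ophalen`) VALUES (?, ?, ?, ?)'
    );
    // The values travel separately from the SQL text: a quote in the input
    // (e.g. jas 'rood') is stored literally and cannot change the statement.
    $stmt->bind_param('ssss', $beschrijving, $waar, $wanneer, $ophalen);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

// Validate the form before touching the database: every field is required,
// with a constructed upper bound of 255 bytes per field.
$values = [];
foreach (['beschrijving', 'waar', 'wanneer', 'ophalen'] as $field) {
    $value = trim((string) ($_POST[$field] ?? ''));
    if ($value === '' || strlen($value) > 255) {
        http_response_code(400);
        exit('Vul A.U.B. alles in (max. 255 tekens per veld).');
    }
    $values[$field] = $value;
}

$conn = null;
try {
    // Connect without a default database first, so the grants can still be
    // inspected when the database itself is the thing being denied.
    $conn = new mysqli(getenv('DB_HOST') ?: 'localhost', (string) getenv('DB_USER'), (string) getenv('DB_PASS'));
    $conn->set_charset('utf8mb4');
    $conn->select_db((string) getenv('DB_NAME'));

    $id = insertVoorwerp($conn, $values['beschrijving'], $values['waar'], $values['wanneer'], $values['ophalen']);
    echo 'New record created successfully (id ' . $id . ')';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; never echo the SQL or the submitted values
    // back into the page.
    error_log('insert failed (' . $e->getCode() . '): ' . $e->getMessage());
    if ($e->getCode() === 1044 && $conn instanceof mysqli) {
        // 1044 = ER_DBACCESS_DENIED_ERROR: authentication succeeded, but this
        // account has no privileges on that database name. The grants show
        // which names it does have.
        foreach (showGrants($conn) as $grant) {
            error_log('grant: ' . $grant);
        }
    }
    http_response_code(500);
    echo 'Opslaan mislukt; de fout is gelogd.';
} finally {
    if ($conn instanceof mysqli) {
        $conn->close();
    }
}
```

Two design choices worth noting. First, the error branch logs the SQL error and the grants with error_log() instead of echoing them: the question's code prints the full statement, user input included, back into the HTML, which both reflects untrusted input into the page and tells the visitor the table layout. Second, an insert that fails with 1044 is a privilege or naming problem, not a query problem, so the logged grants (with their exact database names, which hosting providers often prefix) are what to compare against the name passed to select_db().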