PHP Crew: Help!

Discussion in 'OT Technology' started by o2, May 10, 2006.

  1. o2

    o2 Witty Title Here OT Supporter

    Joined:
    Oct 4, 2005
    Messages:
    16,099
    Likes Received:
    11
    Location:
    Toronto
    I decided to learn PHP, after being fed up with paying my lazy programmer.

    I'm trying to write a script that will allow me to add text to a DB via a form, display the text, and delete the text via DELETE links. I got everything to work, but when I tried to make it use a 2nd table (which stores author information) I can't get it to insert the text into one table and the user data into another, and connect the two, so when it displays a piece of text, it also displays the author that submitted it.

    Here is the insertion part of the script.

    Code:
    <form action="<?php echo($PHP_SELF); ?>" method="post">
    <textarea name="joketext" cols="40" rows="3"></textarea><br>
    Name: <input type="text" name="name"> Email: <input type="text" name="email">
    <input name="submitjoke" value="SUBMIT" type="submit">
    </form>

    <?php
    // New joke submission ($submitjoke, $joketext, $name, $email come from
    // the form via register_globals)
    if ("SUBMIT" == "$submitjoke") {

        $sql = "insert into jokes set " .
               "joketext = '$joketext', jokedate = curdate()";

        // this second assignment replaces the jokes query held in $sql
        $sql = "insert into authors set " .
               "name = '$name', email = '$email'";

        if (mysql_query($sql)) {
            echo("<b>Your joke has been added!</b><br>");
        } else {
            echo("there was an error: " . mysql_error() . "<br>");
        }
    }
    ?>
    
    Right now it just inserts the author info, but not the text. If I reverse the order of the SQL queries, it inserts the text, but not the author. I can't even begin to realize how to make it associate the author id with the text.
     
  2. fishbulb

    fishbulb Active Member

    Joined:
    Oct 29, 2001
    Messages:
    6,848
    Likes Received:
    4
    Location:
    md
    My guess is something is screwing up with trying to put both of the inserts together, looking at the results you explained? I don't know, I've never had more than one per variable. This isn't the cleanest solution, but you could always make one sql1 and the other sql2, or any separate variable names, and have the if statement be
    Code:
    if (mysql_query($sql1) AND mysql_query($sql2) )
    
    it should eliminate the problem.
     
  3. o2

    I don't see how your suggestion would solve the problem. What would the final code look like?
     
  4. defcondefcon

    defcondefcon Member

    Joined:
    Nov 30, 2003
    Messages:
    37
    Likes Received:
    0
    You're overwriting the value of $sql when you assign it again ...
     
  5. defcondefcon

    PHP:
    if ("SUBMIT" == "$submitjoke") {

        // two separate variables, so neither query overwrites the other
        $sql1 = "insert into jokes set " .
                "joketext = '$joketext', jokedate = curdate()";

        $sql2 = "insert into authors set " .
                "name = '$name', email = '$email'";

        if (mysql_query($sql1) && mysql_query($sql2)) {
            echo("<b>Your joke has been added!</b><br>");
        } else {
            echo("there was an error: " . mysql_error() . "<br>");
        }
    }
     
  6. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    dawt. Print out the value of $sql when you run the query to debug, and you'll see that you never EXECUTE the first SQL command... And thus, when you do run the query, only the second query is executed.
     
  7. o2

    Thanks, that worked! Which leads us to problem #2. How to link the author id with the item that was posted by him. The jokes table has an "aid" column (author id) and the authors table has an "id" column. I need to put the id from the authors table into "aid" in the jokes table. How would I go about doing that?
     
  8. P07r0457

    I hope you're not actually going to USE this script... it is very vulnerable from a security standpoint... Research "SQL injection"
     
  10. o2

    No, I don't plan to use this anywhere. I'm just learning.

    What's the big security issue? How would one use it to inject SQL commands?
     
  11. P07r0457

    Why can't you do as instructed and research SQL injection attacks....


    You take un-modified user-input and pass it as an SQL query.

    For example:

    PHP:
    "insert into jokes set " . "joketext = '$joketext', jokedate = curdate()"
    assuming that $joketext will be properly formatted by the user. However, I could pass the following as $joketext:

    Code:
    test'; DROP jokes;
    and BAM, bye-bye table. All your data gone.
     
  12. o2

    Interesting. How do you get around this problem? There's gotta be a way to prevent execution of sql code in the text box.
     
  13. P07r0457

    data validation.... lots of it. strip quotes and special characters. use htmlencoding when applicable. do string conversions, integer conversions, etc.. Test test test and then test some more before you use the data in your queries.
     
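The two problems raised in the thread (linking each joke to its author's id in `jokes.aid`, and keeping user input out of the SQL text) are handled together in the following added example. It is not code from the thread; it uses PDO with an in-memory SQLite database so it runs offline, and the `sqlite::memory:` DSN, the `date('Y-m-d')` stand-in for MySQL's `curdate()`, the column types, and the 2000/100-character limits are assumptions. The table and column names (`jokes`, `authors`, `aid`, `joketext`, `jokedate`) are the ones named in the thread.

```php
<?php
// Added example, not from the thread. PDO + in-memory SQLite so it runs
// offline; in practice swap the DSN for the MySQL one (the rest is unchanged).

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');                 // assumed DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema; column names follow the thread.
    $db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                     name TEXT NOT NULL, email TEXT NOT NULL)');
    $db->exec('CREATE TABLE jokes (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                   joketext TEXT NOT NULL, jokedate TEXT NOT NULL,
                                   aid INTEGER NOT NULL REFERENCES authors(id))');
    return $db;
}

// Validate before the data reaches any query: reject bad input rather than
// trying to "strip" it. Limits are assumptions for the example.
function validateSubmission(array $post): array
{
    $joketext = trim((string)($post['joketext'] ?? ''));
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    if ($joketext === '' || strlen($joketext) > 2000) {
        throw new InvalidArgumentException('joke text must be 1-2000 characters');
    }
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return ['joketext' => $joketext, 'name' => $name, 'email' => $email];
}

// Insert the author, read back the generated id, and store it in jokes.aid.
// Both inserts are prepared statements: quotes in the input are data, not SQL.
// The transaction keeps the two rows together (no orphan author on failure).
function addJoke(PDO $db, array $input): int
{
    $db->beginTransaction();
    try {
        $ins = $db->prepare('INSERT INTO authors (name, email) VALUES (:name, :email)');
        $ins->execute([':name' => $input['name'], ':email' => $input['email']]);
        $aid = (int)$db->lastInsertId();

        $ins = $db->prepare('INSERT INTO jokes (joketext, jokedate, aid)
                             VALUES (:text, :date, :aid)');
        $ins->execute([':text' => $input['joketext'],
                       ':date' => date('Y-m-d'),   // stands in for curdate()
                       ':aid'  => $aid]);
        $jid = (int)$db->lastInsertId();
        $db->commit();
        return $jid;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Display: one JOIN on jokes.aid = authors.id returns each joke with its author.
function listJokes(PDO $db): array
{
    $sql = 'SELECT j.id, j.joketext, j.jokedate, a.name, a.email
            FROM jokes j JOIN authors a ON a.id = j.aid
            ORDER BY j.id';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Delete by id for the DELETE links; the id is bound, never pasted into the string.
function deleteJoke(PDO $db, int $id): int
{
    $del = $db->prepare('DELETE FROM jokes WHERE id = :id');
    $del->execute([':id' => $id]);
    return $del->rowCount();
}

// Demo with constructed input, including the payload quoted in the thread:
// it is stored verbatim as text and the jokes table survives.
$db    = connect();
$clean = validateSubmission([
    'joketext' => "test'; DROP jokes;",
    'name'     => 'Example Author',
    'email'    => 'author@example.com',
]);
$jid = addJoke($db, $clean);
foreach (listJokes($db) as $row) {
    // Escape on output too, so stored text cannot inject HTML into the page.
    printf("%d: %s (by %s)\n", $row['id'],
           htmlspecialchars($row['joketext'], ENT_QUOTES),
           htmlspecialchars($row['name'], ENT_QUOTES));
}
deleteJoke($db, $jid);
```

The `lastInsertId()` call after the author insert is what answers the "how do I get the id into aid" question; the prepared statements are what make the `test'; DROP jokes;` input harmless, because the driver sends the SQL text and the values separately instead of splicing one into the other.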
  14. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    You don't want to do any of that. You want to use a tool that does it for you. There is no reason to reinvent the wheel and validate your own CGI input.
     
  15. P07r0457

    :greddy: Yea why would you want to LEARN for yourself when you can rely on someone else to screw it up for you :mamoru:

    Honestly, do it yourself, and become a better person for it.
     
  16. o2

    Do you have any links that would give me more info? I don't have a clue what any of those are, or how they are used... except the stripslashes thing.
     
  17. Peyomp

    Yeah, and why not do your CGI in C. You'll REALLY understand everything then. :hsugh: Maybe he should code his own web server and TCP/IP stack too? :rofl:

    The fact is that if you're trying to solve a problem, LAZINESS IS A VIRTUE. Do not reinvent the wheel if you do not have to. You are doing yourself, and your employer a disservice if you do. If you google "php form validation" there are some packages to do it for you there.

    With every post, you demonstrate your enormous ineptitude. Go to ITT or some shitty tech school or actually get a job in IT and then come back and give advice, kiddie.
     
  18. P07r0457

    Went to Cal State Fullerton for Computer Science, dipshit. Took 2 years and changed majors because my father works for IBM and has a little industry insight -- didn't like where it would end up.

    Now as for using an off-the-shelf product, that can be bad. How many times have I written something from scratch that has held up better than the "commonly-used" version of a similar product? Lots!
     
  19. Peyomp

    The point being that chunking at a high level allows you to accomplish things that would never be possible if you reinvented every wheel. In this case, telling a novice to do his own form validation is terrible advice, because he will do a bad job, and because it will take him forever. There is no need.
     
  20. P07r0457

    it's people like you that suggest products like "form-mail" instead of writing their own socket-based SMTP connection.... Resulting in abuse by spammers.

    Commonly-known, widely-available commercial applications are NOT always better.

    I'm not saying that an n00b can do a better job... But I am saying that some things are best done yourself. It's up to you to do it properly. Don't rely so heavily on someone else's work.
     
  21. Peyomp

    Nobody is talking about anything commercial. I don't use any closed source tools. There are lots of free PHP form validators out there. Open source. And actually, security holes result from people reinventing the wheel as you suggest. He won't do a good job at form validation. Other people already have. Since the goal of his project is not to build a newer, better form validator library, reinventing this wheel is not just inefficient... it's just plain stupid.

    Sometimes it IS important to do something on your own. PHP Form validation is not one of those times. It would be 10x faster to read the validation code in one of the FOSS toolkits than writing your own. Like I said, you're not writing your own web server, TCP/IP stack, kernel, or web scripting language, are you? Why not?

    Effective intelligence is about standing on the shoulders of giants... it is not about wasting time reinventing the wheel. You must concentrate your efforts and energies on the parts of the application that are most novel and critical. And since this is a problem that is already solved many times over, form validation ain't it.
     