
Please help: PHP query error?

Hello everybody, I have an error when I submit data into the database. Please check it out.
The PHP code is:

[code=php]
<?php
$con = mysql_connect('abc.com', 'colg', 'Colg@1');
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db('colg');

// Form values are interpolated straight into the SQL text
$sql = "INSERT INTO fsc_med(reg_id,f_name,l_name,roll_num,t_eng,o_eng,t_urdu,o_urdu,t_phy,o_phy,t_che,o_che,t_bio,o_bio,t_isl_sstd,o_isl_sstd,total_marks,obtain_marks,attendance)
VALUES
('$_POST[reg_num]','$_POST[firstname]','$_POST[lastname]','$_POST[rollnum]','$_POST[t_english]','$_POST[o_english]','$_POST[t_urdu]','$_POST[o_urdu]','$_POST[t_physics]','$_POST[o_physics]','$_POST[t_chemistry]','$_POST[o_chemistry]','$_POST[t_biology]','$_POST[o_biology]','$_POST[t_isl_sst]','$_POST[o_isl_sst]','$_POST[t_marks]','$_POST[o_t_marks]','$_POST[attdnce]')";

// NB: $con was opened with the old mysql extension, but the query is run with mysqli_*
if (!mysqli_query($con, $sql)) {
    die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?>
[/code]

[B]The data entry form is here: [url]http://igoc.com.pk/student_results/register_fsc_med_123.html[/url][/B]


7 Comment(s)

@ginerjm Mar 02.2014 — This code will not run and SHOULD not run. The data you are taking from the user's input and posting to your db without any validation could be loaded with malicious code. Please learn how to check input, ensure that it is what you expect and that it is safe to use before continuing.

That said, there are still plain old syntax errors here as well. Assuming that you mis-typed these into your post, tell us what the error message was so that you can at least get that answer.
@tanvirzafar (author) Mar 02.2014 — I fixed it... how can I put validation on user inputs?
@ginerjm Mar 02.2014 — You need to read up on security and how to accept input from the user to protect your site from hackers and other malicious users. They can do things to break your database, destroy your tables with improper input. To validate input you need to check each one to see if it is what you expect. For example, if you have a field that should have a number entered in it, then check that the POST var for that field does in fact have a number value when you get it. If a field should have a yes/no value in it, be sure that it does. And so on. For string entries you must be sure to escape the input value to get rid of any harmful characters before posting it to your database.

There are many articles on data security. Read some of them. There's probably one in these forums.
@Error404 Mar 03.2014 — There are several problems with your code. First, mysql will quickly be removed in the future, so you shouldn't be using it. Instead, use either PDO or mysqli.

Second, you're mixing mysql with mysqli and that alone will generate errors.

Third, as already mentioned, you're not checking user input, so they can freely enter code and have it wreck your database. Alternatively, they could enter nothing for all of the fields and your code would allow that. When you go to read from your database, the output will seem bizarre, assuming it hasn't already been trashed.

Here's a very quick example just for checking the firstname; however, it's not complete and requires you to do a bit of work on it for it to execute.

[code=php]
<?php
$firstname = "";

if (isset($_POST['firstname'])) {
    $firstname = trim($_POST['firstname']);
    $illegalChars = array(); // enter any specific characters you would like to check for
    if (ctype_alpha($firstname)) {
        $parts = str_split($firstname);
        foreach ($parts as $part) {
            if (in_array($part, $illegalChars)) {
                // do something since it contains an illegal character
            }
        }
    }
} else {
    // do something
}
?>
[/code]


Before tackling this though, you want to get your code to be able to run.
@kiwistech Mar 04.2014 — I would advise you to use the mysqli extension instead of mysql. Read important information about mysqli and use it in your program; I found it for you here:

http://wistech.biz/2014/03/03/php-5-what-is-mysqli-extension/
@tanvirzafar (author) Mar 04.2014 — [QUOTE]I would advise you to use the mysqli extension instead of mysql. Read important information about mysqli and use it in your program; I found it for you here:

http://wistech.biz/2014/03/03/php-5-what-is-mysqli-extension/[/QUOTE]

Thank you so much.
@NogDog Mar 04.2014 — If you migrate to either the PDO or MySQLi database extensions in PHP, you can use prepared statements and bound parameters to take care of sanitizing inputs. I prefer the PDO extension, myself, but it's no big deal unless you want the additional database portability that it provides.

An example of using bound parameters can be seen at http://us2.php.net/manual/en/pdostatement.bindparam.php .
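Putting ginerjm's per-field validation advice and NogDog's prepared-statement advice together, as an added example that is not from any poster in this thread: it covers a subset of the original form's fields, assumes reg_id, roll_num and the mark columns are integers, and uses placeholder connection details.

```php
<?php
// Added example: validate first, then insert via mysqli prepared statement (PHP 7.1+; placeholder credentials)
function validate_result_form(array $post): array
{
    $errors = [];
    $clean  = [];
    // Names: non-empty, letters/spaces/apostrophes/hyphens only, bounded length
    foreach (['firstname', 'lastname'] as $f) {
        $v = trim($post[$f] ?? '');
        if ($v === '' || strlen($v) > 50 || !preg_match('/^[A-Za-z][A-Za-z \'-]*$/', $v)) {
            $errors[] = "$f must contain letters only";
        }
        $clean[$f] = $v;
    }
    // Identifiers and marks: digits only and within a sane range (the "is it really a number" check)
    foreach (['reg_num', 'rollnum', 't_english', 'o_english', 'attdnce'] as $f) {
        $v = trim($post[$f] ?? '');
        if (!ctype_digit($v) || (int) $v > 10000) {
            $errors[] = "$f must be a whole number";
        }
        $clean[$f] = (int) $v;
    }
    // Cross-field rule: obtained marks can never exceed total marks
    if (!$errors && $clean['o_english'] > $clean['t_english']) {
        $errors[] = 'o_english cannot exceed t_english';
    }
    return [$errors, $clean];
}
function insert_result(mysqli $con, array $c): bool
{
    // Values are bound to ? placeholders, so quotes or SQL fragments in the input remain data, not syntax
    $stmt = $con->prepare(
        'INSERT INTO fsc_med (reg_id, f_name, l_name, roll_num, t_eng, o_eng, attendance)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) { return false; }
    $stmt->bind_param('issiiii', $c['reg_num'], $c['firstname'], $c['lastname'],
                      $c['rollnum'], $c['t_english'], $c['o_english'], $c['attdnce']);
    return $stmt->execute();
}
[$errors, $clean] = validate_result_form($_POST);
if ($errors) {
    http_response_code(400);
    exit(implode("\n", array_map('htmlspecialchars', $errors)));
}
$con = new mysqli('db.example', 'dbuser', 'dbpass', 'colg'); // placeholder host/user/password
if ($con->connect_error) { exit('Could not connect: ' . $con->connect_error); }
echo insert_result($con, $clean) ? '1 record added' : 'Error: ' . $con->error;
```

Rejecting the request before any SQL is built is what keeps a malformed or hostile field out of the table; the placeholders then make the remaining values harmless to the query itself.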