PDA

View Full Version : MYSQL Insert Problem



dead-poetic
09-23-2005, 05:31 AM
I am have a problem inserting into a database. Here is the source of the form page, I had to remove the css and javascript because it was to long:

<html><head><title>Compose Message</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>

<body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0">
<a name="TOP"></a>
<form action="../sendmail.php" method="post" name="compose" id="compose" onsubmit="return buttonPressed">


<table border="0" cellpadding="10" cellspacing="0" width="100%">
<tbody><tr>
<td>

<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td>
<td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"><span class="text12">Basic Editor / HTML Editor </span></td>
</tr>
<tr>
<td colspan="5" nowrap="nowrap"><font class="head14">&nbsp;&nbsp;Enter Recipients:</font>
<font class="text10">&nbsp;&nbsp;&nbsp;&nbsp;Separate recipient names with commas.</font></td>
</tr>
<tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
<tr>
<td><font class="text10">&nbsp;&nbsp;&nbsp;<b>To:</b>&nbsp;&nbsp;</font></td>
<td colspan="3"><font class="text10"><input class="textform" name="to" value="" size="65" type="text"></font></td>
<td valign="top"><a href="javascript:address()" onmouseover="window.status=''; return true;"><img src="composeBody_data/address.gif" alt="Address" border="0" height="18" hspace="10" width="62"></a></td>
</tr>
<tr><td colspan="4"><img src="composeAd_data/dot-blank.gif" height="3" width="1"></td></tr>
<tr>
<td><font class="text10">&nbsp;&nbsp;&nbsp;<b>Cc:</b>&nbsp;&nbsp;</font></td>
<td><font class="text10"><input class="textform" name="cc" value="" size="27" type="text"></font></td>
<td><font class="text10">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>Bcc:</b>&nbsp;&nbsp;</font></td>
<td><font class="text10"><input class="textform" name="bcc" value="" size="26" type="text"></font></td>
<td></td>
</tr>
<tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
</tbody>
</table>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td><font class="head14">&nbsp;&nbsp;Enter Subject:&nbsp;&nbsp;</font></td>
<td><font class="text10"><input class="textform" size="49" name="subject" value="" type="text"></font></td>
</tr>
<tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
</tbody></table>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td valign="bottom" width="150"><font class="head14">&nbsp;&nbsp;Enter Message:</font></td>
<td align="right"><font class="textwarning" id="spck">&nbsp;&nbsp;&nbsp;&nbsp;</font></td>
</tr>
<tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="5" width="1"></td></tr>
<tr><td colspan="2"><font class="text10">&nbsp;&nbsp;
<textarea class="textform" cols="75" rows="18" name="body" wrap="virtual"></textarea></font></td></tr>
<tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
</tbody></table>

<font class="sw">
<input name="emaildate" type="hidden" value="<?php echo gmdate("mdYHis"); ?>">
</font>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
<tr>
<td width="10%"><font class="head14" id="attach_label">&nbsp;&nbsp;Attachments:&nbsp;&nbsp;</font></td>
<td width="90%"><font class="text12" id="attach_list">
<input name="attachment" type="file" id="attachment" size="45">
</font></td>
</tr>
<tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
</tbody></table>

<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td colspan="2" class="bglight"><img src="composeAd_data/dot-blank.gif" height="1" width="1"></td></tr>
<tr valign="bottom" class="bgslight">
<td>&nbsp;</td>
<td align="right">
<input name="imageField" type="image" src="composeBody_data/send.gif" width="62" height="18" border="0">
<a href="javascript:window.close();" target="_parent" onmouseover="window.status=''; return true;"><img src="composeBody_data/cancel.gif" alt="Cancel" border="0" height="18" hspace="3" vspace="4" width="62"></a></td>
</tr>
<tr><td colspan="2" class="bgtabon"><img src="composeAd_data/dot-blank.gif" height="3" width="1"></td></tr>
<tr><td colspan="2">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
</table>

</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
</body></html>
and here is the code for the sendmail.php

<?php
header("Location: compose.php");
// Connecting, selecting database
$link = mysql_connect('localhost', '', '')
or die('Could not connect: ' . mysql_error());
mysql_select_db('rrmail') or die('Could not select database');
$query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
$re_insertmessages = mysql_query($query_rs_insertmessages);
?> It does not give me and error it just uses the header function to go to compose.php page. and is does NOT INSERT INTO THE DATABASE. Could somebody please help?

Thanks,
Christian

dead-poetic
09-23-2005, 08:20 PM
Anybody?

Odin
09-25-2005, 12:26 AM
To be honest, I can't actually see a problem with your PHP coding (although maybe I'm just missing something simple).
Only thing that I can see is the header, which should use an absolute URI.

You will not, however, see an error message should one occur. The code sends a redirect header to the browser before any code is outputted, so anything outputted is not seen. Regardless of that, your mysql_query() doesn't return an error if it fails.
To see error messages you must move the header() below the MySQL functions, and it's also typical to call exit() after redirecting to stop any other coding getting executed.

Try running this slight update (replace the URI with your own), and see if you get an error message returned now.


<?php
// Connecting, selecting database
$link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
mysql_select_db('rrmail') or die('Could not select database');
$query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
$re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error());

header("Location: http://www.domain.tld/compose.php");
exit();
?>

dead-poetic
09-25-2005, 06:27 PM
To be honest, I can't actually see a problem with your PHP coding (although maybe I'm just missing something simple).
Only thing that I can see is the header, which should use an absolute URI.

You will not, however, see an error message should one occur. The code sends a redirect header to the browser before any code is outputted, so anything outputted is not seen. Regardless of that, your mysql_query() doesn't return an error if it fails.
To see error messages you must move the header() below the MySQL functions, and it's also typical to call exit() after redirecting to stop any other coding getting executed.

Try running this slight update (replace the URI with your own), and see if you get an error message returned now.


<?php
// Connecting, selecting database
$link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
mysql_select_db('rrmail') or die('Could not select database');
$query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
$re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error());

header("Location: http://www.domain.tld/compose.php");
exit();
?> Tryed your update and I got the error
Insert failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, towho, ccwho, bccwho, subject, body, date) VALUES ('testuser
I updated me code to this
<?php
// Connecting, selecting database
$link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
mysql_select_db('rrmail') or die('Could not select database');
$query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
$re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error());

header("Location: http://localhost/mail/compose.php");
exit();
?>
The first value (testuser, $_COOKIE['unique']) is a email address, it is testuser@localhost. If you need i can post my database stuff here.

Twey
09-25-2005, 07:30 PM
It does look OK to me. Perhaps you should check that the values you are inserting do not contain any MySQL reserved characters?
Try:

<?php
// Connecting, selecting database
$link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
mysql_select_db('rrmail') or die('Could not select database');
$query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
$re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error() . "\nQuery: $query_rs_insertmessages");

//header("Location: http://localhost/mail/compose.php");
exit();
?>
This will tell us the exact query being executed.

dead-poetic
09-25-2005, 11:46 PM
Tryed you correction and now I get this error

Insert failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, towho, ccwho, bccwho, subject, body, date) VALUES ('testus Query: INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('testuser@localhost', '', '', '', 'Test, Cool!', 'Cool! ?', '');

I attached my database file. The messages in the database we NOT inserted by the form, I inserted thoes using phpmyadmin.

mwinter
09-26-2005, 12:43 AM
header("Location: compose.php");In case you didn't notice the change in Odin's post, the Location header must be an absolute URL. Relative URLs are not permitted.



$query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";There are two issues here.

The first, and least serious, is that SQL statements issued through the mysql_query function should not end with a semicolon. This isn't the cause of your problems, but it's best to follow documentation.

The second, potentially catastrophic problem is the possible security vulnerability presented through your apparent trust of client data. If you haven't performed thorough validation and sanitation of those POST variables, you're leaving your database wide open to an SQL injection attack. The MySQL and PHP documentation provides some information on security issues, and you'll find plenty of other sources around the Web.



You will not, however, see an error message should one occur. The code sends a redirect header to the browser before any code is outputted, so anything outputted is not seen.Well, the output would be seen through a Telnet connection or if a user agent doesn't follow the redirect, though the latter only happens with older clients and certain redirection response codes. However, debugging data should never be sent to the client. Debugging code should either be removed entirely when a system goes live, or output should be sent to off-line error logs. There's nothing wrong with defensive programming, however, and appropriate explanations to the user. These explanations should never expose why something went wrong, though. Not only will it mean nothing to the user, but it's an aid to anyone who wants to find vulnerabilities in your code.



INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('testuser@localhost', '', '', '', 'Test, Cool!', 'Cool! ?', '')The word, from, is a reserved word in SQL. You need to escape it with backtick (`) characters.

Mike

Mike

dead-poetic
09-26-2005, 01:07 AM
Thanks, it worked! And I did change it to the full address.