
Thread: MYSQL Insert Problem

  1. #1
    MYSQL Insert Problem

    I am having a problem inserting into a database. Here is the source of the form page; I had to remove the CSS and JavaScript because it was too long:
    Code:
    <html><head><title>Compose Message</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    
    <body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0">
    <a name="TOP"></a>
    <form action="../sendmail.php" method="post" name="compose" id="compose" onsubmit="return buttonPressed">
    
    
    <table border="0" cellpadding="10" cellspacing="0" width="100%">
       <tbody><tr>
    	<td>
    
    	<table border="0" cellpadding="0" cellspacing="0">
    	   <tbody><tr>
    	     <td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td>
    		 <td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"><span class="text12">Basic Editor / HTML Editor </span></td>
    	   </tr>
    	   <tr>
    		<td colspan="5" nowrap="nowrap"><font class="head14">&nbsp;&nbsp;Enter Recipients:</font>
    		<font class="text10">&nbsp;&nbsp;&nbsp;&nbsp;Separate recipient names with commas.</font></td>
    	   </tr>
    	   <tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
    	   <tr>
    	   	<td><font class="text10">&nbsp;&nbsp;&nbsp;<b>To:</b>&nbsp;&nbsp;</font></td>
    		<td colspan="3"><font class="text10"><input class="textform" name="to" value="" size="65" type="text"></font></td>
    		<td valign="top"><a href="javascript:address()" onmouseover="window.status=''; return true;"><img src="composeBody_data/address.gif" alt="Address" border="0" height="18" hspace="10" width="62"></a></td>
    	   </tr>
    	   <tr><td colspan="4"><img src="composeAd_data/dot-blank.gif" height="3" width="1"></td></tr>
    	   <tr>
    	   	<td><font class="text10">&nbsp;&nbsp;&nbsp;<b>Cc:</b>&nbsp;&nbsp;</font></td>
    		<td><font class="text10"><input class="textform" name="cc" value="" size="27" type="text"></font></td>
    	   	<td><font class="text10">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>Bcc:</b>&nbsp;&nbsp;</font></td>
    		<td><font class="text10"><input class="textform" name="bcc" value="" size="26" type="text"></font></td>
    		<td></td>
    	   </tr>
    	   <tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
    	</tbody>
    	</table>
    	<table border="0" cellpadding="0" cellspacing="0">
    	   <tbody><tr>
    		<td><font class="head14">&nbsp;&nbsp;Enter Subject:&nbsp;&nbsp;</font></td>
    		<td><font class="text10"><input class="textform" size="49" name="subject" value="" type="text"></font></td>
    	   </tr>
    	   <tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
    	</tbody></table>
    	<table border="0" cellpadding="0" cellspacing="0">
    	   <tbody><tr>
    		<td valign="bottom" width="150"><font class="head14">&nbsp;&nbsp;Enter Message:</font></td>
    		<td align="right"><font class="textwarning" id="spck">&nbsp;&nbsp;&nbsp;&nbsp;</font></td>
    	   </tr>
    	   <tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="5" width="1"></td></tr>
    	   <tr><td colspan="2"><font class="text10">&nbsp;&nbsp;
    	     <textarea class="textform" cols="75" rows="18" name="body" wrap="virtual"></textarea></font></td></tr>
    	   <tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
    	</tbody></table>
    	
    	<font class="sw">
    	<input name="emaildate" type="hidden" value="<?php echo gmdate("mdYHis"); ?>">
    	</font>
    	<table border="0" cellpadding="0" cellspacing="0" width="100%">
    	   <tbody><tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
    	   <tr>
    		<td width="10%"><font class="head14" id="attach_label">&nbsp;&nbsp;Attachments:&nbsp;&nbsp;</font></td>
    		<td width="90%"><font class="text12" id="attach_list">
    		  <input name="attachment" type="file" id="attachment" size="45">
    		</font></td>
    	   </tr>
    	   <tr><td colspan="2"><img src="composeAd_data/dot-blank.gif" height="8" width="1"></td></tr>
    	</tbody></table>
    	
    	<table border="0" cellpadding="0" cellspacing="0" width="100%">
    	   <tbody><tr><td colspan="2" class="bglight"><img src="composeAd_data/dot-blank.gif" height="1" width="1"></td></tr>
    	   <tr valign="bottom" class="bgslight">
    	   	<td>&nbsp;</td>
    	   	<td align="right">
    	   	  <input name="imageField" type="image" src="composeBody_data/send.gif" width="62" height="18" border="0">
    	   	  <a href="javascript:window.close();" target="_parent" onmouseover="window.status=''; return true;"><img src="composeBody_data/cancel.gif" alt="Cancel" border="0" height="18" hspace="3" vspace="4" width="62"></a></td>
    	   </tr>
    	   <tr><td colspan="2" class="bgtabon"><img src="composeAd_data/dot-blank.gif" height="3" width="1"></td></tr>
    	   <tr><td colspan="2">
    <table border="0" cellpadding="0" cellspacing="0" width="100%">
    </table>
    
    </td>
    	   </tr>
    	</tbody></table>
    	</td>
       </tr>
    </tbody></table>
    </form>
    </body></html>
    and here is the code for the sendmail.php
    PHP Code:
    <?php
    header("Location: compose.php");
    // Connecting, selecting database
    $link = mysql_connect('localhost', '', '')
       or die('Could not connect: ' . mysql_error());
    mysql_select_db('rrmail') or die('Could not select database');
    $query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
    $re_insertmessages = mysql_query($query_rs_insertmessages);
    ?>
    It does not give me an error; it just uses the header function to go to the compose.php page, and it does NOT INSERT INTO THE DATABASE. Could somebody please help?

    Thanks,
    Christian

  2. #2

    Anybody?

  3. #3

    To be honest, I can't actually see a problem with your PHP coding (although maybe I'm just missing something simple).
    Only thing that I can see is the header, which should use an absolute URI.

    You will not, however, see an error message should one occur. The code sends a redirect header to the browser before any code is outputted, so anything outputted is not seen. Regardless of that, your mysql_query() doesn't return an error if it fails.
    To see error messages you must move the header() below the MySQL functions, and it's also typical to call exit() after redirecting to stop any other coding getting executed.

    Try running this slight update (replace the URI with your own), and see if you get an error message returned now.

    PHP Code:
    <?php
    // Connecting, selecting database
    $link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
    mysql_select_db('rrmail') or die('Could not select database');
    $query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
    $re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error());

    header("Location: http://www.domain.tld/compose.php");
    exit();
    ?>

  4. #4

    Quote Originally Posted by Odin
    To be honest, I can't actually see a problem with your PHP coding (although maybe I'm just missing something simple).
    Only thing that I can see is the header, which should use an absolute URI.

    You will not, however, see an error message should one occur. The code sends a redirect header to the browser before any code is outputted, so anything outputted is not seen. Regardless of that, your mysql_query() doesn't return an error if it fails.
    To see error messages you must move the header() below the MySQL functions, and it's also typical to call exit() after redirecting to stop any other coding getting executed.

    Try running this slight update (replace the URI with your own), and see if you get an error message returned now.

    PHP Code:
    <?php
    // Connecting, selecting database
    $link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
    mysql_select_db('rrmail') or die('Could not select database');
    $query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
    $re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error());

    header("Location: http://www.domain.tld/compose.php");
    exit();
    ?>
    Tried your update and I got the error
    Insert failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, towho, ccwho, bccwho, subject, body, date) VALUES ('testuser
    I updated my code to this
    PHP Code:
    <?php
    // Connecting, selecting database
    $link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
    mysql_select_db('rrmail') or die('Could not select database');
    $query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
    $re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error());

    header("Location: http://localhost/mail/compose.php");
    exit();
    ?>
    The first value (testuser, $_COOKIE['unique']) is an email address; it is testuser@localhost. If you need, I can post my database stuff here.

  5. #5

    It does look OK to me. Perhaps you should check that the values you are inserting do not contain any MySQL reserved characters?
    Try:
    PHP Code:
    <?php
    // Connecting, selecting database
    $link = mysql_connect('localhost', '', '') or die('Could not connect: ' . mysql_error());
    mysql_select_db('rrmail') or die('Could not select database');
    $query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
    $re_insertmessages = mysql_query($query_rs_insertmessages) or die('Insert failed: ' . mysql_error() . "\nQuery: $query_rs_insertmessages");

    //header("Location: http://localhost/mail/compose.php");
    exit();
    ?>
    This will tell us the exact query being executed.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  6. #6

    Tried your correction and now I get this error
    Insert failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from, towho, ccwho, bccwho, subject, body, date) VALUES ('testus Query: INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('testuser@localhost', '', '', '', 'Test, Cool!', 'Cool! ?', '');
    I attached my database file. The messages in the database were NOT inserted by the form; I inserted those using phpMyAdmin.

  7. #7

    Quote Originally Posted by dead-poetic
    PHP Code:
    header("Location: compose.php"); 
    In case you didn't notice the change in Odin's post, the Location header must be an absolute URL. Relative URLs are not permitted.

    PHP Code:
    $query_rs_insertmessages = "INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('".$_COOKIE['unique']."', '".$_POST['to']."', '".$_POST['cc']."', '".$_POST['bcc']."', '".$_POST['subject']."', '".$_POST['body']."', '".$_POST['date']."');";
    There are two issues here.

    The first, and least serious, is that SQL statements issued through the mysql_query function should not end with a semicolon. This isn't the cause of your problems, but it's best to follow documentation.

    The second, potentially catastrophic problem is the possible security vulnerability presented through your apparent trust of client data. If you haven't performed thorough validation and sanitation of those POST variables, you're leaving your database wide open to an SQL injection attack. The MySQL and PHP documentation provides some information on security issues, and you'll find plenty of other sources around the Web.


    Quote Originally Posted by Odin
    You will not, however, see an error message should one occur. The code sends a redirect header to the browser before any code is outputted, so anything outputted is not seen.
    Well, the output would be seen through a Telnet connection or if a user agent doesn't follow the redirect, though the latter only happens with older clients and certain redirection response codes. However, debugging data should never be sent to the client. Debugging code should either be removed entirely when a system goes live, or output should be sent to off-line error logs. There's nothing wrong with defensive programming, however, and appropriate explanations to the user. These explanations should never expose why something went wrong, though. Not only will it mean nothing to the user, but it's an aid to anyone who wants to find vulnerabilities in your code.


    Quote Originally Posted by dead-poetic
    INSERT INTO tbl_messages (from, towho, ccwho, bccwho, subject, body, date) VALUES ('testuser@localhost', '', '', '', 'Test, Cool!', 'Cool! ?', '')
    The word, from, is a reserved word in SQL. You need to escape it with backtick (`) characters.

    Mike
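
An added example, not code from any poster in this thread: one way to apply the three points in post #7 together, with the reserved column name backtick-quoted, every client value bound as a parameter instead of concatenated, and failure detail sent to the server log rather than the browser. Assumptions: PDO is used in place of the thread's mysql_* calls, an in-memory SQLite database stands in for `rrmail` so the script runs offline, the function names are hypothetical, and the date is read from `emaildate`, the field name the posted form actually submits.

```php
<?php
// Assumption: in-memory SQLite stands in for the MySQL 'rrmail' database so the
// script runs offline; SQLite also accepts MySQL-style backtick quoting.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tbl_messages (`from` TEXT, towho TEXT, ccwho TEXT,
               bccwho TEXT, subject TEXT, body TEXT, date TEXT)');
    return $db;
}

// Hypothetical helper: returns true on success, false on failure.
function insert_message(PDO $db, string $from, array $post): bool
{
    // `from` is a reserved word, so it is backtick-quoted. Values travel as
    // bound parameters and never become part of the SQL text.
    $sql = 'INSERT INTO tbl_messages
                (`from`, towho, ccwho, bccwho, subject, body, date)
            VALUES (:from, :to, :cc, :bcc, :subject, :body, :date)';
    try {
        $stmt = $db->prepare($sql);
        return $stmt->execute([
            ':from'    => $from,
            ':to'      => $post['to'] ?? '',
            ':cc'      => $post['cc'] ?? '',
            ':bcc'     => $post['bcc'] ?? '',
            ':subject' => $post['subject'] ?? '',
            ':body'    => $post['body'] ?? '',
            ':date'    => $post['emaildate'] ?? '',
        ]);
    } catch (PDOException $e) {
        // Detail goes to the server-side log only, never to the client.
        error_log('tbl_messages insert failed: ' . $e->getMessage());
        return false;
    }
}

$db = open_demo_db();
// Constructed sample input: the apostrophes would break a concatenated query.
$post = ['to' => 'friend@localhost', 'subject' => "It's here",
         'body' => "Don't panic", 'emaildate' => gmdate('mdYHis')];
if (insert_message($db, 'testuser@localhost', $post)) {
    $row = $db->query('SELECT `from`, subject, body FROM tbl_messages')
              ->fetch(PDO::FETCH_ASSOC);
    echo $row['subject'], "\n";   // stored exactly as submitted
} else {
    echo "Sorry, your message could not be saved.\n";   // generic message only
}
```

Against the thread's MySQL server, only the PDO connection line changes; the statement and the bindings stay the same.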

  8. #8

    Thanks, it worked! And I did change it to the full address.