Donogh5 All American 971 Posts
Yup, that syntax looks right to me. For security, it's best not to expose db server instances across the Internet. At the very least, it should be on a private, NATed LAN.
I'm not sure why die() is used either, but it seems to be the convention when dealing with db connections. Usually, with PHP, the choice of one function or syntax over another is historical in nature. Another example is the strange inconsistency between the ordering of needle and haystack parameters in different functions. 7/6/2008 5:36:44 PM |
quagmire02 All American 44225 Posts
^ actually, that addresses a question i've always had, but never really come across (so i never gave it more than a passing thought):
i have unlimited mysql databases on my hosting plan...if a friend doesn't have any on his and i let him create the database on my server, how would he go about creating a secure connection between the two? i mean, neither of us own the servers - they're just basic, relatively cheap hosting plans on shared servers
oh, and wouldn't vertigo need to specify a port? i don't have a great deal of experience in cross-server communication like this, but in my limited experience, i've always had to specify ports
*shrug*
[Edited on July 6, 2008 at 5:42 PM. Reason : .] 7/6/2008 5:41:14 PM |
Donogh5 All American 971 Posts
^ i presume it'd default to port 3306, but maybe he would
a vpn connection would be the way to go, but it depends whether you're allowed to run vpn clients/servers
you could also do basic tunnelling over ssh: http://www.revsys.com/writings/quicktips/ssh-tunnel.html 7/6/2008 7:22:35 PM |
vertigo Veteran 135 Posts
Okay, empty records keep being submitted when I use this simple form:
<?php
$host = "localhost";
$user = "user";
$pswd = "pswd";
$mydb = "mydb";

$link = @mysql_connect($host,$user,$pswd);
if (!$link) {
    echo "Connection failed: ".mysql_error();
    exit;
}

$db_connect = @mysql_select_db($mydb,$link);
if (!$db_connect) {
    echo "Cannot connect to database: ".mysql_error();
    exit;
}

if (isset($_POST['submit'])) {
    $fname = stripslashes(trim($_POST['fname']));
    $mname = stripslashes(trim($_POST['mname']));
    $lname = stripslashes(trim($_POST['lname']));

    $query = "INSERT INTO $table (LNAME,FNAME,MNAME) VALUES ('$lname','$fname','$mname')";

    $result = @mysql_query($query,$link);
    if (!$result) {
        echo "Query failed: ".mysql_error();
        exit;
    }

    mysql_close($link);
}
?>

<form enctype="text/plain" class="conf_reg" method="post" action="<?php echo $_SERVER[$PHP_SELF]; ?>">
    <input name="fname" type="text" size="25" maxlength="25" />
    <input name="mname" type="text" size="1" maxlength="1" />
    <input name="lname" type="text" size="25" maxlength="25" />
    <input name="submit" type="submit" value="SUBMIT" />
</form>
When I check in phpMyAdmin, it shows the first column as increasing (it's called RECORD_ID and it's set to auto_increment) and it shows the correct timestamp (the second column is called TIMESTAMP and has a value of CURRENT_TIMESTAMP). So, every time I test the submission page, I get a new record with the correct timestamp, but the other three columns are all empty.
What am I missing?
Thanks! 7/13/2008 6:29:30 PM |
vertigo Veteran 135 Posts
Does anyone have any suggestions as to what I might be doing wrong? 7/14/2008 2:27:11 PM |
bous All American 11215 Posts
$query = "INSERT INTO $table
where is $table assigned a string value? 7/14/2008 2:31:18 PM |
vertigo Veteran 135 Posts
Oh, I forgot to include that as part of my post. It's in there, though, just below the $db declaration:
$table = "tablename";
I've tried just sticking it directly into the query, but it doesn't make any difference. And, since I'll end up having multiple queries, I like setting the table name to a variable. Is that stupid? 7/14/2008 2:39:56 PM |
Ernie All American 45943 Posts
It's not stupid, but it's pointless and potentially confusing for anyone else maintaining the script. 7/14/2008 2:43:49 PM |
quagmire02 All American 44225 Posts
i'm confused...you're saying that it's actually creating new records, but it's not populating the database except for the record id and timestamp? 7/14/2008 3:06:11 PM |
vertigo Veteran 135 Posts
Yes. I can take a screenshot if that would help. I just can't figure out why it won't fill in my other fields. 7/14/2008 3:10:56 PM |
vertigo Veteran 135 Posts
Any other ideas? Anyone? I can't get this to work, and I can't figure out why. 7/14/2008 11:00:31 PM |
BigMan157 no u 103354 Posts
what are LNAME,FNAME,MNAME?
VARCHARs?
[Edited on July 15, 2008 at 7:42 AM. Reason : also, it's good practice to add slashes - not strip them - to help prevent injection attacks]
[Edited on July 15, 2008 at 7:43 AM. Reason : another thing: do this to debug - if (isset($_POST['submit'])) {print_r($_POST);}] 7/15/2008 7:40:56 AM |
DPK All American 2390 Posts
Have you done any debugging to see that there's actually anything in those post variables? Like echo out the variable lengths and $_SERVER['REQUEST_METHOD'] to double check what's going on. You could be looking in the wrong place altogether.
Also, what version of PHP are you running?
Debug debug debug.
[Edited on July 15, 2008 at 8:05 AM. Reason : -]
[Edited on July 15, 2008 at 8:07 AM. Reason : Read up on your Super Globals - http://us3.php.net/manual/en/language.variables.superglobals.php] 7/15/2008 7:51:41 AM |
vertigo Veteran 135 Posts
print_r($_POST); gives me nothing. As in, nothing shows up at all. I put in this: <?php echo "<p>request method: ".$_SERVER['REQUEST_METHOD']."</p>" ?> and when I initially load the page, it says "request method: GET" and after I submit something it says "request method: POST", so I think it's doing that correctly.
FNAME, MNAME, and LNAME are all varchars, of 25, 3, and 25, respectively.
According to phpinfo(), I'm running PHP version 5.2.6.
Is it possible that some setting is turned off that I need turned on? I don't even know where to begin looking. That code above isn't quite right, by the way. I was piecing it together since I didn't have my page with me. Below is the code I'm actually using, and now, it's not creating ANY new records or timestamps - nothing gets submitted.
<?php
$host = "localhost";
$user = "username";
$pswd = "password";
$mydb = "databasename";

$link = @mysql_connect($host,$user,$pswd);
if (!$link) {
    echo "Connection failed: ".mysql_error();
    exit;
}

$db_connect = @mysql_select_db($mydb,$link);
if (!$db_connect) {
    echo "Cannot connect to database: ".mysql_error();
    exit;
}

if (isset($_POST['submit'])) {
    $fname = addslashes(trim($_POST['fname']));
    $mname = addslashes(trim($_POST['mname']));
    $lname = addslashes(trim($_POST['lname']));

    $query = "INSERT INTO tablename (LNAME,FNAME,MNAME) VALUES ('$lname','$fname','$mname')";

    $result = @mysql_query($query,$link);
    if (!$result) {
        echo "Query failed: ".mysql_error();
        exit;
    }
    print_r($_POST);
}
mysql_close($link);
?>

<form enctype="text/plain" method="post" action="<?php echo $_SERVER[$PHP_SELF] ?>">
    <input name="fname" type="text" size="25" maxlength="25" />
    <input name="mname" type="text" size="1" maxlength="1" />
    <input name="lname" type="text" size="25" maxlength="25" />
    <input name="submit" type="submit" value="submit" />
</form>

<?php echo "<p>request method: ".$_SERVER['REQUEST_METHOD']."</p>" ?>

[Edited on July 15, 2008 at 10:19 AM. Reason : formatting] 7/15/2008 10:17:26 AM |
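Added example, not part of any post in this thread: the same insert written with bound parameters, so quoting does not depend on addslashes() or stripslashes(), and with a check that refuses empty submissions. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; `insert_name()` is a hypothetical helper and the sample submissions are constructed.

```php
<?php
// Added example, not from the thread. Assumption: an in-memory SQLite database
// stands in for MySQL so this runs offline; against MySQL only the DSN changes,
// e.g. new PDO('mysql:host=localhost;dbname=databasename', $user, $pswd).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tablename (RECORD_ID INTEGER PRIMARY KEY AUTOINCREMENT,
            LNAME VARCHAR(25), FNAME VARCHAR(25), MNAME VARCHAR(3))');

// insert_name() is a hypothetical helper; $post plays the role of $_POST.
function insert_name(PDO $pdo, array $post): int
{
    $limits = ['lname' => 25, 'fname' => 25, 'mname' => 3]; // column sizes from the thread
    $values = [];
    foreach ($limits as $field => $max) {
        $raw = $post[$field] ?? '';
        $value = is_string($raw) ? trim($raw) : '';
        if (strlen($value) > $max) {
            throw new InvalidArgumentException("$field is longer than $max characters");
        }
        $values[":$field"] = $value;
    }
    // Refuse empty submissions instead of writing a blank record.
    if ($values[':lname'] === '' || $values[':fname'] === '') {
        throw new InvalidArgumentException('first and last name are required');
    }
    // The SQL text is constant; input reaches the database only as bound values.
    $stmt = $pdo->prepare(
        'INSERT INTO tablename (LNAME, FNAME, MNAME) VALUES (:lname, :fname, :mname)');
    $stmt->execute($values);
    return (int) $pdo->lastInsertId();
}

// Constructed sample submissions.
$samples = [
    ['fname' => 'Conan', 'mname' => 'C', 'lname' => "O'Brien"],
    ['fname' => "a'); -- ", 'mname' => '', 'lname' => 'Test'],
    [],  // an empty $_POST
];
foreach ($samples as $post) {
    try {
        echo 'inserted record ', insert_name($pdo, $post), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
// Show what was stored.
print_r($pdo->query('SELECT LNAME, FNAME, MNAME FROM tablename')->fetchAll(PDO::FETCH_ASSOC));
```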
BigMan157 no u 103354 Posts
$_SERVER[$PHP_SELF] should be $_SERVER['PHP_SELF'] 7/15/2008 10:28:27 AM |
vertigo Veteran 135 Posts
^ Good point. I changed it, and it still isn't submitting to the database and I'm still not getting any errors. 7/15/2008 11:16:38 AM |
DirtyMonkey All American 4269 Posts
try print_r($_REQUEST); that will display all GET and POST vars. also, if you want to do a post-back (submit to the same page) just leave the entire action attribute off the form tag. 7/15/2008 11:53:00 AM |
vertigo Veteran 135 Posts
If I put that inside the isset, then it displays nothing. If I put it right after the request method echo, I get: Array ( )
display vars: 1 7/15/2008 12:43:30 PM |
DirtyMonkey All American 4269 Posts
make a (temporary page) with this: echo phpinfo();
then refresh the page and look for these two lines:
register_globals (should be "off")
variables_order (should be "EGPCS")
i don't know why these two would say anything different but if variables_order is blank, that would be why there is nothing in those superglobals.
also, you probably have error reporting turned off. put these two lines at the top of your script (in php tags, but NOT in any conditional statement) for debugging. don't forget to remove them or comment them out when you're done.
error_reporting(E_ALL);
ini_set('display_errors','on');
[Edited on July 15, 2008 at 1:53 PM. Reason : errors] 7/15/2008 1:52:09 PM |
vertigo Veteran 135 Posts
Those two directives are as you said they would be. I put in those two lines regarding error reporting, at the top without any conditions. When I run the page (either initially or after submitting something), I see nothing different.
This is becoming very annoying. It's GOT to be a setting somewhere - PHP and SQL aren't THAT difficult. What little experience I have is in Oracle (as the beginning of the thread shows), and so the servers were managed in-house. What else could this be?
[Edited on July 15, 2008 at 3:09 PM. Reason : Frustrated. Thanks for all the suggestions and help, though!] 7/15/2008 3:07:56 PM |
DirtyMonkey All American 4269 Posts
can you post your phpinfo() output? if you'd rather not you can PM me. 7/15/2008 4:10:17 PM |
vertigo Veteran 135 Posts
I'll send it to you. I stripped out most of the identifying information (not because I don't trust you - because, after all, most of you have been very helpful, and I sincerely appreciate it), but because there is stuff shared on that server that is not mine that I am responsible for, and I'd like to take as much precaution as possible against something happening.
Actually, I didn't remove anything, really - I just renamed directories, the URL, and IP addresses that I came across. That said, I'm sure I missed something, but I can only do so much.
Anyone else who wouldn't mind taking a look at it, let me know - I'll send you the file, as well. Thanks! 7/15/2008 5:19:07 PM |
BigMan157 no u 103354 Posts
get rid of all the @ symbols, those suppress errors- that's why you're not getting anything showing up when you turned errors on 7/15/2008 8:47:51 PM |
DirtyMonkey All American 4269 Posts
well that's true, but the problem looks like $_POST (or $_REQUEST) is not being set when the form is submitted, regardless of any possible mysql connection errors. 7/15/2008 9:46:37 PM |
vertigo Veteran 135 Posts
^^ Ah, I did that because of the "messy" errors that were being displayed - I set it so that it would show me error messages in a more readable format. I didn't think about it suppressing all the other errors (though why would it, if the @ symbol only suppresses the errors on that particular function?).
^ Email sent - THANK YOU!
[Edited on July 15, 2008 at 10:36 PM. Reason : Email.] 7/15/2008 10:36:35 PM |
vertigo Veteran 135 Posts
Is there any reason doing something like this is a bad idea?
<?php
if(isset($_GET['p'])) {
    $page = $_GET['p'];
} else {
    $page = "home";
}
switch($page) {
    case $page:
        include($page.".html");
        break;
    default:
        echo "<div>page error!</div>";
        break;
}
?>

I was thinking that, to avoid writing a case for each and every page on the site (about 15-20), this would work so that all links could be written like this:

<a href="?p=pagename">page name</a>

and it would change that include part of the page. The includes are named the same way the cases are - for example, the "contact" page is called contact.html and the "gallery" page is called gallery.html.
The only thing I can think of is that this naming scheme might be insecure, since someone could put in "securepage" and it would automatically bring up securepage.html. But couldn't you just use .htaccess to protect those pages anyway?
Thanks!
[Edited on September 6, 2008 at 5:29 PM. Reason : code tags] 9/6/2008 5:28:52 PM |
BigMan157 no u 103354 Posts
they could travel down the directory to root files, potentially 9/6/2008 5:33:07 PM |
EuroTitToss All American 4790 Posts
Quote: "The only thing I can think of is that this naming scheme might be insecure, since someone could put in "securepage" and it would automatically bring up securepage.html. But couldn't you just use .htaccess to protect those pages anyway?"
uh... yea, but they'd be able to type "securepage.html" anyway, right?
I think bigman is right though, I don't think .htaccess would prevent an include... 9/6/2008 5:52:06 PM |
vertigo Veteran 135 Posts
Do you have any suggestions for an alternative?
This is for another non-profit that doesn't have the money for a web person, full-time or part-time. I had originally decided to do it like this so that the person maintaining the site, who has very little web experience but understands the very basics, could just create new pages by copying an existing page and then giving it a common-sense name. By doing it like this, there'd be no need for an addition to the PHP script. I realize that it would be a small thing for them to just add a line to the script by copying one above it, but I'm trying to minimize the number of steps.
I know there are a number of other ways I could do this without the complexity of PHP, but I'm trying to do it this way.
Thanks! 9/6/2008 7:17:29 PM |
gs7 All American 2354 Posts
Use .htaccess to prevent direct access to the .html files, while including them from your .php file, as ^^ stated above. 9/6/2008 8:18:20 PM |
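Added example, not part of any post above: one way to keep the copy-a-page workflow vertigo describes while closing the directory traversal BigMan157 points out. `PAGES_DIR`, `resolve_page()` and `render_page()` are hypothetical names, and the temporary directory, its files and the sample requests are constructed so the script runs on its own.

```php
<?php
// Added example, not from the thread. Assumption: PAGES_DIR is a temp directory
// here; on a real site it would be one fixed directory holding only the pages,
// ideally outside the document root or denied direct access via .htaccess.
define('PAGES_DIR', sys_get_temp_dir() . '/pages_demo_' . getmypid());
if (!is_dir(PAGES_DIR)) {
    mkdir(PAGES_DIR);
}
file_put_contents(PAGES_DIR . '/home.html', '<div>home</div>');
file_put_contents(PAGES_DIR . '/contact.html', '<div>contact</div>');

// Map a requested page name to a file inside PAGES_DIR, or null.
function resolve_page($requested): ?string
{
    // Short lowercase names only: no dots, slashes, null bytes or URL schemes.
    if (!is_string($requested) || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.html');
    // realpath() returns false for missing files and resolves symlinks, so the
    // prefix check confirms the file really lives under PAGES_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_page($requested): string
{
    $path = resolve_page($requested === null ? 'home' : $requested);
    if ($path === null) {
        return '<div>page error!</div>'; // same message as the original default case
    }
    // Read the HTML as data; include() would execute any PHP placed in the file.
    return file_get_contents($path);
}

// Constructed requests standing in for $_GET['p'] (null means the parameter is absent).
foreach ([null, 'contact', '../../securepage', 'contact.html', 'missing'] as $p) {
    printf("%-22s => %s\n", var_export($p, true), render_page($p));
}
```

A new page still only requires dropping a file named like `gallery.html` into the pages directory; no change to the script is needed.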