How to get data into MySQL with PHP?

I know absolutely nothing about this. I've been banging around various
tutorials. Most just sort of skip over this. The closest I came is:

http://www.freewebmasterhelp.com/tutorials/phpmysql/4

However, their example:

$query = "INSERT INTO contacts VALUES
('','$first','$last','$phone','$mobile','$fax','$email','$web')";

doesn't work, and got me a "Learn how to use SQL Injection" comment.

I need a tutorial that explains this stuff. I don't have the vaguest
clue what I'm doing, and when the tutorial assumes any pre-existing
knowledge, I get left behind pretty quickly.

--
* John Oliver http://www.john-oliver.net/ *
* Reform California gun laws - http://www.reformcagunlaws.com/ *
* http://www.gunownersca.com - http://www.crpa.org/ *
* San Diego shooters come to http://shooting.forsandiego.com/ *
Dec 2 '05 #1
The reasons for the "Learn how to use SQL Injection" comments are
justified. If your server hosting has the magic_quotes_gpc setting in
PHP switched off, in addition to having register_globals switched on,
you'll be in trouble with the method above. Then I can delete your
entire address book by entering the following into one of the fields:

'); DELETE FROM contacts;

A better method would be something in the direction of the following:

<?php
// NB: the mysql_* functions used here were deprecated in PHP 5.5 and
// removed in PHP 7; a connection must already be open (mysql_connect)
// before mysql_real_escape_string() is called.

// magic_quotes_gpc, when switched on, adds backslashes to request data;
// strip them only in that case, so that each value is escaped exactly once
$fields = array("first", "last", "phone", "mobile", "fax", "email", "web");
$values = array();
foreach ($fields as $f) {
    $v = isset($_REQUEST[$f]) ? $_REQUEST[$f] : "";
    if (get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    // escape quotes, backslashes and NUL bytes so the value cannot break
    // out of the quoted string literal in the query
    $values[] = "'" . mysql_real_escape_string($v) . "'";
}

// the first column is the auto-increment id, left empty as in the original
$query = "INSERT INTO contacts VALUES ('', " . implode(", ", $values) . ")";

// execute the MySQL statement
mysql_query($query) or die("Query failed");
?>

At least you'll be safer than using your original code. I know, it's a
lot more code, but it's also more secure.

Unfortunately, many tutorials out there teach the absolute simplest
way, which also teaches the less secure methods.

--
Kim André Akerø
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
Dec 2 '05 #2
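Added example, not code from either post above: the same INSERT written with a PDO prepared statement, which is what replaces the escaping approach in current PHP (the mysql_* extension was removed in PHP 7, and magic_quotes in PHP 5.4). It assumes a `contacts` table with an AUTO_INCREMENT `id` column plus the seven named columns, a form submitted by POST, and the placeholder DSN and credentials shown; all of those are assumptions, not details from the thread.

```php
<?php
// Added example, not code from the original thread. Assumes a MySQL table
// `contacts` with columns id (AUTO_INCREMENT), first, last, phone, mobile,
// fax, email and web, and the placeholder DSN/credentials below.
declare(strict_types=1);

$dsn  = 'mysql:host=localhost;dbname=addressbook;charset=utf8mb4'; // placeholder
$user = 'dbuser';     // placeholder
$pass = 'dbpassword'; // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Pick out exactly the fields we expect, by name. A missing field becomes ''
// rather than a PHP notice, and a field submitted as an array (first[]=x)
// is rejected instead of being stringified to "Array".
$fields = ['first', 'last', 'phone', 'mobile', 'fax', 'email', 'web'];
$row = [];
foreach ($fields as $f) {
    $v = isset($_POST[$f]) ? $_POST[$f] : '';
    if (!is_string($v) || strlen($v) > 255) {
        http_response_code(400);
        exit("Bad value for field $f");
    }
    $row[$f] = trim($v);
}
if ($row['email'] !== '' && filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid e-mail address');
}

// The SQL text is a constant. The user's values are sent separately as bound
// parameters, so input such as  '); DELETE FROM contacts;  is stored as a
// plain string and is never parsed as SQL. No escaping, no stripslashes.
$stmt = $pdo->prepare(
    'INSERT INTO contacts (first, last, phone, mobile, fax, email, web)
     VALUES (:first, :last, :phone, :mobile, :fax, :email, :web)'
);
$stmt->execute($row); // array keys match the named placeholders

echo 'Inserted contact #' . $pdo->lastInsertId() . "\n";
```

Naming the columns in the INSERT also removes the fragile empty `''` for the id column: the auto-increment value is filled in by MySQL and returned by `lastInsertId()`. Keep `PDO::ATTR_EMULATE_PREPARES` off so that values are bound on the server rather than interpolated client-side.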