raninda
Joined: 10 Apr 2008 Posts: 11
Posted: Thu Apr 10, 2008 4:57 pm    Post subject: insert into database
Hi, I have code like this:
Code:
<html>
<form action="debet_kredit.php" method="POST">
<font face="verdana" size="2">
Your Donation and Expence <br /><br />
dd : <select name="dd">
<option value="">[select day]</option>
<option value="01">01</option>
<option value="02">02</option>
<option value="03">03</option>
<option value="04">04</option>
<option value="05">05</option>
<option value="06">06</option>
<option value="07">07</option>
<option value="08">08</option>
<option value="09">09</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
<option value="25">25</option>
<option value="26">26</option>
<option value="27">27</option>
<option value="28">28</option>
<option value="29">29</option>
<option value="30">30</option>
<option value="31">31</option>
</select>
mm : <select name="mm">
<option value="">[select month]</option>
<option value="01">Januari</option>
<option value="02">Februari</option>
<option value="03">Maret</option>
<option value="04">April</option>
<option value="05">Mei</option>
<option value="06">Juni</option>
<option value="07">Juli</option>
<option value="08">Agustus</option>
<option value="09">September</option>
<option value="10">Oktober</option>
<option value="11">November</option>
<option value="12">Desember</option>
</select>
yyyy : <input type="text" size=4 maxlength=4 name="yyyy"> <br /><br />
Description :<br />
<input type="text" size=50 maxlength=500 name="desc"><br />
Debet :<br />
<input type="text" size=50 maxlength=10 name="debet"><br />
Kredit :<br />
<input type="text" size=50 maxlength=10 name="kredit"><br />
Balanced :<br />
<input type="text" size=50 maxlength=10 name="balanced"> <input type=submit value="submit">
</form>
<hr>
<?php
$Submit = $_POST['Submit'];
if(isset($Submit))
{
$msg="";
$dd = trim($_POST['dd']);
$mm = trim($_POST['mm']);
$yyyy = trim($_POST['yyyy']);
$tanggal = $dd-$mm-$yyyy;
$desc = trim($_POST['desc']);
$debet = trim($_POST['debet']);
$kredit = trim($_POST['kredit']);
$balanced = trim($_POST['balanced']);
include"db.php";
$queryx=mysql_db_query($dbname,"insert into celebes_donasi(tanggal,desc,debet,kredit,balanced) values ('$tanggal', '$desc','$debet','$kredit','$balanced');");
$query=mysql_db_query($dbname,"select * from celebes_donasi");
$row=mysql_fetch_row($query);
// the next four lines were marked bold in the original post
if($row=0)
$msg=$msg."<br> succeed";
else
$msg=$msg."<br> failed";
extract($_REQUEST, EXTR_SKIP);
echo "<br>tanggal = ".$tanggal;
echo "<br>desc = ".$desc;
echo "<br>debet = ".$debet;
echo "<br>kredit = ".$kredit;
echo "<br>balanced = ".$balanced;
}
?>
</html>
I try to insert data from the input types into my database. I already have db.php, but I don't know what went wrong: every time I try and check in phpMyAdmin, the table seems empty.
I put the code (bold) in as information for me on whether the data succeeded or failed when inserted.
I really need help.
kanenas
Joined: 14 Dec 2004 Posts: 191
Posted: Tue Apr 29, 2008 3:58 pm    Post subject: Typos
Please provide minimal test cases rather than posting all of the code you're having problems with. Including extraneous material and leaving out potentially necessary source (e.g. 'db.php') makes it much harder to answer questions. Cutting out most of the 'option' elements in your example still gives enough to see potential problems. Moreover, this is a good debugging technique; if you cut out a portion of the source and you still see the same issue, then what you cut isn't involved in the problem.
If you check your error log, you'll probably see something like: "Undefined index: Submit in [...]". This message should draw your eye to the '$Submit = $_POST["Submit"]' line in your script. When debugging, always check your logs first; they will help you figure out what's going wrong.
Is mysql_connect() called in db.php? If not, the mysql_* functions may fail.
The $_REQUEST array is also often a better choice than $_POST because it combines form variables submitted either by POST or GET.
There are 2 errors, 1 warning-causing approach with your submission detection code and 1 HUGE security hole that jump out. The first error is that the name for the 'submit' form variable in "$_POST['Submit']" is capitalised while it's all lower case in the corresponding HTML element ('<input type="submit" value="submit">'). The second error is the submit button isn't given a name, so browsers aren't sending a value for it. Either test for one of the other form variables or name the submit button.
The line "$Submit = $_POST['Submit'];" causes a warning to be logged because "$_POST['Submit']" isn't defined. Better to run the isset test (or array_key_exists()) on $_POST[...] or $_REQUEST[...], which won't cause a warning because 'isset' is a special form. Something like "if (isset($_REQUEST['dd'])) { ...".
The glaring security hole is that you pass the form values to the SQL statement with only the most basic processing. Remember that there's no guarantee an HTTP request is being sent unadulterated from the form on the page you create. A user can alter the form to their heart's content or just construct their own request. Read about SQL injection in the PHP documentation for more information.
Play around with the following (untested):
Code:
<?php
/* safify: convert a form value to something safe for an SQL query. */
function safify($value, $type='string') {
    // we're handling our own quoting, so we don't need magic quotes
    if(get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    settype($value, $type);
    switch ($type) {
        case 'int': case 'integer': case 'float': case 'double':
            // the settype() above is all we need to do for numbers
            break;
        case 'boolean': /* processing of booleans depends on where $value is coming
                         * from. This section will probably need to be customized on a
                         * per-form basis.
                         */
            $value = $value ? 1 : 0;
            break;
        default:
            // needs the connection opened by db.php so the escaping matches the charset
            $value = mysql_real_escape_string(trim($value));
            break;
    }
    return $value;
}
/* createSetStatement: convert an array into a string of the form `col_name`='value', suitable for an "INSERT INTO tbl_name SET" query */
function createSetStatement($row) {
    // Oh! for efficient anonymous function support in PHP.
    $tmp = array();
    foreach ($row as $col => $val) {
        // column names are backtick-quoted because 'desc' is a reserved word in MySQL
        $tmp[] = "`$col`='$val'";
    }
    return implode(', ', $tmp);
}
/* keys of $fields are names of form variables to be used in insertion.
   $field[$key] is type of form variable $key and is used to create a safe value
   to be passed to an SQL query.
*/
$fields = array('dd' => 'integer', 'mm' => 'integer', 'yyyy' => 'integer',
                'desc' => 'string', 'debet' => 'string', 'kredit' => 'string',
                'balanced' => 'string');
if(isset($_REQUEST['dd'])) {
    // include db.php before processing form so that we have an active connection
    include_once('db.php');
    $row = array();
    foreach ($fields as $key => $type) {
        // missing form variables become '' instead of raising an undefined-index notice
        $row[$key] = safify(isset($_REQUEST[$key]) ? $_REQUEST[$key] : '', $type);
    }
    $row['tanggal'] = "$row[dd]-$row[mm]-$row[yyyy]";
    unset($row['dd']); unset($row['mm']); unset($row['yyyy']);
    $insertQuery = 'INSERT INTO celebes_donasi SET ' . createSetStatement($row) . ';';
    $queryx=mysql_db_query($dbname,$insertQuery);
    // ...
}
?>
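The two points kanenas raises, detecting the submission by a field the form actually sends and keeping user input out of the SQL text, can be handled without any hand-rolled escaping by using a prepared statement. The following is an added example written for this thread; it is not code from either poster. It assumes that db.php defines $dbhost, $dbuser, $dbpass and $dbname (hypothetical variable names), that the mysqli extension is available in place of the old mysql_* functions, and that celebes_donasi.tanggal is a DATE column (hence the yyyy-mm-dd format; if it is a text column, keep the thread's dd-mm-yyyy string instead).

```php
<?php
// Added example, not the thread's own code. Assumes db.php sets $dbhost, $dbuser,
// $dbpass and $dbname (hypothetical names) and that the table exists as used above.

/* field: return a trimmed form value, or '' when the field was not sent at all.
 * Reading through isset() avoids the "Undefined index" warning from the original. */
function field($name) {
    return isset($_POST[$name]) ? trim($_POST[$name]) : '';
}

/* buildDate: validate dd/mm/yyyy from the three form fields and return an ISO
 * date string, or null when the values do not form a real calendar date.
 * The <select> lists can be edited by the client, so the server checks anyway. */
function buildDate($dd, $mm, $yyyy) {
    if (!ctype_digit($dd) || !ctype_digit($mm) || !ctype_digit($yyyy)) {
        return null;
    }
    if (!checkdate((int)$mm, (int)$dd, (int)$yyyy)) {
        return null;   // e.g. 31 February
    }
    return sprintf('%04d-%02d-%02d', $yyyy, $mm, $dd);
}

/* insertDonation: run the INSERT with bound parameters. The values never become
 * part of the SQL string, so quotes or semicolons inside them are stored as data,
 * not parsed as SQL. Returns 'succeed', 'failed', or an error description. */
function insertDonation(mysqli $db, $tanggal, $desc, $debet, $kredit, $balanced) {
    // `desc` is backtick-quoted because DESC is a reserved word in MySQL
    $sql = 'INSERT INTO celebes_donasi (tanggal, `desc`, debet, kredit, balanced) '
         . 'VALUES (?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return 'prepare failed: ' . $db->error;
    }
    $stmt->bind_param('sssss', $tanggal, $desc, $debet, $kredit, $balanced);
    if (!$stmt->execute()) {
        $err = 'insert failed: ' . $stmt->error;
        $stmt->close();
        return $err;
    }
    $rows = $stmt->affected_rows;   // check the INSERT itself, not a later SELECT
    $stmt->close();
    return $rows === 1 ? 'succeed' : 'failed';
}

// Detect the submission by fields the form always sends rather than by the
// unnamed submit button, which browsers do not transmit.
if (isset($_POST['dd'], $_POST['mm'], $_POST['yyyy'])) {
    include_once 'db.php';
    $db = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
    if ($db->connect_error) {
        die('connection failed: ' . htmlspecialchars($db->connect_error));
    }
    $tanggal = buildDate(field('dd'), field('mm'), field('yyyy'));
    if ($tanggal === null) {
        echo '<br>invalid date';
    } else {
        $msg = insertDonation($db, $tanggal, field('desc'), field('debet'),
                              field('kredit'), field('balanced'));
        echo '<br>' . htmlspecialchars($msg);
        // Echo the values back through htmlspecialchars() so that any markup in a
        // field is displayed as text instead of rendered (the original echoes raw input).
        echo '<br>tanggal = ' . htmlspecialchars($tanggal);
        echo '<br>desc = ' . htmlspecialchars(field('desc'));
        echo '<br>debet = ' . htmlspecialchars(field('debet'));
        echo '<br>kredit = ' . htmlspecialchars(field('kredit'));
        echo '<br>balanced = ' . htmlspecialchars(field('balanced'));
    }
    $db->close();
}
?>
```

Compared with the escaping approach, the parameterised INSERT does not depend on magic quotes or on mysql_real_escape_string() being called with the right connection, and the success message is taken from the INSERT's own affected_rows instead of from a separate SELECT, so a failure in the insert is reported as such rather than hidden by the `if($row=0)` assignment in the original.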