

sql problem





AlexandruDan
I try to add some entries into a database and I don't understand why it doesn't work:

the code is:
<?php
include ("../../db.php");
$q=mysql_query("SELECT * FROM `categorii`");
echo '<SELECT NAME="cat_parinte">';
echo '<OPTION VALUE = "0" SELECTED = "SELECTED">Principal </OPTION>';

WHILE ($date=mysql_fetch_array($q)){
echo "<OPTION VALUE =\"".$date[0]."\">".$date["cat_nume"]."</OPTION>";
}
echo "</SELECT>";
?>
<form method = "post" action = "procesare.php" ENCTYPE = "MULTIPART/FORM-DATA">
nume: <input type = "text" name = "pr_nume"><br />
descriere: <textarea name = "desc" rows = "5" cols = "20"></textarea><br />
pret: <input type = "text" name = "pr_pret"><br />
cantitate: <input type = "text" name = "pr_cantitate"><br />
poza: <input type = "file" name = "poza"><br />
trimite <input type = "submit" value = "trimite">
</form>


and the procesare.php is:

<?php
include ("../../db.php");
$nume_categorie = $_POST["cat_nume"];
$nume_produs = $_POST["pr_nume"];
$desc = $_POST["desc"];
$pret = $_POST["pr_pret"];
$cantitate = $_POST["pr_cantitate"];
if ($_FILES["poza"]["name"]){
$nume = explode (".",$_FILES["poza"]["name"]);
$nr = count($nume);
$nr-=1;
$ext = $nume[$nr];
$nume = md5(time());
$ext_permise = array("jpg","png","gif");
if (in_array ($ext,$ext_permise)){
$src = $_FILES["poza"]["tmp_name"];
$nume_final = $nume.".".$ext;
$dest = "../../poze/produse/".$nume_final;
// echo $dest;

move_uploaded_file ($src,$dest);
}

}

$sql = "INSERT INTO `produse` (`cat_id`,`pr_nume`,`pr_descriere`, `pr_pret`, `pr_cantitate`,`pr_poza`, ) VALUES ('$nume_categorie','$nume_produs',
'$desc', '$pret', '$cantitate', '$nume_final')";
$q=mysql_query($sql);
if($q){
echo "Am adaugat categoria";

}
/*echo $sql; returns INSERT INTO `produse` (`cat_id`,`pr_nume`,`pr_descriere`, `pr_pret`, `pr_cantitate`,`pr_poza`, ) VALUES ('','de', '123', '1234', '12', 'cd6ed986562aebf6333951973dfa478f.jpg') */
?>
kv
Can you post some details, like what you are trying to do and what you mean when you say it doesn't work -- is it giving an error or is it not behaving as expected, etc.?
Aredon
Edit $sql and remove the extra comma lest it generate a MySQL query syntax error. Simple fix, eh? It happens.
Before:
Code:

$sql = "INSERT INTO `produse` (`cat_id`,`pr_nume`,`pr_descriere`, `pr_pret`, `pr_cantitate`,`pr_poza`, ) VALUES ('$nume_categorie','$nume_produs',
'$desc', '$pret', '$cantitate', '$nume_final')";

After:
Code:

$sql = "INSERT INTO `produse` (`cat_id`,`pr_nume`,`pr_descriere`, `pr_pret`, `pr_cantitate`,`pr_poza` ) VALUES ('$nume_categorie','$nume_produs',
'$desc', '$pret', '$cantitate', '$nume_final')";

As a side note, you should learn to use mysql_real_escape_string so your queries don't fail when presented with non-alphanumeric characters. In a worst-case scenario someone could perform a database injection on your database, if supported, and go as far as an INSERT INTO query. Such a query would create a PHP file on the server with whatever content they please -- which could even be used to read other PHP files on the server and gain full control over the server and database (it could read the database password stored in another PHP file), all through a simple MySQL injection. If, however, INSERT INTO is not supported, they could read all the data in your database and have full control over altering it, and could even possibly change your own database password on you... I didn't have to go so much into detail, but the more detail, the better you'll understand the security risks of MySQL injections due to poorly written code, which could have been avoided by simply passing the data through a prebuilt function designed especially for preventing injections and query failures.
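An added example, not part of the original thread: the escaping tip above applied with a PDO prepared statement, since the mysql_* functions used in the thread were removed in PHP 7. It assumes an in-memory SQLite database standing in for MySQL, constructed sample input in place of $_POST, a placeholder image name, and a hypothetical add_product() helper.

```php
<?php
// In-memory SQLite stands in for the MySQL database so this runs offline (assumption).
// With MySQL only the DSN and credentials passed to new PDO(...) change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE produse (
    pr_id INTEGER PRIMARY KEY, cat_id INTEGER, pr_nume TEXT, pr_descriere TEXT,
    pr_pret REAL, pr_cantitate INTEGER, pr_poza TEXT)');

// Constructed sample input standing in for $_POST; note the apostrophe in the name.
$post = ['cat_parinte' => '3', 'pr_nume' => "Men's watch", 'desc' => 'Steel, 40 mm',
         'pr_pret' => '1234', 'pr_cantitate' => '12'];
$nume_final = 'placeholder.jpg'; // placeholder for the name produced by the upload step

// 1) String-built query as in the thread: the apostrophe ends the quoted value early.
$sql = "INSERT INTO produse (cat_id, pr_nume) VALUES ('{$post['cat_parinte']}', '{$post['pr_nume']}')";
try {
    $db->exec($sql);
    echo "string-built query: inserted\n";
} catch (PDOException $e) {
    echo "string-built query failed: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: the SQL text is fixed, values travel separately as parameters.
function add_product(PDO $db, array $post, string $poza): int // hypothetical helper
{
    // Validate the numeric fields before touching the database.
    $cat  = filter_var($post['cat_parinte'] ?? null, FILTER_VALIDATE_INT);
    $pret = filter_var($post['pr_pret'] ?? null, FILTER_VALIDATE_FLOAT);
    $cant = filter_var($post['pr_cantitate'] ?? null, FILTER_VALIDATE_INT);
    if ($cat === false || $pret === false || $cant === false) {
        throw new InvalidArgumentException('cat_parinte, pr_pret and pr_cantitate must be numeric');
    }
    $stmt = $db->prepare('INSERT INTO produse
        (cat_id, pr_nume, pr_descriere, pr_pret, pr_cantitate, pr_poza)
        VALUES (:cat, :nume, :descr, :pret, :cant, :poza)');
    $stmt->execute([':cat' => $cat, ':nume' => $post['pr_nume'] ?? '',
        ':descr' => $post['desc'] ?? '', ':pret' => $pret, ':cant' => $cant, ':poza' => $poza]);
    return (int) $db->lastInsertId();
}

$id = add_product($db, $post, $nume_final);
$check = $db->prepare('SELECT pr_nume FROM produse WHERE pr_id = ?');
$check->execute([$id]);
echo "prepared statement stored: ", $check->fetchColumn(), "\n";
```

The first query fails on the apostrophe in the product name, while the prepared statement stores the same value unchanged because it is never parsed as SQL.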
AlexandruDan
Thank you Aredon, it worked.
I will use the tip you gave me about mysql_real_escape_string