Can't connect to mysql using php script

[amandarobe]

I'm relatively new to php and mysql. I wrote a simple php script to pull data from a html form and post that data to mysql. I created the DB in mysql and made sure all the permissions/privildeges were correct. When I go to the html form and enter info, it just comes up with a blank page. No errors, nothing. The database has no new data.

I know for a fact that my username and password are correct and I think localhost should be correct. I've read every post on here where people had similar problems and I've tried everything I can think of. Any advice would be greatly appreciated! Thanks in advance for your help!

Here's my php script:

<?php

$con = mysql_connect('localhost', 'root', 'password')
or die("Query failed:" .mysql_error()."Actual query:".$query");
print "Connected to MySQL<br>";

mysql_select_db("tester");

$sql = "INSERT INTO userpass (username, password)
VALUES
('$_POST[username]', '$_POST[password]')";

if (!mysql_query($sql, $con))
{
die('Error: ' . mysql_error());
}
echo "record added!";

mysql_close($con);
?>

[wildjokerdesign]

You can "turn on" logging for the directory where you are trying this script out by creating a .htaccess file with this code in it.

Code:

php_flag log_errors on
php_value error_log /var/www/html/php_error.log

Upload the file to the same directory where you have the php script you are trying and then run the script. See what errors show up in the resulting php_error.log file.

The path and name of the file can be what ever you want BTW. The above is set to write the errors to php_error.log in /var/www/html but it could write the log anywhere you want. It is always best to remove "turn off" off this logging once you get things going by removing the .htaccess file. If not you can end up with a log file that is very large that eats up your diskspace quota.

I think that this line is your problem BTW:

PHP Code:

or die("Query failed:" .mysql_error()."Actual query:".$query"); 


The quote " after the $query should not be there. The line should look like this:

PHP Code:

or die("Query failed:" . mysql_error() . "Actual query:" . $query); 


Also do you see how the coloring of the code has changed in my second php example? I placed the code inside the bbCode for php which color codes things. This is the easiest way to "catch" mistakes in your code and there are editors out there that do this also. I use EditPlus or Crimson both well color code your scripts.

[wildjokerdesign]

I just keep seeing things in your code. I thought I should warn you that this is a very insecure bit of code by itself. The fact that you are inserting $_POST variables directly into your database without any type of "checking" could be a security risk. Depending on how you have your php.ini set up the script could also fail depending on what is entered into the form.

[amandarobe]

Wow, thanks so much for the info, Wildjoker. You are amazing! I love the way you put everything in layman's terms so that even a beginner like me can understand it!

BTW, is there anything in particular that I should have in my php.ini file that would help to make this script more secure? What kind of "checking" should I do in the script to make it more secure? I certainly don't want to take up loads of your valuable time, so you don't necessarily have to give examples, maybe just a hint or two

[wildjokerdesign]

Although there are things you could do with the php.ini I would suggest not going that route. It would be the "lazy mans" way so to speak. It could actually cause problems with other php scripts you may want to install down the line or already have installed.

Have you visited php.net yet? I spend tons of time there and you can get an overview of some of the things on this page: http://us2.php.net/manual/en/security.php

When ever you use data from form you have to assume two things. One, is that the person entering the data may enter something wrong. Two, a hacker is going to use that form to destory your site! Ok I admit that number two is a bit over dramatic but I think you understand.

Let use take for example your form. I do not really know what you are useing it for but if perhaps the password you want the to enter should be only letter with no numbers or other charecters then you have done nothing to check that before you have inserted it into your database.

When you are at the php.net site make sure to have a close look at the function addslashes.

[j103c]

You might also want to familiarize yourself with the term "SQL injection". Using the $_POST variable directly in the SQL statement the way you are opens your web app to someone using SQL injection to do the bad things wildjokerdesign was hinting at.

http://en.wikipedia.org/wiki/SQL_injection

[amandarobe]

Ok, I think I'm losing my mind here.

I tried creating the .htaccess file and ran the script a billion times and it is not creating the php_error file. What does this mean? Is the php script not getting kicked off at all when I enter data into the form?

I also made the correction in my code that wildjoker suggested and it still didn't run (before or after I created the .htaccess file).

I'm just using this script as a test to learn how to enter data from a form into the DB, so the security stuff is not an issue. Thank goodness!

Any advice? Thanks!!!!!!!!

[wildjokerdesign]

Try this:

PHP Code:

<?php

$con = mysql_connect('localhost', 'root', 'password');

if (!$con)
{
 die("Connection failed:" . mysql_error());
}

echo "Connected to MySQL<br />";

$select_db = mysql_select_db('tester', $con);

if (!$select_db)
{
 die("Can't select tester:" . mysql_error());
}

$sql = "INSERT INTO userpass (username, password)
VALUES ('$_POST[username]', '$_POST[password]')";

if (!mysql_query($sql, $con))
{
die('Error: ' . mysql_error());
}
echo "record added!";

mysql_close($con);
?>

[amandarobe]

It worked! Thank you so much! Wish I could take you out to dinner or something....

[rolling]

Now there's an offer WildJoker!