Last active December 17, 2018 07:11
Hello Jiep,

Your code in the email is not looking OK. First, you're mixing the APIs. There are two kinds of PHP MySQL APIs: 1. the old `mysql_*` functions, and 2. the `mysqli` extension, which is an OOP API.
## mysql_* functions

```php
$db = mysql_connect($host, $username, $password); // returns a database link resource

// example
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password'); // password is optional
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);

mysql_select_db($db_name, $link);   // returns bool
$result = mysql_query($sql, $link); // returns a result resource, or bool for queries that return no rows
$row = mysql_fetch_assoc($result);  // fetches one row from the result set as an associative array
```
## mysqli extension

The mysqli (notice the `i` at the end) stands for _MySQL Improved_. It is a newer, improved MySQL API for PHP which provides OOP access to a MySQL database instance.

```php
$this->conn = new \mysqli($host, $user, $passwd, $database, $port);
$this->conn->select_db($database); // selects a db, similar to the old mysql_select_db function
$this->conn->query($query);        // again, similar to the mysql_query function
```

Read more [here](http://php.net/manual/en/book.mysqli.php).
## Your code

```php
$link = mysqli_connect("localhost","root","");
Mysqli_select_db($link, "system");
Mysqli_query($link, "INSERT INTO tablename VALUES ('', '$_POST[firstname]','$_POST[lastname]','$_POST[username]','$_POST[password]',
'$_POST[email]',
'$_POST[contact]','$_POST[reollmntno]')");
```
As you can see above, you're mixing `mysql_*` functions and the mysqli API. Based on the above example, it appears you intended to use the old mysql functions. To correct it, remove the `i` at the end of all function calls.
## Corrected

```php
$link = mysql_connect('localhost', 'root', '');
mysql_select_db('system', $link);
// mysql_query takes the query string first and the link second; array keys are quoted
mysql_query("INSERT INTO tablename VALUES ('', '" . $_POST['firstname'] . "','" . $_POST['lastname'] . "','" . $_POST['username'] . "','" . $_POST['password'] . "',
'" . $_POST['email'] . "',
'" . $_POST['contact'] . "','" . $_POST['reollmntno'] . "')", $link);
```
Notice that I removed the `i` from the function names. Those are the correct function names when using the old mysql API.

Also notice that your values from the `$_POST` array are not properly quoted. String values in a MySQL query are supposed to be quoted; this is important because they can contain any string, even reserved MySQL keywords.
## Security Considerations

Your code is not secure either. Inserting user data directly into a database query is considered a security weakness and can expose your database to attackers; a well-known attack called `SQL injection` can happen.

It is recommended to `escape` values from user submissions in case they contain special characters which could confuse the MySQL engine. In PHP, you can just call `mysql_real_escape_string($_POST['email'])` (it needs an open connection, so call it after `mysql_connect`). But it is better to learn the more recent [PDO](http://php.net/manual/en/book.pdo.php) API, as it supports `prepared statements`, which keep the query text and the user-supplied values separate and make your interaction with your database server secure.
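As an added example (not part of the original gist), here is the same INSERT rewritten with PDO prepared statements; the column names are assumed, since the original only shows `tablename`.

```php
<?php
// Added example (not from the original gist): the INSERT from above written with
// PDO prepared statements. Column names are assumed; only "tablename" is known.
$dsn = 'mysql:host=localhost;dbname=system;charset=utf8mb4';
$pdo = new PDO($dsn, 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepares
]);

// Read only the fields we expect; a missing field becomes null instead of a PHP notice.
$fields = ['firstname', 'lastname', 'username', 'password', 'email', 'contact', 'reollmntno'];
$values = [];
foreach ($fields as $f) {
    $values[$f] = $_POST[$f] ?? null;
}

// Never store the raw password; hash it before it reaches the query.
$values['password'] = password_hash($values['password'] ?? '', PASSWORD_DEFAULT);

// The placeholders (:firstname, ...) are sent separately from the SQL text, so a
// value containing quotes or MySQL keywords cannot change the query's structure.
// Listing the columns explicitly replaces the leading '' used for the auto-increment id.
$sql = 'INSERT INTO tablename (firstname, lastname, username, password, email, contact, reollmntno)
        VALUES (:firstname, :lastname, :username, :password, :email, :contact, :reollmntno)';
$stmt = $pdo->prepare($sql);
$stmt->execute($values); // PDO accepts the array keys without the leading colon

echo 'Inserted row id ' . $pdo->lastInsertId();
```

No escaping call is needed here; the driver binds each value to its placeholder, which is why prepared statements are preferred over `mysql_real_escape_string`.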
Written by Chol Tiopic.