ok, couple of things;

- if you're using user input in SQL queries, you have to push 'em through a function that sanitizes the input against sql-insertions. For now, let that be
  function antiSQLinsertion ($var) { return mysql_real_escape_string($var); };
- if you're going to output values from the DB into HTML that have been put there by the user, you have to also guard against HTML-level insertions (malicious html/js/flash to name a few). however, this is not easy, and i haven't found a "good" way of doing this, save stripping all js,<iframe>,<img> and flash.. :(
- you may want to add adodb.sf.net as a database abstraction layer. it will help if you ever want to switch mysql to another rdbms.

as for your actual problem;

- you could be right about the permissions issue, connect to the database as root instead and execute a GRANT statement to allow tom xs to the db.
  http://dev.mysql.com/doc/refman/5.1/en/grant.html
  google "debian mysql change root password" if you can't get in as root..

it's just strange to me that it works from 1 env, but not another..

On Sun, Feb 28, 2010 at 10:48 PM, Thomas H. George <lists@xxxxxxxxxxxxxx> wrote:
> I am a newbie. The following script works but the second one (below)
> loads the variables from an html form and then fails. The connection
> command in the second script are identical as the first script was copied
> from the first. Only the variable values have been changed.
>
> #!/usr/bin/php
> #
> <?php
> $first_name = 'Harry';
> $last_name = 'Potter';
> $when_it_happened = 'This morning';
> $how_long = '6 ms';
> $how_many = 'millions';
> $alien_description = 'angels';
> $what_they_did = 'danced on the head of a pin';
> $fang_spotted = 'No';
> $other = 'There were bright flashing lights';
> $email = 'harry@xxxxxxx';
>
> $dbc = mysqli_connect('localhost', 'tom', 'fog^horn9', 'aliendatabase')
>     or die('Error connecting to MySQL server');
>
> $query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, " .
>     "how_many, alien_description, what_they_did, fang_spotted, other, email) " .
>     "VALUES ('$first_name', '$last_name', '$when_it_happened', '$how_long', '$how_many', " .
>     "'$alien_description', '$what_they_did', '$fang_spotted', '$other', '$email')";
>
> $result = mysqli_query($dbc,$query)
>     or die('Error Querying the database');
>
> mysqli_close($dbc);
>
> ?>
>
> The following program successfully loads the variables from an html form
> and then fails.
>
>
> <?php
> $first_name = $_POST['firstname'];
> $last_name = $_POST['lastname'];
> $when_it_happened = $_POST['whenithappened'];
> $how_long = $_POST['howlong'];
> $how_many = $_POST['howmany'];
> $alien_description = $_POST['aliendescription'];
> $what_they_did = $_POST['whattheydid'];
> $fang_spotted = $_POST['fangspotted'];
> $other = $_POST['other'];
> $email = $_POST['email'];
>
> echo 'got to here, ';
> echo "$last_name\n\n";
>
> $dbc = mysqli_connect('localhost', 'tom', 'fog^horn9', 'aliendatabase')
>     or die('Error connecting to MySQL server');
>
> $query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, " .
>     "how_many, alien_description, what_they_did, fang_spotted, other, email) " .
>     "VALUES ('$first_name', '$last_name', '$when_it_happened', '$how_long', '$how_many', " .
>     "'$alien_description', '$what_they_did', '$fang_spotted', '$other', '$email')";
>
> $result = mysqli_query($dbc,$query)
>     or die('Error Querying the database');
>
> mysqli_close($dbc);
>
> ?>
>
> The echo entries confirm the variables have been loaded from an html
> form. The program just stops after the echo entries - no die message,
> nothing in /var/log/mysql.err or mysql.log.
>
> I believe the problem is a permissions problem. I had to make the first
> script executable so of course I also made the second executable but
> this did not help.
>
> My system is Debian Squeeze, 64 bit. I found I had to install php5-mysql
> to use the mysqli_connect command.
>
> Tom
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
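
Added example (not part of either message in this thread): the two points raised in the reply, keeping form values out of the SQL text by binding them as parameters, and encoding stored values when they are written into HTML. It uses PDO with an in-memory SQLite database so it runs without a server, which is a swap from the thread's mysqli; the helper names and the keys of the sample $form array are assumptions.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite stands in
// for MySQL; table and column names follow the quoted script.
declare(strict_types=1);

$FIELDS = ['first_name', 'last_name', 'when_it_happened', 'how_long', 'how_many',
           'alien_description', 'what_they_did', 'fang_spotted', 'other', 'email'];

function open_db(array $fields): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw on any SQL error instead of failing silently.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE aliens_abduction (' . implode(' TEXT, ', $fields) . ' TEXT)');
    return $db;
}

// Values travel as bound parameters, never as part of the SQL string.
function insert_report(PDO $db, array $fields, array $form): void {
    $marks = implode(', ', array_fill(0, count($fields), '?'));
    $stmt = $db->prepare(
        'INSERT INTO aliens_abduction (' . implode(', ', $fields) . ") VALUES ($marks)");
    $values = [];
    foreach ($fields as $f) {
        $values[] = (string)($form[$f] ?? '');   // missing form field -> empty string
    }
    $stmt->execute($values);
}

// Encode on output so stored markup is shown as text, not interpreted.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_POST (keys are hypothetical).
$form = [
    'first_name' => 'Harry',
    'last_name'  => "O'Potter",                      // apostrophe breaks a concatenated query
    'other'      => '<b>bright</b> flashing lights', // markup must not reach the page raw
    'email'      => 'harry@example.com',
];

$db = open_db($FIELDS);
insert_report($db, $FIELDS, $form);

foreach ($db->query('SELECT first_name, last_name, other FROM aliens_abduction') as $row) {
    echo h($row['first_name']), ' | ', h($row['last_name']), ' | ', h($row['other']), "\n";
}
```

With mysqli the same binding is done through mysqli_prepare() and mysqli_stmt_bind_param().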