2 Birds, 1 Stone... PHP And Testing

a) mysql_query("SELECT * FROM newsLetter);

Spot what's wrong.

b) $to = "$email";

Not an error, but no interpolation means no need for quotation.

As for "not working", can you elaborate?
 
psyr33n said:
a) mysql_query("SELECT * FROM newsLetter);

Spot what's wrong.

b) $to = "$email";

Not an error, but no interpolation means no need for quotation.

As for "not working", can you elaborate?
Parse error: parse error, unexpected T_VARIABLE in /home2/cpanelu/public_html/dci125/assets/library/global/insert.php on line 32
 
psyr33n said:
Did you read my post, by any chance?
Aye, I had already tried it without the quotation marks and got this error:

Parse error: parse error, unexpected T_STRING in /home2/cpanelu/public_html/dci125/assets/library/global/insert.php on line 33

Code:
			<?php
				$email = mysql_query("SELECT * FROM newsLetter);
				$to = $email;
				$subject = "Welcome!";
				$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
				$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
				"CC: [email protected]";
				mail($to,$subject,$txt,$headers);
				?>
			<?php
 
Edit: got it semi-working using the following code; the only problem is it just sends it to the first email, not the newest!

Code:
<?php
	// Placeholder credentials: never paste a live database password into a public post.
	$sel = mysql_connect("localhost","cpanelu_dci125","your_password_here");
	if (!$sel)
  	{
  		die('Could not connect: ' . mysql_error());
  	}
	mysql_select_db("cpanelu_dci125", $sel);

	$comment = mysql_query("SELECT * FROM newsLetter");
	if (!$comment)
  	{
  		die('Query failed: ' . mysql_error());
  	}
	// Fetches the first row of an unordered result set, hence "first email, not the newest".
	$line = mysql_fetch_array($comment);
  	$to = $line['email'];
	$subject = "Welcome!";
	$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter! We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
	// From and CC need full addresses (user@domain) to be valid mail headers.
	$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
	"CC: Overclockersvortex.co.uk";
	if (!mail($to,$subject,$txt,$headers))
  	{
  		echo 'mail() failed';
  	}

	mysql_close($sel);
?>

OK, I think I have it working; would people mind testing it and letting me know if they get an email? Thanks :)

http://cpanel.lincoln.ac.uk/dci125/index.shtml
 
OK, I think I have it working; would people mind testing it and letting me know if they get an email? Thanks :)

http://cpanel.lincoln.ac.uk/dci125/index.shtml

Yep, it's working. If you are having trouble creating a table and adding some data, here's the method I use:

Code:
<?php

// Declare and initialize variables (placeholders: fill in your own)
$database   = "Your database name";
$hostName   = "localhost";
$loginName  = "Your username";
$passwdName = "Your Password";

// Formulate the create table query - obviously change the SQL for your table.
// ENGINE= is the storage-engine clause; the older TYPE= spelling was removed in MySQL 5.5.
$query1 = "CREATE TABLE IF NOT EXISTS tblLinks (
	`ID` INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
	`URL` VARCHAR(255) UNIQUE NOT NULL,
	`Title` VARCHAR(255),
	`Description` VARCHAR(255)) ENGINE=MyISAM";

// Formulate the insert row query (each value sits in its own pair of quotes)
$query2 = "INSERT IGNORE INTO tblLinks (`URL`,`Title`,`Description`) VALUES 
('URL Here','Page Title Here','Description Goes here')";
// Repeat the format above to add more entries

// Connect to the server
$link = mysql_connect($hostName,$loginName,$passwdName);
// Check result
if (!$link) {
   echo "Could not connect to mysql<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Select the database
$result = mysql_select_db($database, $link);
// Check result
if (!$result) {
   echo "Could not select database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Send the create table query to the database and execute it
$result = mysql_query($query1, $link);
// Check result
if (!$result) {
   echo "DB Error, could not query the database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Send the insert row query to the database and execute it
$result = mysql_query($query2, $link);
// Check result
if (!$result) {
   echo "DB Error, could not query the database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Get the number of rows affected by the last query
$affected_rows = mysql_affected_rows($link);

echo "Your data has been successfully inserted<br>";
echo "Added $affected_rows record(s)";

// Close the link to the database
mysql_close($link);

?>

Hope this helps. Contains some error checking as well :)
 
arrond said:
OK, I think I have it working; would people mind testing it and letting me know if they get an email? Thanks :)

http://cpanel.lincoln.ac.uk/dci125/index.shtml

Yep, it's working. If you are having trouble creating a table and adding some data, here's the method I use:

Hope this helps. Contains some error checking as well :)
Thanks, will give it a shot :) Glad it's working; took a lot of brain power, hehe. I'm enjoying learning all this much more than seems normal :D

Only thing now is that, well, 2 things:

1) People can enter script into the comment and email boxes that causes problems, e.g. last night someone had this going:

Code:
<script type="text/javascript">
alert('Sanitise all user input!');
alert('Otherwise people will inject code into your site');
alert('Like this');
</script>

2) The email looks a bit of a mess, e.g:

Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!

I have tried to format it using HTML, but that does not work, so I can't have it looking how I want:

Dear User,
this is just a quick email to thank you for signing up to the OCV newsletter! We look forward to sending you many exciting newsletters in the future!

Thanks again the OCV Team!
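An added example, not jcb33's code, covering both the "sends it to the first email, not the newest" problem from the newsletter script earlier in the thread and the formatting complaint above. It assumes the newsLetter table has an auto-increment `id` column alongside `email` (the thread only ever shows `email`, so `id` is an assumption), it uses an in-memory SQLite database through PDO instead of the mysql_* calls so it runs without a MySQL server, and the From address is a placeholder. The mail() call is left commented out so the script can be run anywhere.

```php
<?php
// Added example, not the thread's code. Assumes `newsLetter` has an
// auto-increment `id` (the thread only shows `email`) and uses SQLite via PDO
// in place of the thread's mysql_* calls so it runs offline.

function newestSubscriber(PDO $db): ?string
{
    // mysql_fetch_array() on an unordered SELECT * hands back whichever row the
    // engine produces first, which is why the script kept mailing the first
    // signup. Ordering by the auto-increment id and taking one row fixes that.
    $row = $db->query("SELECT email FROM newsLetter ORDER BY id DESC LIMIT 1")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['email'];
}

// The address came from a public form (the same one people were putting
// <script> tags into), so treat it as untrusted: only a syntactically valid
// single address is handed to mail(). That also rules out CR/LF sequences,
// which is what an attacker would use to smuggle extra recipients or headers.
function isSafeRecipient(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// A text/plain body needs real line breaks; HTML tags in it are shown
// literally, which is why the original looked like a mess. From must be a
// full address (user@domain); the one below is a placeholder.
function buildWelcome(string $to): array
{
    $body = "Dear User,\r\n\r\n"
          . "This is just a quick email to thank you for signing up to the OCV newsletter! "
          . "We look forward to sending you many exciting newsletters in the future!\r\n\r\n"
          . "Thanks again,\r\nthe OCV Team";
    $headers = "From: newsletter@example.com\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    return ['to' => $to, 'subject' => 'Welcome!', 'body' => $body, 'headers' => $headers];
}

// Constructed sample table: two signups, the second being the newest.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE newsLetter (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL)");
$db->exec("INSERT INTO newsLetter (email) VALUES ('first@example.com'), ('newest@example.com')");

$to = newestSubscriber($db);
if ($to !== null && isSafeRecipient($to)) {
    $m = buildWelcome($to);
    // mail($m['to'], $m['subject'], $m['body'], $m['headers']); // enable on a host with a working MTA
    echo "Would send to {$m['to']}:\r\n{$m['body']}\r\n";
} else {
    echo "No valid recipient found\n";
}
```

Run it with `php newsletter_demo.php`; it reports newest@example.com as the recipient. If the signup form ever stored a value such as `a@b.com\r\nBcc: spam@example.net`, isSafeRecipient() rejects it before mail() sees it, which is the check the original script is missing.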
 
I know what it's like; I'm doing my dissertation for my final year degree. I was up til 5 this morning learning more PHP; luckily I got it working. I'm using Dreamweaver, which makes it really easy to create simple and complicated forms to add data to a SQL database.

Heres the link to my site

http://students.comp.glam.ac.uk/04033299/blg/

Next i got to create linked tables with foreign and composite keys :eek:
 
Just wondering how I can validate my forms so people can't insert code like < and >, because so far I've had someone insert my entire site into my guestbook twice, and some JavaScript :/
 
jcb33 said:
Just wondering how I can validate my forms so people can't insert code like < and >, because so far I've had someone insert my entire site into my guestbook twice, and some JavaScript :/

It's called SQL injection. It's very common. Here's a simple script you can apply to your code:

Code:
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Credentials as submitted by the login form
$user     = isset($_POST['user']) ? $_POST['user'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Query: mysql_real_escape_string() needs the open connection above, and it
// only protects values that sit inside quotes in the SQL, as they do here.
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
$result = mysql_query($query, $link) OR die(mysql_error());
?>

This is very simple; I would recommend looking into it further, but it can get complicated. Basically your goal is to validate input to stop people gaining access by bypassing your password, such as using "' OR ''='", which changes the SQL query to ignore/eliminate password entry.

Hope this helps ;)
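The bypass arrond describes, as an added example that is not part of the thread: an in-memory SQLite database (through PDO, so it runs offline) stands in for MySQL, and the table, columns and the sample user are constructed. The first login function builds the query by string interpolation, the shape the snippet above protects with mysql_real_escape_string(); the second uses a prepared statement, which is the fix a practitioner would reach for today and is a swapped-in technique, not the poster's.

```php
<?php
// Added example (not from the thread): the "' OR ''='" bypass reproduced
// against an in-memory SQLite database via PDO, then blocked with a prepared
// statement. Table, columns and the sample user are constructed for the demo.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL, password TEXT NOT NULL)");
    // Constructed sample row. A real application stores a hash from
    // password_hash() and checks it with password_verify(), never plain text.
    $db->exec("INSERT INTO users (user, password) VALUES ('alice', 'correct-horse')");
    return $db;
}

// Vulnerable: the query is built by interpolation, so the quote in the payload
// ends the string literal and everything after it is parsed as SQL.
function loginVulnerable(PDO $db, string $user, string $password): bool
{
    $sql = "SELECT id FROM users WHERE user='$user' AND password='$password'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: placeholders keep the submitted values out of the SQL grammar, so
// the same payload is compared as an ordinary string.
function loginPrepared(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare("SELECT id FROM users WHERE user = :user AND password = :password");
    $stmt->execute([':user' => $user, ':password' => $password]);
    return $stmt->fetch() !== false;
}

$db = makeDb();
// The attacker knows a username but not the password. The payload closes the
// quoted literal and appends a condition that is true for every row; because
// AND binds tighter than OR, the query reads
//   (user='alice' AND password='') OR (''='')
$payload = "' OR ''='";

var_dump(loginVulnerable($db, 'alice', $payload));      // bool(true)  - logged in without the password
var_dump(loginPrepared($db, 'alice', $payload));        // bool(false) - payload treated as a literal
var_dump(loginPrepared($db, 'alice', 'correct-horse')); // bool(true)  - the real password still works
```

Run with `php login_demo.php`. The precedence point is what makes the payload work without the attacker knowing anything about the table: whatever the password clause evaluates to, `'' = ''` on the right of the OR is true for every row, so the SELECT returns the first user it finds.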
 
Code:
<script type="text/javascript">
alert('Sanitise all user input!');
alert('Otherwise people will inject code into your site');
alert('Like this');
</script>

I didn't notice this before; I guess someone is giving you good advice :)
 
arrond said:
It's called SQL injection. It's very common. Here's a simple script you need to apply to your code:

This is very simple; I would recommend looking into it further, but it can get complicated. Basically your goal is to validate input to stop people gaining access by bypassing your password, such as using "' OR ''='", which changes the SQL query to ignore password entry.

Hope this helps ;)
Ah, the problem is not to do with passwords; it's just people breaking my guestbook by inserting code into it instead of leaving a nice comment, so I need to:

1) Make it so they cannot insert code, by making it automatically format out < and >
2) Make it so if they enter a really long word, e.g. m000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, it goes onto the next line and doesn't break my page :(
 
Your guestbook is taking in user input; that is how they are able to inject code. You should validate the Name, email and comment input. You're using PHP and a database to store the comments, yes?
 
arrond said:
Your guestbook is taking in user input; that is how they are able to inject code. You should validate the Name, email and comment input. You're using PHP and a database to store the comments, yes?
Yes I am :) Problem is I just don't know how to validate them to stop unwanted input :(
 
OK, it's a bit hard to explain everything if you don't know, but on my site you can also post comments, very similar to yours, except you can only enter a name and a comment. This is my code:

Code:
<?php
// $blog (the connection) and $database_blog come from the Dreamweaver-generated
// Connections include, which the post does not show; the path is assumed.
require_once('Connections/blog.php');

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  // Undo magic_quotes if the server applies them, then escape for MySQL.
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  // Three columns, so three %s placeholders (a fourth would make sprintf() fail).
  // Note that this only quotes the values for SQL: any HTML in Name or Comment is
  // stored as-is and must be escaped with htmlspecialchars() when it is displayed.
  $insertSQL = sprintf("INSERT INTO tblcom (Name, Comment, `Date`) VALUES (%s, %s, %s)",
                       GetSQLValueString($_POST['Name'], "text"),
                       GetSQLValueString($_POST['Comment'], "text"),
                       GetSQLValueString($_POST['Date'], "date"));

  mysql_select_db($database_blog, $blog);
  $Result1 = mysql_query($insertSQL, $blog) or die(mysql_error());

  $insertGoTo = "comments.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
  exit;  // stop here so nothing after the redirect header is executed or sent
}
?>

It's a bit complicated, I know; most of this was generated for me.
 
arrond said:
OK, it's a bit hard to explain everything if you don't know, but on my site you can also post comments, very similar to yours, except you can only enter a name and a comment. This is my code:

It's a bit complicated, I know; most of this was generated for me.
Aye, it is a bit complicated; I can't even work out where it stops certain characters being entered :(
 
Ah well, lots of searching and I still can't figure it out. All I know is I want it to do something like:

Search Comment, if HTML Tags then replace with " "
Search comment, If word > 20 characters then replace with " "
Submit to database
 
jcb33 said:
Search Comment, if HTML Tags then replace with " "
Code:
$comment = strip_tags($comment);
http://uk.php.net/manual/en/function.strip-tags.php

Or you can use htmlspecialchars, which doesn't remove the HTML but leaves it in the comment as harmless text.
Code:
$comment = htmlspecialchars($comment);
http://uk.php.net/manual/en/function.htmlspecialchars.php


Search comment, If word > 20 characters then replace with " "
Code:
$comment = substr($comment, 0, 20);
http://uk.php.net/manual/en/function.substr.php
Or did you want to ensure no individual word in the comments is > 20 characters?

Submit to database
Before you insert, clean it with mysql_real_escape_string().
Code:
$comment = mysql_real_escape_string($comment);
http://uk.php.net/manual/en/function.mysql-real-escape-string.php

All fairly basic stuff to do with strings; have a read up on PHP: http://hudzilla.org/phpwiki/index.php?title=Main_Page
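Putting the three answers above together, as an added example rather than anything posted in the thread: a minimal store-and-display pair for the guestbook. It assumes a `guestbook` table with `name` and `comment` columns (constructed here in an in-memory SQLite database through PDO so it runs offline) and uses a prepared statement where the answer above uses mysql_real_escape_string(); the two inputs are constructed from the thread, the alert() script tag and a long run of characters like the m000... word. What it adds to the answers is the point that escaping belongs to a context: quoting for SQL happens once on the way into the database, HTML escaping happens every time the comment is shown, and neither requires stripping < and > from what the visitor typed.

```php
<?php
// Added example, not code from the thread. A `guestbook` table is constructed in
// an in-memory SQLite database via PDO so this runs offline; the thread used
// mysql_* against MySQL.

// Step 1: normalise raw form input. Keep the visitor's characters (including
// < and >); the display step neutralises them. Only stray control characters
// and excessive length are dropped here.
function cleanComment(string $raw, int $maxLen = 1000): string
{
    $c = str_replace(["\r\n", "\r"], "\n", trim($raw));
    $c = preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '', $c) ?? $c;
    return mb_substr($c, 0, $maxLen, 'UTF-8');
}

// Step 2: store with placeholders, so quotes in the comment cannot change the
// SQL. This is the job mysql_real_escape_string() did in the thread's era.
function storeComment(PDO $db, string $name, string $comment): void
{
    $stmt = $db->prepare("INSERT INTO guestbook (name, comment) VALUES (:name, :comment)");
    $stmt->execute([':name' => cleanComment($name, 60), ':comment' => cleanComment($comment)]);
}

// Step 3: escape for HTML at display time, every time. ENT_QUOTES covers both
// quote styles so the value is also safe inside an attribute; ENT_SUBSTITUTE
// keeps one bad byte from blanking the whole comment; the charset must match
// the page's. wordwrap() with the cut flag splits any run longer than $maxWord
// characters so a "m000..." word cannot stretch the layout; it runs before
// escaping so an entity such as &amp; is never cut in half.
function renderComment(string $name, string $comment, int $maxWord = 40): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $safeName = htmlspecialchars(wordwrap($name, $maxWord, "\n", true), $flags, 'UTF-8');
    $safeBody = nl2br(htmlspecialchars(wordwrap($comment, $maxWord, "\n", true), $flags, 'UTF-8'));
    return "<div class=\"entry\"><strong>$safeName</strong><p>$safeBody</p></div>";
}

// Constructed inputs: the script tag quoted in the thread and a layout-breaking word.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT NOT NULL, comment TEXT NOT NULL)");

storeComment($db, "Bob's mate", "<script>alert('Sanitise all user input!');</script>\nLike this");
storeComment($db, "Eve", "m" . str_repeat('0', 100) . " breaks the page?");

foreach ($db->query("SELECT name, comment FROM guestbook ORDER BY id") as $row) {
    echo renderComment($row['name'], $row['comment']), "\n";
}
// The first entry is emitted as literal text (&lt;script&gt;alert(&#039;Sanitise ...)
// and never runs; the second is broken into 40-character pieces.
```

The choice between strip_tags() and htmlspecialchars() from the answer above is a content decision, not a security one: strip_tags() throws away what the visitor wrote and can be confused by malformed markup, while htmlspecialchars() keeps it and makes it inert, so the latter is the safer default. Whichever you choose, do it at output; if you store the escaped form instead, anything that later reads the column for a different context (an e-mail, a JSON feed) gets double-encoded or wrongly trusted text.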
 