PHP/MYSQL Help

AShatteredGrave · Post by **AShatteredGrave** » Wed Jul 06, 2005 12:53 pm

I've done this many times before but now I'm spacing. I'm trying to insert tables via a form to my database. For some reason, it fails to insert the tables and fields from the $_POST on table.html

It will tell me that the fields weren't created and it will read the $_POST on the if/else statement. I just seems that the query isn't reading the variables.

If someone can find what's wrong and show me, I would greatly appreciate it.

-------table.html---------
<html>
<head>
<title>Create Table and a Field</title>
</head>
<body>
<form action="create.php" method="post">
<p>Create the table:<br>
<input type=text name="createtable" size="20">
<p>Create the field:<br>
<input type=text name="createfield" size="20">
<p>
<input type=submit name="submit" value="Create Table"></p>
</form>
</body>
</html>

---------create.php-------------
<?php
//open the connection
$conn = mysql_connect("localhost", "name", "pass");
//The database to use
mysql_select_db("database",$conn);
//Creating the table
$table = "$_POST[createtable]";
$field = "$_POST[createfield]";
$sql = "CREATE TABLE $table (id int not null primary key auto_increment, $field varchar(75) }";

if (mysql_query($sql,$conn)) {
echo "$_POST[createtable] and $_POST[createfield] were successfully created!";
} else {
echo "$_POST[createtable] and $_POST[createfield] weren't created!";
}
?>

sam · Post by **sam** » Wed Jul 06, 2005 1:27 pm

why are you doing this through php? why don't you just make the table in mysql through ssh. does the user who you added into the database have the privilages required to create new tables?

AShatteredGrave · Post by **AShatteredGrave** » Wed Jul 06, 2005 1:48 pm

Yes, the user has the privileges. I'm the user. I'm doing this so I can work on my DB while at work. I don't have ssh access at work.

I was playing with the php without using the GLOBALS to post the information. I did it the regular way of:

$sql = "CREATE TABLE table (blah blah, field varchar(blah))";

mysql_query($sql,$conn);

and it works just fine. I'm just trying to find out why it won't read the GLOBALs in the $sql variable and how to fix it.

Post by **MonMotha** » Wed Jul 06, 2005 2:47 pm

PHP seems to ahve some issues using the "$var" construction to get $var, so I'd try removing the double quotes around the assignments there, and maybe quote your element in the POST array ($_POST['foo']).

Also, don't forget that if this is a public page, you need to escape EVERYTHING you get from the user with mysql_real_escape_string(...) or you'll end up with SQL injection vulneribilities everywhere. Do it as you write the code, not as an afterthought. If you do it later, you'll invariably miss one and someone will come along and wreck your database.

However, phpmyadmin seems 100% suited for the task, if all you want to do is raw database administration remotely. It's really a nice little app. Check it out.

AShatteredGrave · Post by **AShatteredGrave** » Wed Jul 06, 2005 6:14 pm

Oh yeah, I know about phpMyAdmin. I use it all the time. This script is more or less for my own learning experience. I'm curious as to what I can do with a database with PHP. I know it's alot.

Anyway, I tried what you told me MonMotha, didn't work. I probably didn't write it like you meant though, think you could write the line like you meant for me to use?

Post by **MonMotha** » Wed Jul 06, 2005 6:44 pm

Code: Select all

$query .= chop($_POST['description']) . ", ";

That's how I grab data from POSTs, that would take data from the form variable 'description' and assemble it into my query (notice the '.=' and the appended ','), trimming any whitespace. This was taken from a page with access control for users that are completely trusted (it just bails if you aren't an administrator), so I got lazy and didn't escape the data. Remember to do that as well.

Incidentally, here's the corresponding HTML:

Code: Select all

<form action="script.php" method="post" enctype="multipart/form-data"><p>
...
	Description (optional): <textarea name="description" rows="6" cols="48"></textarea><br />
	<input type="hidden" name="MAX_FILE_SIZE" value="2097152" />
	Picture File (Max 2MB): <input type="file" name="picfile" /><br />
...
<input type="submit" /></p></form>

(Ugly HTML for an ugly page...)

Basically, you can do anything with the database, since PHP just submits raw queries to it. Take a look at the (awful) phpbb code for some examples. Always remember to validate your input!

AShatteredGrave · Post by **AShatteredGrave** » Thu Jul 07, 2005 2:29 am

Now this is in a complete seperate script but in the same program. Nothing to do with SQL just a simple if statement confusion..

*Example 1*

Code: Select all

//This statement tells us whether the ticket has been approved
$problem = isset($problem) == "$tag[9]";

if (isset($_POST[approve])) {
  if($problem) {
	   echo "ts complete<br>tt approved<br><br>Duplicated issue<br><br>";
     } else {
        echo "ts complete<br>tt approved<br><br>";
     }
}else{
    echo "Steps needed for escalation:<br><br>";
}

Now the problem with it is that it doesn't recognize if the array from previous page is there or not. It will show the else statement from the inside if statement.

------------------------------------------------------------------
My theory is that if I make another variable such as $else and say that $else is equal to all the values in the array except for $tag[9] then use that else statement.

*Example 2*

Code: Select all

//This statement tells us whether the ticket has been approved
$problem = isset($_POST[problem]) == "$tag[9]";

$else = isset($_POST[problem]) == "<all other items in the array>";

if (isset($_POST[approve])){
  if($problem) {
	   echo "ts complete<br>tt approved<br><br>Duplicated issue<br><br>";
     } elseif ($else) {
        echo "ts complete<br>tt approved<br><br>";
     } else {
  }
}else{
    echo "Steps needed for escalation:<br><br>";
}

The problem is, I don't know how to have it call all the items in the array except $tag[9]