[RESOLVED] Query was empty

Minecraft_iPod

Hi all,

One more quick question about my code from the previous thread I posted. Once my T_Variable problem was solved (😃), I noticed that the page said my query was empty (😕). I did not find my submitted parts of the form I created in my PHPMyAdmin database (:eek🙂. Did I connect incorrectly to the database? Here's my code once more:

<html>
	<head>
		<title> Lego Comic </title>
	</head>
<body> <center>
	<h1> Thank you for joining! Now click <a href="index.php" title="Login"> HERE </a> to login! </h1>

<?php

//Connect to the database server
mysql_connect("mysql2.**********.com","xxxxxxxx_xxxxx","xxxxxxxx") or die (mysql_error ());

//Select database
mysql_select_db("xxxxxxxx_xxxxx") or die (mysql_error ());

//The SQL statement is built by the user, taking information from becomeamember.php

$strSQl = "INSERT INTO Members(firstname) values('" . $_POST["firstname"] . "')";
//The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());

$strSQL = "INSERT INTO Members(username) values('" . $_POST["username"] . "')";
//The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());

$strSQL = "INSERT INTO Members(password) values('" . $_POST["password"] . "')";
//The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());

//Close the database connection
mysql_close();
?>

</center> </body>
</html>

Thanks in advance. 😃

bradgrafelman

When posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

As for your error message, the problem is here:

$strSQl = "INSERT INTO Members(firstname) values('" . $_POST["firstname"] . "')"; 
//The SQL statement is executed 
mysql_query($strSQL) or die (mysql_error());

You define a variable called $stringSQl but then try to use one called $stringSQL (which is undefined at that point).

A bigger problem, however, is the fact that you're executing three separate INSERT queries, which means you're creating three separate rows in the DB; one has a firstname value, one has a username value, and one has a password value. The rest of the columns in each of the three rows will be set to their default/NULL state. This doesn't really make much sense. Instead, you should probably be using all three pieces of information to create a single row (e.g using only one INSERT query).

Also note that user-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it such as with a function like [man]mysql_real_escape_string/man (for string data) or by using prepared statements. For more info, see the PHP manual page [man]security.database.sql-injection[/man].

Finally, note that the entire [man]mysql[/man] extension is quite outdated and has been deprecated in favor of [man]MySQLi[/man] or [man]PDO[/man].

Minecraft_iPod

Thank you for your help. You've removed the "Query was empty" error.

I was wondering if you could help me by giving me an example of executing all three commands in one row? It would be a great help.

bradgrafelman

In each of your INSERT queries, you're only listing a single column and a single value. Instead, you should be supplying a comma-separated list of all of the columns that you're specifying for the row to be inserted, followed by a VALUES section with another comma-separated list of values (that corresponds with the list of columns named earlier in the query, e.g. the 2nd value in the list should correspond to the second column).

The MySQL manual page for the INSERT query states its syntax and includes several sample SQL queries.

Minecraft_iPod

Once again, you have solved that problem. But once again, another has appeared... 🙁

When I load the page, instead of displaying my header and entering the data into the database, it displays this error:

"Parse error: syntax error, unexpected ';' in /xxxx/xxxxxxxx/xxxxxx_xxxx/members.php on line 22"

Here is my new code:

<html>
	<head>
		<title> Lego Comic </title>
	</head>
<body> <center>
	<h1> Thank you for joining! Now click <a href="index.php" title="Login"> HERE </a> to login! </h1>

<?php

//Connect to the database server
mysql_connect("host","user","pass") or die (mysql_error ());

//Select database
mysql_select_db("a5179209_avery") or die (mysql_error ());

//The SQL statement is built by the user, taking information from becomeamember.php

$strSQL = "INSERT INTO Members(firstname, username, password) values('" . $_POST["firstname"] . "', '" . $_POST["username"] . "', '" . $_POST["password"] . "')";
//The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());

//Close the database connection
mysql_close();
?>

</center> </body>
</html>

Thank you so much for your help.

bradgrafelman

There are no syntax errors in the code snippet you posted.

Minecraft_iPod

So then, what could be my problem?!? 😕

Minecraft_iPod

Nvm the last one, solved that myself. There are no error messages displayed, but when I check MyPHPAdmin, it shows an entry, but does not show any data in it?! It makes an entry, but does not show any data under firstname, username or password! It just assigns it an ID number! Here is my new code...

<html>
	<head>
		<title> Lego Comic </title>
	</head>
<body> <center>
	<h1> Thank you for joining! Now click <a href="index.php" title="Login"> HERE </a> to login! </h1>

<?php

//Connect to the database server
mysql_connect("******.**********.***","********_*****","********") or die (mysql_error ());

//Select database
mysql_select_db("********_*****") or die (mysql_error ());

//The SQL statement is built by the user, taking information from becomeamember.php
$strSQL = "INSERT INTO Members(firstname, username, password) values('" . $_POST["firstname"] . "', '" . $_POST["username"] . "', '" . $_POST["password"] . "')";

//The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());

//Close the database connection
mysql_close()
?>

</center> </body>
</html>

To solve the last problem, I removed the ";" from "mysql_close();". Any ideas on solving this problem? I know I've almost got this working... I'm sorry for posting so many problems that are probably obvious... :o

bradgrafelman

Few things:

Do you have display_errors set to On and error_reporting set to E_ALL? If so, do you get any error messages?
Your code above doesn't check to see if a form was actually submitted. In other words, simply visiting the above script in your browser (or letting a search engine's bot/spider crawl the page) would trigger the execution of the INSERT query. This is usually a bad design.

Instead, you should use [man]isset/man (or [man]empty/man) to check if some data was actually POST'ed. If not, then there's no point in executing any of that SQL-related code.
EDIT: Looks like I already covered this list item previously.

EDIT: Also, can you show us the HTML markup for the form that's being submitted to this script?

Minecraft_iPod

Alright, here's the code for the form being submitted:

<html>
	<head>
		<title> Lego Comic </title>
	</head>

<body>
<center>
	<h1> Lego Comic </h1>
	<h2> Become a member! </h2>
	<p> You can become a member of Lego Comic by filling out the form below! </p>

	<form action="members.php" method="post">
	<input type="text" value="firstname" />
	<input type="text" value="username" />
	<input type="password" value="password" />
	<input type="submit" value="Join Now!" />

	</form>

</center>
</body>
</html>

Hope it helps. In the mean time, I'm going to try the isset or empty codes. Thanks again!

bradgrafelman

None of your form elements have any names (as specified by a 'name' attribute).

Minecraft_iPod

How do I turn on display_errors and error_reporting? Also, does this code work?

<html>
	<head>
		<title> Lego Comic </title>
	</head>
<body> <center>
	<h1> Thank you for joining! Now click <a href="index.php" title="Login"> HERE </a> to login! </h1>

<?php

//Connect to the database server
mysql_connect("mysql2.**********.com","a5179209_avery","nepean99") or die (mysql_error ());

//Select database
mysql_select_db("a5179209_avery") or die (mysql_error ());

//The SQL statement is built by the user, taking information from becomeamember.php
$strSQL = "INSERT INTO Members(firstname, username, password) values('" . $_POST["firstname"] . "', '" . $_POST["username"] . "', '" . $_POST["password"] . "')";

//Check to see if the values firstname, username and password are empty
if (empty($strSQL)){
	echo "$strSQL is either empty, zero, or not set at all";
}
//The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());

//Close the database connection
mysql_close()
?>

</center> </body>
</html>

Minecraft_iPod

Also, are these properly named?

<html>
	<head>
		<title> Lego Comic </title>
	</head>

<body>
<center>
	<h1> Lego Comic </h1>
	<h2> Become a member! </h2>
	<p> You can become a member of Lego Comic by filling out the form below! </p>

	<form action="members.php" method="post">
	<input type="text" value="firstname" name="First Name" />
	<input type="text" value="username" name="Username" />
	<input type="password" value="password" name="Password" />
	<input type="submit" value="Join Now!" />

	</form>

</center>
</body>
</html>

Thanks.

bradgrafelman

Minecraft_iPod;11001257 wrote:
How do I turn on display_errors and error_reporting?

The manual page [man]configuration.changes[/man] lists the various ways to alter PHP directives.

Minecraft_iPod;11001257 wrote:
Also, does this code work?

I don't know... you tell us. 🙂

Note I do see one thing that doesn't make much sense:

$strSQL = "INSERT INTO Members(firstname, username, password) values('" . $_POST["firstname"] . "', '" . $_POST["username"] . "', '" . $_POST["password"] . "')";

//Check to see if the values firstname, username and password are empty
if (empty($strSQL)){

Two things wrong with that if() statement:

It doesn't do what the code comment is saying it's doing.
It doesn't do anything useful since the 'else' branch will never be executed; why would $strSQL be empty when it was just defined (with a non-empty value) in the previous statement?

Minecraft_iPod;11001258 wrote:
Also, are these properly named?

That depends what you mean by "properly," I suppose. You can name them whatever you want - it's your form, after all. However, none of the names you've given the three text fields match the names you're using in the PHP code, so unless you updated the code as well then you're still going to have problems.

Minecraft_iPod

Okay, I totally remade the login system with a different tutorial. Almost everything works, except when I try to login with the information I have added to MyPHPAdmin, it comes up with my message, "Wrong Username or Password".

Here's the code:

<html>
	<head>
		<title> Lego Comic </title>
	</head>

<body>
	<center>
	<h1> Lego Comic </h1>
	<h2> Login below! </h2>
	<h3> To become a member, click <a href="register.php" title="Become a Member!"> HERE! </a> </h3>
<?php
session_start();
// dBase file
include "dbconfig.php";

if ($_GET["op"] == "login")
 {
 if (!$_POST["username"] || !$_POST["password"])
 	{
 	die("You need to provide a username and password.");
 	}

 // Create query
 $q = "SELECT * FROM `Members` "
 	."WHERE `username`='".$_POST["username"]."' "
 	."AND `password`=PASSWORD('".$_POST["password"]."') "
 	."LIMIT 1";
 // Run query
 $r = mysql_query($q);

 if ( $obj = @mysql_fetch_object($r) )
 	{
 	// Login valid, create session variables
 	$_SESSION["valid_id"] = $obj->id;
 	$_SESSION["valid_user"] = $_POST["username"];
 	$_SESSION["valid_time"] = time();

// Redirect to member page
Header("Location: mainsite.php");
}
 else
 	{
 	// Login not successful
 	die("Incorrect Username or Password. Press the back button on your browser to try again.");
 	}
 }
else
 {
//If all went right the Web form appears and users can log in
 echo "<form action=\"?op=login\" method=\"POST\">";
 echo "Username: <input name=\"username\" size=\"15\"><br />";
 echo "Password: <input type=\"password\" name=\"password\" size=\"15\"><br />";
 echo "<input type=\"submit\" value=\"Login\">";
 echo "</form>";
 }
?>

	</center>
</body>
</html>

Can you see any problems?

Thanks! 😃

Derokorian

Did you store your password in plain text in mysql? Because the select query is looking for a string that has gone through the PASSWORD() function.

Minecraft_iPod

By plain text, do you mean not encoded? If that's what you mean, the password is encoded.

Minecraft_iPod

I just checked, and on the registration page, the password is put into a PASSWORD() function.

bradgrafelman

Try using phpMyAdmin to execute a query like:

SELECT PASSWORD('your password here')

to see what the password you're entering looks like when it's encoded by that function, and then manually SELECT the relevant row in your Members table. That would be one easy way to verify that the two values match (and, if they don't, you might be able to deduce why based on how the two values differ).

Minecraft_iPod

Would I write the SELECT PASSWORD like this?


<?php
include "dbconfig.php";

$m = "SELECT * FROM Members WHERE password = 'nepean99'";
$n = mysql_query($m);

echo $n;

?>