I need to store a user's public Facebook name in my MySQL database when they fill out a form in my canvas-based application.
This is what I have, but for some reason the name never makes it into the database - everything else does.
```php
$submit = $_POST['submit'];
if(isset($_POST['submit']) )
{
    //form data
    $name = $me['name'];
    $q1 = $_POST['bromance'];
    $q2 = $_POST['couple'];
    $q3 = $_POST['prime'];
    $email = $_POST['email'];
    //register the user
    $queryvote = mysql_query("INSERT INTO vote VALUES ('','$name','1','$q1','$q2','$q3','$email')");
}
```
I can successfully echo out the user's name by using $me['name'];, so I'm struggling to see why I cannot carry it through to my mysql_query. I've even tried populating it into a readonly field in the form, and inserting that value... again though, it never shows in the database.
I know the code I'm using is deprecated, but it's needed for this project. Probably a silly error, but we all miss things!
Thanks!
I want to send a newsletter through email and I would like to see who opened my email.
I send HTML in the content of the email, so I cannot add JavaScript in there. (see here)
Is there any way to send a post request (to my server) only through HTML, every time the HTML is opened and not by pressing a button?
No.
The only HTTP requests that can be triggered by simply opening an HTML document without any JS in it are GET requests.
Tracking of HTML emails is usually achieved using GET requests from images (and usually blocked by email clients because it is intrusive).
I think you are wanting to track emails which are opened? If you are using a PHP server you can create a simple "pixel" but would need to hook it up to your database.
Inside your email you can load the pixel as an image and replace the %pixel_id%:
```html
<img src="https://yoururl/pixel.php?tid=%pixel_id%" style="width:1px;height:1px;" title="pixel">
```
Pixel code:
```php
<?php
// YOU NEED TO INCLUDE YOUR DATABASE CONNECTION FILE HERE
$conn_cms = get_dbc();

// Tracking id from the image URL (?tid=...)
$tid = $_GET['tid'] ?? '';

// Look up the current counters for this pixel
$stmt = $conn_cms->prepare("SELECT * FROM `pixel_tracker` WHERE `pixel_id` = ?");
$stmt->bind_param("s", $tid);
$stmt->execute();
$result = $stmt->get_result(); // get the mysqli result
$assoc = $result->fetch_assoc();

// Record that the pixel was requested
$stmt = $conn_cms->prepare("UPDATE `pixel_tracker` SET `seen` = ?, `seen_count` = ?,
    `seen_when` = ?, `header_track` = ? WHERE `pixel_id` = ?");
$stmt->bind_param("sssss", $seen, $seen_count, $seen_when, $header_track, $pixel_id);
$seen = 1;
$seen_count = ($assoc['seen_count'] ?? 0) + 1;
$seen_when = date("Y-m-d H:i:s");
if (isset($_SERVER['HTTP_REFERER'])) {
    $header_track = $_SERVER['HTTP_REFERER'];
} else {
    $header_track = "none";
}
$pixel_id = $tid;
$stmt->execute(); // an UPDATE returns no result set

// Send back a 1x1 white image
$pixel = imagecreate(1, 1);
$color = imagecolorallocate($pixel, 255, 255, 255);
imagesetpixel($pixel, 0, 0, $color); // pixel coordinates are zero-based
header("Content-Type: image/jpeg");
imagejpeg($pixel);
imagedestroy($pixel);
?>
```
EDIT: If you are sending emails automatically from your server you can dynamically insert the pixel reference into your database, otherwise for now you can do this manually.
I am kind of new to MySQL and PHP. A week ago this code worked perfectly, and now when I try it, it shows this error message:
```
Error : You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 's product portfolio has diversified to encompass a highly
successful multi-brand' at line 1
```
I searched for how to solve this and spent a whole day on it, but couldn't figure it out.
I have tried similar questions here on Stack Overflow, yet I am stuck here.
Any help would be really appreciated.
Given below is my code:
```php
<?php
if(isset($_POST['upload']))
{
    $company_name = $_POST['company_name'];
    $service = $_POST['service'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $details = $_POST['details'];
    $fileName = $_FILES['Filename']['name'];
    $fileName1 = $_FILES['Filename1']['name'];
    $fileName2 = $_FILES['Filename2']['name'];
    $fileName3 = $_FILES['Filename3']['name'];
    $fileName4 = $_FILES['Filename4']['name'];
    $target = "company_images/";
    $fileTarget = $target.$fileName;
    $fileTarget1 = $target.$fileName1;
    $fileTarget2 = $target.$fileName2;
    $fileTarget3 = $target.$fileName3;
    $fileTarget4 = $target.$fileName4;
    $tempFileName = $_FILES["Filename"]["tmp_name"];
    $tempFileName1 = $_FILES["Filename1"]["tmp_name"];
    $tempFileName2 = $_FILES["Filename2"]["tmp_name"];
    $tempFileName3 = $_FILES["Filename3"]["tmp_name"];
    $tempFileName4 = $_FILES["Filename4"]["tmp_name"];
    $result = move_uploaded_file($tempFileName,$fileTarget);
    $result1 = move_uploaded_file($tempFileName1,$fileTarget1);
    $result2 = move_uploaded_file($tempFileName2,$fileTarget2);
    $result3 = move_uploaded_file($tempFileName3,$fileTarget3);
    $result4 = move_uploaded_file($tempFileName4,$fileTarget4);
    $file = rand(1000,100000)."-".$_FILES['file']['name'];
    $file_loc = $_FILES['file']['tmp_name'];
    $file_size = $_FILES['file']['size'];
    $file_type = $_FILES['file']['type'];
    $folder="pdf_uploads/";
    // new file size in KB
    $new_size = $file_size/1024;
    // new file size in KB
    // make file name in lower case
    $new_file_name = strtolower($file);
    // make file name in lower case
    $final_file=str_replace(' ','-',$new_file_name);// final
    if(move_uploaded_file($file_loc,$folder.$final_file))
    {
        $query = "INSERT INTO company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4) VALUES ('$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4')";
        $con->query($query) or die("Error : ".mysqli_error($con));
        mysqli_close($con);
    }
}
?>
```
Given below is the test data error
```
VALUES ('singer','Hardware','singer#gmail.com','singer','Singer has been in Sr' at line 1
```
Because you never sanitize anything and put the data straight into your query,
```php
$company_name =$_POST['company_name'];
$service =$_POST['service'];
$email =$_POST['email'];
$password =$_POST['password'];
$details =$_POST['details'];
// ...
$query = "INSERT INTO
company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4)
VALUES (
'$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4'
)";
```
your problem is most likely in the data
```
's product portfolio has diversified to encompass a highly successful multi-brand
```
Maybe you have unescaped apostrophes in your data, so you're kinda SQL-injecting yourself. The query ends before the string shown in the error.
The solution is to escape special chars before inserting like in this question: How do I escape only single quotes?
In your case, start with the details
```php
$details = addcslashes($_POST['details'], "'");
```
or
```php
$details = addslashes($_POST['details']);
```
But keep adding test scenarios for your code. E.g. what happens if company name gets something like Mc'Donaldson? What is the set of chars you want to accept for each field? Then you will know how to validate those fields and create your functions (or reuse something)
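The failure discussed in this thread, as an added example that is not part of the original posts: the same apostrophe-bearing value sent once through a string-built INSERT and once through a prepared statement, where the value travels separately from the SQL text and needs no escaping. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MariaDB so it runs offline; the two-column table, the sample values and the helper names `insert_concatenated` and `insert_prepared` are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the MariaDB server
// so the script runs offline; the table is cut down to two columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE company_details (company_name TEXT, details TEXT)');

// Constructed sample input containing an apostrophe, like the failing row.
$company_name = 'singer';
$details = "Singer's product portfolio has diversified";

// Hypothetical helper: returns true if the string-built INSERT is accepted,
// false if the server rejects it as a syntax error.
function insert_concatenated(PDO $pdo, string $name, string $details): bool
{
    try {
        // The apostrophe in $details closes the SQL string literal early.
        $pdo->exec("INSERT INTO company_details (company_name, details)
                    VALUES ('$name', '$details')");
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// Hypothetical helper: the SQL text contains only placeholders; the values
// are bound separately, so quotes in the data are never parsed as SQL.
function insert_prepared(PDO $pdo, string $name, string $details): void
{
    $stmt = $pdo->prepare('INSERT INTO company_details (company_name, details)
                           VALUES (:name, :details)');
    $stmt->execute([':name' => $name, ':details' => $details]);
}

// String-built query with the apostrophe: rejected.
var_dump(insert_concatenated($pdo, $company_name, $details));

// Prepared statement: accepted, and the stored text equals the input.
insert_prepared($pdo, $company_name, $details);
$stored = $pdo->query('SELECT details FROM company_details')->fetchColumn();
var_dump($stored === $details);
```

With mysqli the same pattern is `prepare()` with `?` placeholders followed by `bind_param()` and `execute()`.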
My page for an add-on I am creating works perfectly well unless I try to update an existing row.
```php
public function actionUpdate()
{
    $visitor = XenForo_Visitor::getInstance();
    $userName = $visitor['username'];
    //Get the text that user wrote in the text box
    $text3 = $this->_input->filterSingle('simple_text2', XenForo_Input::STRING);
    $text4 = $this->_input->filterSingle('simple_text3', XenForo_Input::STRING);
    //Create a instance of our DataWriter
    $dwSimpleText = XenForo_DataWriter::create('MinecraftAdder_DataWriter_MinecraftAdder');
    //Set the field with the data we filtered
    $dwSimpleText->setExistingData('Name');
    $dwSimpleText->set('Name', $text3);
    $dwSimpleText->setExistingData('Rank');
    $dwSimpleText->set('Rank', XenForo_Visitor::getUserId());
    $dwSimpleText->setExistingData('UUID');
    $dwSimpleText->set('UUID', $text4);
    $dwSimpleText->setExistingData('UserID');
    $dwSimpleText->set('UserID', $userName);
    //Save in the database, please!
    $dwSimpleText->save();
    //Send a response to the user, so he know that everything went fine with this action
    return $this->responseRedirect(
        XenForo_ControllerResponse_Redirect::SUCCESS,
        $this->getDynamicRedirect()
    );
}
```
I get the error The existing data required by the data writer could not be found. Does anyone know how to fix this?
My Addon page
Your usage of setExistingData is incorrect. That function must be given one of these two values:
1. The value of the Primary Key column(s) for the row you want to update
2. An array with all the data for the row you want to update

So in your case, seeing as you don't select the row in advance, you'd use option 1. Assuming UserID is your Primary Key column, your code would be:
```php
public function actionUpdate() {
    $visitor = XenForo_Visitor::getInstance();
    $userName = $visitor['username'];
    //Get the text that user wrote in the text box
    $text3 = $this->_input->filterSingle('simple_text2', XenForo_Input::STRING);
    $text4 = $this->_input->filterSingle('simple_text3', XenForo_Input::STRING);
    //Create a instance of our DataWriter
    $dwSimpleText = XenForo_DataWriter::create('MinecraftAdder_DataWriter_MinecraftAdder');
    //Set the field with the data we filtered
    $dwSimpleText->setExistingData($userName);
    $dwSimpleText->set('Name', $text3);
    $dwSimpleText->set('Rank', XenForo_Visitor::getUserId());
    $dwSimpleText->set('UUID', $text4);
    //Save in the database, please!
    $dwSimpleText->save();
    //Send a response to the user, so he know that everything went fine with this action
    return $this->responseRedirect(
        XenForo_ControllerResponse_Redirect::SUCCESS,
        $this->getDynamicRedirect()
    );
}
```
Some other tips:
- If this actionUpdate may be accessed through a form only, you should add $this->_assertPostOnly(); on the top of the function to make sure the request was a POST request.
- You may want to check if the Visitor's user_id is 0 so you don't save the information of guests. (Unless that's what you want of course)
Basically I am setting up a subscription application of name and email on my website which I am currently building. I have tested out the subscription form and all is working as it sends the data to the MySQL database and into the appropriate table (subscriptions) then into the 2 fields (subscriptionname, subscriptionemail).
With this I wish to once a month randomly draw a line out of the fields (which would have their name and email) and display this (only their name along with some other text such as "name is the winner of this month's random draw" etc) on the homepage of the website. (Might do as TWO draws same time every month. Unsure yet).
I'd want this to also send an email to the winner using obviously the email address it has as well as send to a predefined email address to me. (This is so I know exactly who has won it as of course there could be 2 or more people with the same name so I would not know which one won it. So within this email it would simply provide me with the name and email so I could supply the prize.)
I really hope someone would be able to help as I am completely clueless as what to do as I know little in the world of codes especially something like this.
I am not sure what language you are using so I will write in python.
Rewritten in PHP
```php
<?php
// your MySQL specific parameters
$my_host = "localhost";
$my_user = "user";
$my_pass = "password";
$my_db = "test";

// Connecting, selecting database (mysqli: the mysql_* functions were removed in PHP 7)
$link = mysqli_connect($my_host, $my_user, $my_pass, $my_db);

// Mysql fast random from http://wanderr.com/jay/order-by-slow/2008/01/30/
// Assuming the MySQL table is called subscriptions and has a numeric ID column
$query = "SELECT * FROM subscriptions T JOIN (SELECT FLOOR(MAX(ID)*RAND()) AS ID FROM subscriptions) AS x ON T.ID >= x.ID LIMIT 1;";
$result = mysqli_query($link, $query);

// get the user
$user = mysqli_fetch_assoc($result);
$user_email = $user['subscriptionemail'];
$user_name = $user['subscriptionname'];

// Free resultset
mysqli_free_result($result);
// Closing connection
mysqli_close($link);

//
// Email part
//
// specific to you; mail() uses the mail transport configured in php.ini
$my_email = 'me@my_domain.com';

// PHP concatenates strings with ".", not "+"
$text = "Hello " . $user_name . " you have won the prize!";
mail($user_email, "You won!", $text, "From: " . $my_email);
$text = $user_name . " has won the prize! Their email is " . $user_email . ".";
mail($my_email, "New winner!", $text, "From: " . $my_email);
```
I know I am simply missing the simplest thing here but can't seem to figure it out.
So this works with this code but changes all rows of the database as opposed to just the one with the page id...
```php
<? $pageid= $_GET["id"];
$sql = "SELECT id, first_name, last_name, email, bio, job, job2, job3 FROM `".weapons."` WHERE id = $pageid";
if(isset($_POST['Update']))
{
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $job = $_POST['job'];
    $job2 = $_POST['job2'];
    $job3 = $_POST['job3'];
    $bio = $_POST['bio'];
    $email = $_POST['email'];
    $sql = "UPDATE weapons SET first_name='$first_name', email='$email' , job='$job', job2='$job2', job3='$job3', bio='$bio', last_name='$last_name'";
    if (@mysql_query($sql)) {
        echo('<p>Update Complete</p>');
    } else {
        echo('<p>Error updating: ' . mysql_error() . '</p>');
    }
}else{ ...
```
however when adding the WHERE clause, like as follows
```php
$sql = "UPDATE weapons SET first_name='$first_name', email='$email' , job='$job', job2='$job2', job3='$job3', bio='$bio', last_name='$last_name' WHERE id = $pageid";
```
I get an error
```
Error updating: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
```
Any help would be great, thanks
EDIT
I actually missed a super easy thing, which is what I initially assumed. At first my form had <form method='post' enctype='multipart/form-data' action='submit.php'>, however that obviously messed up the GET id because there isn't an id, so even if that page was submit.php?id=4, when you hit submit it wouldn't run because the id would be gone.
Switching the code to <form method='post' enctype='multipart/form-data' action='#'> did just the trick.
Thanks for the help guys and I am looking into the sql injection now and working on how to better secure my site.
Please escape your strings before you create your SQL statement. Various characters in your input values will both break your query and open a HUGE security hole. That may very well be your problem. Look at this post for more info How can I prevent SQL injection in PHP?
In short, your assignments would look like this:
```php
$first_name = mysql_real_escape_string($_POST['first_name']);
```
echo $sql; before you run it and post what that outputs.
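An added example, not part of the original posts, for the two issues in this thread: an UPDATE that must touch exactly one row, and an id that can be missing from the request (which is what produced the `near ''` error). It assumes PHP with the pdo_sqlite extension and an in-memory SQLite database in place of MySQL; the trimmed `weapons` table, the sample rows and the helper `update_row` are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for MySQL; table trimmed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE weapons (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO weapons VALUES (3, 'Ann', 'ann@example.test'),
                                       (4, 'Bob', 'bob@example.test')");

// Hypothetical helper: returns the number of rows changed, or null when the
// id is missing or is not a positive integer (no query is sent in that case).
function update_row(PDO $pdo, $rawId, string $firstName, string $email): ?int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // e.g. the form posted to submit.php without ?id=...
    }
    // Values and id are bound, so the WHERE clause is always complete.
    $stmt = $pdo->prepare('UPDATE weapons
                           SET first_name = :first_name, email = :email
                           WHERE id = :id');
    $stmt->execute([':first_name' => $firstName, ':email' => $email, ':id' => $id]);
    return $stmt->rowCount();
}

// Constructed inputs: a valid id, the missing id from the question, and a
// value that is not an integer.
var_dump(update_row($pdo, '4', "O'Neil", 'oneil@example.test'));
var_dump(update_row($pdo, null, 'x', 'x@example.test'));
var_dump(update_row($pdo, '4abc', 'x', 'x@example.test'));

// The row with id 3 is untouched by the update of id 4.
var_dump($pdo->query('SELECT first_name FROM weapons WHERE id = 3')->fetchColumn());
```

In a page handler the raw value would come from `$_GET['id'] ?? null`, and a null result should end the request with an error instead of running the UPDATE.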