Afternoon everyone,
I'm currently trying to insert or update form field values via params into a mysql after some simple validation. The form submits, but does not actually execute any of the operations and does not raise a syntax or database connection error. I know my connection string works because I fetched values from it to compare to in the code prior to the nested evaluation blocks shown below. The foreach loops were inserted as an alternate means of validating that the values have indeed been altered in the table. Your help is greatly appreciated, as always:
my $dbusr = param("dbuser");
my $dbpw = param("dbpass");
my $dbmail = param("dbemail");
my $dbtel = param("dbphone");
my $postflag = param("Submit");
if ($dbusr ne "") {
$sth = $dbh->prepare("SELECT * FROM USER WHERE username LIKE ?");
$sth->execute('$dbusr');
warn( $DBI::errstr ) if ( $DBI::err );
my #results = $sth->fetchall_arrayref();
foreach(#results){
if ($dbusr eq $_){
$loopval = 1;
}
}
unless($loopval){
$sth = $dbh->prepare("INSERT INTO USER
(username, password, phone, email)
values
(?,?,?,?)");
$sth->execute($dbusr, $dbpw, $dbtel, $dbmail);
warn( $DBI::errstr ) if ( $DBI::err );
$sth = $dbh->prepare("SELECT * FROM USER WHERE username LIKE ?");
$sth->execute('$dbusr');
#results = $sth->fetchall_arrayref();
foreach(#results){
if ($dbusr eq $_){
$successflag = 1;
}
}
}
else{
$sth = $dbh->prepare("UPDATE USER
SET (password = ?, phone = ?, email = ?)
WHERE username = ?");
$sth->execute($dbpw, $dbtel, $dbmail, $dbusr);
warn( $DBI::errstr ) if ( $DBI::err );
$sth = $dbh->prepare("SELECT * FROM USER WHERE username LIKE ?");
$sth->execute('$dbusr');
#results = $sth->fetchall_arrayref();
foreach(#results){
if ($dbusr eq $_){
$successflag = 1;
}
}
}
}
Basic Perl: '-quoted strings do NOT interpolate variables:
$sth->execute('$dbusr');
^-- ^---
You're literally passing $, d, b, etc... to your query as the placeholder value.
Try
$sth->execute($dbusr); // note the lack of ' quotes
instead.
You are searching for entire rows with the SELECT * FROM USER WHERE username LIKE ? statement, and are then fetching all the rows in one go with
my #results = $sth->fetchall_arrayref();
That method "returns a reference to an array that contains one reference per row.", but you are treating the returned value as an list of usernames:
foreach(#results){
if ($dbusr eq $_){
$loopval = 1;
}
}
To make this work you should just fetch the username column, and treat the returned rows as references of references. And as you look for exact matches in the database replace LIKE with =:
$sth = $dbh->prepare("SELECT username FROM USER WHERE username = ?");
$sth->execute($dbusr); # no quoting
die( $DBI::errstr ) if ( $DBI::err ); # what else to do if the execute fails?
my $results = $sth->fetchall_arrayref(); # an arrayref is returned
foreach(#$results){ # de-reference the array
if ($dbusr eq $_->[0]){ # each row is an arrayref, look in first element
$loopval = 1;
}
}
(Of course the same applies to the second search.)
Related
I'm baffled, when I use the terminal (mysql) and insert into username,account_password columns, user_id AUTO_INCREMENTS just as it should.
my table:
CREATE TABLE users (
user_id int NOT NULL AUTO_INCREMENT,
user_type VARCHAR(20) NULL,
creation_date TIMESTAMP NOT NULL,
username VARCHAR(100) NOT NULL,
account_password VARCHAR(255) NOT NULL,
PRIMARY KEY (user_id)
);
yet when I use this script:
use strict;
use warnings FATAL => 'all';# good for debugging, FATAL kills program so warnings are more identifiable
use CGI qw/:standard/;
use CGI::Carp qw(fatalsToBrowser); # good for debugging, sends info to browser
use DBI;
use DBD::mysql;
use Digest::SHA qw(sha256);
print header, start_html;
my $fName = param('firstName');
my $lName = param('lastName');
my $compName = param('compName');
my $email = param('email');
my $pswrd = param('password');
my $cnfPswrd = param('confPassword');
my $encpswrd = "";
#check passwords match, if not display error, and exit script
if ($pswrd eq $cnfPswrd) {
$encpswrd = sha256($pswrd);
} else {
print "Passwords did not match! refresh form!";
exit;
}
#database credentials, to be changed accordingly
my $database = "intsystest";
my $host = "localhost";
my $user = "root";
my $pw = "password";
my $dsn = "dbi:mysql:$database:localhost:3306";
#connect to database
my $dbh = DBI->connect($dsn, $user, $pw,
{ RaiseError => 1 }) or die "unable to connect:$DBI::errstr\n"; # <- this line good for debugging
#create, prepare, execute query, disconnect from DB
my $personsQuery = "INSERT INTO persons (first_name, last_name) VALUES (?,?)";
my $compQuery = "INSERT INTO company (company_name) VALUES (?)";
my $usersQuery = "INSERT INTO users (username, account_password) VALUES (?,?)";
my $sth = $dbh->prepare($personsQuery);
$sth->execute($fName, $lName);
$sth = $dbh->prepare($compQuery);
$sth->execute($compName);
$sth = $dbh->prepare($usersQuery);
$sth->execute($email, $encpswrd);
$dbh -> disconnect;
# additional processing as needed ...
print end_html;
I get this error:
DBD::mysql::st execute failed: Field 'user_id' doesn't have a default value at /usr/lib/cgi-bin/compSignUpDBCGI.pl line 44.
I'm assuming it's likely something wrong with the handler. What am I missing??
If your persons table has a foreign key to the users table then you need insert the users record first, then get the id of the new users record and add that to the SQL to insert the persons record.
Something like this:
my $usersQuery = "INSERT INTO users (username, account_password) VALUES (?,?)";
$sth = $dbh->prepare($usersQuery);
$sth->execute($email, $encpswrd);
$sth = $dbh->prepare('SELECT user_id FROM users WHERE username = ?');
$sth->execute($email);
my $user_id = $sth->fetch->[0];
my $personsQuery = "INSERT INTO persons (user_id ,first_name, last_name) VALUES (?,?,?)";
$sth = $dbh->prepare($personsQuery);
$sth->execute($user_id, $fName, $lName);
This is an area where DBIx::Class will definitely make your life easier.
i was doing a insert statement and i want 2 username become 1 data and insert into database. i no sure how to do it.
here is my php and mysql
$target = $_GET['user'];
$id = $_SESSION['id'];
$targetusername = mysqli_query($connection,"SELECT username FROM user WHERE id='$target' ")or die(mysqli_error($connection));
$username= mysqli_query($connection,"SELECT username FROM user WHERE id='$id'") or die(mysqli_error($connection));
$direct_message_room_name ="INSERT INTO direct_message_room(`direct_message_room_name`,`user_1_id`,`user_2_id`) VALUES (('$targetusername' + ' and ' + '$username'),'$id','$target')";
In order to have two variables in one column, you can serialize an array, though this is generally frowned upon unless it's for a good reason.
$array = array('username'=>'user1','username2'=>'user2');
$serialize = serialize($array);
Gives you:
a:2:{s:8:"username";s:5:"user1";s:9:"username2";s:5:"user2";}
Use the unserialize() function to return it to an array. Wordpress is one notable web application that stores arrays in such a way.
On a side note, you need to use bind parameter to avoid injectable sql queries:
// Do not do this
$target = $_GET['user'];
mysqli_query($connection,"SELECT username FROM user WHERE id='$target' ")
Here is a reference:
What does bind_param accomplish?
You can concat two strings in php like so:
$StringAB = $StringA . " something " . $StringB;
$target = $_GET['user'];
$id = $_SESSION['id'];
$targetusername = mysqli_query($connection,"SELECT username FROM user WHERE id='$target' ")or die(mysqli_error($connection));
$username= mysqli_query($connection,"SELECT username FROM user WHERE id='$id'") or die(mysqli_error($connection));
$rowUserName = mysql_fetch_array($username);
$rowTargetUserName = mysql_fetch_array($targetusername );
$room_name = $rowUserName["username"] . ' and ' . $rowTargetUserName["username"]; // Create room name (assuming both exist)
$direct_message_room_name ="INSERT INTO direct_message_room(`direct_message_room_name`,`user_1_id`,`user_2_id`) VALUES ('$room_name','$id','$target')";
I am very confused about this (returning false):
$sql = "SELECT * from tbl_user WHERE group = 'abc'";
$res = mysql_query($sql);
if(mysql_num_rows($res) > 0) {
$response = array('status' => '1');
} else {
$response = array('status' => '0'); // ---> what I get back
die("Query failed");
}
...despite the fact the field group is present in mySQL database. Even more strange is that the following return the value of group:
$SQL = "SELECT * FROM tbl_user";
$result = mysql_query($SQL);
while ($db_field = mysql_fetch_assoc($result)) {
print $db_field['group']; // ---> returns 'abc'
When I execute a WHERE clause with every other fields of my table excepting group (for example WHERE name = 'ex1' AND ID=1 AND isAllowed=0 (and so on...), everything is fine. As soon as I insert group = 'abc', I get nothing...
This makes me mad. If anyone could help... (I am running a local server with MAMP).
Thanks a lot!
The issue is that group is a reserved word in SQL.
For MySql you need to escape it with backticks
`group`
So your query would be
$sql = "SELECT * from tbl_user WHERE `group` = 'abc'";
I am having an issue with inserting an array of information into a mysql database. Basically I built a sortable gallery similar to Facebook's photo albums that can be arranged by moving the div to a new spot with jquery's sortable function.
I am using Ajax to call a php file which will inser the new order of the div's into the DB. The information is being passed correctly, it is just not being inserted correctly.
The error I am receiving is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Array' at line 1
The Php code is:
foreach ($_GET['listItem'] as $position => $item) {
if ($item >= 1) {
$sql[] = "UPDATE table SET order = '{$position}' WHERE id = '{$item}'";
mysql_query($sql) or die(mysql_error());
}
}
If I remove the mysql_query function and just do a print_r, I get:
Array
(
[0] => UPDATE table SET order = '0' WHERE id = '2'
[1] => UPDATE table SET order = '1' WHERE id = '4'
[2] => UPDATE table SET order = '2' WHERE id = '3'
[3] => UPDATE table SET order = '3' WHERE id = '1'
[4] => UPDATE table SET order = '4' WHERE id = '5'
[5] => UPDATE table SET order = '5' WHERE id = '6'
)
This is the first time I have tried to do something like this. Any help would be great.
Thank you in advance for the help!
In mysql_query($sql) $sql is an array, therefore it's value is simply Array. When you assign $sql[] = "UPDATE table SET order = '{$position}' WHERE id = '{$item}'"; simply make this line $sql = "UPDATE table SET order = '{$position}' WHERE id = '{$item}'";. That should solve your problem.
EDIT:
You can leave the [] and simply remove the mysql_query from where it is. After your foreach list item, add this:
foreach($sql as $query) {
mysql_query($query);
}
Sounds like there is some confusion about what the [] operator does. You use [] when you want to append an element to the end of an existing array.
For example:
$sql = array();
$sql[] = 'UPDATE table SET order = "0" WHERE id = "2"';
mysql_query($sql); // this will produce the error you are seeing
Versus:
$sql = 'UPDATE table SET order = "0" WHERE id = "2"';
mysql_query($sql); // this will work
You should rewrite your code as such:
foreach ($_GET['listItem'] as $position => $item) {
if ($item >= 1) {
$sql = "UPDATE table SET order = '{$position}' WHERE id = '{$item}'";
mysql_query($sql) or die(mysql_error());
}
}
That will do what you are intending. However, this is still not a good idea, since you are passing untrusted $_GET data directly to the database. I could, for example, call your script with a string like:
http://yoursite.com/yourscript.php?listItem=1'%3B%20DROP%20TABLE%20yourtable%3B
Since the value of listItem is going directly to the database -- and the $item >= 1 check is insufficient, since PHP will evaluate a string as an integer if it begins with numeric data -- all I have to do is add a single quote to terminate the previous query, and I am then free to inject whatever SQL command I'd like; this is a basic SQL injection attack. Whenever you write database-touching code, you should cleanse any input that might be going to the database. A final version of your code might look like:
foreach ($_GET['listItem'] as $position => $item) {
if ($item >= 1) { // this check may or may not be needed depending on its purpose
$sql = 'UPDATE table SET order = "' . mysql_real_escape_string($position) . '" WHERE id = "' . mysql_real_escape_string($item) . '"';
mysql_query($sql) or die(mysql_error());
}
}
There are other ways to cleanse input data as well, that is just one of them. Hope that helps.
Please I am having problem tracking down the problem with this code I have been trying for hours . it gives me the error DBD::mysql::st fetchrow_hashref failed: fetch() without execute() at line 15
sub Split_Into_Words
{
#### Connection parameters ############################
my $dsn = "dbi:mysql:malware:localhost:3306";
my $user = 'root';
my $passwd = 'sxxxs';
########################################################
my $domain ;
my $countDir = 0 ;
my $file = shift ;
my $labelID = (split(/[.]/ , $file))[1] ; ### Split and get the middle value since format is temporay.
#### Query String ############################################################################
my $InsertIntoHostTable_QS = "INSERT INTO TB_host(HostName , UrlID , ExtID) Values (? , ? , ? ) ; ";
my $InsertIntoDomainTable_QS = "INSERT IGNORE INTO TB_Domain(Domain) values (?) ;" ;
my $InsertIntoArgVal_QS = "INSERT INTO TB_Arg_Value(Arg, URL_ID) VALUES (? , ? ) ; " ;
my $InsertIntoDirectory_QS = "INSERT INTO TB_Directory(DIRNAME , DEPTH , URLID) VALUES (? , ? , ? )" ;
my $InsertIntoExtension_QS = "INSERT IGNORE INTO TB_Extension (Extension) values ( ? ) ; ";
my $InsertIntoExtensionNULL_QS = "INSERT IGNORE INTO TB_Extension (ID , Extension) values (? , ? ) ; ";
my $SelectString = " Select URL , ID from TB_URL where LabelID = '" . $labelID."';";
my $InsertIntoFileName_QS = "INSERT IGNORE INTO TB_FileName( filename) VALUES (?) ; " ;
###################################################################################################
my $DBIConnect = DBI->connect($dsn , $user , $passwd) or die("Cannot connect to datadbase $DBI::errstr\n");
print ("Splitting Into Words \n");
######Initialization of a default DB value #################
my $sth = $DBIConnect->prepare( $InsertIntoExtensionNULL_QS);
$sth->execute(1 , 'null') or die("Error Executing the Insertion" . $sth->errstr );
$sth->finish();
#############################################################
$sth = $DBIConnect ->prepare($SelectString);
sleep(10);
open (FH , '<' , $file); # Open file to be read from disk
my $i = 0;
$sth->execute() or die("Error Executing the Insertion" . $sth->errstr );
->line 15 while(my $hash_ref = $sth->fetchrow_hashref )
{
my $extensionID = "1";
my $intialURL = $hash_ref->{URL} ;
my $initialID = $hash_ref->{ID};
}
}
I'm not sure if this is the issue, but you may not need the finish after the insert. From the DBI doc:
Indicate that no more data will be fetched from this statement handle
before it is either executed again or destroyed. You almost certainly
do not need to call this method.
Adding calls to finish after loop that fetches all rows is a common
mistake, don't do it, it can mask genuine problems like uncaught fetch
errors.
If that is the problem, you may want to create a second statement handler for the select call.
Apart from the annoyingly long SQL variable names, $SelectString should contain a "?", in case $labelID contains something that could break the query or cause an injection.
prepare() doesn't absolutely require a "?", but if execute has parameters, then there must be a matching number of "?" in the query string.
First $sth->finish() is not needed because the query is an insert and doesn't return any rows.
Second 'die' should be "Error executing query", because it executing $SelectString
Note SQL convention is to write all in uppercase, and for extra safety enclose field names in backticks. Queries do not end with semicolon. Also note that "my" variables are local to that between braces, { } so that my variables in the while loop will be unavailable afterwards.
Suggest formatting thus:
sub Split_Into_Words {
#### Connection parameters ############################
my $dsn = "dbi:mysql:malware:localhost:3306";
my $user = 'root';
my $passwd = 'sxxxs';
########################################################
my $domain ;
my $countDir = 0 ;
my $file = shift ;
my $labelID = (split(/[.]/ , $file))[1] ; ### Split and get the middle value since format is temporary.
#### Query String ############################################################################
my $InsertIntoHostTable_QS = "INSERT INTO `TB_host` (`HostName`,`UrlID`,`ExtID`) VALUES (?,?,?)";
my $InsertIntoDomainTable_QS = "INSERT IGNORE INTO `TB_Domain` (`Domain`) VALUES (?)";
my $InsertIntoArgVal_QS = "INSERT INTO `TB_Arg_Value` (`Arg`,`URL_ID`) VALUES (?,?)";.
my $InsertIntoDirectory_QS = "INSERT INTO `TB_Directory` (`DIRNAME`,`DEPTH`,`URLID`) VALUES (?,?,?)";
my $InsertIntoExtension_QS = "INSERT IGNORE INTO `TB_Extension` (`Extension`) VALUES (?)";
my $InsertIntoExtensionNULL_QS= "INSERT IGNORE INTO `TB_Extension` (`ID`,`Extension`) VALUES (?,?)";
my $SelectString = "SELECT `URL`,`ID` FROM `TB_URL` WHERE `LabelID`=?";
my $InsertIntoFileName_QS = "INSERT IGNORE INTO `TB_FileName` (`filename`) VALUES (?)";
###################################################################################################
my $DBIConnect = DBI->connect($dsn , $user , $passwd) or die("Cannot connect to datadbase $DBI::errstr\n");
print ("Splitting Into Words \n");
######Initialization of a default DB value #################
my $sth = $DBIConnect->prepare( $InsertIntoExtensionNULL_QS);
$sth->execute(1 , 'null') or die("Error executing the Insertion: " . $sth->errstr );
# $sth->finish(); # not needed because it's an insert
#############################################################
$sth = $DBIConnect->prepare($SelectString);
sleep(10);
open (FH , "<$file"); # Open file to be read from disk
my $i = 0;
$sth->execute($labelID) or die("Error executing query: " . $sth->errstr );
while(my $hash_ref = $sth->fetchrow_hashref ) {
my $extensionID = "1";
my $intialURL = $hash_ref->{URL};
my $initialID = $hash_ref->{ID};
}