
a little help please.


DatDudeFuddPucker


<?php
mysql_connect("localhost," "root", "1alphabet") or die("Connection Failed");
mysql_select_db("US_States") or die("Connection Failed");
$user = $_POST['user'];
$password = $_POST['userpassword'];
$query = "INSERT INTO test(name,password)Values('$user','$password')";
if(mysql_query($query)){
    echo "inserted";}
    else{
        echo "fail";}
?>

OK, so on the second line where it says "root" I don't know if this is the correct user name to be using. This is the error I get when I run it. Any help?

Parse error: syntax error, unexpected '"root"' (T_CONSTANT_ENCAPSED_STRING) in /home/ubuntu/workspace/insert.php on line 2


With the change Don E recommended it worked. I can input the information and it will store in the database.

Now another question, can I change to mysqli or PDO in the code and it will work anyway? Or will I have to re-write the code entirely to accommodate those changes?

Edited by DatDudeFuddPucker

<?php
mysql_connect("localhost", "root", "1alphabet") or die("Connection Failed");
mysql_select_db("US_States") or die("Connection Failed");
$user = $_POST['user'];
$password = $_POST['userpassword'];
$query = "INSERT INTO test(name,password)Values('$user','$password')";
if(mysql_query($query)){
    echo "inserted";}
    else{
        echo "fail";}
?>

So does that mean I would change it to this to make it work? Or would I change it to (mysqli) and just leave it like that?

 

<?php
mysqli_connect ("localhost," "root", "1alphabet") or die("Connection Failed");
mysqli_select_db("US_States") or die("Connection Failed");
$user = $_POST['user'];
$password = $_POST['userpassword'];
$query = "INSERT INTO test(name,password)Values('$user','$password')";
if(mysql_query($query)){
echo "inserted";}
else{
echo "fail";}
?>


It's not as easy as changing function names. The way that the old mysql extension was used by most people is inherently insecure. When you do things like this, for example:

 

$query = "INSERT INTO test(name,password)Values('$user','$password')";

You're just asking for your web site to get hacked. SQL injection vulnerabilities I think are still the #1 attack vector against web sites, and it's because of code like that. The replacement for that is to use a prepared statement. The old mysql extension does not support prepared statements, which is one reason it was replaced with mysqli back in 2004. Today PDO is often more popular than mysqli because PDO supports more than just MySQL. Both PDO and mysqli support prepared statements though.
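The prepared-statement replacement described in the last reply, shown beside the interpolated query from the thread, as an added example that is not part of the original posts. It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs without a MySQL server; the function names and the sample form input are constructed for illustration.

```php
<?php
// Added example. An in-memory SQLite database stands in for the MySQL server;
// for the thread's setup the DSN would instead be
// "mysql:host=localhost;dbname=US_States;charset=utf8mb4" plus user and password.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (name TEXT, password TEXT)');

// Constructed form input standing in for $_POST: the name field contains quotes.
$post = ['user' => "x','y'), ('second", 'userpassword' => 'secret'];

// Hypothetical helper: the pattern from the thread. Input is pasted into the SQL
// text, so quotes in the input become part of the statement itself.
function insertInterpolated(PDO $pdo, array $post): int
{
    $sql = "INSERT INTO test(name,password) "
         . "VALUES('{$post['user']}','{$post['userpassword']}')";
    return $pdo->exec($sql); // number of rows the statement inserted
}

// Hypothetical helper: placeholders keep the SQL text fixed; the values are
// bound separately and can only ever be treated as data.
function insertPrepared(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO test(name,password) VALUES(:name, :password)'
    );
    $stmt->execute([
        ':name'     => $post['user'],
        ':password' => $post['userpassword'],
    ]);
    return $stmt->rowCount();
}

$unsafeRows = insertInterpolated($pdo, $post);
$pdo->exec('DELETE FROM test');

$safeRows = insertPrepared($pdo, $post);
$stored   = $pdo->query('SELECT name FROM test')->fetchColumn();

// Compare how many rows one form submission produced in each case, and what
// the prepared statement actually stored in the name column.
echo "interpolated query inserted {$unsafeRows} row(s)\n";
echo "prepared statement inserted {$safeRows} row(s)\n";
echo "name stored by prepared statement: {$stored}\n";
```

mysqli offers the same mechanism through `prepare()`, `bind_param()` and `execute()`, so either extension replaces the interpolated query.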
