Where could the error be in this query?
Hi! I have this POST handler:
if ( $_POST["func"] == "AddNewPerson" )
{
    if (isset($_POST['fio'])) { $fio = $_POST['fio']; if ($fio == '') unset($fio); }
    if (isset($_POST['pn'])) { $pn = $_POST['pn']; if ($pn == '') unset($pn); }
    if (isset($_POST['vt'])) { $vt = $_POST['vt']; if ($vt == '') unset($vt); }
    if (isset($_POST['sr'])) { $sr = $_POST['sr']; if ($sr == '') unset($sr); }
    if (isset($_POST['cht'])) { $cht = $_POST['cht']; if ($cht == '') unset($cht); }
    if (isset($_POST['pt'])) { $pt = $_POST['pt']; if ($pt == '') unset($pt); }
    if (isset($_POST['sb'])) { $sb = $_POST['sb']; if ($sb == '') unset($sb); }
    if (isset($_POST['vs'])) { $vs = $_POST['vs']; if ($vs == '') unset($vs); }
    $user_id = $_SESSION["user_id"];
    // id, fio, pn, vt, sr, cht, pt, sb, vs, user_id, group_id, data_reg
    $result = $mysqli->query("INSERT INTO personal VALUES ( NULL,'".$fio."','".$pn."','".$vt."','".$sr."','".$cht."','".$pt."','".$sb."','".$vs."','".$user_id."',154,'",GETDATE(),"')" );
    if (!$result) error($mysqli->error);
    $result->free();
    $result->close();
    $mysqli->close();
}
The mistake is that you do not provide the SQL query code that actually goes into the database.
Prepared queries and filtering variables? No, never heard of them...
php.net/manual/ru/mysqli.prepare.php is for mysqli. Life will become easier) And then maybe you will switch to PDO :)
And doesn't it bother you that if, say, $_POST['vs'] is not sent, you will not have a $vs variable?
And further down in the code you refer to it ($vs). That is a Notice: Undefined variable, and uncontrolled behavior.
Besides, you push input from POST directly into the query body. This is a direct path to SQL injection.
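
The prepared-statement approach the answers point to, as an added example that is not the asker's or any answerer's code. It uses PDO with an in-memory SQLite table standing in for the MySQL `personal` table (an assumption, so it runs without a server); `addNewPerson`, `FIELDS` and the sample input are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. SQLite in memory stands in for the MySQL table (assumption);
// the prepare/execute calls are the same with the PDO MySQL driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE personal (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    fio TEXT, pn TEXT, vt TEXT, sr TEXT, cht TEXT, pt TEXT, sb TEXT, vs TEXT,
    user_id INTEGER, group_id INTEGER, data_reg TEXT)');

const FIELDS = ['fio', 'pn', 'vt', 'sr', 'cht', 'pt', 'sb', 'vs'];

// Hypothetical helper: inserts one row using bound parameters only.
function addNewPerson(PDO $pdo, array $post, int $userId): int
{
    $params = [];
    foreach (FIELDS as $name) {
        $value = $post[$name] ?? '';
        // A missing, empty or non-string field becomes NULL, never an undefined variable.
        $params[":$name"] = (is_string($value) && $value !== '') ? $value : null;
    }
    $params[':user_id'] = $userId;
    $params[':data_reg'] = date('Y-m-d H:i:s'); // timestamp built in PHP (assumption)

    // Columns are named explicitly; values travel separately from the SQL text.
    $sql = 'INSERT INTO personal (fio, pn, vt, sr, cht, pt, sb, vs, user_id, group_id, data_reg)
            VALUES (:fio, :pn, :vt, :sr, :cht, :pt, :sb, :vs, :user_id, 154, :data_reg)';
    $pdo->prepare($sql)->execute($params);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input: 'vs' is absent, 'vt' is empty, 'fio' contains quote characters.
$post = ['func' => 'AddNewPerson', 'fio' => "O'Brien', 'x", 'pn' => '9-18', 'vt' => ''];
$id = addNewPerson($pdo, $post, 7);

$stmt = $pdo->prepare('SELECT fio, vt, vs FROM personal WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump($row['fio'] === "O'Brien', 'x");             // quotes were stored as plain data
var_dump($row['vt'] === null && $row['vs'] === null); // empty and missing fields are NULL
```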