PHP - form, search, passing results to new page (page 2)
Donogh5
All American
971 Posts

Yup, that syntax looks right to me. For security, it's best not to expose db server instances across the Internet. At the very least, it should be on a private, NATed LAN.

I'm not sure why die() is used either, but it seems to be the convention when dealing with db connections. Usually, with PHP, the choice of one function or syntax over another is historical in nature. Another example is the strange inconsistency between the ordering of needle and haystack parameters in different functions.

7/6/2008 5:36:44 PM

quagmire02
All American
44225 Posts

^ actually, that addresses a question i've always had, but never really come across (so i never gave it more than a passing thought):

i have unlimited mysql databases on my hosting plan...if a friend doesn't have any on his and i let him create the database on my server, how would he go about creating a secure connection between the two? i mean, neither of us own the servers - they're just basic, relatively cheap hosting plans on shared servers

oh, and wouldn't vertigo need to specify a port? i don't have a great deal of experience in cross-server communication like this, but in my limited experience, i've always had to specify ports

*shrug*

[Edited on July 6, 2008 at 5:42 PM. Reason : .]

7/6/2008 5:41:14 PM

Donogh5
All American
971 Posts

^ i presume it'd default to port 3306, but maybe he would

a vpn connection would be the way to go, but it depends whether you're allowed to run vpn clients/servers

you could also do basic tunnelling over ssh: http://www.revsys.com/writings/quicktips/ssh-tunnel.html

7/6/2008 7:22:35 PM

vertigo
Veteran
135 Posts

Okay, empty records keep being submitted when I use this simple form:

<?php
$host = "localhost";
$user = "user";
$pswd = "pswd";
$mydb = "mydb";

$link = @mysql_connect($host,$user,$pswd);
if (!$link) {
    echo "Connection failed: ".mysql_error();
    exit;
}

$db_connect = @mysql_select_db($mydb,$link);
if (!$db_connect) {
    echo "Cannot connect to database: ".mysql_error();
    exit;
}

if (isset($_POST['submit'])) {
    $fname = stripslashes(trim($_POST['fname']));
    $mname = stripslashes(trim($_POST['mname']));
    $lname = stripslashes(trim($_POST['lname']));

    $query = "INSERT INTO $table (LNAME,FNAME,MNAME) VALUES ('$lname','$fname','$mname')";

    $result = @mysql_query($query,$link);
    if (!$result) {
        echo "Query failed: ".mysql_error();
        exit;
    }

    mysql_close($link);
}
?>

<form enctype="text/plain" class="conf_reg" method="post" action="<?php echo $_SERVER[$PHP_SELF]; ?>">
    <input name="fname" type="text" size="25" maxlength="25" />
    <input name="mname" type="text" size="1" maxlength="1" />
    <input name="lname" type="text" size="25" maxlength="25" />
    <input name="submit" type="submit" value="SUBMIT" />
</form>


When I check in phpMyAdmin, it shows the first column as increasing (it's called RECORD_ID and it's set to auto_increment) and it shows the correct timestamp (the second column is called TIMESTAMP and has a value of CURRENT_TIMESTAMP). So, every time I test the submission page, I get a new record with the correct timestamp, but the other three columns are all empty.

What am I missing?

Thanks!

7/13/2008 6:29:30 PM

vertigo
Veteran
135 Posts

Does anyone have any suggestions as to what I might be doing wrong?

7/14/2008 2:27:11 PM

bous
All American
11215 Posts

$query = "INSERT INTO $table


where is $table assigned a string value?

7/14/2008 2:31:18 PM

vertigo
Veteran
135 Posts

Oh, I forgot to include that as part of my post. It's in there, though, just below the $db declaration:

$table = "tablename";


I've tried just sticking it directly into the query, but it doesn't make any difference. And, since I'll end up having multiple queries, I like setting the table name to a variable. Is that stupid?

7/14/2008 2:39:56 PM

Ernie
All American
45943 Posts

It's not stupid, but it's pointless and potentially confusing for anyone else maintaining the script.

7/14/2008 2:43:49 PM

quagmire02
All American
44225 Posts

i'm confused...you're saying that it's actually creating new records, but it's not populating the database except for the record id and timestamp?

7/14/2008 3:06:11 PM

vertigo
Veteran
135 Posts

Yes. I can take a screenshot if that would help. I just can't figure out why it won't fill in my other fields.

7/14/2008 3:10:56 PM

vertigo
Veteran
135 Posts

Any other ideas? Anyone? I can't get this to work, and I can't figure out why.

7/14/2008 11:00:31 PM

BigMan157
no u
103352 Posts

what are LNAME,FNAME,MNAME?

VARCHARs?

[Edited on July 15, 2008 at 7:42 AM. Reason : also, it's good practice to add slashes - not strip them - to help prevent injection attacks]

[Edited on July 15, 2008 at 7:43 AM. Reason : another thing: do this to debug - if (isset($_POST['submit'])) {print_r($_POST);}]

7/15/2008 7:40:56 AM

DPK
All American
2390 Posts

Have you done any debugging to see that there's actually anything in those post variables? Like echo out the variable lengths and $_SERVER['REQUEST_METHOD'] to double check what's going on. You could be looking in the wrong place altogether.

Also, what version of PHP are you running?

Debug debug debug.

[Edited on July 15, 2008 at 8:05 AM. Reason : -]

[Edited on July 15, 2008 at 8:07 AM. Reason : Read up on your Super Globals - http://us3.php.net/manual/en/language.variables.superglobals.php]

7/15/2008 7:51:41 AM

vertigo
Veteran
135 Posts

print_r($_POST);
gives me nothing. As in, nothing shows up at all. I put in this:
<?php echo "<p>request method: ".$_SERVER['REQUEST_METHOD']."</p>" ?>
and when I initially load the page, it says "request method: GET" and after I submit something it says "request method: POST", so I think it's doing that correctly.

FNAME, MNAME, and LNAME are all varchars, of 25, 3, and 25, respectively.

According to phpinfo(), I'm running PHP version 5.2.6.

Is it possible that some setting is turned off that I need turned on? I don't even know where to begin looking. That code above isn't quite right, by the way. I was piecing it together since I didn't have my page with me. Below is the code I'm actually using, and now, it's not creating ANY new records or timestamps - nothing gets submitted.

<?php
$host = "localhost";
$user = "username";
$pswd = "password";
$mydb = "databasename";

$link = @mysql_connect($host,$user,$pswd);
if (!$link) {
    echo "Connection failed: ".mysql_error();
    exit;
}

$db_connect = @mysql_select_db($mydb,$link);
if (!$db_connect) {
    echo "Cannot connect to database: ".mysql_error();
    exit;
}

if (isset($_POST['submit'])) {
    $fname = addslashes(trim($_POST['fname']));
    $mname = addslashes(trim($_POST['mname']));
    $lname = addslashes(trim($_POST['lname']));

    $query = "INSERT INTO tablename (LNAME,FNAME,MNAME) VALUES ('$lname','$fname','$mname')";

    $result = @mysql_query($query,$link);
    if (!$result) {
        echo "Query failed: ".mysql_error();
        exit;
    }
    print_r($_POST);
}
mysql_close($link);
?>

<form enctype="text/plain" method="post" action="<?php echo $_SERVER[$PHP_SELF] ?>">
    <input name="fname" type="text" size="25" maxlength="25" />
    <input name="mname" type="text" size="1" maxlength="1" />
    <input name="lname" type="text" size="25" maxlength="25" />
    <input name="submit" type="submit" value="submit" />
</form>

<?php echo "<p>request method: ".$_SERVER['REQUEST_METHOD']."</p>" ?>


[Edited on July 15, 2008 at 10:19 AM. Reason : formatting]

7/15/2008 10:17:26 AM

BigMan157
no u
103352 Posts

$_SERVER[$PHP_SELF] should be $_SERVER['PHP_SELF']

7/15/2008 10:28:27 AM

vertigo
Veteran
135 Posts

^ Good point. I changed it, and it still isn't submitting to the database and I'm still not getting any errors.

7/15/2008 11:16:38 AM

DirtyMonkey
All American
4269 Posts

try print_r($_REQUEST); that will display all GET and POST vars. also, if you want to do a post-back (submit to the same page) just leave the entire action attribute off the form tag.

7/15/2008 11:53:00 AM

vertigo
Veteran
135 Posts

If I put that inside the isset, then it displays nothing. If I put it right after the request method echo, I get:

Array ( )

display vars: 1

7/15/2008 12:43:30 PM

DirtyMonkey
All American
4269 Posts

make a (temporary page) with this: echo phpinfo();

then refresh the page and look for these two lines:

register_globals (should be "off")
variables_order (should be "EGPCS")

i don't know why these two would say anything different but if variables_order is blank, that would be why there is nothing in those superglobals.

also, you probably have error reporting turned off. put these two lines at the top of your script (in php tags, but NOT in any conditional statement) for debugging. don't forget to remove them or comment them out when you're done.

error_reporting(E_ALL);
ini_set('display_errors','on');

[Edited on July 15, 2008 at 1:53 PM. Reason : errors]

7/15/2008 1:52:09 PM

vertigo
Veteran
135 Posts

Those two directives are as you said they would be. I put in those two lines regarding error reporting, at the top without any conditions. When I run the page (either initially or after submitting something), I see nothing different.

This is becoming very annoying. It's GOT to be a setting somewhere - PHP and SQL aren't THAT difficult. What little experience I have is in Oracle (as the beginning of the thread shows), and so the servers were managed in-house. What else could this be?



[Edited on July 15, 2008 at 3:09 PM. Reason : Frustrated. Thanks for all the suggestions and help, though!]

7/15/2008 3:07:56 PM

DirtyMonkey
All American
4269 Posts

can you post your phpinfo() output? if you'd rather not you can PM me.

7/15/2008 4:10:17 PM

vertigo
Veteran
135 Posts

I'll send it to you. I stripped out most of the identifying information (not because I don't trust you - because, after all, most of you have been very helpful, and I sincerely appreciate it), but because there is stuff shared on that server that is not mine that I am responsible for, and I'd like to take as much precaution as possible against something happening.

Actually, I didn't remove anything, really - I just renamed directories, the URL, and IP addresses that I came across. That said, I'm sure I missed something, but I can only do so much.

Anyone else who wouldn't mind taking a look at it, let me know - I'll send you the file, as well. Thanks!

7/15/2008 5:19:07 PM

BigMan157
no u
103352 Posts

get rid of all the @ symbols, those suppress errors- that's why you're not getting anything showing up when you turned errors on

7/15/2008 8:47:51 PM

DirtyMonkey
All American
4269 Posts

well that's true, but the problem looks like $_POST (or $_REQUEST) is not being set when the form is submitted, regardless of any possible mysql connection errors.

7/15/2008 9:46:37 PM

vertigo
Veteran
135 Posts

^^ Ah, I did that because of the "messy" errors that were being displayed - I set it so that it would show me error messages in a more readable format. I didn't think about it suppressing all the other errors (though why would it, if the @ symbol only suppresses the errors on that particular function?).

^ Email sent - THANK YOU!

[Edited on July 15, 2008 at 10:36 PM. Reason : Email.]

7/15/2008 10:36:35 PM
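
Added example, not part of the thread or any poster's code: PHP fills $_POST only for application/x-www-form-urlencoded and multipart/form-data request bodies, so a form sent with enctype="text/plain" arrives with an empty $_POST. The sketch below omits enctype and binds the values with a prepared statement instead of addslashes(). It assumes the pdo_sqlite extension; the in-memory SQLite table and the open_db() and save_name() helpers are stand-ins for the MySQL setup in the posts above.

```php
<?php
// Added example. An in-memory SQLite table stands in for the thread's MySQL table.
function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tablename (RECORD_ID INTEGER PRIMARY KEY AUTOINCREMENT,
        LNAME VARCHAR(25), FNAME VARCHAR(25), MNAME VARCHAR(3))');
    return $pdo;
}

// Hypothetical helper: check each field, then insert with bound parameters.
function save_name(PDO $pdo, array $post): int {
    $limits = ['lname' => 25, 'fname' => 25, 'mname' => 3];
    $params = [];
    foreach ($limits as $field => $max) {
        $value = $post[$field] ?? '';
        $value = is_string($value) ? trim($value) : '';
        if (strlen($value) > $max) {
            throw new InvalidArgumentException("$field is too long");
        }
        $params[":$field"] = $value;
    }
    // Refuse the empty rows the thread kept getting instead of storing them.
    if ($params[':fname'] === '' || $params[':lname'] === '') {
        throw new InvalidArgumentException('first and last name are required');
    }
    $stmt = $pdo->prepare('INSERT INTO tablename (LNAME, FNAME, MNAME)
        VALUES (:lname, :fname, :mname)');
    $stmt->execute($params);   // values travel separately from the SQL text
    return (int) $pdo->lastInsertId();
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $message = 'Saved record ' . save_name(open_db(), $_POST);
    } catch (InvalidArgumentException $e) {
        $message = $e->getMessage();
    }
}
?>
<form method="post"> <!-- no enctype: the browser sends application/x-www-form-urlencoded -->
<input name="fname" type="text" size="25" maxlength="25" />
<input name="mname" type="text" size="1" maxlength="1" />
<input name="lname" type="text" size="25" maxlength="25" />
<input name="submit" type="submit" value="submit" />
</form>
<p><?php echo htmlspecialchars($message); ?></p>
```

A name such as O'Brien is stored unchanged, because the bound value is never spliced into the SQL string.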

vertigo
Veteran
135 Posts

Is there any reason doing something like this is a bad idea?

<?php
if(isset($_GET['p'])) {
    $page = $_GET['p'];
}
else {
    $page = "home";
}
switch($page) {
    case $page: include($page.".html"); break;
    default: echo "<div>page error!</div>"; break;
}
?>

I was thinking that, to avoid writing a case for each and every page on the site (about 15-20), this would work so that all links could be written like this:

<a href="?p=pagename">page name</a>

and it would change that include part of the page. The includes are named the same way the cases are - for example, the "contact" page is called contact.html and the "gallery" page is called gallery.html.

The only thing I can think of is that this naming scheme might be insecure, since someone could put in "securepage" and it would automatically bring up securepage.html. But couldn't you just use .htaccess to protect those pages anyway?

Thanks!

[Edited on September 6, 2008 at 5:29 PM. Reason : code tags]

9/6/2008 5:28:52 PM

BigMan157
no u
103352 Posts

they could travel down the directory to root files, potentially

9/6/2008 5:33:07 PM

EuroTitToss
All American
4790 Posts

Quote :
"The only thing I can think of is that this naming scheme might be insecure, since someone could put in "securepage" and it would automatically bring up securepage.html. But couldn't you just use .htaccess to protect those pages anyway?"


uh... yea, but they'd be able to type "securepage.html" anyway, right?

I think bigman is right though, I don't think .htaccess would prevent an include...

9/6/2008 5:52:06 PM

vertigo
Veteran
135 Posts

Do you have any suggestions for an alternative?

This is for another non-profit that doesn't have the money for a web person, full-time or part-time. I had originally decided to do it like this so that the person maintaining the site, who has very little web experience but understands the very basics, could just create new pages by copying an existing page and then giving it a common-sense name. By doing it like this, there'd be no need for an addition to the PHP script. I realize that it would be a small thing for them to just add a line to the script by copying one above it, but I'm trying to minimize the number of steps.

I know there are a number of other ways I could do this without the complexity of PHP, but I'm trying to do it this way.

Thanks!

9/6/2008 7:17:29 PM

gs7
All American
2354 Posts

Use .htaccess to prevent direct access to the .html files, while including them from your .php file, as ^^ stated above.

9/6/2008 8:18:20 PM
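
An alternative along the lines asked for above, added here as an example and not code from any poster: it keeps the ?p=pagename links and the "copy a file and name it" workflow, but serves a page only when the name matches a strict pattern and a matching file exists in one dedicated directory. The pages/ directory, PAGES_DIR and resolve_page() are assumptions about the site layout.

```php
<?php
// Added example: map ?p=name to a file inside one directory, or null.
// PAGES_DIR is an assumed layout: pages/home.html, pages/contact.html, ...
define('PAGES_DIR', __DIR__ . '/pages');

function resolve_page($requested, string $dir): ?string {
    // 1. Only short, simple names: no dots, slashes, NUL bytes or URL schemes.
    if (!is_string($requested) || !preg_match('/\A[a-z0-9_-]{1,40}\z/', $requested)) {
        return null;
    }
    // 2. The allowlist is the set of *.html files present in $dir, so adding
    //    a page is still "copy a file and give it a common-sense name".
    $allowed = array_map(
        fn($file) => basename($file, '.html'),
        glob($dir . '/*.html') ?: []
    );
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 3. Defence in depth: the resolved path must still be under $dir
    //    (catches a symlink planted inside the pages directory).
    $base = realpath($dir);
    $path = realpath($dir . '/' . $requested . '.html');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['p'] ?? 'home', PAGES_DIR);
if ($page === null) {
    http_response_code(404);
    echo '<div>page error!</div>';
} else {
    readfile($page);   // emit static HTML; unlike include(), never runs it as PHP
}
```

Pages that must stay private belong outside the pages directory, since anything placed in it is reachable by name.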
