Is There Anything Wrong With This PHP Code

vitalXvital · September 20, 2013, 7:09pm

<?php

$conn = mysql_connect('localhost', 'user', 'password');

mysql_select_db('scores', $conn);

$name = $_GET['name'];

$score = $_GET['score'];

$name = mysql_real_escape_string($name);

$query = "INSERT INTO 'cj' ( 'Name', 'Score' ) VALUES ( $name, $score );";

mysql_query($query);

mysql_close();

mysql_error();

?>

Goofy · September 20, 2013, 9:34pm

I'm not a pro, but isn't there something wrong with where you put spaces? And I think you need to add an i to everywhere you've written mysql, so it says mysqli_connect for example. I'm just referring looking up on this link.

CaribouLou · September 20, 2013, 10:15pm

Looks pretty good, my advice is change it to look like this:

<?php $conn = mysql_connect('localhost', 'user', 'password') or die("Could not connect to database: " . mysql_error());

// these lines check to see if the command succeeds, and if not, it stops executing the code and prints an error.

mysql_select_db('scores', $conn) or die("Could not select DB: " . mysql_error());

$name = $_GET['name'];

$score = $_GET['score'];

$name = mysql_real_escape_string($name);

$query = "INSERT INTO 'cj' ( 'Name', 'Score' ) VALUES ( $name, $score );";

$result = mysql_query($query);

if(!$result){ // what this does is check if the query has thrown an error.

mysql_error();

}

mysql_close();

?>

The code itself works fine, I'm just giving you advice for error-handling, which comes in handy.

wickedwig · September 20, 2013, 11:32pm

Oh my God.

?score=DROP TABLE cj

wendell · September 21, 2013, 1:21am

+1 wickedwig plus also OH GOD MY EYES

http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

Read that. Do it that way.

PDO is your friend a lot.

There are a lot of tutorials on the internet. People that have time to do tutorials are very nearly always very terrible at what they're doing a tutorial on.

vitalXvital · September 21, 2013, 9:26am

Sorry for any offense caused to your eyes. This is my first time using SQL so I don't really know what I'm doing.
Could someone please explain the code for opening a connection to the database using PDO?
Thanks

wendell · September 21, 2013, 1:18pm

Did you read the link? How to do it with PDo is explained there. Do you have a specific question about that?

Also the manual has more complete examples.

http://php.net/manual/en/book.pdo.php