<p>As Theodore said, <strong>never</strong> use <code>htmlentities()</code> for "escaping" something you want to put in your DB.</p>

<p>I strongly recommend using prepared statements when anything that (could) come from outside (the user) is stored in a database.</p>

<p>Prepared statements are really easy to use.</p>

<p>If you use PDO to access your database, help can be found <a href="http://php.net/manual/en/pdo.prepared-statements.php" rel="nofollow noreferrer">here</a>. As you can see, the <code>bindParam()</code> method is used to assign any value to a placeholder in the query.</p>

<p>If you use mysqli you can find the docs <a href="http://www.php.net/manual/en/mysqli-stmt.bind-param.php" rel="nofollow noreferrer">here</a>. The syntax of <code>bind_param()</code> is slightly different since the placeholders don't have names (order matters) and the first argument is a string that determines what type the arguments have ("s" for string, "i" for integer and so on).</p>

<p>Using prepared statements has several positive effects. First of all, it automatically masks the data that is provided in the <code>bindParam()</code>/<code>bind_param()</code> method and is the best way to close the <a href="http://www.unixwiz.net/techtips/sql-injection.html" rel="nofollow noreferrer">SQL injection attack vector</a>, and it even optimizes the performance of your queries by storing the execution plan in the database (this has a little overhead, but if you execute a query twice it pays off double).</p>

<p>PS: <code>htmlentities()</code> should only be used if you want to display some HTML as raw text to your users (code listings for instance).</p>

<p>PPS: Don't use <code>real_escape_string()</code> to prevent SQL injection since it's not safe (<a href="http://www.suspekt.org/2008/09/18/slides-from-my-lesser-known-security-problems-in-php-applications-talk-at-zendcon/" rel="nofollow noreferrer">suspekt.org</a>).</p>

<h1>Update</h1>

<p>First of all, for a follow-up you should ask a new question. People don't read questions that are already marked as answered, and by opening new questions you give kind people an opportunity to get some reward. :)</p>

<p>Nevertheless, the first argument "sssd" tells the database provider that you are passing four arguments, three of type string and a fourth of type double (in the example in the docs three strings and one double are bound: "DEU", "Bavarian", "F" and 11.2). This is obviously not the case here; you are actually passing (binding) 21 values.</p>

<p>Depending on the type that the columns in your <code>volunteers</code> table have, you need to pass a string of 21 characters as the first argument. There are four possible chars that can be used to determine the type:</p>

<ul>
<li>i for integer</li>
<li>d for double (floating point numbers)</li>
<li>s for string</li>
<li>b for boolean</li>
</ul>

<p>All you have to do is check what types your DB columns have. You will see that the types in the database have different names (like varchar, float etc.). If you google for these names you will find out that they are similar to string, integer, double and boolean. So you have to choose the best matching type depending on the column type (string ≆ varchar, double ≆ float, string ≆ tinytext, string ≆ date/datetime etc. pp.) and you should ensure that the values (your $_POST variables) actually match the type you defined.</p>

<p>Assuming that all your columns are of a text-like type like varchar, the first argument would look like 'sssssssssssssssssssss' (21 times s), or 'ssssssssssssssissssss' if the column that takes the volunteer_cordinator is of type int (just for instance).</p>

<p>After you have done this you should double-check whether <code>f (mysqli_connect_errno())</code> is a copy&amp;paste-related mistake or if you have actually missed the <code>i</code> in your code (should be <code>if (mysqli_connect_errno())</code>).</p>

<p>If you have checked that, you should consider writing <code>$_POST['xyz']</code> instead of <code>'$_POST[xyz]'</code>; it will help you, really (<code>'</code> marks the start/end of a string and <em>xyz</em> is in fact the string here).</p>

<p>If you still encounter errors, enable more detailed error information by adding <code>error_reporting(E_ALL);</code> at the top of your file (you should remove this for security reasons when your site goes live) and ask a <strong>new</strong> question.</p>

<h2>Update 2</h2>

<p>Double-check your MySQL connection string (the arguments you pass in the <code>mysql()</code> method). Are you sure that your password starts with an @ and ends with a full stop? By the way, you shouldn't post passwords etc. in public.</p>

<p>Ensure that your server supports the mysqli methods by running a script containing only</p>

<pre><code>&lt;?php
// Show all information, defaults to INFO_ALL
phpinfo();
?&gt;
</code></pre>

<p>and check the output for something like this: <img src="https://i.stack.imgur.com/oH42G.png" alt="MySQLi enabled"></p>
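As an added example that is not part of the original answer: the interpolated INSERT the answer warns against, beside the same INSERT done as a mysqli prepared statement (positional placeholders plus a type string) and as a PDO prepared statement (named placeholders with a per-parameter type). The `volunteers` table, its column names, the connection credentials, the sample input and the `bindTypes()` helper are all assumptions for illustration, not code from the question or the answer.

```php
<?php
// Added example, not code from the original answer. Table/column names,
// credentials, sample input and the bindTypes() helper are assumptions.

// Constructed sample input, shaped like the $_POST array in the question.
$input = [
    'first_name'            => "O'Brien'); DROP TABLE volunteers; -- ",
    'last_name'             => 'Smith',
    'email'                 => 'o.brien@example.org',
    'volunteer_coordinator' => '1',
];

// UNSAFE (the pattern to avoid): values interpolated straight into the SQL.
// The quote inside first_name ends the string literal, and the rest of the
// value is executed as SQL. Never run this with untrusted input.
$unsafe = "INSERT INTO volunteers (first_name, last_name, email, volunteer_coordinator)
           VALUES ('{$input['first_name']}', '{$input['last_name']}',
                   '{$input['email']}', {$input['volunteer_coordinator']})";

// Build the bind_param() type string from the column types, one character per
// placeholder, in placeholder order. Simplified mapping assumed for this
// example: integer columns -> i, floating point columns -> d, everything else -> s.
function bindTypes(array $columnTypes): string
{
    $types = '';
    foreach ($columnTypes as $type) {
        $type = strtolower($type);
        if (substr($type, -3) === 'int') {            // int, tinyint, bigint, ...
            $types .= 'i';
        } elseif (in_array($type, ['float', 'double', 'decimal'], true)) {
            $types .= 'd';
        } else {                                       // varchar, text, date, ...
            $types .= 's';
        }
    }
    return $types;
}

// --- mysqli: positional placeholders, types given as one string -------------
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // assumed credentials
if (mysqli_connect_errno()) {
    die('Connect failed: ' . mysqli_connect_error());
}
$stmt = $mysqli->prepare(
    'INSERT INTO volunteers (first_name, last_name, email, volunteer_coordinator)
     VALUES (?, ?, ?, ?)'
);
// Three VARCHAR columns and one INT column give "sssi": four placeholders,
// four type characters, four bound variables.
$types       = bindTypes(['varchar', 'varchar', 'varchar', 'int']);
$coordinator = (int) $input['volunteer_coordinator']; // make the value match the type
$stmt->bind_param($types, $input['first_name'], $input['last_name'],
                  $input['email'], $coordinator);
$stmt->execute();
$stmt->close();
$mysqli->close();

// --- PDO: named placeholders, type given per parameter ----------------------
$pdo = new PDO('mysql:host=localhost;dbname=dbname;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the server prepare the statement
]);
$stmt = $pdo->prepare(
    'INSERT INTO volunteers (first_name, last_name, email, volunteer_coordinator)
     VALUES (:first_name, :last_name, :email, :coordinator)'
);
$stmt->bindValue(':first_name',  $input['first_name'],  PDO::PARAM_STR);
$stmt->bindValue(':last_name',   $input['last_name'],   PDO::PARAM_STR);
$stmt->bindValue(':email',       $input['email'],       PDO::PARAM_STR);
$stmt->bindValue(':coordinator', (int) $input['volunteer_coordinator'], PDO::PARAM_INT);
$stmt->execute();

// With either driver the first_name value is stored verbatim, quote and all;
// the "DROP TABLE" text is just data in that column, never part of the query.
```

The PDO part uses `bindValue()`, which binds the value at call time; the `bindParam()` the answer points to binds a variable by reference and reads it when `execute()` runs. Both take the same `PDO::PARAM_*` type constant, and `execute()` also accepts an array of values directly if you do not need explicit types.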