6 replies to this topic

[hoku_2000 _99]

http://starr05.comul...m/guestbook.php <---My link


When I actually try to sign my guestbook, I get my error message and it wont let me sign it. Not sure what I did wrong.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license, 
which means you can use it in any way you want provided you keep the link to the author 

intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" /></head>
<body>


    <!-- header -->
    <div id="header">
        <div id="logo"><a href="index.html">Header</a></div>
        <ul id="menu">
            <ul>
            <li><a href="index.html">Home</a></li>
            <li><a href="">Link 1</a></li>
            <li><a href="">Link 2</a></li>
            <li><a href="">Link 3</a></li>
            <li><a href="">Contact</a></li>
        <li><a href="guestbook.php">Guestbook</a></li>
                  </ul>
<div id="icon"><a href="twitter.com/">
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" 

width="58px;" height="53px;" />
</a></div>

   
  </div>
    <!--end header -->
    <!-- main -->
    <div id="main">
    <div id="content">  
 
 
 <div id="text">
                <h1><strong>Guestbook</strong></h1>
</div>

<?php  
$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect 

server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$name = $_POST['name'];   
$comment = $_POST['comment'];   
$comment  = stripslashes($comment);   
$name = stripslashes($name);   
$comment = str_replace("<","<",$comment);   
$name = str_replace("<","<",$name);   

$datetime=date("M-d-Y h:i:s A"); //date time   
$verif_box = $_POST['verif_box'];  
  
if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?> 
<table width="400" border="0" align="center">    
<tr><td align="center"><h4>You have not entered captcha or entered incorrect 

captcha!</h4></td></tr>      
</table>  
        
</div>  
     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality 

Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 
     
</body> 
</html> 

<? 
exit;  
} 

if(empty($name) || empty($comment)) { ?>    
  <table width="400" border="0" align="center">    
  <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>      
  </table>    
<?      
} else {    

$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', 

'$datetime')";   
$result=mysql_query($sql);   

//check if query successful   
if($result) { ?>  
<table width="400" border="0" align="center">    
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>      
</table>    
<?   
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>";  // link to view 

guestbook page   
} else {   
echo "ERROR";   
}   

mysql_close();  
}  
?> 

</div>  

     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality 

Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 

</body> 
</html>
?>

[Eieio]

From briefly reading the code I would think that your .php script is not able to connect to the MySQL database.

Also you have a random ?> that is not needed... get rid of it... its towards the bottom where it reads ERROR.

[hoku_2000 _99]

I just got rid of the ?> and still getting the error. :confused:

[Vaielab]

So you are connected to your database, but the error is when you do the query
For testing purpose ONLY do a

echo mysql_error();

just above the echo "ERROR";
But don't forget to remove this after testing.

By the way, you know that your code is absolutly not protected against mysql injection, html injection, xss and many more?

[hoku_2000 _99]

This is what I got:
have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(name, comment, datetime) VALUES ('Kat', 'Test', 'Nov-15-2011 08:14:21 PM')' at line 1ERROR

Yes, I do know that my code is not protected, I am also working on using mysql_real_escape_string.

[Vaielab]

$tbl_name is empty
I don't see anywhere where you set it
so mysql receive insert into (name, comment, datetime) VALUES ('Kat', 'Test', 'Nov-15-2011 08:14:21 PM')
without the table name

[hoku_2000 _99]

Nevermind, I was missing table name in my code.