G+_Michael Maxfield Posted February 5, 2015 Share Posted February 5, 2015 Been doing a crash course in PHP and mysql with little more than the couple of episodes of Coding 101 on PHP and a non-conclusive 13 part series by Eli The Computer Guy on YouTube. With that and a few extra Google searches as questions arose, and a lot of sweat and tears, I think I integrated the mysql database into my concrete5 based website without many holes. ie, it works as I want, but I'm sure there are security holes in my coding, such as I'm not parsing the entries for perhaps bad escape sequences and such. I guess what I want t ask is "Is my database showing?" In an earlier attempt, I was able to see ll about my database, address and password, just by viewing the page source. I've got the database display in an iframe now, and from what I can tell, it's not showing. Does anyone care to give it a try and see if you can spot mistakes or errors? Thanks, Mike BTW, pay no attention to the domain name. It has nothing to do with Leo or Leoville. It's the city I live in, and prior to about 1998, never heard of (even though my great grandparents were married here)... I've known about Leo LaPorte much longer (since his Dvorack on Computers days.) The website is www.MyLaPorte.Info and the page with the database calls is "The Petition" http://mylaporte.info/petition/ Link to comment Share on other sites More sharing options...
G+_Jeff Brand Posted February 5, 2015 Share Posted February 5, 2015 The short answer is, "yes" :) Take a look at the docs for mysql_real_escape_string() which is the simplest way to escape user-submitted content for use in SQL queries. The easy way to break your current code is to use a single quote. Be careful because bots are constantly looking for scripts like yours to exploit and the output of the query in the error message leaks a ton of useful information. This is something to avoid on a public production site. I don't know much about Concrete5 but if they have their own DB abstraction layer, you may want to check their docs and use those functions for this project. If not, then take a look at the PDO library. If you plan to continue learning PHP that will be the most helpful since mysql_* functions are deprecated in an upcoming version of PHP (5.6, I believe.) mysqli_* functions will be available in their place but PDO will let you support MySQL and more in an object-based, future-proofed way. Here's a link: http://php.net/manual/en/book.pdo.php Happy coding! Link to comment Share on other sites More sharing options...
G+_Michael Maxfield Posted February 5, 2015 Author Share Posted February 5, 2015 Thanks. I do see where I can't put files to the DB when I have exclamations as the input. Once I fix the forms input, then I'll see how sql (actually mysqli) deals with it once the PHP errors are fixed on unexpected input. Yes, I do plan to move on further with HP and SQL since after this petition my next project will be a classifieds DB or a pothole reporting system. For PHO I have PHP For The Web by Larry Ullman and for the sql I have on loan from the library SQL A Beginners Guide by Forrest Houlette. I'll also make use of the online PDO manual you suggested. Link to comment Share on other sites More sharing options...
G+_Michael Maxfield Posted February 7, 2015 Author Share Posted February 7, 2015 Thanks Jeff, for causing me to look where I haven't already. Concrete5 is so simple, so intuitive (as well as lacks decent documentation) that I hadn't looked into it having the facilities in itself. Concrete5 5 is so simple that I was able to figure it out right out of the box (and due to the poor documentation, never set out to check it out.) Of course looking at the documentation there was no clear cut info that such facilities exist or how to deal with them, but using the built in forms blocks and putting all sorts of "@$!<,' info in and seeing that it ends up in the database by viewing with phpMyAdmin and seeing the characters in there without erors. Of course the documentation doesn't tell me how to use the stock forms block to put the data in a database separate from the operational CMS database for the website nor how to extract the different forms from a single table.(all forms created under the the form block wind up in the same table of the site's CMS database. aID asID msqID answer answerLong 1 1 8 no 2 2 9 Johnny Jay 3 2 10 Sheep don't think for themselves 4 2 8 no 5 3 9 Jeff Walker 6 3 10 Bahhh 7 3 8 yes 8 4 9 Jack A' Roberts 9 4 10 Whn I say "I am not" that means I am not! period. 10 4 8 no 11 5 11 a new name 12 5 12 No 13 6 9 freak 14 6 10 what, and not 15 6 8 no first field line second field is sequential form, third field question id,, etc. But I know it's there, just need to figure a way to manage it efficiently for multiple forms, preferably in their own databases or at least separate tables. I think I will prefer to write my own controls for my presentation outside the Concrete5 structure however, so I am currently viewing the following video which looks like it isthe best answer for my task. Link to comment Share on other sites More sharing options...
Recommended Posts