Entries Tagged as ''

phonebook example in php mysql insert delete confirm basic demo

This is a very basic example of php/mysql.We used to make use of mysql database and a php file for getting this done.To run this code you can first create database as provided in sql here and after creating database run this code.Make modifications as you want to do in it.

<html>
<head>
<title>Phone Book Example</title>
</head>
<body bgcolor=”#f6f6f6″ style=”font-family:arial”>
<marquee behavior=”alternate”>
<font size=’7′>Welcome to Phone Book Demo</font>
</marquee>
<br/><hr/><br/>

<table border=”1″ align=”center” width=”100%”>
<tr>
<td>
<h2 align=”center”>Enter Details</h2>
<table border=”1″ align=”center”>
<form action=”phonebookDemo.php” method=”post”>
<tr><td>First Name:</td><td><input type=”text” name=”FirstName” /></td></tr>
<tr><td>Last Name:</td><td><input type=”text” name=”LastName” /></td></tr>
<tr><td>Phone Number:</td><td><input type=”text” name=”PhoneNumber” /></td></tr>
<tr><td colspan=”2″ align=”center”><input type=”submit” value=”Add Contact” /></td></tr>
</form>
</table>
</td>
<td>
<?php
//Connectivity with MySql
$con=mysql_connect(”localhost”,”root”,”");
if(!$con)
{
echo “You are unable to connect with server</br>”;
die(”Error : “.mysql_error());
}
//Connectivity with database in MySql.
mysql_select_db(”phonebook”,$con);

$firstname = $_REQUEST['FirstName'];
$lastname = $_REQUEST['LastName'];
$phone      = $_REQUEST['PhoneNumber'];
if($firstname  != “” )
{
@mysql_query(”INSERT INTO contacts (FirstName,LastName,PhoneNumber) VALUES(’”.mysql_escape_string($firstname).”‘, ‘”.mysql_escape_string($lastname).”‘, ‘”.mysql_escape_string($phone).”‘)”);
$msg=”Record Added in phonebook”;
}
if($_REQUEST['action']==”del”)
{
@mysql_query(”DELETE FROM contacts WHERE id=”.intval($_REQUEST['id']).”;”);
}
$result = mysql_query(”SELECT * FROM contacts”);
echo “<table border=’1′ align=’center’ cellpadding=’5′>”;
echo “<tr><th>First Name</th>
<th>Last Name</th>
<th>Phone Number</th>
<th>Action</th>”;
if(!mysql_num_rows($result))echo “<tr><td colspan=4>No entry in phonebook</td></tr>”;
if($result)
{
while($row = mysql_fetch_array($result))
{
echo “<tr>”;
echo “<td>”.$row['FirstName'].”</td>”;
echo “<td>”.$row['LastName'].”</td>”;
echo “<td>”.$row['PhoneNumber'].”</td>”;
echo “<td><a onclick=\”return confirm(’Are u sure to delete this entry?’);\” href=’phonebookDemo.php?action=del&id=”.$row['id'].”‘>Delete</a></td>”;
echo “</tr>”;
}
}
echo “</table>”;

//mysql_query(”DELETE FROM contacts WHERE FirstName=’Kuldeep’”);
mysql_query($sql,$con);
mysql_close($con);

?>
</td>
</tr>
</table>
</body>
</html>

SQl for This exampple:-


CREATE TABLE `contacts` (
  `id` int(10) NOT NULL auto_increment,
  `FirstName` varchar(200) NOT NULL,
  `LastName` varchar(200) NOT NULL,
  `PhoneNumber` varchar(200) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=6 ;

–
– Dumping data for table `contacts`
– 

INSERT INTO `contacts` (`id`, `FirstName`, `LastName`, `PhoneNumber`) VALUES (3, ‘Inder’, ‘Singh’, ‘98726-82279′),
(5, ‘Inderweb’, ‘India’, ‘98726-82279′);

—–Demo provided by KK BHARDWAJ -HP


Tags: Mysql, PHP, Programming by Inder Singh
No Comments »

Preventing MySQL Injection attacks with good PHP code- Using PHP for preventing MySQL injection attacks on your site

A Mysql injection is attack tried by site visitors/users to get/damage data in databases by taking benefit from poor programming of websites.An injection attack occurs when a visitor to your site types something into a form input with the purpose of changing the outcome of your MySQL query. For example, at a login screen someone may try this type of attack to gain access to a secure area of the website.

If your query to check the username and password entered by the user was this:

“SELECT * FROM users WHERE username = ‘”.$_POST['username'].”‘ AND password = ‘”.$_POST['password'].”‘”

Someone could login by using any username and for the password they would type ‘ OR ”=” which would be placed into your MySQL query changing it to be:

“SELECT * FROM users WHERE username = ‘anyuser’ AND password = ” OR ”=””

As you can see, MySQL injection attacks can be pretty serious depending on the information the person has access to once they are logged in. It is very important for you to secure your site against injection attacks. Luckily, PHP can aid you in preventing injection attacks.

MySQL will then return all the rows in the table and then, depending on your script’s logic, you will probably log them in because there was a match. Now, in most cases, people have magic_quotes_gpc turned on (it’s the PHP default) which will add backslashes to escape all ‘ (single-quote), ” (double quote), (backslash) and NULL characters. This is not foolproof though because there are other characters that should be escaped to be safe.

Preventing Mysql/PHP injections:-

There are php mysql functions to prevent such type of things:
into your queries. One of The function is mysql_real_escape_string().

use Like :- $value = “‘” . mysql_real_escape_string($value) . “‘”;

For integer values dont forgot to use intval() function


Tags: CMS(Content management System), Drupal, Hacking, Linux, Mysql, Mysql injection, PHP, Programming, Programming Technologies, RDBMS/DBMS SQL, Web technologies by Inder Singh
No Comments »