
I very recently started learning php, and with the help of some examples I managed to make this code (mainly from W3Schools):

<?php
$con=mysqli_connect("Data Removed for Privacy");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql= "INSERT INTO EventRecord (PlayerName, EventType, Value, Time)
VALUES
('$_Get[PlayerName]', '$_Get[Event]' ,'$_Get[Value]' ,'$_Get[Time]')";
if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";
mysqli_close($con);
?>

However, when doing something like

http://example.com/MyData.php?PlayerName=Test2&EventType=Test&Value=Test&Time=500

It comes up in my database as all of the values being null.

Additional information: The table has 5 columns, the four noted above and EventId (primary index, auto-incrementing). Sorry if this is a stupid question or I did anything wrong.

6
  • Danger: You are vulnerable to SQL injection attacks that you need to defend yourself from. Commented Dec 17, 2013 at 12:09
  • Your SQL code is very vulnerable towards SQL injection. Use prepared statements and bind variables or at least escape your variables. Commented Dec 17, 2013 at 12:10
  • It actually isn't, for the purposes that I'm using this for. Users can't submit their own data. Commented Dec 17, 2013 at 12:16
  • The only reason it isn't vulnerable is because you are using $_GET wrong. If you fix the problem that is giving you null for all your columns, then you will be vulnerable to SQL injection. Commented Dec 17, 2013 at 12:17
  • You can make typos. (Probably not one that will cause a security problem, but quite possibly one that will cause the query to abort). Commented Dec 17, 2013 at 12:21

4 Answers

5

$_GET is a superglobal array; it should be in block letters, not like $_get.

Some disclaimers >>

  • Never visit www.w3schools.com for browsing resources. You can find the reason here.
  • Never pass foreign parameters like $_GET, $_POST directly into your query as it leads to SQL Injection. Switch to Prepared Statements such that escaping is automatically taken care of.

4 Comments

@Quentin, Thanks ! Deleted it.
I will certainly keep that in mind. I was only using W3Schools as it seemed like the best example for what I actually needed, though I'm learning the actual language at Codecademy, so I'll keep working on it.
Good and yes it's not your fault. Blame it on Google !
The downvotes I am getting right now are probably from a trusted member of w3schools.com, I guess ;)
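The fix the accepted answer and the comments ask for, written out as an added example that is not from the question or any answer: the question's INSERT rewritten with a mysqli prepared statement, so the request values are bound as data instead of being spliced into the SQL text. It assumes the EventRecord table and the URL parameter names from the question (PlayerName, EventType, Value, Time); the connection values are placeholders and the helper names readEventParams/insertEvent are hypothetical.

```php
<?php
// Added example: the question's INSERT as a prepared statement. Connection
// values are placeholders; readEventParams/insertEvent are hypothetical names.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors throw

// Pull the four expected keys out of the request array. Returns null when one is
// missing, so a URL typo fails visibly instead of inserting a row of NULLs.
function readEventParams(array $request): ?array
{
    $out = [];
    foreach (['PlayerName', 'EventType', 'Value', 'Time'] as $key) {
        if (!isset($request[$key]) || $request[$key] === '') {
            return null;
        }
        $out[$key] = (string) $request[$key];
    }
    return $out;
}

// Insert one row. The values are bound as parameters ('ssss' = four strings),
// so the SQL text never contains request data and quoting cannot be broken.
function insertEvent(mysqli $con, array $p): int
{
    $stmt = $con->prepare(
        'INSERT INTO EventRecord (PlayerName, EventType, Value, Time) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $p['PlayerName'], $p['EventType'], $p['Value'], $p['Time']);
    $stmt->execute();
    $id = (int) $con->insert_id; // the auto-incremented EventId
    $stmt->close();
    return $id;
}

$params = readEventParams($_GET); // $_GET: superglobal names are case-sensitive
if ($params === null) {
    http_response_code(400);
    exit('Expected PlayerName, EventType, Value and Time');
}

$con = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$con->set_charset('utf8mb4');
echo '1 record added, EventId=' . insertEvent($con, $params);
```

With MYSQLI_REPORT_STRICT enabled, a failed connection, prepare or execute raises a mysqli_sql_exception instead of silently returning false, which is why the example has no manual error checks after each call.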
1

The expressions like $_Get[PlayerName] should be $_GET['PlayerName']. Here's why:

  1. The variable you are trying to use is the reserved variable $_GET. But variable names are case-sensitive, which means that the variables $_Get and $_GET are not the same. So when you try to use $_Get, PHP complains about an "undefined variable".

  2. $_GET is an associative array, which maps integers or strings to values. In your case, it maps the string 'PlayerName' to a value, so you want to pass the string 'PlayerName' to the array index operator. However, the unquoted string PlayerName is interpreted as a constant. This constant is undefined, so PHP complains about an "undefined constant".

Comments

0

It's not

$_Get[PlayerName]

but

$_GET['PlayerName']

Otherwise you won't get the values. Note both the UPPERCASE GET and the single quotes around the name!

Besides that, (Edit, not W3C, but:) W3Schools is NOT a good place to start learning, there are other and better resources available. You should NEVER use the $_GET or $_POST variables straight in your query!!!

4 Comments

Don't confuse the W3C (who produce web standards) with W3Schools (who write awful tutorials)
Very much true!!! Thanks for pointing out my mistake, changed my answer accordingly.
W3C is a wonderful place to learn - Seeing they produce the standards, as @Quentin mentioned.
@FrederikSpang It sure is, I mixed them both up, but corrected my answer! ;-)
-1

Try:

$PlayerName=$_GET["PlayerName"];
$Event=$_GET["Event"];
$Value=$_GET["Value"];
$Time=$_GET["Time"];

$sql= "INSERT INTO EventRecord (PlayerName, EventType, Value, Time)
VALUES
('$PlayerName', '$Event' ,'$Value' ,'$Time')";

1 Comment

Can you explain your answer rather than just providing a wodge of code?
