Date from form.

[vorticalbox]

@SSL please forgive me

 

so i'm creating a web based system for college that has to be in PHP and MYSQL. it's on managing a rugby team so without boring you with all the details i'll keep it short.

 

I need to add fixtures (games) to the system pretty simple two teams and a date but when I add the date it does so weird things.

 

posting the date 23-05-2015 posts ok, once the sql query is run it changes to 2015 and then in the database it's 1981 -.-

 

I have another section that posts dates and it is working just fine.

 

html form

	<form method='post' action='includes/process.php'>		<table>			<tr>				<td>					<select name="team1">						<option value="Gowwer FC">Gowwer FC</option>						<option value="Livington">Livington</option>						<option value="Harmly Vail">Harmly Vail</option>					</select>				</td>				<td>					<p>VS</p>				</td>				<td>					<select name="team2">						<option value="Gowwer FC">Gowwer FC</option>						<option value="Livington">Livington</option>						<option value="Harmly Vail">Harmly Vail</option>					</select>								</td>			<tr>			<tr>				<td colspan='3' class='centre'>					<input type='date' name='date'>				</td>			</tr>			<tr>				<td colspan='3' class='centre'>				<input type='submit' name='fixture'>			</tr>		</table>	</form> 

processing part

} else if(isset($_POST['fixture']))	{		$team1 = $_POST['team1'];		$team2 = $_POST['team2'];		$date = $_POST['date'];				$sql = "INSERT INTO fixture (team1, team2, date)		VALUE ('$team1','$team2',$date)";		if ($conn->query($sql) === TRUE) 		{			//display message			do_alert("fixture added");			redirect("../index.php?page=fixture");				} else 		{			//diplay error			do_alert("Error could not connect to database");			redirect("../index.php?page=fixture");		}					}	

date in database is varchar(10) though i have tried text and still didn't work

[Ivyk]

Correct me if I'm wrong but I thought MYSQL is not being supported anymore.

[dom1310df]

Correct me if I'm wrong but I thought MYSQL is not being supported anymore.

Not supported by what? Oracle released a new version  ~6 weeks ago

[vorticalbox]

Correct me if I'm wrong but I thought MYSQL is not being supported anymore.

even if that was true, the server i have to use in college is running an old version, the server date is set to 2004....

[Eniqmatic]

Lol I read the title and thought it was going to be about something else  :lol:

[keja]

Have a look at http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html#function_str-to-date

[vorticalbox]

Have a look at http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html#function_str-to-date

thanks but that doesn't explain why the same code doesn't work here but does somewhere else.

 

this code posts date correctly

if(isset($_POST['addsession'])){	// add username to $user	$user = $_SESSION['username'];	//add form data to variables	$location = $_POST['location'];	$date = $_POST['date'];	$time = $_POST['time'];		//if submitted data is empty	if ($location=='' || $date=='' || $time=='')	{		//display alert 		do_alert("All fields must be filled in");		//redirect to home page		redirect("../index.php");	}else	{		//insert data into database		$sql = "INSERT INTO sessions (createdby, location, date, time)		VALUES ('$user','$location', '$date', '$time')";				//if session as inserted into databe		if ($conn->query($sql) === TRUE) 		{			//display message			do_alert("Session created");			redirect("../index.php");				} else 		{			//diplay error			do_alert("Error could not connect to database");			redirect("../index.php");		}	}}

code is OP doesn't and i can't see for the life on my why, I have a number of forms that post a date and this is the only one that isn't working. I hate PHP sometimes

[keja]

thanks but that doesn't explain why the same code doesn't work here but does somewhere else.

 

this code posts date correctly

if(isset($_POST['addsession'])){	// add username to $user	$user = $_SESSION['username'];	//add form data to variables	$location = $_POST['location'];	$date = $_POST['date'];	$time = $_POST['time'];		//if submitted data is empty	if ($location=='' || $date=='' || $time=='')	{		//display alert 		do_alert("All fields must be filled in");		//redirect to home page		redirect("../index.php");	}else	{		//insert data into database		$sql = "INSERT INTO sessions (createdby, location, date, time)		VALUES ('$user','$location', '$date', '$time')";				//if session as inserted into databe		if ($conn->query($sql) === TRUE) 		{			//display message			do_alert("Session created");			redirect("../index.php");				} else 		{			//diplay error			do_alert("Error could not connect to database");			redirect("../index.php");		}	}}

code is OP doesn't and i can't see for the life on my why, I have a number of forms that post a date and this is the only one that isn't working. I hate PHP sometimes

 

it works there because its treated like a string as you have single quotes wrapped around $date.

[SSL]

[vorticalbox]

it works there because its treated like a string as you have single quotes wrapped around $date.

 I see i missed ' ' around $date in the SQL query -.- thanks so much been hours, i just left it and just moved on

[keja]

 I see i missed ' ' around $date in the SQL query -.- thanks so much been hours, i just left it and just moved on

 

no problem

 

another thing, i would really suggest you to sanitize all data received from the browser, right now you are open for sql injections.

its pretty simple just run something like this:

$var = $conn->real_escape_string($_POST["var"]);

 

Read more here http://php.net/manual/en/mysqli.real-escape-string.php

[vorticalbox]

 

no problem

 

another thing, i would really suggest you to sanitize all data received from the browser, right now you are open for sql injections.

its pretty simple just run something like this:

$var = $conn->real_escape_string($_POST["var"]);

 

Read more here http://php.net/manual/en/mysqli.real-escape-string.php

 

thanks ill get around to that it's not going out into the real world so its not so much on an issue. 

[keja]

thanks ill get around to that it's not going out into the real world so its not so much on an issue. 

True, but you could run into a bug if you need to add any data that contains ' etc.

[vorticalbox]

True, but you could run into a bug if you need to add any data that contains ' etc.

yeah dates are taken from input type='date' i did have a notes section thats a massive text area that really would make errors

[Neil]

Correct me if I'm wrong but I thought MYSQL is not being supported anymore.

Semi-correct. It's being supported, but most sane people are switching to using MariaDB

 

 

@OP/Everyone:

 

Your nested if statements make me cry. You're redirecting the user. There's no reason to have else {} statements. It's implied:

if(isset($_POST['addsession'])){	// add username to $user	$user = $_SESSION['username'];	//add form data to variables	$location = $_POST['location'];	$date = $_POST['date'];	$time = $_POST['time'];		//if submitted data is empty	if ($location=='' || $date=='' || $time=='')	{		//display alert 		do_alert("All fields must be filled in");		//redirect to home page		redirect("../index.php");	}		//insert data into database	$sql = "INSERT INTO sessions (createdby, location, date, time)	VALUES ('$user','$location', '$date', '$time')";			//if session as inserted into databe	if ($conn->query($sql) === TRUE) 	{			//display message		do_alert("Session created");		redirect("../index.php");			} 			//diplay error	do_alert("Error could not connect to database");	redirect("../index.php");}

Also you shouldn't check data for being empty as '' -- use empty()

 

OH. And WHY THE HELL IS THAT MYSQL QUERY NOT PARAMETERIZED!??!??

[vorticalbox]

-snip-

 

would you liek a list?

 

1. I dislike PHP

2. Haven't done it for years

3. This is my graded unit for college that was meant to be in java however that lecture was the leading member of strikes that lead to him getting an "offer he can't refuse" which the college took over half a year before giving me an actual lecture.

 

this lead to most of my units being given to another member of staff who knows nothing but flash and PHP, she taught is very little and the code she was teaching us was worse than my poor attempt. cookies to store login information anyone?

 

though I do like to learn so ty for the empty().

 

could you explain parametrized? literally no idea what that is.

[Neil]

What are you using for a database driver? PDO?

 

http://stackoverflow.com/questions/4712037/what-is-parameterized-query

[vorticalbox]

What are you using for a database driver? PDO?

 

http://stackoverflow.com/questions/4712037/what-is-parameterized-query

 

thanks for the link, I have no idea what software is running on the server all i am allowed to know is that it is a ubuntu LAMP. the server thinks it's in 2004 -.-

 

as for para is this right?

$createdby = $_POST['createdby'];$location = $_POST['location'];$params = array($createdby, $location);$sql = 'INSERT INTO session (createdby, location) VALUES (?, ?)';$stmt = sqlsrv_query($conn, $tsql, $params);

how would i check that that had been executed?

[Neil]

How do you set up your $conn?

[vorticalbox]

How do you set up your $conn?

<?php	$servername = "localhost";	$username = "root";	$password = "";	$database = "simp";	// Create connection	$conn = new mysqli($servername, $username, $password, $database);	// Check connection	if ($conn->connect_error) {		die("Connection failed: " . $conn->connect_error);	} 		?

no password is just on my PC, the file is same in college but it does have a password

[keja]

 

You're redirecting the user. There's no reason to have else {} statements. It's implied

 

Well php redirects are done by headers, i dont know how his redirect function looks, but if he does not kill the script within that function, other parts of the code can still get accessed before the redirect takes place.

 

OP:

make sure your redirect function has exit(); or die(); after setting your header, so something like this, or stick with your if/else's

function redirect($uri){  header("location: {$uri}");  exit();}

OH. And WHY THE HELL IS THAT MYSQL QUERY NOT PARAMETERIZED!??!??

 

i 100% agree with you that prepared statements are the way to go.

 

OP:

if you are going to rewrite your code, then change to pdo, the mysqli prepared statements are hell to work with and debug sometimes. + pdo makes more readable code.

[vorticalbox]

 

 

 

Well php redirects are done by headers, i dont know how his redirect function looks, but if he does not kill the script within that function, other parts of the code can still get accessed before the redirect takes place.

 

OP:

make sure your redirect function has exit(); or die(); after setting your header, so something like this, or stick with your if/else's

function redirect($uri){  header("location: {$uri}");  exit();}

 

i 100% agree with you that prepared statements are the way to go.

 

OP:

if you are going to rewrite your code, then change to pdo, the mysqli prepared statements are hell to work with and debug sometimes. + pdo makes more readable code.

 

 

yeah my function is exactly like that. also pdo? i'm very out of web development as you can probably tell. i'm probably not going to rewrite my code just yet as the system needs to be finished in a little under a week, if i have time i will if i dont it can be part of my conclusion lol

[keja]

yeah my function is exactly like that. also pdo? i'm very out of web development as you can probably tell. i'm probably not going to rewrite my code just yet as the system needs to be finished in a little under a week, if i have time i will if i dont it can be part of my conclusion lol

 

i just ment if you where going to use prepared statements change to pdo instead of mysqli

 

a simple way to write you SQL with PDO could be:

db::connect("127.0.0.1", "myUser", "", "database");$login = db::query("SELECT something FROM prefix_user WHERE username=:u && password= LIMIT 1", array(    ":u" => $_POST["username"],    ":p" => hash("sha512", "salt?".$_POST["password"])));if($login->rowCount()){    $_SESSION["login"] = $login->fetch(PDO::FETCH_ASSOC);}

if you use a simple wrapper like this

class db {    private static $handle;    public static function connect($host, $username, $password, $db){        self::$handle = new PDO("mysql:host={$host};dbname={$db}", $username, $password);        self::$handle->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );    }    public static function query($sql, $args=null){        $sth = self::$handle->prepare($sql);        $sth->execute($args);        return $sth;    }}

[vorticalbox]

-snip-

 

Not sure what version of php my server at college not completely sure any of this work work. i know sha1($password, $salt) works which what i'm currently using for my log in.

 

i understand the first part the wrapper part i don't really get.

[keja]

Not sure what version of php my server at college not completely sure any of this work work. i know sha1($password, $salt) works which what i'm currently using for my log in.

 

i understand the first part the wrapper part i don't really get.

you can use what hash you want, was just an example

 

and dont worry about the code within the wrapper, you can just include the file if you like, but i can explan if you care about it. just put it in a php file called somelike like database.php

 

and replace this part of you code

<?php	$servername = "localhost";	$username = "root";	$password = "";	$database = "simp";	// Create connection	$conn = new mysqli($servername, $username, $password, $database);	// Check connection	if ($conn->connect_error) {		die("Connection failed: " . $conn->connect_error);	} 		?

with

<?phprequire_once "path/to/database.php";db::connect("127.0.0.1", "root", "", "simp");?>