1

Sorry for an amateur question but I have no idea why this does not work. I have an "add.php" to connect to the SQL server:

<?php
    include("connect.php");

    $link=Connection();

    $ID1=$_POST["ID1"];
    $ID2=$_POST["ID2"];
    $ID3=$_POST["ID3"];
    $ID4=$_POST["ID4"];
    $ID5=$_POST["ID5"];

    $query = "INSERT INTO Battery (ID01, ID02, ID03, ID04, ID05) 
        VALUES ('".$ID1."','".$ID2."','".$ID3."','".$ID4."','".$ID5."')"; 

    mysql_query($query,$link);
    mysql_close($link);

    header("Location: index.php");
?>

I use a simple HTTP 1.1 protocol:

GET /add.php?ID1=1int&ID2=2char&ID3=3char&ID4=4int&ID5=2015-04-13 01:00:00 HTTP/1.1\r\myhost\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection:close\r\n\r\n\r\n

The host throws me this error:

+IPD,168:<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>hosting</center>
</body>
</html>

If anyone has any idea for me to try out, I would be grateful! I'm really clueless...

tadman
Nhan Le
  • This is a PHP question rather than a DBA one. Please take the dba.stackexchange tour and also see the "help us to help you" blog - both at the bottom of the page. – Vérace Apr 21 '15 at 18:07
  • Oh sorry, I thought it had something to do with the HTTP 1.1 protocol, which is related to MySQL DBA. So I was hoping for someone with experience of getting/inserting data from and to MySQL using HTTP 1.1. – Nhan Le Apr 21 '15 at 19:26
  • If you do decide to repost on stackoverflow, please point here to indicate that the question has been posted but that you have been told to check over there. Also, please edit the question to point "forward" to your new post - that way others with a similar problem may be able to find a solution. – Vérace Apr 21 '15 at 19:33
  • Do not use the deprecated mysql_* interface, use mysqli_* or PDO. – Rick James Apr 21 '15 at 21:05
  • Check for errors after each mysqli statement. Don't do header() until you have debugged it. – Rick James Apr 21 '15 at 21:05
  • **WARNING**: This is terrifyingly insecure because those parameters are not [properly escaped](http://bobby-tables.com/php). You should **NEVER** put `$_POST` data directly into the query: it creates a gigantic [SQL injection bug](http://bobby-tables.com/). `mysql_query` is an obsolete interface and should not be used, it's being removed from PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. – tadman Apr 21 '15 at 21:43
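
An added example, not from the asker or any commenter: the request quoted in the question has an unencoded space in its request target and no well-formed `Host:` line, either of which a server may answer with 400 Bad Request. The sketch below builds the same data as a form-encoded POST; `build_add_request`, the host `example.test` and the field values are constructed for illustration.

```php
<?php
// Added example: builds the raw bytes of a form-encoded POST to /add.php.
// The function name, host and field values are constructed, not from the thread.

function build_add_request(string $host, array $fields): string
{
    // Refuse anything that is not a plain host[:port]; this also keeps CR/LF
    // out of the header block, so the host value cannot inject extra headers.
    if (!preg_match('/^[A-Za-z0-9.-]+(:\d+)?$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }

    // http_build_query() percent-encodes every value: the space in the
    // timestamp becomes "+" and each ":" becomes "%3A".
    $body = http_build_query($fields);

    $headers = [
        'POST /add.php HTTP/1.1',
        'Host: ' . $host,                                   // mandatory in HTTP/1.1
        'Content-Type: application/x-www-form-urlencoded',
        'Content-Length: ' . strlen($body),                 // byte length of the body
        'Connection: close',
    ];

    // Every header line ends in CRLF; one empty line separates headers from body.
    return implode("\r\n", $headers) . "\r\n\r\n" . $body;
}

// Constructed sample values matching the five fields add.php reads from $_POST.
$request = build_add_request('example.test', [
    'ID1' => '1',
    'ID2' => 'A',
    'ID3' => 'B',
    'ID4' => '4',
    'ID5' => '2015-04-13 01:00:00',
]);

echo $request, "\n";
```

Because the fields travel in the body of a POST, the unchanged `$_POST` reads in add.php receive them.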

1 Answer

-1

Here the PHP code is handling a POST request while you are making a GET call. Try changing the $_POST to $_GET like below:

<?php
    include("connect.php");

    $link=Connection();

    $ID1=$_GET["ID1"];
    $ID2=$_GET["ID2"];
    $ID3=$_GET["ID3"];
    $ID4=$_GET["ID4"];
    $ID5=$_GET["ID5"];

    $query = "INSERT INTO Battery (ID01, ID02, ID03, ID04, ID05) 
            VALUES ('".$ID1."','".$ID2."','".$ID3."','".$ID4."','".$ID5."')"; 

    mysql_query($query,$link);
    mysql_close($link);

    header("Location: index.php");
?>

And if you don't wanna change your PHP code then make a POST request to the file.

EDIT:

Sorry, I just saw that you are using POST request. The Content-Type: application/x-www-form-urlencoded. Still I'll keep the above content.

Please refer to this answer.

Try passing the data through the HTTP request as XML; it will be more structured and manageable.

POST Method

The POST method is used when you want to send some data to the server, for example, file update, form data, etc. The following example makes use of POST method to send a form data to the server, which will be processed by a process.cgi and finally a response will be returned:

POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.domain.com
Content-Type: text/xml; charset=utf-8
Content-Length: <!-- The Content Length -->
Accept-Language: en-us
Accept-Encoding: gzip, deflate <!-- optional -->
Connection: Keep-Alive

<?xml version="1.0" encoding="utf-8"?>
<DATA>    
    <ID>ID01</ID>
    <ID>ID02</ID>
    <ID>ID03</ID>
    <ID>ID04</ID>
    <ID>ID05</ID>
</DATA>

Maybe you need to change the XML as per your need or format of Data.

For more info please refer to LinkA, LinkB and LinkC


Hope this helps...

Community
Benison Sam
  • @tadman. I thought it was not always meant to be for the good answer. Sometimes it's meant to give direction and some idea to solve the issue and probably fairly answer the questioner. Isn't it about the participation...?? – Benison Sam Apr 22 '15 at 10:31
  • Participation is a factor, but spending the extra minute it takes to do it properly is key. It's way too dangerous to have queries without escaped components, and besides, the code is not technically correct without it. – tadman Apr 22 '15 at 15:11
  • @tadman which is the correct escaping? comments usually should be useful. – Fernando Baltazar Jul 12 '19 at 18:36
  • @FernandoBaltazar This is using the deleted `mysql_query` interface, so it's not really relevant any more, but at the time you had to call manual escaping functions and use concatenation, one of the reasons why `mysql_query` was removed from PHP: It was never really safe. Newer interfaces like `mysqli` and PDO support placeholder values, so instead of `$ID1` you'd have `?` or `:id1` and then bind against that using the correct method, either `bind_param` or `execute`. – tadman Jul 12 '19 at 19:33
  • @tadman Great! this is because I have to change to new mysqli but I wanted to understand why this change and the why of comments, since I stopped using php :D ten years ago. This comment is really helpful. – Fernando Baltazar Jul 13 '19 at 04:18
  • @FernandoBaltazar Was just explaining in relation to your comment on a comment of mine...from five years ago. – tadman Jul 13 '19 at 21:19
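
The placeholder binding described in the comments above (PDO's `:id1` style bound through `execute`), written out as an added example that is not code from any poster in this thread. Table and column names come from the question; the column types, the helper names `validate_fields` and `insert_battery`, and all sample values are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not code from the thread. Column types and sample values are
// constructed. Against MySQL only the DSN passed to new PDO() changes.

function validate_fields(array $in): array
{
    $out = [];
    foreach (['ID1', 'ID2', 'ID3', 'ID4', 'ID5'] as $name) {
        if (!isset($in[$name]) || !is_string($in[$name])) {
            throw new InvalidArgumentException("missing field $name");
        }
        $out[$name] = $in[$name];
    }
    foreach (['ID1', 'ID4'] as $name) {              // assumed integer columns
        if (!ctype_digit($out[$name])) {
            throw new InvalidArgumentException("$name must be an integer");
        }
    }
    // Round-trip the timestamp so values like 2015-02-30 are rejected too.
    $ts = DateTime::createFromFormat('Y-m-d H:i:s', $out['ID5']);
    if ($ts === false || $ts->format('Y-m-d H:i:s') !== $out['ID5']) {
        throw new InvalidArgumentException('ID5 must look like 2015-04-13 01:00:00');
    }
    return $out;
}

function insert_battery(PDO $pdo, array $f): void
{
    // The SQL text is fixed; values are bound separately, so a quote in the
    // input is stored as data and cannot alter the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO Battery (ID01, ID02, ID03, ID04, ID05)
         VALUES (:id1, :id2, :id3, :id4, :id5)'
    );
    $stmt->execute([':id1' => $f['ID1'], ':id2' => $f['ID2'], ':id3' => $f['ID3'],
                    ':id4' => $f['ID4'], ':id5' => $f['ID5']]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  // fail loudly
$pdo->exec('CREATE TABLE Battery (ID01 INT, ID02 TEXT, ID03 TEXT, ID04 INT, ID05 TEXT)');

// Constructed request data; ID2 contains a single quote on purpose.
$post = ['ID1' => '1', 'ID2' => "cell'A", 'ID3' => 'B', 'ID4' => '4',
         'ID5' => '2015-04-13 01:00:00'];
insert_battery($pdo, validate_fields($post));
print_r($pdo->query('SELECT * FROM Battery')->fetchAll(PDO::FETCH_ASSOC));
```

In add.php itself, `$post` would be `$_POST`, and the redirect with `header()` would be sent only after `insert_battery()` returns without throwing.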