PHP Version: 7.0
The script is sent data from a different website.
For some reason, the data is not being inserted into the database like it should be, and I don't think I have any SQL errors (this is done with PDO).
Here is the code of the included functions file:
<?php
// Encodes a value for output inside HTML (output escaping, not SQL escaping)
function escape($string){
return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}
?>
Script Code:
<html>
<head>
<title>Data from Roblox</title>
</head>
<body>
<h3>Data from Roblox</h3>
<?php
include '../includes/connection.php';
include '../scripts/functions.php'; //Remove if unknown error as well as the escapes
error_reporting(E_ALL);
ini_set('display_errors', 1);
// The request body is JSON; decode it into an associative array
$array = json_decode(file_get_contents('php://input'), 1);
$SenderName = escape($array['SenderName']);
$SenderID = escape($array['SenderID']);
$PlayerName = escape($array['PlayerName']);
$PlayerID = escape($array['PlayerID']);
$Reason = escape($array['Reason']);
$PlaceLink = escape($array['PlaceLink']);
if(!$Reason){ $Reason = "Reason not provided."; }
// Only insert when every required field was supplied
if($SenderName != NULL and $SenderID != NULL and $PlayerName != NULL and $PlayerID != NULL and $PlaceLink != NULL){
$query = $handler->prepare("INSERT INTO PlayerBans (`ID`, `Username`,`Reason`, `BannedDate`, `BannedBy`, `BannedAt`) VALUES (:pid, :pname, :reason, NOW(), :sname, :pl)");
$query->bindParam(':pid', $PlayerID);
$query->bindParam(':pname', $PlayerName);
$query->bindParam(':reason', $Reason);
$sender = $SenderName . " - " . $SenderID;
$query->bindParam(':sname', $sender);
$query->bindParam(':pl', $PlaceLink);
$query->execute();
}
?>
</body>
</html>
When I go to the script URL in my web browser, the HTML shows up, and there are no errors.
Your problem is almost certainly with the request coming in, but here are a few issues you could address with your code.
- htmlspecialchars() is not for inserting into a database. It's used when you want to display something as HTML.
- htmlspecialchars(), which returns a string.
- PDOStatement::bindParam(), unless you need to do something special with data types. Just pass an array to PDOStatement::execute() instead.
With that in mind, I'd recommend trying this:
<?php
include("../includes/connection.php");
error_reporting(E_ALL);
ini_set("display_errors", true);
ini_set("error_log", "/var/log/php.log");
$json = file_get_contents("php://input");
$array = json_decode($json, true);
// ?? yields null for a missing key without raising a notice
$SenderName = $array['SenderName'] ?? null;
$SenderID = $array['SenderID'] ?? null;
$PlayerName = $array['PlayerName'] ?? null;
$PlayerID = $array['PlayerID'] ?? null;
$Reason = $array['Reason'] ?? "Reason not provided";
$PlaceLink = $array['PlaceLink'] ?? null;
if($SenderName !== null && $SenderID !== null && $PlayerName !== null && $PlayerID !== null && $PlaceLink !== null) {
// prepare using ? for a shorter query; don't mix placeholders with other values
$query = $handler->prepare("INSERT INTO PlayerBans (`ID`, `Username`,`Reason`, `BannedBy`, `BannedAt`, `BannedDate`) VALUES (?,?,?,?,?,NOW())");
// prepare() returns false instead of throwing unless PDO::ERRMODE_EXCEPTION is set
if ($query === false) {
$e = $handler->errorInfo();
error_log("SQL Error $e[0]: $e[2] ($e[1]) while preparing the insert");
exit;
}
// double quotes interpolate variables!
$sender = "$SenderName - $SenderID";
// pass the values directly to execute
$result = $query->execute([$PlayerID, $PlayerName, $Reason, $sender, $PlaceLink]);
// check the result of this call and log some details if there's a problem
if (!$result) {
$e = $query->errorInfo();
error_log("SQL Error $e[0]: $e[2] ($e[1]) while inserting data: $json");
}
}
?>
You'll want to make sure that you create the log file ahead of time, with the correct permissions for your web server to be able to write to it. On a Linux platform this might look like sudo touch /var/log/php.log && sudo chown www-data /var/log/php.log
Also I'm assuming you're using a current version of PHP that supports the null coalescing operator; you'll need to replace $foo = $bar ?? null with $foo = isset($bar) ? $bar : null if that's not the case.
One more point, if each user on your system has an entry in a user table, you should really have UserID and SenderID columns in the PlayerBans table that are foreign keys back to your users table. If you're querying this column regularly it makes a whole lot more sense than having an unstructured text column.
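The following is an added example, not code from the question or the answer, that pulls the answer's points together in one runnable script: raw values go to the database through placeholders, htmlspecialchars() is applied only when a stored value is rendered as HTML, and database errors are surfaced instead of silently producing an empty table. It goes a little beyond the answer's version in two ways: required fields are rejected when they are blank strings as well as when they are missing (the ?? operator alone only catches the missing case), and PDO is switched to exception mode so a failed prepare() or execute() cannot pass unnoticed. To run offline it assumes the pdo_sqlite extension and uses an in-memory SQLite table with datetime('now') in place of the real connection.php $handler and MySQL's NOW(); the request body is a constructed sample standing in for php://input.

```php
<?php
declare(strict_types=1);

// Constructed sample request body (stands in for file_get_contents('php://input')).
// The values are chosen to show why escaping belongs at output, not at insert time.
$json = '{"SenderName":"Mod<script>","SenderID":"42","PlayerName":"O\'Brien",'
      . '"PlayerID":"1001","PlaceLink":"https://example.com/place/1"}';

// Assumption: in-memory SQLite keeps the example self-contained; the real script
// gets $handler from connection.php and would use NOW() instead of datetime('now').
$handler = new PDO('sqlite::memory:');
// Throw on any SQL error so a failed prepare() or execute() cannot go unnoticed.
$handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler->exec('CREATE TABLE PlayerBans (ID TEXT, Username TEXT, Reason TEXT,
                BannedDate TEXT, BannedBy TEXT, BannedAt TEXT)');

// Decode the body and insist on a JSON object; json_decode() returns null on bad input.
function decodeRequest(string $json): array {
    $data = json_decode($json, true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Body is not a JSON object: ' . json_last_error_msg());
    }
    return $data;
}

// Return the named fields, or throw naming the first one that is missing or blank.
function requireFields(array $data, array $names): array {
    $out = [];
    foreach ($names as $name) {
        $value = $data[$name] ?? null;
        // ?? only covers a missing or null key; an empty string must be rejected explicitly.
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing or empty field: $name");
        }
        $out[$name] = $value;
    }
    return $out;
}

// Insert the raw values; the driver keeps them out of the SQL text, so no escaping here.
function insertBan(PDO $handler, array $fields, string $reason): void {
    $query = $handler->prepare(
        "INSERT INTO PlayerBans (ID, Username, Reason, BannedDate, BannedBy, BannedAt)
         VALUES (?, ?, ?, datetime('now'), ?, ?)"
    );
    $query->execute([
        $fields['PlayerID'],
        $fields['PlayerName'],
        $reason,
        $fields['SenderName'] . ' - ' . $fields['SenderID'],
        $fields['PlaceLink'],
    ]);
}

try {
    $data   = decodeRequest($json);
    $fields = requireFields($data, ['SenderName', 'SenderID', 'PlayerName', 'PlayerID', 'PlaceLink']);
    // Reason is optional; treat a blank string the same as a missing key.
    $reason = (isset($data['Reason']) && is_string($data['Reason']) && trim($data['Reason']) !== '')
        ? $data['Reason']
        : 'Reason not provided.';
    insertBan($handler, $fields, $reason);
} catch (Exception $e) {
    // PDOException and InvalidArgumentException both land here: log the detail
    // server-side and give the caller only a generic failure status.
    error_log('Ban insert failed: ' . $e->getMessage());
    http_response_code(400);
    exit;
}

// Escaping happens here, at the point where stored values are rendered as HTML.
foreach ($handler->query('SELECT Username, BannedBy FROM PlayerBans') as $row) {
    echo '<li>', htmlspecialchars($row['Username'], ENT_QUOTES, 'UTF-8'),
         ' banned by ', htmlspecialchars($row['BannedBy'], ENT_QUOTES, 'UTF-8'), "</li>\n";
}
```

Run it with php on the command line and it prints one list item with the sender name rendered as `Mod&lt;script&gt;` while the row in the table still holds the original characters, which is the separation the answer is asking for: the database stores what was sent, and the HTML layer decides how to show it. Changing the sample body to drop a field or set it to "" exercises the validation path and produces a 400 with the reason in the error log. One caveat the answer does not touch: as written, both the original script and this one insert a ban for any caller that can reach the URL, so the sending site's identity is not checked anywhere in this code.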