@cholthi
Last active December 17, 2018 07:11
// Hello Jiep,
// Your code in the email is not looking ok; first, you're mixing the APIs.
// There are two types of PHP MySQL APIs: 1- the old `mysql_*` functions, 2- the `Mysqli` extension, which is an OOP API.
## Mysql_* functions
// note: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0
$db = mysql_connect($host, $username, $password); // returns a database link resource
# example
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password'); // password is optional
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
mysql_select_db($db_name, $link); // returns bool
$result = mysql_query($sql, $link); // returns resource or bool; the query comes first, the link second
$row = mysql_fetch_assoc($result); // fetches one row from the result set as an associative array
## Mysqli Extension
The Mysqli (notice the `i` at the end) stands for _MySQL Improved_. It is a newer, improved MySQL API for PHP which provides OOP access to a
MySQL database instance.
$this->conn = new \mysqli($host, $user, $passwd, $database, $port);
$this->conn->select_db($database); // selects db, similar to the old mysql_select_db function.
$this->conn->query($query); // again, similar to the mysql_query function.
Read more [here](http://php.net/manual/en/book.mysqli.php).
## Your code
$link =mysqli_connect("localhost","root","");
Mysqli_select_db($link, "system");
Mysqli_query($link, "INSERT INTO tablename VALUES ('', '$_POST[firstname]','$_POST[lastname]','$_POST[username]','$_POST[password]',
'$_POST[email]',
'$_POST[contact]','$_POST[reollmntno]')");
As you can see above, you're mixing mysql_* functions and the Mysqli API. Based on the above example, it appears you intended to use the old mysql functions.
To correct it, remove the `i` at the end of all function calls.
## Corrected
$link = mysql_connect('localhost', 'root', '');
mysql_select_db('system', $link);
// mysql_query() takes the query first and the link second; array keys are quoted
// (still unsafe against injection, see Security Considerations below)
mysql_query("INSERT INTO tablename VALUES ('', '" . $_POST['firstname'] . "','" . $_POST['lastname'] . "','" . $_POST['username'] . "','" . $_POST['password'] . "',
'" . $_POST['email'] . "',
'" . $_POST['contact'] . "','" . $_POST['reollmntno'] . "')", $link);
Notice that I removed the `i` from the function names. Those are the correct function names when using the old mysql API.
Also notice that the values from the $_POST array are not properly quoted. String values in a MySQL query are supposed to be quoted; this is important because they can
contain any string, even reserved MySQL keywords.
## Security Considerations
Your code is not secure either. Inserting user data directly into a database query is a security weakness and can expose your database
to attackers; the well-known attack this enables is called `SQL injection`.
It is recommended to `escape` values from user submissions in case they contain special characters that could confuse the MySQL engine.
In PHP, you can just call `mysql_real_escape_string($_POST['email'])`. But it is better to learn the more recent [PDO](php.net/manual/en/book.pdo.php)
API, as it supports `prepared statements`, which make your interaction with your database server secure.
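The same insert written with PDO prepared statements, as an added example that is not part of Chol's note. It assumes the connection details from the note (localhost, database `system`, user `root`, empty password), that `tablename` has an auto-increment id column so the leading `''` can be dropped, and that the column names match the form field names.

```php
<?php
// Added example: the INSERT from the note, rewritten with PDO prepared statements
// so user input is sent as data and never spliced into the SQL text.
// Assumed: MySQL on localhost, db `system`, user `root`, empty password (from the note);
// `tablename` and its column names are placeholders matching the form fields.

$dsn = 'mysql:host=localhost;dbname=system;charset=utf8mb4';
$pdo = new PDO($dsn, 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares, not client-side quoting
]);

// Same field list as the original form; every value is bound, none is interpolated.
$fields = ['firstname', 'lastname', 'username', 'password', 'email', 'contact', 'reollmntno'];

// Refuse the request before touching the database if any expected field is missing.
foreach ($fields as $f) {
    if (!isset($_POST[$f]) || !is_string($_POST[$f])) {
        http_response_code(400);
        exit("Missing field: $f");
    }
}

// Named placeholders (:firstname, ...) stand in for the values. MySQL receives the
// statement and the data separately, so input such as  ' OR '1'='1  is stored as plain text.
// (Store password_hash($_POST['password'], PASSWORD_DEFAULT) rather than the raw password;
//  that step is not shown here.)
$sql = "INSERT INTO tablename
        (firstname, lastname, username, password, email, contact, reollmntno)
        VALUES (:firstname, :lastname, :username, :password, :email, :contact, :reollmntno)";

$stmt = $pdo->prepare($sql);
foreach ($fields as $f) {
    $stmt->bindValue(":$f", $_POST[$f], PDO::PARAM_STR);
}
$stmt->execute();

echo 'Inserted row id ' . $pdo->lastInsertId();
```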
Written By Chol Tiopic.