Click here to Skip to main content
14,602,510 members
Rate this:
Please Sign up or sign in to vote.
See more:

<!doctype html>
<head><meta charset="utf-8">
<title>Employee Add</title></head>
	<h1> Employee Table </h1>
	<form action="EmployeeAdd.cgi" method="get">
	<input type="hidden" value="add" name="choice">
	<p>Email: <input type="text" name="Email"><p>
	<p>First_Name: <input type="text" name="First Name"><p>
	<p>Last_Name: <input type="text" name="Last Name"><p>
	<p>Phone: <input type="int" name="Phone"><p>
	<p>Admin: <input type="text" name="Admin"><p>
	<p>Active: <input type="text" name="Active"><p>
	<input type="submit" value="Add Employee">



#! /usr/bin/env python3
print('Content-type: text/html\n')

import MySQLdb, cgi

def results_table(records):
    html = """ <!doctype html>
    <head><meta charset="utf-8">
    <link rel="stylesheet" href="">
    <title>Employee Add</title></head>
            <h1>New Employee Added!</h1>
            <table border='1' width='100%'>
            <p><a href="EmployeeAdd.html">Go Back</a></p>

    table = ""
    for row in records:
            table += "<tr>"
            for item in row:
                table += "<td  align='center'>"+str(item)+"</td>"
            table += "</tr>"
    print(html.format(content = table))

form = cgi.FieldStorage()

email = form.getfirst("email", "")
first_name = form.getfirst("first_name", "")
last_name = form.getfirst("last_name", "")
phone = form.getfirst("phone", "")
admin = form.getfirst("admin", "")
active = form.getfirst("active", "")
#establish DB connection
string = "i495u20_bpmullen" 	#change this to yours
password = "my+sql=i495u20_bpmullen"	#change this to yours
db_con = MySQLdb.connect(host="", port = 3306, user=string, passwd=password, db=string)
cursor = db_con.cursor()

try:				#Always surround .execute with a try!
        SQL = "INSERT INTO Employee (Email, First_name, Last_name,  Phone, Admin, Active)"
        SQL += "VALUES ('" + email + "','" + first_name + "','" + last_name + "','" + phone + "','" + admin + "','" + active + "');"

        SQL = "SELECT * FROM Employee; "
        results = cursor.fetchall()
except Exception as e:		#Here we handle the error
        print('<p>Something went wrong with the SQL!</p>')
        print("\nError:", e)
else:				#This runs if there was no error

Exmple: Employee Add[^]

What I have tried:

Unsure if syntax error in cgi file
Tried checking to see if error was in Mariadb
Updated 23-Jun-20 7:44am

1 solution

Rate this:
Please Sign up or sign in to vote.

Solution 1

SQL = "INSERT INTO Employee (Email, First_name, Last_name,  Phone, Admin, Active)"
SQL += "VALUES ('" + email + "','" + first_name + "','" + last_name + "','" + phone + "','" + admin + "','" + active + "');"

Not necessary a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
0x01AA 23-Jun-20 14:25pm
Yawning. The last answer you gave on his similar last question is still wrong...

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100