-2

Hello guys, I have this PHP code to register building data in a game that I'm developing. This code works fine.

What I'd like to know is how I can echo the auto-incremented ID of the object that I registered using this code when the register function is successful.

```php
<?php

$db = "database";//Your database name
$dbu = "username";//Your database username
$dbp = "password";//Your database users' password
$host = "localhost";//MySQL server - usually localhost

$dblink = mysql_connect($host,$dbu,$dbp);
$seldb = mysql_select_db($db);

if(isset($_GET['oid']) ){

     //Lightly sanitize the GET's to prevent SQL injections and possible XSS attacks
     //Store the escaped value in $oid, the variable the query below actually uses
     $oid = strip_tags(mysql_real_escape_string($_GET['oid']));
     $sql = mysql_query("INSERT INTO `$db`.`building` (`id`,`oid`) VALUES ('','$oid');");

     if($sql){

          //The query returned true echo the newly registered id
          echo '????';

     }else{

          //The query returned false - you might want to put some sort of error reporting here. Even logging the error to a text file is fine.
          echo 'Fail to save data';

     }

}else{
     echo 'Fail-No object owner ID';
}

mysql_close($dblink);//Close off the MySQL connection to save resources.
?>
```

Please help me.

teststack
  • http://php.net/manual/en/function.mysql-insert-id.php – David Jun 30 '15 at 17:58
  • **WARNING**: If you're just learning PHP, please, do not learn the obsolete `mysql_query` interface. It's awful and is being removed in future versions of PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) can help explain best practices. Always be absolutely **sure** your user parameters are [properly escaped](http://bobby-tables.com/php) or you will have severe [SQL injection bugs](http://bobby-tables.com/). – tadman Jun 30 '15 at 17:59
  • Additionally, `strip_tags` is supposed to be used when *displaying* HTML data, not *storing* it. – tadman Jun 30 '15 at 17:59
  • This is only a 2nd level injection risk. So your tables would be ok. For an hour – Drew Jun 30 '15 at 18:06

1 Answer

0

Use mysql_insert_id()

```php
if($sql){

     //The query returned true echo the newly registered id
     echo mysql_insert_id($dblink);

}else{

     //The query returned false - you might want to put some sort of error reporting here. Even logging the error to a text file is fine.
     echo 'Fail to save data';

}
```

Notes:

Here is the reasoning for why you should not use the mysql extension but the mysqli extension for PHP: MySQL vs MySQLi when using PHP

From PHP developers:

It is recommended to use either the mysqli or PDO_MySQL extensions. It is not recommended to use the old mysql extension for new development. A detailed feature comparison matrix is provided below. The overall performance of all three extensions is considered to be about the same. Although the performance of the extension contributes only a fraction of the total run time of a PHP web request. Often, the impact is as low as 0.1%.

Patrick Murphy
  • Next time someone Googles this question hopefully the first thing they will see is not to use mysql_* – Patrick Murphy Jun 30 '15 at 18:26
  • @DrewPierce I'm still learning at the moment. Yes, I'm learning PDO at the same time, but I have a deadline to catch up with or I'll end up starving for the next month. Do you have little man syndrome? Negative your way out to the world? – teststack Jun 30 '15 at 18:30
  • Actually I spend a lot of time helping people for free. Keep the data safe – Drew Jun 30 '15 at 19:02
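
The PDO route recommended in the comments, as an added example that is not part of the original question, answer or comments: the insert uses a bound parameter and the new id comes from `lastInsertId()`, the PDO counterpart of `mysql_insert_id()`. Assumptions: `oid` is a positive integer, the helper names `openDb` and `registerBuilding` are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example (not from the thread): register a building with a prepared
// statement and return its auto-increment id.
// Assumption: in-memory SQLite stands in for MySQL so this runs offline; for
// MySQL, use a DSN such as 'mysql:host=localhost;dbname=database;charset=utf8mb4'
// together with the database username and password.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema mirroring the question's `building` table.
    $pdo->exec('CREATE TABLE building (id INTEGER PRIMARY KEY AUTOINCREMENT, oid INTEGER NOT NULL)');
    return $pdo;
}

// Hypothetical helper: returns the new row id, or null when $rawOid is not a
// positive integer. $rawOid plays the role of $_GET['oid'].
function registerBuilding(PDO $pdo, $rawOid): ?int
{
    // Validate the type up front (assumption: an owner id is a number).
    $oid = filter_var($rawOid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($oid === false) {
        return null;
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO building (oid) VALUES (:oid)');
    $stmt->bindValue(':oid', $oid, PDO::PARAM_INT);
    $stmt->execute();
    // lastInsertId() is tracked per connection, so parallel requests on other
    // connections cannot change the value returned here.
    return (int) $pdo->lastInsertId();
}

$pdo = openDb();
// Constructed sample inputs: two valid ids and one injection-style string.
foreach (['7', '42', "1'); DROP TABLE building; --"] as $input) {
    $id = registerBuilding($pdo, $input);
    echo $id === null ? "Fail-No object owner ID\n" : $id . "\n";
}
```

Because the returned id is cast to an integer before it is echoed, no `strip_tags` or HTML escaping is needed on the output path.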