
Difficulty posting array data

Posted: Thu Jun 23, 2011 11:20 am
by digdigdig
Hi,

I am getting this error:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/sfayc/public_html/Form/updatedb.php on line 22

The code:

Code:

$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)

 VALUES
   ('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']'.",'".$_POST['Status']."',Now(),'".$_POST['Source']."')"; // this is line 22

   if (isset($POST['Status'] || $Status<>'Other'){
   $Status=$POST['Status'];
	}
   else {
   $Status='Other';

The 'Status' field is for radio button responses which offer four radio button options where the last one is "Other". Next to the "Other" radio button is a textbox for users to enter data. The related HTML is:

Code:

<input type=radio name='Status' value='Teacher' />Teacher<br>
                <input type=radio name='Status' value='Teacher_Aide'>Teacher Aide<br>
                <input type=radio name='Status' value='Administrator'>Administrator<br>
                <input type=radio name='Status' value='Parent'>Parent<br>
                <input type=radio name='Status' value='Student'>Student<br>
                <input type=radio name='Status' value='Other'>Other&nbsp;&nbsp;Other&nbsp;&nbsp;<input type=text name='Other' value='Other'>

I am a newbie at PHP....

Many thanks.

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 11:28 am
by twinedev
You have an extra single quote after the $_POST['Email']

-Greg

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 11:30 am
by social_experiment
Also

Code:

if (isset($POST['Status'] || $Status<>'Other'){
 // needs to be
if (isset($_POST['Status']) || $Status <> 'Other') {
 // rest of your code

And $_POST instead of $POST

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 11:37 am
by digdigdig
Thanks.

Now I am getting this:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Teacher_Aide',Now(),'Website')' at line 4

Any thoughts?

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 11:46 am
by social_experiment
You have to paste the code you use to create the SQL query :idea: :)

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 11:49 am
by twinedev
Also, can you paste the final $insert value right before you try to execute it?

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 11:53 am
by digdigdig
This is most of the code:

//inserting records
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)

VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email'].",'".$_POST['Status']."',Now(),'".$_POST['Source']."')";
if (isset($_POST['Status']) || $Status <> 'Other'){
$Status=$POST['Status'];
}
else {
$Status='Other';
}

if(!mysql_query($Insert,$dbc)){
die('Error: '.mysql_error ());
}
$query=mysql_query("INSERT INTO formdata SET Date=now()");
echo "One Record Added";
mysql_close($dbc)

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 12:38 pm
by social_experiment

Code:

<?php
// Column list matches the formdata table used earlier in the thread (Date, not Data)
$insert = "INSERT INTO formdata (FirstName, LastName, Email, Status, Date, Source) VALUES 
('" . $_POST['FirstName'] . "', '" . $_POST['LastName'] . "', '" . $_POST['Email'] . "', '" . $_POST['Status'] . "', 
NOW(), '" . $_POST['Source'] . "' )";
?>

You forgot a single quote near $_POST['Email']. Look at using a function that escapes the data you receive; if you are using SQL, use mysql_real_escape_string().

Re: Difficulty posting array data

Posted: Thu Jun 23, 2011 5:58 pm
by pickle
1) Please post your code in proper [syntax] tags
2) Never, EVER put user data (ie: $_POST) into a query. With one little call of your page I could empty out your database. Always run it through mysql_real_escape_string() like ~social_experiment suggested.

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 8:05 am
by digdigdig
Thanks Pickle for taking time to give me pointers.

What are the correct tags? I am using a guide by Murach and my code looks like what he has in the book.

Where would be a good place to learn more about mysql_real_escape_string()?

Cheers.

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 8:27 am
by Idri
I'm guessing Pickle's referring to the Syntax tags on the forum.

Use the tags like this

Code:

[syntax=php] // Your code goes here [/syntax]

You can read more about mysql_real_escape_string (among other functions) in the PHP manual, which can be found at http://php.net/manual/en/function.mysql ... string.php

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 9:14 am
by digdigdig
So, am I getting the joke on the tags usage? Or use them every line?

Also did I get the Escape Sequence correct?

I don't think I understand about the "Never, EVER put user data (ie: $_POST) into a query." On the forum?

Code:

 // 

//inserting records
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']."','".$_POST['Status']."',Now(),'".$_POST['Source']."')"; 
 $error = 0;
if(isset($_POST['Status'])){
    if($_POST['Status'] == 'Other'){
        if(isset($_POST['Other']) && trim($_POST['Other']) != ''){
            $status = $_POST['Other'];
        } else {
            $error++;
            echo "Please fill out the 'Other' box.<br />";
        }
    } else {
        $status = $_POST['Status'];
    }
} else {
    $error++;
    echo "Please select a 'Status'.<br />";
}
if($error){
    echo "<br />There were $error error".($error>1?'s':'').".";
} else {
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
    VALUES
    ('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']."','".$status."',Now(),'".$_POST['Source']."')"; 
}  
if(!mysql_query($Insert,$dbc)){
	die('Error: '.mysql_error ());
	}
$query=mysql_query("INSERT INTO formdata SET Date=now()"),
mysql_real_escape_string($Date);

echo "One Record Added";
mysql_close($dbc)

Thanks for your time and effort.

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 9:36 am
by Idri
I think you misinterpreted where to use the mysql_real_escape_string function. You should use it on whatever user-generated input you are going to use in a query.

Take for example your insert query:

Code:

$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']."','".$_POST['Status']."',Now(),'".$_POST['Source']."')";
 $error = 0;

All of the $_POST variables are user-generated and could contain malicious input. You'll have to sanitize it before having the database process your query.

Code:

$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".mysql_real_escape_string($_POST['FirstName'])."', // etc

Putting it inline can lead to very lengthy lines of code however, which can be tricky to maintain. Which is why I often use the sprintf function to format my queries (PHP.net - Sprintf). Though obviously you are in no way required to do this :)

Applying both sprintf and mysql_real_escape_string would lead to something along the lines of

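Code:

// One escaped value per %s placeholder, in column order; Date is filled by Now()
$Insert = sprintf("INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES ('%s', '%s', '%s', '%s', Now(), '%s')",
    mysql_real_escape_string($_POST['FirstName']),
    mysql_real_escape_string($_POST['LastName']),
    mysql_real_escape_string($_POST['Email']),
    mysql_real_escape_string($_POST['Status']),
    mysql_real_escape_string($_POST['Source'])
);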

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 9:52 am
by pickle
Data from the user should always be escaped so users can't break your query. With your query posted above, I could submit the following as my first name:

','','','',NOW(),'');DELETE FROM formdata;

and POOF - your database is gone. Running user data through mysql_real_escape_string() will escape all the quotes properly so the value of $_POST['first_name'] gets treated as just an ordinary string & not real query stuff.
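
The escaping advice in the two posts above, taken one step further with PDO bound parameters (the mysql_* functions used in this thread were removed in PHP 7.0). This is an added example, not code from any poster: the helper names `field`, `resolveStatus` and `insertFormData` are hypothetical, the sample submissions are constructed, and an in-memory SQLite database stands in for the thread's MySQL server.

```php
<?php
// Added example, not code from the thread. Assumption: in-memory SQLite stands in
// for the MySQL server so this runs offline; on MySQL change the DSN and use NOW().
const STATUSES = ['Teacher', 'Teacher_Aide', 'Administrator', 'Parent', 'Student', 'Other'];

// Read one form field as a string; arrays and missing keys become ''.
function field(array $post, string $key): string
{
    return is_string($post[$key] ?? null) ? trim($post[$key]) : '';
}

// Map the radio group plus the "Other" textbox to one value, or null if invalid.
function resolveStatus(array $post): ?string
{
    $status = field($post, 'Status');
    if (!in_array($status, STATUSES, true)) {
        return null;                      // nothing selected, or not an offered option
    }
    if ($status !== 'Other') {
        return $status;
    }
    return field($post, 'Other') !== '' ? field($post, 'Other') : null;
}

// Insert one row; user values are bound parameters and never become SQL text.
function insertFormData(PDO $db, array $post): bool
{
    $status = resolveStatus($post);
    if ($status === null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO formdata (FirstName, LastName, Email, Status, Date, Source)
        VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP, ?)');
    return $stmt->execute([field($post, 'FirstName'), field($post, 'LastName'),
        field($post, 'Email'), $status, field($post, 'Source')]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE formdata (FirstName, LastName, Email, Status, Date, Source)');

// Constructed submissions; the second reuses the first-name value quoted in the thread.
$base = ['LastName' => 'Lee', 'Email' => 'a@example.com', 'Source' => 'Website'];
insertFormData($db, $base + ['FirstName' => 'Ann', 'Status' => 'Other', 'Other' => 'Librarian']);
insertFormData($db, $base + ['FirstName' => "','','','',NOW(),'');DELETE FROM formdata;", 'Status' => 'Parent']);
$rejected = insertFormData($db, $base + ['FirstName' => 'Bob', 'Status' => 'Janitor']);

print_r($db->query('SELECT FirstName, Status FROM formdata')->fetchAll(PDO::FETCH_NUM));
echo 'invalid status rejected: ', var_export(!$rejected, true), "\n";
```

Because the statement text is fixed before any value is supplied, the quoted first-name string is stored as an ordinary column value, and the allow-list keeps a Status that was never offered on the form out of the table.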

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 9:58 am
by digdigdig
Ah ha!

This makes great sense. I will work on this today. Thanks again for your time.....