Help with output results

ShawnH20
Forum Newbie
Posts: 12
Joined: Thu Nov 03, 2011 12:41 pm

Help with output results

Post by ShawnH20 »

Yet another noob trying to deal with PHP, well here it goes: I am having a problem with the actual results showing up and I keep getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Any advice would be great, thanks!

This is my show_addrecord.html

Code: Select all

<html>
<head>
<title>Adding a Record</title>
</head>
<body>
<h1>Adding a record to my_roster</h1>
<form method="post" action="showrecord.php">

<br> Jersey Number: <input type="text" name="mid"> <br>

<br>Birthday(YYYY-MM-DD): <input type="text" name="birthday"><br>

<br>Athletes Last Name (or Nickname): <input type="text" name="artist_ln"><br>

<br>Format: <input type="radio" name="format" value="Guard">Guard
	<input type="radio" name="format" value="Forward">Forward
	<input type="radio" name="format" value="Pointguard">Pointguard
	<input type="radio" name="format" value="Center">Center<br>

<h2>Stats:</h2>
<textarea rows="5" cols="20" name="notes" wrap="physical"></textarea>
<p><input type="submit" name="submit" value="add record"></p>
</form>
</body>
</html>

This is my php code to output the "results"

Code: Select all

<?
if ((!$_POST['mid']) || (!$_POST['format']) || (!$_POST['artist_ln'])) {
	header("Location: show_addrecord.html");
	exit;
}

$db_name="my_roster";
$table_name="players";

// Create the connection
$connection = @mysql_connect( "localhost", "Shawn", "1234" );

$db = @mysql_select_db( $db_name,$connection) or die (mysql_error());

$sql = "INSERT INTO $table_name (mid, format, artist_ln, birthday, notes) VALUES ('$_POST[mid]', ('$_POST[format]', '$_POST[artist_ln]', '$_POST[birthday]', '$_POST[notes]')";

$result = @mysql_query($sql,$connection) or die(mysql_error());

?>


<P><STRONG>Jersey Number:</STRONG><BR>
<? echo stripslashes ("$_POST[mid]"); ?>

This is where it will be shown ^^ just did one to see if it works but did not (p.s. I have to use stripslashes)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Help with output results

Post by Celauran »

Code: Select all

$sql = "INSERT INTO $table_name (mid, format, artist_ln, birthday, notes) VALUES ('$_POST[mid]', ('$_POST[format]', '$_POST[artist_ln]', '$_POST[birthday]', '$_POST[notes]')";
You've got an extra ( in there before $_POST['format'], which is why the query is failing.

Also, inserting unvalidated, unsanitized data into your database will end in tears.
ShawnH20
Forum Newbie
Posts: 12
Joined: Thu Nov 03, 2011 12:41 pm

Re: Help with output results

Post by ShawnH20 »

Thanks Celauran, I've fixed that problem, now it seems to say this:
Unknown column 'mid' in 'field list'
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Help with output results

Post by pickle »

That error means "mid" is not a column in the table you're querying.
Celauran wrote: Also, inserting unvalidated, unsanitized data into your database will end in tears.
This cannot be understated. You absolutely should sanitize the data (running it through mysql_real_escape_string() is a good place to start). For example, all I need to do to completely destroy your database is submit form data with "mid" being:

Code: Select all

','','','','');DROP DATABASE `my_roster`;
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
ShawnH20
Forum Newbie
Posts: 12
Joined: Thu Nov 03, 2011 12:41 pm

Re: Help with output results

Post by ShawnH20 »

I'm so confused
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Help with output results

Post by Celauran »

About what?
ShawnH20
Forum Newbie
Posts: 12
Joined: Thu Nov 03, 2011 12:41 pm

Re: Help with output results

Post by ShawnH20 »

About not having the columns in the table, I'm using phpMyAdmin and I shouldn't have to add any of this in there. It's not outputting anything
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Help with output results

Post by Celauran »

ShawnH20 wrote: About not having the columns in the table, I'm using phpMyAdmin and I shouldn't have to add any of this in there.
Open up phpMyAdmin and look at the structure of `my_roster` to confirm the column mid does, in fact, exist.
ShawnH20 wrote: It's not outputting anything
This is a bit vague. What isn't outputting anything? This?

Code: Select all

<? echo stripslashes ("$_POST[mid]"); ?>
ShawnH20
Forum Newbie
Posts: 12
Joined: Thu Nov 03, 2011 12:41 pm

Re: Help with output results

Post by ShawnH20 »

I guess that's what I really don't know is how to work in phpMyAdmin, how do you add columns?
ShawnH20
Forum Newbie
Posts: 12
Joined: Thu Nov 03, 2011 12:41 pm

Re: Help with output results

Post by ShawnH20 »

Never mind the last post, I figured out what I did wrong, just didn't realize I had to go through the whole process of adding fields
ShawnH20
Forum Newbie
Posts: 12
Joined: Thu Nov 03, 2011 12:41 pm

Re: Help with output results

Post by ShawnH20 »

Now, since I'm in college, I wanted to learn about what you meant by "sanitize your data". My teacher hasn't really gone over that; what does it do and what do I need to do to do so?
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Help with output results

Post by pickle »

Sanitization in this case basically means to "make safe for database entry". The example I gave is un-sanitized data. If that were to be put into a query, it would be bad. Sanitizing it would involve putting \ in front of all the quotes, so MySQL treats it as a string, and not part of the query language. mysql_real_escape_string() does all that for you.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
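Added example, not part of the original thread or any poster's code: the roster insert done with input validation and a PDO prepared statement, which keeps submitted values out of the SQL text instead of escaping them into it. The mysql_* functions used in the thread were removed in PHP 7; the in-memory SQLite database, the validate_player() helper, and the range and length limits are assumptions of this example.

```php
<?php
// Added example (not from the thread). SQLite in memory via PDO is an assumption
// so it runs without a server; for MySQL only the DSN and credentials change.
function validate_player(array $in): ?array
{
    $positions = ['Guard', 'Forward', 'Pointguard', 'Center']; // the form's radio values
    $mid = filter_var($in['mid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 99]]); // range is an assumption
    $birthday = (string) ($in['birthday'] ?? '');
    $date = DateTime::createFromFormat('!Y-m-d', $birthday);
    $name = trim((string) ($in['artist_ln'] ?? ''));
    if ($mid === false
        || !in_array($in['format'] ?? null, $positions, true)
        || $date === false || $date->format('Y-m-d') !== $birthday
        || $name === '' || strlen($name) > 50) { // length limit is an assumption
        return null; // reject rather than try to repair bad input
    }
    return [':mid' => $mid, ':format' => $in['format'], ':artist_ln' => $name,
            ':birthday' => $birthday, ':notes' => (string) ($in['notes'] ?? '')];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, no @
$pdo->exec('CREATE TABLE players
            (mid INTEGER, format TEXT, artist_ln TEXT, birthday TEXT, notes TEXT)');
// The SQL text is fixed; values are bound separately and never parsed as SQL.
$insert = $pdo->prepare(
    'INSERT INTO players (mid, format, artist_ln, birthday, notes)
     VALUES (:mid, :format, :artist_ln, :birthday, :notes)');

// Constructed submissions standing in for $_POST.
$submissions = [
    ['mid' => '12', 'format' => 'Center', 'artist_ln' => "O'Brien",
     'birthday' => '1990-05-17', 'notes' => "Quotes like ' and \" stay plain data"],
    // The "mid" value quoted earlier in the thread: not an integer, so rejected.
    ['mid' => "','','','','');DROP DATABASE `my_roster`;", 'format' => 'Guard',
     'artist_ln' => 'x', 'birthday' => '2000-01-01', 'notes' => ''],
];
foreach ($submissions as $post) {
    $row = validate_player($post);
    if ($row === null) {
        echo "rejected: invalid input\n";
        continue;
    }
    $insert->execute($row);
    echo "stored: {$row[':artist_ln']}\n";
}
$stored = $pdo->query('SELECT artist_ln, notes FROM players')->fetchAll(PDO::FETCH_ASSOC);
echo count($stored), " row(s); notes kept verbatim: {$stored[0]['notes']}\n";
```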
Gopesh
Forum Contributor
Posts: 143
Joined: Fri Dec 24, 2010 12:48 am
Location: India

Re: Help with output results

Post by Gopesh »

$connection = @mysql_connect( "localhost", "Shawn", "1234" );
Don't put @ in the connection statements or any other important working statements. @ is used to suppress the error messages.