
Help with output results

Posted: Thu Nov 03, 2011 12:49 pm
by ShawnH20
Yet another noob trying to deal with PHP; well, here it goes: I am having a problem with the actual results showing up, and I keep getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Any advice would be great, thanks!

This is my show_addrecord.html

Code:

<html>
<head>
<title>Adding a Record</title>
</head>
<body>
<h1>Adding a record to my_roster</h1>
<form method="post" action="showrecord.php">

<br>Jersey Number: <input type="text" name="mid"><br>

<br>Birthday (YYYY-MM-DD): <input type="text" name="birthday"><br>

<br>Athlete's Last Name (or Nickname): <input type="text" name="artist_ln"><br>

<br>Format: <input type="radio" name="format" value="Guard">Guard
	<input type="radio" name="format" value="Forward">Forward
	<input type="radio" name="format" value="Pointguard">Pointguard
	<input type="radio" name="format" value="Center">Center<br>

<h2>Stats:</h2>
<textarea rows="5" cols="20" name="notes" wrap="physical"></textarea>
<p><input type="submit" name="submit" value="add record"></p><br>
</form>
</body>
</html>

This is my php code to output the "results"

Code:

<?
if ((!$_POST['mid']) || (!$_POST['format']) || (!$_POST['artist_ln'])) {
	header("Location: show_addrecord.html");
	exit;
}

$db_name="my_roster";
$table_name="players";

// Create the connection
$connection = @mysql_connect( "localhost", "Shawn", "1234" );

$db = @mysql_select_db( $db_name,$connection) or die (mysql_error());

$sql = "INSERT INTO $table_name (mid, format, artist_ln, birthday, notes) VALUES ('$_POST[mid]', ('$_POST[format]', '$_POST[artist_ln]', '$_POST[birthday]', '$_POST[notes]')";

$result = @mysql_query($sql,$connection) or die(mysql_error());

?>


<P><STRONG>Jersey Number:</STRONG><BR>
<? echo stripslashes ("$_POST[mid]"); ?>

This is where it will be shown ^^. I just did one to see if it works, but it did not (P.S. I have to use stripslashes).

Re: Help with output results

Posted: Thu Nov 03, 2011 2:54 pm
by Celauran

Code:

$sql = "INSERT INTO $table_name (mid, format, artist_ln, birthday, notes) VALUES ('$_POST[mid]', ('$_POST[format]', '$_POST[artist_ln]', '$_POST[birthday]', '$_POST[notes]')";
You've got an extra ( in there before $_POST['format'], which is why the query is failing.

Also, inserting unvalidated, unsanitized data into your database will end in tears.

Re: Help with output results

Posted: Thu Nov 03, 2011 3:20 pm
by ShawnH20
Thanks Celauran, I've fixed that problem; now it seems to say this:
Unknown column 'mid' in 'field list'

Re: Help with output results

Posted: Thu Nov 03, 2011 3:24 pm
by pickle
That error means "mid" is not a column in the table you're querying.
Celauran wrote:Also, inserting unvalidated, unsanitized data into your database will end in tears.
This cannot be understated. You absolutely should sanitize the data (running it through mysql_real_escape_string() is a good place to start). For example, all I need to do to completely destroy your database is submit form data with "mid" being:

Code:

','','','','');DROP DATABASE `my_roster`;

Re: Help with output results

Posted: Thu Nov 03, 2011 3:42 pm
by ShawnH20
I'm so confused.

Re: Help with output results

Posted: Thu Nov 03, 2011 3:43 pm
by Celauran
About what?

Re: Help with output results

Posted: Thu Nov 03, 2011 3:59 pm
by ShawnH20
About not having the columns in the table. I'm using phpMyAdmin and I shouldn't have to add any of this in there. It's not outputting anything.

Re: Help with output results

Posted: Thu Nov 03, 2011 4:17 pm
by Celauran
ShawnH20 wrote:About not having the columns in the table. I'm using phpMyAdmin and I shouldn't have to add any of this in there.
Open up phpMyAdmin and look at the structure of `my_roster` to confirm the column mid does, in fact, exist.
ShawnH20 wrote:It's not outputting anything.
This is a bit vague. What isn't outputting anything? This?

Code:

<? echo stripslashes ("$_POST[mid]"); ?>

Re: Help with output results

Posted: Thu Nov 03, 2011 5:25 pm
by ShawnH20
I guess that's what I really don't know: how to work in phpMyAdmin. How do you add columns?

Re: Help with output results

Posted: Thu Nov 03, 2011 5:36 pm
by ShawnH20
Never mind the last post, I figured out what I did wrong; I just didn't realize I had to go through the whole process of adding fields.

Re: Help with output results

Posted: Thu Nov 03, 2011 9:22 pm
by ShawnH20
Now, since I'm in college, I wanted to learn about what you meant by "sanitize your data". My teacher hasn't really gone over that. What does it do, and what do I need to do to do so?

Re: Help with output results

Posted: Fri Nov 04, 2011 9:51 am
by pickle
Sanitization in this case basically means to "make safe for database entry". The example I gave is un-sanitized data. If that were to be put into a query, it would be bad. Sanitizing it would involve putting \ in front of all the quotes, so MySQL treats it as a string, and not part of the query language. mysql_real_escape_string() does all that for you.

Re: Help with output results

Posted: Sat Nov 05, 2011 12:27 am
by Gopesh
$connection = @mysql_connect( "localhost", "Shawn", "1234" );
Don't put @ in the connection statements or any other important working statements. @ is used to suppress the error messages.
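The three points raised in the replies (pickle's injection payload and escaping advice, and Gopesh's point about @) come together in the script below. It is an added example, not code from the thread: it builds the same INSERT as showrecord.php, run through PDO against an in-memory SQLite database so that it works without a MySQL server (for MySQL the DSN would be mysql:host=localhost;dbname=my_roster). It uses prepared statements instead of mysql_real_escape_string(), because the mysql_* functions were removed in PHP 7 and a placeholder keeps the value out of the SQL text altogether rather than escaping it afterwards. Two caveats on the thread's advice: mysql_query() only ever ran one statement per call, so a stacked "; DROP DATABASE" payload would have failed there, whereas the constructed payload below closes the VALUES list early and comments out the rest, which needs no multi-statement support; and stripslashes() only undid magic_quotes_gpc (removed in PHP 5.4), so echoing $_POST straight into HTML needs htmlspecialchars() to keep markup and script out of the page. The table, the list of positions, the validation rules, and the sample rows are assumptions made for this example.

```php
<?php
// Added example, not the original poster's code. Same INSERT as showrecord.php,
// run against an in-memory SQLite database through PDO so it runs offline.
// Table, columns and positions follow the thread; attacker input and sample
// rows are constructed for the demo.
declare(strict_types=1);

// No "@": with ERRMODE_EXCEPTION a failed connect or query throws instead of
// silently returning false.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE players (mid TEXT, format TEXT, artist_ln TEXT, birthday TEXT, notes TEXT)');

const POSITIONS = ['Guard', 'Forward', 'Pointguard', 'Center'];

// Validate before the database is touched. Returns the cleaned record, or
// null with the reason in $error. Rules are assumptions for this example.
function validateRecord(array $post, ?string &$error): ?array
{
    $mid       = trim((string)($post['mid'] ?? ''));
    $format    = (string)($post['format'] ?? '');
    $artist_ln = trim((string)($post['artist_ln'] ?? ''));
    $birthday  = trim((string)($post['birthday'] ?? ''));
    $notes     = (string)($post['notes'] ?? '');

    if (!preg_match('/^\d{1,3}$/', $mid)) {
        $error = 'jersey number must be 1-3 digits';
        return null;
    }
    if (!in_array($format, POSITIONS, true)) {
        $error = 'unknown position';
        return null;
    }
    if ($artist_ln === '' || strlen($artist_ln) > 64) {
        $error = 'name missing or too long';
        return null;
    }
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $birthday, $m)
        || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        $error = 'birthday must be YYYY-MM-DD';
        return null;
    }
    return compact('mid', 'format', 'artist_ln', 'birthday', 'notes');
}

// 1. The original construction: raw input pasted into the SQL text.
function vulnerableInsert(PDO $pdo, array $p): string
{
    $sql = "INSERT INTO players (mid, format, artist_ln, birthday, notes) "
         . "VALUES ('$p[mid]', '$p[format]', '$p[artist_ln]', '$p[birthday]', '$p[notes]')";
    $pdo->exec($sql);
    return $sql;   // returned so the reader can see what actually ran
}

// 2. Prepared statement: values travel separately from the SQL, so quotes,
//    semicolons and comment markers inside them are just characters.
function safeInsert(PDO $pdo, array $rec): void
{
    $stmt = $pdo->prepare('INSERT INTO players (mid, format, artist_ln, birthday, notes) '
                        . 'VALUES (:mid, :format, :artist_ln, :birthday, :notes)');
    $stmt->execute($rec);
}

function dumpPlayers(PDO $pdo): void
{
    foreach ($pdo->query('SELECT mid, format, artist_ln FROM players', PDO::FETCH_ASSOC) as $row) {
        // htmlspecialchars, not stripslashes, is what protects the HTML output.
        echo '<p>', htmlspecialchars(implode(' / ', $row), ENT_QUOTES, 'UTF-8'), "</p>\n";
    }
}

// Constructed attacker input for "mid": closes the VALUES list early and
// comments out the rest of the query. It needs no multi-statement support.
$form = [
    'mid'       => "99', 'Center', 'Mallory', '1999-01-01', 'owned'); -- ",
    'format'    => 'Guard',
    'artist_ln' => 'Smith',
    'birthday'  => '1990-05-06',
    'notes'     => 'tryout',
];

echo vulnerableInsert($pdo, $form), "\n";   // row stored with attacker-chosen columns
dumpPlayers($pdo);

if (validateRecord($form, $why) === null) {
    echo "rejected: $why\n";                  // jersey number must be 1-3 digits
}

$form['mid']       = '23';
$form['artist_ln'] = "O'Neal'); -- ";         // legitimate quote, stored literally
safeInsert($pdo, validateRecord($form, $why));
dumpPlayers($pdo);
```

Run it with the php CLI (pdo_sqlite enabled). The first dump shows the row the vulnerable build stored: every column is the attacker's, and the real form values never reached the table. The validator then rejects the same input on the jersey number alone, and the last dump shows a name containing a quote and a comment marker stored as a plain string through the placeholder, with the quote escaped on output rather than on input.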