PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Cep
Forum Newbie
Posts: 16 Joined: Fri Mar 04, 2005 4:45 am
by Cep » Mon May 16, 2005 8:16 am
I need to know how to pull data from an HTML form element on an htm page into an SQL query on a php page. The form method is POST.
So far I have this as my SQL, but I keep getting parse errors when the form is submitted:
Code:
$sql = "INSERT INTO `table` ('name','address') VALUES ($_REQUEST['nameelement'], $_REQUEST['addressele'])";
What is wrong with the above line?
JayBird
Admin
Posts: 4524 Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
by JayBird » Mon May 16, 2005 8:17 am
Code:
$sql = "INSERT INTO `table` ('name','address') VALUES (".$_REQUEST['nameelement'].", ".$_REQUEST['addressele'])."";
I hope you are aware of the security risk of using form values directly in a query!
Cep
Forum Newbie
Posts: 16 Joined: Fri Mar 04, 2005 4:45 am
by Cep » Mon May 16, 2005 8:48 am
Are you referring to sql injection? Do you think I should create an array first?
JayBird
Admin
Posts: 4524 Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
by JayBird » Mon May 16, 2005 9:04 am
Before using the form values, do some checking to see if the values are what you expect.
Cep
Forum Newbie
Posts: 16 Joined: Fri Mar 04, 2005 4:45 am
by Cep » Mon May 16, 2005 9:16 am
OK.
One other thing:
I notice that you close your statement like this,
Is the bracket meant to be after the full stop and between the " marks?
Also, say I wanted to add additional default values like a timestamp.
Could I add them to the end of the statement like this,
Code:
, ".$_REQUEST['addressele'].","Now()","No")";
Or would that cause more problems?
JayBird
Admin
Posts: 4524 Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
by JayBird » Mon May 16, 2005 9:20 am
Oooops, it should have been this
Code:
$sql = "INSERT INTO `table` (`name`,`address`) VALUES (".$_REQUEST['nameelement'].", ".$_REQUEST['addressele'].")";
More fields would be like this
Code:
$sql = "INSERT INTO `table` (`name`,`address`, `time`, `answer`) VALUES (".$_REQUEST['nameelement'].", ".$_REQUEST['addressele'].", NOW(), 'No')";
Cep
Forum Newbie
Posts: 16 Joined: Fri Mar 04, 2005 4:45 am
by Cep » Mon May 16, 2005 9:25 am
Ah so functions like Now() do not need quotes and strings do. *scribbles down*
I guess then the only other thing is if I passed the form element value to a variable before it reaches the SQL.
Like
Code:
$var1 = ".$_REQUEST['nameelement']."
$var2 = ".$_REQUEST['addressele']."
then the sql could be,
Code:
$sql = "INSERT INTO `table` ('name','address') VALUES ("$var1", "$var2")";
JayBird
Admin
Posts: 4524 Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
by JayBird » Mon May 16, 2005 9:27 am
This would be the way you did it. Use single quotes:
Code:
$sql = "INSERT INTO `table` (`name`,`address`) VALUES ('$var1', '$var2')";
Cep
Forum Newbie
Posts: 16 Joined: Fri Mar 04, 2005 4:45 am
by Cep » Mon May 16, 2005 9:43 am
I thought things were sorted out, but I keep getting a T_STRING parse error now on line 4.
I'll post the script up as it stands; even though it's not finished yet, the basics should still work regardless.
Code:
<?php
require "./database_conn.php";
$var1 = (".$_REQUEST['requested_by']."); //LINE 4
$var2 = (".$_REQUEST['deadline'].");
$var3 = (".$_REQUEST['priority'].");
$var4 = (".$_REQUEST['department'].");
$var5 = (".$_REQUEST['request'].");
$var6 = (".$_REQUEST['nature'].");
$var7 = (".$_REQUEST['specs'].");
$sql = "INSERT INTO `ICT` (`request_by`, `deadline`, `priority`, `department`, `request_type`, `nature`, `specification`, `request_date`, `completed`) VALUES ('$var1', '$var2', '$var3', '$var4', '$var5', '$var6', '$var7', NOW(), 'No')";
$insertsql = mysql_query($sql,db());
?>
JayBird
Admin
Posts: 4524 Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
by JayBird » Mon May 16, 2005 9:45 am
Just make your lines like this:
Code:
$var1 = $_REQUEST['requested_by']; //LINE 4
Cep
Forum Newbie
Posts: 16 Joined: Fri Mar 04, 2005 4:45 am
by Cep » Mon May 16, 2005 9:53 am
Well, at least that has stopped the parse errors, but the script doesn't actually appear to do anything. I just get a white screen in my browser and nothing gets written to the database. I know the connection settings are correct because I can use another script I wrote to view them perfectly fine.
Can't understand it.
phpScott
DevNet Resident
Posts: 1206 Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.
by phpScott » Mon May 16, 2005 10:01 am
Check to make sure your query is correct. Try:
Code:
$result = mysql_query($sql) or die('Query failed: ' . mysql_error(). ' using<br />'.$sql);
JayBird
Admin
Posts: 4524 Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
by JayBird » Mon May 16, 2005 10:02 am
You should always put some kind of debugging into your queries.
Change this line
Code:
$insertsql = mysql_query($sql,db());
to
Code:
$insertsql = mysql_query($sql,db()) or die(mysql_error());
This will display errors in your query.
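Added example, not code from the thread: the ICT insert from Cep's script written the way JayBird's two points lead (check that each form value is what you expect, and never paste it into the query string), with the values validated and then bound as parameters through PDO instead of the mysql_* concatenation used above; the form is POST, so it reads $_POST. Column and form-field names are the thread's; the connection details, the field length limits and the allowed priority values are assumptions.

```php
<?php
// Added example, not the thread's code. Column and form-field names come from the
// thread; the DSN/credentials, field length limits and priority values are assumed.
function validate_request(array $in): array
{
    $clean = [];
    // Free-text fields: required, non-empty and within the (assumed) column width.
    $limits = ['requested_by' => 100, 'department' => 100, 'request' => 100,
               'nature' => 2000, 'specs' => 2000];
    foreach ($limits as $field => $max) {
        $value = trim((string) ($in[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > $max)
            throw new InvalidArgumentException("'$field' is missing or too long");
        $clean[$field] = $value;
    }
    // deadline must be a real calendar date written as YYYY-MM-DD.
    $raw = (string) ($in['deadline'] ?? '');
    $date = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($date === false || $date->format('Y-m-d') !== $raw)
        throw new InvalidArgumentException("'deadline' is not a valid date");
    $clean['deadline'] = $raw;
    // priority must be one of a fixed set of values (assumed set).
    if (!in_array($in['priority'] ?? null, ['low', 'normal', 'high'], true))
        throw new InvalidArgumentException("'priority' is not an allowed value");
    $clean['priority'] = $in['priority'];
    return $clean;
}
function insert_request(PDO $pdo, array $c): int
{
    // Named placeholders: the values travel separately from the SQL text, so a
    // quote or keyword inside a value cannot change the statement.
    $stmt = $pdo->prepare("INSERT INTO `ICT` (request_by, deadline, priority, department,
        request_type, nature, specification, request_date, completed)
        VALUES (:by, :deadline, :priority, :dept, :type, :nature, :spec, NOW(), 'No')");
    $stmt->execute([':by' => $c['requested_by'], ':deadline' => $c['deadline'],
        ':priority' => $c['priority'], ':dept' => $c['department'], ':type' => $c['request'],
        ':nature' => $c['nature'], ':spec' => $c['specs']]);
    return (int) $pdo->lastInsertId();
}
// Placeholder connection details; ERRMODE_EXCEPTION does the job of "or die(mysql_error())".
$pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER_PLACEHOLDER', 'PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
try {
    echo 'Stored request #' . insert_request($pdo, validate_request($_POST));
} catch (InvalidArgumentException $e) {
    http_response_code(400);                       // reject the request, the query never runs
    echo 'Bad input: ' . htmlspecialchars($e->getMessage());
}
```

A failed query now raises a PDOException with the server's message, which is the same information the "or die(mysql_error())" line gives, but a bad form value is rejected before any SQL is sent.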
Cep
Forum Newbie
Posts: 16 Joined: Fri Mar 04, 2005 4:45 am
by Cep » Mon May 16, 2005 10:16 am
Oh wow, great stuff.
Got rid of a couple of syntax errors and now it's all up and running!
Many thanks for all your help!