Please help simple for a lot of you

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

cybertrip
Forum Newbie
Posts: 4
Joined: Sat Apr 01, 2006 10:41 pm

Please help simple for a lot of you

Post by cybertrip »

OK, so I'm a complete noob when it comes to PHP. I've done a lot of stuff in VBScript but not a lot in PHP; I was told it wasn't too different. Anyway, to the point: I'm trying to add news to a database, but I can't seem to get this to work and I have no clue why...


<html>
<head>
<title>Untitled Document</title>
</head>

<body>
<?php

if (isset($_POST['submit'])) // If submit is hit
{
   // connect and pick the database
   mysql_connect("localhost","uname","pass");

   mysql_select_db("news");

   // values straight from the form
   $title = $_POST['title'];
   $desc = $_POST['desc'];

   $result = mysql_query("INSERT INTO news (id,title,desc)".
      " VALUES ('NULL', '$title', '$desc')");

   echo "Finished";
}
else
{
?>
<form method="post" action="add.php">
<table>
<tr>
   <td>Title:</td>
   <td><input type="text" name="title" value="" size="60"></td>
</tr>
<tr>
   <td>News:</td>
   <td><input type="text" name="desc" value="" size="60"></td>
</tr>
<tr>
   <td></td>
   <td><input type="submit" name="submit" value="submit"></td>
</tr>
</table>
</form>

<?php
}
?>

</body>
</html>
User name and password were removed by me. Thanks for the help.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

"desc" is a MySQL reserved word. You need to use backticks:


"INSERT INTO `news` (`id`,`title`,`desc`)".
      "VALUES (NULL, '$title', '$desc')"
Although your script will work as a basic introduction, be very careful using it in publicly used scripts, as it does allow SQL injection. Read up on mysql_real_escape_string() and how it can help avoid that, as well as the other syntax errors you may get when certain characters appear in your inputs.
cybertrip
Forum Newbie
Posts: 4
Joined: Sat Apr 01, 2006 10:41 pm

Post by cybertrip »

Thanks so much... this is just going to be on an internal server for adding news. Thanks for the quick help, I appreciate it.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Be aware that any single quotes in the title or desc fields will break the SQL syntax parser.
cybertrip
Forum Newbie
Posts: 4
Joined: Sat Apr 01, 2006 10:41 pm

Post by cybertrip »

Oh... OK, so do I just put something like

Do I just place it anywhere, or does it have to surround the variable in the insert statement?
cybertrip
Forum Newbie
Posts: 4
Joined: Sat Apr 01, 2006 10:41 pm

Post by cybertrip »

Sorry for the double post, but would this work?


<?php
// quote_smart() as given in the PHP manual: undo magic_quotes if it is on,
// then escape and quote anything that is not a number
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

if (isset($_POST['submit']))
{

   mysql_connect("localhost","uname","pass");

   mysql_select_db("news");

   $title = $_POST['title'];
   $desc = $_POST['desc'];

   $result = mysql_query("INSERT INTO `news` (`id`,`quote_smart(title)`,`quote_smart(desc)`)".
      " VALUES (NULL, '$title', '$desc')");

   echo "Finished";
}
else
{
?>
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Looks good.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

cybertrip wrote: would this work?

Not exactly.

$title and $desc should be the result of running the function.

The query should remain the same, except you can now remove the single quotes around both of the variables, as your code is adding them in as needed.
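Putting feyd's two replies together (backticks around the reserved word `desc`, and quote_smart() applied to the values rather than the column names, with the quotes around the variables removed from the query text), here is an added example that is not from the original thread or any of its posters. It assumes a MySQL table `news` with columns `id` (auto-increment), `title` and `desc`, the placeholder connection values from the thread, and a utf8mb4 connection charset. Because the `mysql_*` extension was removed in PHP 7, it uses the mysqli equivalents: `mysqli::real_escape_string()` plays the role of mysql_real_escape_string(). It also shows a prepared statement, which is the form to prefer today. The two sample titles are constructed inputs: one with a plain apostrophe, one shaped to add a second row.

```php
<?php
// Added example, not code from the original thread. Assumes a MySQL table
// `news` (`id` INT AUTO_INCREMENT, `title` VARCHAR, `desc` TEXT) and the
// placeholder credentials below. Requires the mysqli extension.
declare(strict_types=1);

// The concatenated query from the original post, with the reserved word
// `desc` backticked as feyd suggested but still no escaping. Returned as a
// string so the effect of the input can be seen without a database.
function naive_insert_sql(string $title, string $desc): string
{
    return "INSERT INTO `news` (`id`,`title`,`desc`) VALUES (NULL, '$title', '$desc')";
}

// quote_smart() from the thread, minus the magic_quotes branch (removed in
// PHP 8). It returns the value already wrapped in quotes, so the caller must
// not add its own quotes around it. Numeric strings pass through unquoted.
function quote_smart(mysqli $db, string $value): string
{
    if (is_numeric($value)) {
        return $value;
    }
    return "'" . $db->real_escape_string($value) . "'";
}

// What feyd's last reply describes: run the values through quote_smart()
// and drop the single quotes around $title and $desc in the query text.
function escaped_insert_sql(mysqli $db, string $title, string $desc): string
{
    $t = quote_smart($db, $title);
    $d = quote_smart($db, $desc);
    return "INSERT INTO `news` (`id`,`title`,`desc`) VALUES (NULL, $t, $d)";
}

// The form to prefer: a prepared statement. The values travel separately
// from the statement text, so no character in them can change the SQL.
function insert_news_prepared(mysqli $db, string $title, string $desc): int
{
    $stmt = $db->prepare("INSERT INTO `news` (`title`, `desc`) VALUES (?, ?)");
    $stmt->bind_param('ss', $title, $desc);
    $stmt->execute();
    return $stmt->affected_rows; // 1 on success
}

// --- Demonstration with constructed inputs -------------------------------
$body = 'Release notes for build 42';

// A plain apostrophe: the naive query has an unbalanced quote and fails.
$apostrophe = "O'Reilly interview";
echo naive_insert_sql($apostrophe, $body), "\n";

// Input shaped to close the value list and start a second row; the trailing
// "-- " comments out the remainder of the original statement.
$crafted = "x', 'y'), (NULL, 'injected title', 'injected body') -- ";
echo naive_insert_sql($crafted, $body), "\n";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$db = new mysqli('localhost', 'uname', 'pass', 'news');    // placeholders from the thread
$db->set_charset('utf8mb4');                               // escaping depends on the charset

// The same two inputs after quote_smart(): quotes are escaped, one row each.
echo escaped_insert_sql($db, $apostrophe, $body), "\n";
echo escaped_insert_sql($db, $crafted, $body), "\n";

// Inserting for real, through the prepared statement.
printf("rows inserted: %d\n", insert_news_prepared($db, $crafted, $body));
```

The first echo shows the case from feyd's second reply (a single quote breaking the parser); the second shows what "does allow SQL injection" in the first reply means in practice: the input becomes part of the statement structure and inserts a row the author never wrote. After quote_smart() both inputs are single string literals again, and with the prepared statement the question never arises.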