cybertrip
Forum Newbie
Posts: 4 Joined: Sat Apr 01, 2006 10:41 pm
by cybertrip » Sat Apr 01, 2006 10:44 pm
Ok, so I'm a complete noob when it comes to PHP. I've done a lot of stuff in VBScript but not a lot in PHP; I was told it wasn't too different. But anyway, to the point: I'm trying to add news to a database, but I can't seem to get this to work and I have no clue why...
Code:
<html>
<head>
<title>Untitled Document</title>
</head>
<body>
<?
if($_POST['submit']) //If submit is hit
{
mysql_connect("localhost","uname","pass");
mysql_select_db("news");
$title = $_POST['title'];
$desc = $_POST['desc'];
$result=MYSQL_QUERY("INSERT INTO news (id,title,desc)".
"VALUES ('NULL', '$title', '$desc')");
echo "Finished";
}
else
{
?>
<form method="post" action="add.php">
<TABLE>
<TR>
<TD>Title:</TD>
<TD><INPUT TYPE='TEXT' NAME='title' VALUE='' size=60></TD>
</TR>
<TR>
<TD>News:</TD>
<TD><INPUT TYPE='TEXT' NAME='desc' VALUE='' size=60></TD>
</TR><br>
<TR>
<TD></TD><br>
<TD><INPUT TYPE="submit" name="submit" value="submit"></TD>
</TR>
</TABLE>
</form>
<?
}
?>
</body>
</html>
User name and password were removed by me. Thanks for the help.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Sat Apr 01, 2006 10:51 pm
"desc" is a MySQL reserved word. You need to use backticks:
Code:
"INSERT INTO `news` (`id`,`title`,`desc`)".
"VALUES (NULL, '$title', '$desc')"
Although your script will work as a basic introduction, be very careful using it in publicly used scripts, as it does allow SQL injection. Read up on mysql_real_escape_string() on how it can help avoid it, and other syntax errors you may get when using certain characters in your inputs.
cybertrip
Forum Newbie
Posts: 4 Joined: Sat Apr 01, 2006 10:41 pm
by cybertrip » Sat Apr 01, 2006 10:59 pm
Thanks so much... this is just going to be on an internal server for adding news. Thanks for the quick help, I appreciate it.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Sat Apr 01, 2006 11:06 pm
Be aware that any single quotes in the title or desc fields will break the SQL syntax parser.
cybertrip
Forum Newbie
Posts: 4 Joined: Sat Apr 01, 2006 10:41 pm
by cybertrip » Sat Apr 01, 2006 11:11 pm
Oh... ok, so do I just put something like
Do I just place it anywhere, or does it have to surround the variable in the insert statement?
cybertrip
Forum Newbie
Posts: 4 Joined: Sat Apr 01, 2006 10:41 pm
by cybertrip » Sat Apr 01, 2006 11:14 pm
Sorry for the double post, but would this work?
Code:
<?
function quote_smart($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not a number or a numeric string
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
if($_POST['submit'])
{
mysql_connect("localhost","uname","pass");
mysql_select_db("news");
$title = $_POST['title'];
$desc = $_POST['desc'];
$result=MYSQL_QUERY("INSERT INTO `news` (`id`,`quote_smart(title)`,`quote_smart(desc)`)".
"VALUES (NULL, '$title', '$desc')");
echo "Finished";
}
else
{
?>
s.dot
Tranquility In Moderation
Posts: 5001 Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana
by s.dot » Sat Apr 01, 2006 11:17 pm
Looks good.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Sat Apr 01, 2006 11:20 pm
cybertrip wrote: would this work?
Not exactly.
$title and $desc should be the result of running the function.
The query should remain the same, except you can now remove the single quotes around both of the variables, as your code is adding them in as needed.
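The correction feyd describes, written out as an added example (not code from the thread), with the same insert also shown as a prepared statement, which removes the manual quoting step entirely. It assumes the same localhost/uname/pass/news names and `news` table as the original post, and uses mysqli in place of the mysql_* functions (removed in PHP 7); mysqli's real_escape_string does what mysql_real_escape_string() did. The get_magic_quotes_gpc() branch is dropped because magic quotes no longer exist in current PHP.

```php
<?php
// Added example; assumes a MySQL server at localhost with user uname/pass,
// database `news` and table `news` (id, title, desc), as in the original post.
$db = new mysqli("localhost", "uname", "pass", "news");
if ($db->connect_error) {
    die("Connection failed: " . $db->connect_error);
}

// quote_smart as posted, adapted to mysqli: escapes the value for use inside a
// SQL string literal and adds the surrounding single quotes itself.
function quote_smart(mysqli $db, $value)
{
    if (!is_numeric($value)) {
        $value = "'" . $db->real_escape_string($value) . "'";
    }
    return $value;
}

if (isset($_POST['submit'])) {
    // 1. What feyd describes: $title and $desc are the RESULT of running the
    //    function, and the quotes around them are removed from the query
    //    because quote_smart already added them. `desc` stays backticked
    //    because it is a reserved word.
    $title = quote_smart($db, $_POST['title']);
    $desc  = quote_smart($db, $_POST['desc']);
    $sql   = "INSERT INTO `news` (`id`, `title`, `desc`) VALUES (NULL, $title, $desc)";
    // A title such as  O'Reilly  is now emitted as  'O\'Reilly'  and parses,
    // instead of ending the literal early. Run with $db->query($sql) if wanted.

    // 2. Same insert as a prepared statement: the values travel separately from
    //    the SQL text, so there is no quoting or escaping step to forget.
    $stmt = $db->prepare(
        "INSERT INTO `news` (`id`, `title`, `desc`) VALUES (NULL, ?, ?)"
    );
    $stmt->bind_param("ss", $_POST['title'], $_POST['desc']);
    $stmt->execute();
    echo "Finished";
}
```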