Please help simple for a lot of you

Posted: Sat Apr 01, 2006 10:44 pm
by cybertrip
Ok, so I'm a complete noob when it comes to PHP. I've done a lot of stuff in VBScript but not a lot in PHP; I was told it wasn't too different. But anyway, to the point: I'm trying to add news to a database, but I can't seem to get this to work and I have no clue why...

Code:
<html>
<head>
<title>Untitled Document</title>
</head>

<body>
<? 

if($_POST['submit']) //If submit is hit
{
   mysql_connect("localhost","uname","pass"); 
	
   mysql_select_db("news"); 
	
   $title = $_POST['title'];
   $desc = $_POST['desc'];

   $result=MYSQL_QUERY("INSERT INTO news (id,title,desc)".
      "VALUES ('NULL', '$title', '$desc')"); 

   echo "Finished"; 
}
else
{
?>
<form method="post" action="add.php">
<TABLE>
<TR>
   <TD>Title:</TD>
   <TD><INPUT TYPE='TEXT' NAME='title' VALUE='' size=60></TD>
</TR>
<TR>
   <TD>News:</TD>
   <TD><INPUT TYPE='TEXT' NAME='desc' VALUE='' size=60></TD>
</TR>
<TR>
   <TD></TD>
   <TD><INPUT TYPE="submit" name="submit" value="submit"></TD> 
</TR>
</TABLE>
</form>

<?
}
?>

</body>
</html>
Username and password were removed by me. Thanks for the help.

Posted: Sat Apr 01, 2006 10:51 pm
by feyd
"desc" is a MySQL reserved word. You need to use backticks:

Code:
"INSERT INTO `news` (`id`,`title`,`desc`)".
      "VALUES (NULL, '$title', '$desc')"
Although your script will work as a basic introduction, be very careful using it in publicly used scripts as it does allow SQL injection. Read up on mysql_real_escape_string() on how it can help avoid it, and other syntax errors you may get when using certain characters in your inputs.

Posted: Sat Apr 01, 2006 10:59 pm
by cybertrip
Thanks so much... this is just going to be on an internal server for adding news. Thanks for the quick help, I appreciate it.

Posted: Sat Apr 01, 2006 11:06 pm
by feyd
Be aware that any single quotes in the title or desc fields will break the SQL syntax parser.

Posted: Sat Apr 01, 2006 11:11 pm
by cybertrip
Oh... ok, so do I just put something like

Do I just place it anywhere, or does it have to surround the variable in the insert statement?

Posted: Sat Apr 01, 2006 11:14 pm
by cybertrip
Sorry for the double post, but would this work?

Code:
<? 
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

if($_POST['submit']) 
{

   mysql_connect("localhost","uname","pass"); 
	
   mysql_select_db("news"); 
	
   $title = $_POST['title'];
   $desc = $_POST['desc'];
   
   $result=MYSQL_QUERY("INSERT INTO `news` (`id`,`quote_smart(title)`,`quote_smart(desc)`)".
      "VALUES (NULL, '$title', '$desc')"); 

   echo "Finished"; 
}
else
{
?>

Posted: Sat Apr 01, 2006 11:17 pm
by s.dot
Looks good.

Posted: Sat Apr 01, 2006 11:20 pm
by feyd
cybertrip wrote: would this work
Not exactly.

$title and $desc should be the result of running the function.

The query should remain the same, except you can now remove the single quotes around both of the variables, as your code adds them in as needed.
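Putting feyd's two corrections together (quote_smart() run on the submitted values, the quotes dropped from the VALUES list) as an added example, not code from the thread; it assumes the same `news` table with an auto-increment `id`, the legacy ext/mysql API of the period (removed in PHP 7) and placeholder credentials, and ends with a mysqli prepared-statement version of the same insert, which keeps the values out of the SQL string entirely.

```php
<?php
// Added example (not from the thread): cybertrip's insert the way feyd
// describes it. quote_smart() is applied to the VALUES, not the column
// names, and the query has no quotes of its own because quote_smart()
// adds them. Credentials are placeholders.

function quote_smart($value)
{
    // Undo magic_quotes first so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape and quote anything that is not a plain number
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

if (isset($_POST['submit'])) {
    // Connect before escaping: mysql_real_escape_string() needs a connection
    $link = mysql_connect("localhost", "uname", "pass") or die(mysql_error());
    mysql_select_db("news", $link) or die(mysql_error());

    // Escape the submitted values, not the column names
    $title = quote_smart($_POST['title']);
    $desc  = quote_smart($_POST['desc']);

    // No single quotes around $title / $desc: quote_smart() already added them.
    // `desc` stays backticked because it is a reserved word.
    $sql = "INSERT INTO `news` (`id`, `title`, `desc`) " .
           "VALUES (NULL, $title, $desc)";
    $result = mysql_query($sql, $link) or die(mysql_error());
    echo "Finished";
}

// Same insert as a mysqli prepared statement: the values travel separately
// from the SQL text, so no escaping or quoting happens in PHP at all.
// id is omitted and left to auto-increment (equivalent to inserting NULL).
function add_news_prepared(mysqli $db, $title, $desc)
{
    $stmt = $db->prepare("INSERT INTO `news` (`title`, `desc`) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("ss", $title, $desc);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```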