html interface

Posted: Mon Dec 17, 2007 3:46 am
by seriousdamage
Hi,
I have the below code which I will use to add a record into a database.
Could someone help me to create an html interface where I have a field to add the record and a submit button to process the form?

Code:

<?PHP

$user_name = "root";
$password = "";
$database = "addressbook";
$server = "127.0.0.1";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

    $SQL = "INSERT INTO tb_address_book (First_Name, Surname, Address) VALUES ('bill', 'gates', 'Microsoft')";
    $result = mysql_query($SQL);

    mysql_close($db_handle);

    print "Records added to the database";
}
else {
    print "Database NOT Found ";
    mysql_close($db_handle);
}

?>

Posted: Mon Dec 17, 2007 4:09 am
by Inkyskin
This is assuming the name fields are varchar and the address field takes longtext or similar:

Code:

<?PHP

if(isset($_POST[action]) && $_POST[action] == 'Submit'){

  $user_name = "root";
  $password = "";
  $database = "addressbook";
  $server = "127.0.0.1";
  $db_handle = mysql_connect($server, $user_name, $password);
  $db_found = mysql_select_db($database, $db_handle);

  if ($db_found) {

    $SQL = "INSERT INTO tb_address_book (First_Name, Surname, Address) VALUES ('".$_POST[first_name]."', '".$_POST[last_name]."', '".$_POST[address]."')";
    $result = mysql_query($SQL);

    mysql_close($db_handle);

    print "Records added to the database";
  }
  else {
    print "Database NOT Found ";
    mysql_close($db_handle);
  }

}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>My Form</title>
</head>

<body>

<form name="address" action="" method="post">

  <input type="text" name="first_name" />
  <input type="text" name="last_name" />
  <textarea name="address"></textarea>
  <input type="submit" name="action" value="Submit" />

</form>

</body>
</html>

That should work; it's a form in its most basic form.

Posted: Mon Dec 17, 2007 7:57 am
by webspider
Inkyskin wrote: <form name="address" action="" method="post">
In the action attribute of the form tag, we are supposed to give a file name that will process the form. In this case

Code:

<form name="address" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

If no file name is given in the action attribute, it takes the current file for processing the form. So is there any difference between using blank or $_SERVER['PHP_SELF']?

Posted: Mon Dec 17, 2007 8:11 am
by Inkyskin
I'm not sure if there is a right way or not, but both ways would validate.

Posted: Mon Dec 17, 2007 9:32 am
by feyd
Never ever ever use PHP_SELF. It contains user input and can therefore also contain XSS. You can often use alternate actions like "#" instead with the same outcome and no XSS possibilities.

Posted: Mon Dec 17, 2007 9:52 am
by seriousdamage
Hi, I think I went way over my head in posting the above message,
it is already getting way too complicated for me.

I have posted a new message with different subject,
I really think I should start from the beginning with this :-)

Thanks a lot all for your help.

Regards
Nic

Posted: Mon Dec 17, 2007 10:06 am
by Mordred
Not

Code:

$_POST[first_name]

but

Code:

$_POST['first_name']

and actually in this case

Code:

mysql_real_escape_string($_POST['first_name'])
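
Added example, not code from any poster in this thread: the two points raised above (feyd's on PHP_SELF, Mordred's on quoting keys and escaping input) applied to the address-book form. Assumptions: PDO prepared statements are swapped in for mysql_real_escape_string, an in-memory SQLite database stands in for the MySQL addressbook database so the script runs offline, and open_db(), save_address() and form_action() are hypothetical helper names.

```php
<?php
// Added example. Assumptions: in-memory SQLite via PDO stands in for MySQL;
// open_db(), save_address() and form_action() are hypothetical names.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tb_address_book (First_Name TEXT, Surname TEXT, Address TEXT)');
    return $db;
}

// Placeholders keep user input out of the SQL text, so a quote inside a value
// cannot end the string literal the way it does in the concatenated query.
function save_address(PDO $db, array $post): bool {
    foreach (['first_name', 'last_name', 'address'] as $field) {
        // Quoted array keys; reject missing or non-string (array) values.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }
    $stmt = $db->prepare(
        'INSERT INTO tb_address_book (First_Name, Surname, Address) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$post['first_name'], $post['last_name'], $post['address']]);
}

// If the request path is echoed into the action attribute at all, encode it
// for an HTML attribute context first.
function form_action(string $self): string {
    return htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a surname containing a quote, an incomplete
// submission, and a request path carrying markup characters.
$db = open_db();
$post = ['first_name' => 'Conan', 'last_name' => "O'Brien", 'address' => '1 Main St'];
var_dump(save_address($db, $post));
var_dump($db->query('SELECT Surname FROM tb_address_book')->fetchColumn());
var_dump(save_address($db, ['first_name' => ['x']]));
echo form_action('/form.php/"><b>x'), "\n";
```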