
Noob PHP Help

Posted: Sat Mar 21, 2009 1:02 pm
by Foxy999
The database: ITEM; table: SELL
title (primary)
desc //description
name
email
image //not used
price //not used

This is my code to insert values into the db:

mysql_select_db("ITEM", $con);
mysql_query("INSERT INTO SELL (title, desc, name, email)
VALUES ('title', 'desc', 'name', 'email')");

Now, 'title' is an input field, with <input name="title" ..>, is this the correct way to do this? Also 'desc' is a textarea, where <textarea name="desc" ..> is the correct way to do this?

I also want to have this code run when a submit button is pressed, along with the mysql_connect, etc.

Please Help
Foxy

Re: Noob PHP Help

Posted: Sat Mar 21, 2009 1:06 pm
by Foxy999
I have now changed this code:

VALUES ('$_POST[title]', '$_POST[desc]', '$_POST[name]', '$_POST[email]')");

but I cannot test it because I need to know how to run a block of code on a button press.

Re: Noob PHP Help

Posted: Sat Mar 21, 2009 2:15 pm
by califdon

Re: Noob PHP Help

Posted: Sat Mar 21, 2009 2:31 pm
by Foxy999
I have gotten it to work, but I am now getting errors when I try to insert into a table. This is my code:

<?php
$con = mysql_connect("localhost", "yourcol1_default", "default");
if(!$con)
{
die('Cannot connect: ' .mysql_error());
}

mysql_select_db("yourcol1_ITEM", $con);
$sql = ("INSERT INTO SELL (title, desc, name, email)
VALUES ('$_POST[title]','$_POST[desc]','$_POST[name]','$_POST[email]')");

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";

mysql_close($con);

?>

And I get this error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc,name,email) VALUES ('x','x','x','x')' at line 1

And the html code:

<form method="post" action="tmp.php">
Title:<input type="text" name="title" maxlength="50" size="50"/>

Description:<input type="text" name="desc" maxlength="100" size="50" />

Name:<input type="text" name="name" maxlength="50" size="50" />

Email:<input type="text" name="email" maxlength="70" size="50" />

<p align="center">&nbsp;</p>
<p align="center">
<input type="submit" name="sell_submit" id="sell_submit" value="Next ->" />
</p>
</form>

I don't know what I am doing wrong, everything looks right.

Re: Noob PHP Help

Posted: Sat Mar 21, 2009 3:22 pm
by califdon
Change this line:

die('Error: ' . mysql_error());

to this:

die(mysql_error()."<br>$sql");

I don't see any syntax error in what you posted, but possibly you copied something wrong. Printing out the exact SQL statement when there's an error will often save you a lot of time debugging.

Re: Noob PHP Help

Posted: Sat Mar 21, 2009 3:34 pm
by Foxy999
I am still getting the same error, and with the new code it says:

INSERT INTO SELL (title, desc, name, email) VALUES ('x','x','x','x')

Which is right, and I tried the same query with phpmyadmin and I get the same errors. I think the problem resides in my database. Attached is a picture of my database in phpmyadmin.

Please help


Foxyy

Re: Noob PHP Help

Posted: Sat Mar 21, 2009 6:23 pm
by califdon
Would you please show your exact SQL statement? The error you are receiving says that it is a syntax error, so that's the place to start.

Probably not a factor in this problem, but your use of TEXT data type for such fields is highly questionable. That data type is intended for storing extremely large text strings in a field. Ordinarily, anything that's not going to be longer than 255 characters should be a VARCHAR(n) data type. Also, you don't have a primary key designated, which is also not recommended.

Re: Noob PHP Help

Posted: Sat Mar 21, 2009 11:41 pm
by Foxy999
This is it:

INSERT INTO SELL (title, desc, name, email) VALUES ('x','x','x','x')

I'm not sure what else you want. Also I have messed around with the types and made them VARCHAR but it didn't solve the problem.

Re: Noob PHP Help

Posted: Sun Mar 22, 2009 4:03 am
by JAB Creations
Since you're using phpMyAdmin why not do a manual INSERT?

Then compare the MySQL statement phpMyAdmin gives you to the one you're using.

Granted, I think the MySQL statements phpMyAdmin generates have some unnecessary/excessive code, but removing other people's code and getting a minimum test case will help you zero in on how you should write/fix the query you're having trouble with. :)

Re: Noob PHP Help

Posted: Sun Mar 22, 2009 4:21 am
by php_east

$sql = ("INSERT INTO SELL (`title`, `desc`, `name`, `email`)
VALUES ('$_POST[title]','$_POST[desc]','$_POST[name]','$_POST[email]')");
 

Re: Noob PHP Help

Posted: Sun Mar 22, 2009 10:35 am
by Foxy999
Foxy999 wrote: This is it:

INSERT INTO SELL (title, desc, name, email) VALUES ('x','x','x','x')

I'm not sure what else you want. Also I have messed around with the types and made them VARCHAR but it didn't solve the problem.

If you read you will see that I did try that in phpmyadmin.

Re: Noob PHP Help

Posted: Sun Mar 22, 2009 10:40 am
by Foxy999
php_east wrote:

$sql = ("INSERT INTO SELL (`title`, `desc`, `name`, `email`)
VALUES ('$_POST[title]','$_POST[desc]','$_POST[name]','$_POST[email]')");
 

Thank you so much!

Re: Noob PHP Help

Posted: Mon Mar 23, 2009 4:32 pm
by JAB Creations
WHOA HOLD ON THERE!

DO NOT DIRECTLY PUT $_POST or any other user-generated data directly into the database!

That leaves you open to SQL injection attacks!

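<?php
// Escape each value for use inside a quoted SQL string (needs an open mysql_connect() link).
$title = mysql_real_escape_string($_POST['title']);
$desc = mysql_real_escape_string($_POST['desc']);
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);

// `desc` is a MySQL reserved word, so the column names stay backtick-quoted.
$sql = ("INSERT INTO SELL (`title`, `desc`, `name`, `email`) VALUES ('$title','$desc','$name','$email')");
?>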
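
An added example, not part of the original thread: the same INSERT written with PDO bound parameters, which goes one step beyond the escaping shown above and keeps working on PHP 7+, where the mysql_* functions no longer exist. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, and `insertItem()`, `LIMITS` and the sample values are hypothetical names and data made up for this illustration.

```php
<?php
// Added example, not code from the thread. Assumption: in-memory SQLite stands in
// for MySQL so this runs offline; with a "mysql:" DSN the prepare()/execute()
// calls below are the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `desc` is a reserved word, so it is backtick-quoted as in php_east's fix.
$pdo->exec('CREATE TABLE SELL (`title` VARCHAR(50) PRIMARY KEY, `desc` VARCHAR(100),
            `name` VARCHAR(50), `email` VARCHAR(70))');

// Maximum lengths copied from the form's maxlength attributes.
const LIMITS = ['title' => 50, 'desc' => 100, 'name' => 50, 'email' => 70];

function insertItem(PDO $pdo, array $post): void
{
    $row = [];
    foreach (LIMITS as $field => $max) {
        $value = $post[$field] ?? null;
        // maxlength is only enforced by the browser, so check it again server-side.
        if (!is_string($value) || $value === '' || strlen($value) > $max) {
            throw new InvalidArgumentException("invalid value for $field");
        }
        $row[":$field"] = $value;
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO SELL (`title`, `desc`, `name`, `email`)
                           VALUES (:title, :desc, :name, :email)');
    $stmt->execute($row);
}

// Constructed sample input standing in for $_POST. The apostrophes would end the
// quoted string early if the values were interpolated into the query unescaped.
$samplePost = [
    'title' => "Kid's bike",
    'desc'  => "Frame is 5' long, it's barely used",
    'name'  => "O'Brien",
    'email' => 'seller@example.com',
];
insertItem($pdo, $samplePost);

// Read the row back: the apostrophes were stored as plain data.
$stored = $pdo->query('SELECT `desc`, `name` FROM SELL')->fetch(PDO::FETCH_ASSOC);
var_dump($stored === ['desc' => $samplePost['desc'], 'name' => $samplePost['name']]);
echo $pdo->query('SELECT COUNT(*) FROM SELL')->fetchColumn(), " row(s) in SELL\n";
```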