Inserting into mySQL database using a form

efriese
Forum Newbie
Posts: 9
Joined: Sun Feb 08, 2004 10:25 pm
Location: Auburn, AL

Post by efriese »

I'm trying to use a simple form to add information to a mySQL database. I can't see what is wrong with my code. I can hit submit and it seems to work, but when I log in to the mySQL server and use select event from report, it says that it is empty. Here's the code, any help would be much appreciated!

Code: Select all

<?php
$event = addslashes($event);
$date = addslashes($date);
$sponsor = addslashes($sponsor);
$cosponsor = addslashes($cosponsor);
$type = addslashes($type);
$attendance = addslashes($attendance);
$advisor = addslashes($advisor);
$evaluation = addslashes($evaluation);
$recommendation = addslashes($recommendations);

@ $db = mysql_pconnect("server", "database", "pw");
if (!$db)
{
	echo "Error: Could connect to database";
	exit;
}

mysql_select_db("database");
$query = "insert into 'reports' ('event', 'date', 'sponsor', 'cosponsor', 'type', 'attendance', 'advisor', 'evaluation', 'recommendation') values
('{$_POST['event']}', '{$_POST['date']}', '{$_POST['sponsor']}', '{$_POST['cosponsor']}', '{$_POST['type']}', '{$_POST['attendance']}', '{$_POST['advisor']}', '{$_POST['evaluation']}', '{$_POST['recommendations']}')";
		
?>
Michael 01
Forum Commoner
Posts: 87
Joined: Wed Feb 04, 2004 12:26 am

Post by Michael 01 »

You have already defined the variables through this method:

Code: Select all

$event = addslashes($event); 
$date = addslashes($date); 
$sponsor = addslashes($sponsor); 
$cosponsor = addslashes($cosponsor); 
$type = addslashes($type); 
$attendance = addslashes($attendance); 
$advisor = addslashes($advisor); 
$evaluation = addslashes($evaluation); 
$recommendation = addslashes($recommendations);
So, use those above, and not what is listed here in ex. A:

EX.A

Code: Select all

('{$_POST['event']}', '{$_POST['date']}', '{$_POST['sponsor']}', '{$_POST['cosponsor']}', '{$_POST['type']}', '{$_POST['attendance']}', '{$_POST['advisor']}', '{$_POST['evaluation']}', '{$_POST['recommendations']}')";

Why? You have already defined the variables with addslashes (should have also added striptags there too..), and now with the above mentioned EX.A you are basically going back, and allowing the variables to be without any editing via stripslashes/striptags (very dangerous). That, and the variables are already defined, so again, you are redefining them.

Your Insert text Should be:

Code: Select all

$query = "INSERT INTO reports('event', 'date', 'sponsor', 'cosponsor', 'type', 'attendance', 'advisor', 'evaluation', 'recommendation') values('$event','$date','$sponsor','$cosponsor','$type','$attendance','$advisor','$evaluation','$recommendations')";
efriese
Forum Newbie
Posts: 9
Joined: Sun Feb 08, 2004 10:25 pm
Location: Auburn, AL

Post by efriese »

A book that I have said to do the stripping first, but maybe I misunderstood. I made the corrections that you suggested and it still did not fix my problem. Any other ideas? Thanks for your help.
Michael 01
Forum Commoner
Posts: 87
Joined: Wed Feb 04, 2004 12:26 am

Post by Michael 01 »

Add this to your above code:

Code: Select all

$event = htmlspecialchars(addslashes($event)); 
$date = htmlspecialchars(addslashes($date)); 
$sponsor = htmlspecialchars(addslashes($sponsor)); 
$cosponsor = htmlspecialchars(addslashes($cosponsor));  
$type = htmlspecialchars(addslashes($type));  
$attendance = htmlspecialchars(addslashes($attendance));  
$advisor = htmlspecialchars(addslashes($advisor)); 
$evaluation = htmlspecialchars(addslashes($evaluation)); 
$recommendation = htmlspecialchars(addslashes($recommendation));
Never allow a person to add slashes or HTML to your DB. :)
Last edited by Michael 01 on Sun Feb 08, 2004 11:49 pm, edited 1 time in total.
Michael 01
Forum Commoner
Posts: 87
Joined: Wed Feb 04, 2004 12:26 am

Post by Michael 01 »

Another thing is that you are using pconnect in your MySQL statement. If you are not set up for persistent connections, you have to just simply use:

mysql_connect
Michael 01
Forum Commoner
Posts: 87
Joined: Wed Feb 04, 2004 12:26 am

Post by Michael 01 »

That was my screw up. Now try that code above. addslashes are supposed to be used, and not stripslashes.
Michael 01
Forum Commoner
Posts: 87
Joined: Wed Feb 04, 2004 12:26 am

Post by Michael 01 »

Also, do you have magic quotes on?
efriese
Forum Newbie
Posts: 9
Joined: Sun Feb 08, 2004 10:25 pm
Location: Auburn, AL

Post by efriese »

I did not turn magic quotes on because I've always been told that they can be trouble. I'm not sure if the server default is for them to be on, but I do not have access to the php.ini file or the .htaccess file.

Thank you for the suggestions. I made the changes....but I am still not getting anything in my database! I know I am connecting to the database because I'm not getting an error message. Any other ideas? The help is much appreciated.
Michael 01
Forum Commoner
Posts: 87
Joined: Wed Feb 04, 2004 12:26 am

Post by Michael 01 »

Do an echo or print statement, then a die or exit command before the DB code, just to see if your variables are even being passed through the form or not. :)
oldtimer
Forum Contributor
Posts: 204
Joined: Sun Nov 03, 2002 8:21 pm
Location: Washington State

Post by oldtimer »

Every time I have a problem entering something that is what I do. echo "$whatever<BR>"; Then I see what is passing along. It has bailed my butt out several times.
efriese
Forum Newbie
Posts: 9
Joined: Sun Feb 08, 2004 10:25 pm
Location: Auburn, AL

Post by efriese »

All the variables are being passed, I checked that first! Hmmm...I don't think it is connecting properly, but I am not getting an error. This is really starting to bug me...
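
Added example, not part of any post in this thread: the script in the first post builds $query but never sends it to the server, and it wraps the table and column names in single quotes, which MySQL reads as string literals. The code below runs the same INSERT through a PDO prepared statement with errors raised as exceptions; the in-memory SQLite DSN is an assumption made so it runs without a server, and insert_report and REPORT_COLUMNS are hypothetical names.

```php
<?php
// Added example, not code from the thread. Table and column names are the
// ones in the original post; the in-memory SQLite DSN is a stand-in so the
// script runs without a server (for MySQL use "mysql:host=...;dbname=...").

const REPORT_COLUMNS = ['event', 'date', 'sponsor', 'cosponsor', 'type',
                        'attendance', 'advisor', 'evaluation', 'recommendation'];

function insert_report(PDO $pdo, array $post): int
{
    // Column names come from the fixed list above, never from the request.
    $cols  = implode(', ', REPORT_COLUMNS);
    $marks = implode(', ', array_map(fn($c) => ":$c", REPORT_COLUMNS));
    $stmt  = $pdo->prepare("INSERT INTO reports ($cols) VALUES ($marks)");

    $params = [];
    foreach (REPORT_COLUMNS as $col) {
        // The form field is "recommendations"; the column is "recommendation".
        $field = $col === 'recommendation' ? 'recommendations' : $col;
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing form field: $field");
        }
        $params[":$col"] = $post[$field];   // stored raw, bound as data
    }
    $stmt->execute($params);                // the step that actually runs the INSERT
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
// A failed prepare/execute throws instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE reports (' . implode(' TEXT, ', REPORT_COLUMNS) . ' TEXT)');

// Constructed form input with a quote and markup in it.
$post = array_fill_keys(REPORT_COLUMNS, 'n/a');
unset($post['recommendation']);
$post['recommendations'] = 'none';
$post['event'] = "O'Brien's <b>Spring</b> Social";

echo insert_report($pdo, $post), " row inserted\n";
$stored = $pdo->query('SELECT event FROM reports')->fetchColumn();
// Escape for HTML when displaying the value, not when storing it.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```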