Inserting into MySQL database using a form
Posted: Sun Feb 08, 2004 10:25 pm
by efriese
I'm trying to use a simple form to add information to a MySQL database. I can't see what is wrong with my code. I can hit submit and it seems to work, but when I log in to the MySQL server and use select event from report, it says that it is empty. Here's the code, any help would be much appreciated!
Code:
<?php
$event = addslashes($event);
$date = addslashes($date);
$sponsor = addslashes($sponsor);
$cosponsor = addslashes($cosponsor);
$type = addslashes($type);
$attendance = addslashes($attendance);
$advisor = addslashes($advisor);
$evaluation = addslashes($evaluation);
$recommendation = addslashes($recommendations);
@ $db = mysql_pconnect("server", "database", "pw");
if (!$db)
{
echo "Error: Could connect to database";
exit;
}
mysql_select_db("database");
$query = "insert into 'reports' ('event', 'date', 'sponsor', 'cosponsor', 'type', 'attendance', 'advisor', 'evaluation', 'recommendation') values
('{$_POST['event']}', '{$_POST['date']}', '{$_POST['sponsor']}', '{$_POST['cosponsor']}', '{$_POST['type']}', '{$_POST['attendance']}', '{$_POST['advisor']}', '{$_POST['evaluation']}', '{$_POST['recommendations']}')";
?>
Posted: Sun Feb 08, 2004 11:14 pm
by Michael 01
You have already defined the variables through this method:
Code:
$event = addslashes($event);
$date = addslashes($date);
$sponsor = addslashes($sponsor);
$cosponsor = addslashes($cosponsor);
$type = addslashes($type);
$attendance = addslashes($attendance);
$advisor = addslashes($advisor);
$evaluation = addslashes($evaluation);
$recommendation = addslashes($recommendations);
So, use those above, and not what is listed here in ex. A:
EX.A
Code:
('{$_POST['event']}', '{$_POST['date']}', '{$_POST['sponsor']}', '{$_POST['cosponsor']}', '{$_POST['type']}', '{$_POST['attendance']}', '{$_POST['advisor']}', '{$_POST['evaluation']}', '{$_POST['recommendations']}')";
Why? You have already defined the variables with addslashes (should have also added strip_tags there too...), and now with the above-mentioned EX.A you are basically going back and allowing the variables to be without any editing via stripslashes/strip_tags (very dangerous). That, and the variables are already defined, so again, you are redefining them.
Your insert text should be:
Code:
$query = "INSERT INTO reports (`event`, `date`, `sponsor`, `cosponsor`, `type`, `attendance`, `advisor`, `evaluation`, `recommendation`) VALUES ('$event', '$date', '$sponsor', '$cosponsor', '$type', '$attendance', '$advisor', '$evaluation', '$recommendation')";
Posted: Sun Feb 08, 2004 11:31 pm
by efriese
A book that I have said to do the stripping first, but maybe I misunderstood. I made the corrections that you suggested and it still did not fix my problem. Any other ideas? Thanks for your help.
Posted: Sun Feb 08, 2004 11:41 pm
by Michael 01
Add this to your above code:
Code:
$event = htmlspecialchars(addslashes($event));
$date = htmlspecialchars(addslashes($date));
$sponsor = htmlspecialchars(addslashes($sponsor));
$cosponsor = htmlspecialchars(addslashes($cosponsor));
$type = htmlspecialchars(addslashes($type));
$attendance = htmlspecialchars(addslashes($attendance));
$advisor = htmlspecialchars(addslashes($advisor));
$evaluation = htmlspecialchars(addslashes($evaluation));
$recommendation = htmlspecialchars(addslashes($recommendation));
Never allow a person to add slashes or HTML to your DB.

Posted: Sun Feb 08, 2004 11:47 pm
by Michael 01
Another thing is that you are using pconnect in your MySQL statement. If you are not set up for persistent connections, you have to just simply use:
mysql_connect
Posted: Sun Feb 08, 2004 11:49 pm
by Michael 01
That was my screw up. Now try that code above. addslashes are supposed to be used, and not stripslashes.
Posted: Sun Feb 08, 2004 11:50 pm
by Michael 01
Also, do you have magic quotes on?
Posted: Mon Feb 09, 2004 9:36 am
by efriese
I did not turn magic quotes on because I've always been told that they can be trouble. I'm not sure if the server default is for them to be on, but I do not have access to the php.ini file or the .htaccess file.
Thank you for the suggestions. I made the changes....but I am still not getting anything in my database! I know I am connecting to the database because I'm not getting an error message. Any other ideas? The help is much appreciated.
Posted: Mon Feb 09, 2004 6:44 pm
by Michael 01
Do an echo or print statement, then a die or exit command before the DB code, just to see if your variables are even being passed through the form or not.

Posted: Tue Feb 10, 2004 12:09 am
by oldtimer
Every time I have a problem entering something that is what I do. echo "$whatever<BR>"; Then I see what is passing along. It has bailed my butt out several times.
Posted: Tue Feb 10, 2004 1:41 am
by efriese
All the variables are being passed, I checked that first! Hmmm...I don't think it is connecting properly, but I am not getting an error. This is really starting to bug me...
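Added example, not code from any poster in this thread: the script as first posted assigns $query and then ends without ever sending it to the server, and its table and column names are wrapped in single quotes, which MySQL reads as string literals rather than identifiers. The sketch below runs the same insert with bound parameters and with errors surfaced instead of suppressed. It assumes the PDO extension, and it uses an in-memory SQLite database and a constructed sample submission in place of the MySQL server and $_POST so that it runs offline.

```php
<?php
// Added example (not code from the thread). Assumptions: the PDO extension is
// available; an in-memory SQLite database stands in for the MySQL server so the
// script runs offline. For MySQL only the DSN changes, e.g.
// new PDO('mysql:host=HOST;dbname=DBNAME;charset=utf8mb4', 'USER', 'PASSWORD').

$fields = ['event', 'date', 'sponsor', 'cosponsor', 'type', 'attendance',
           'advisor', 'evaluation', 'recommendation'];

// Constructed sample submission standing in for $_POST.
$post = [
    'event' => "Dean's <b>Welcome</b> Dinner", 'date' => '2004-02-08',
    'sponsor' => 'Student Council', 'cosponsor' => '', 'type' => 'social',
    'attendance' => '120', 'advisor' => "O'Brien", 'evaluation' => 'Went well',
    'recommendations' => 'Repeat next year',  // the form field name is plural
];

$db = new PDO('sqlite::memory:');
// Make every failure throw instead of being hidden, unlike the "@" operator.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reports (' . implode(' TEXT, ', $fields) . ' TEXT)');

// Column names are bare identifiers (MySQL also accepts backticks); single
// quotes would turn them into string literals. Values are placeholders, so
// no addslashes() is involved.
$sql = 'INSERT INTO reports (' . implode(', ', $fields) . ') VALUES (:'
     . implode(', :', $fields) . ')';
$stmt = $db->prepare($sql);

$params = [];
foreach ($fields as $f) {
    $key = ($f === 'recommendation') ? 'recommendations' : $f;
    $params[":$f"] = isset($post[$key]) ? (string) $post[$key] : '';
}
// Building the SQL string stores nothing; execute() is what sends it.
$stmt->execute($params);

echo 'Rows in reports: ', $db->query('SELECT COUNT(*) FROM reports')->fetchColumn(), "\n";

// The value is stored exactly as typed; HTML-escape it when it is printed.
$row = $db->query('SELECT event, advisor FROM reports')->fetch(PDO::FETCH_ASSOC);
echo 'Stored:  ', $row['event'], ' / ', $row['advisor'], "\n";
echo 'As HTML: ', htmlspecialchars($row['event'], ENT_QUOTES, 'UTF-8'), "\n";
```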