
Confused in POST method

Posted: Fri Jul 11, 2008 9:45 am
by yoursanjay
I am a fresher in PHP and I have written a script to enter user data into a database, but it is not working and no error message is shown. It may be because I am using the POST method wrongly, but I am confused and can't find the error. Please assist me in solving it.

 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Adding data to the database</title>
</head>
 
<body>
<?php
 
 
 
if (isset($_POST[$user_name]) && isset($_POST[$password]) && isset($_POST[$prefix]) && isset($_POST[$first_name]) && isset($_POST[$last_name]) && isset($_POST[$email]) && isset($_POST[$address1]) && isset($_POST[$address2]) && isset($_POST[$city]) && isset($_POST[$state]) && isset($_POST[$code]) && isset($_POST[$country]) && isset($_POST[$phone]))
{
$dberror="";
$ret=add_to_database($_POST[$user_name],$_POST[$password],$_POST[$prefix],$_POST[$first_name],$_POST[$last_name],$_POST[$email],$_POST[$address1],$_POST[$address2],$_POST[$city],$_POST[$state],$_POST[$code],$_POST[$country],$_POST[$phone],$_POST[$dberror]);
 
if(!$ret)
{
print "Error:$dberror
\n";
}
else
{
print "Thank you very much!!";
}
}
else
{
write_form();
}
 
function add_to_database($user_name,$password,$prefix,$first_name,$last_name,$email,$address1,$address2,$city,$state,$code,$country,$phone,&$dberror)
{
/* $user_name=mysql_real_escape_string($user_name);
$password=mysql_real_escape_string($password);
$prefix=mysql_real_escape_string($prefix) ;
$first_name=mysql_real_escape_string($first_name);
$last_name=mysql_real_escape_string($last_name);
$email=mysql_real_escape_string($email);
$address1=mysql_real_escape_string($address1);
$address2=mysql_real_escape_string($address2);
$city=mysql_real_escape_string($city);
$state=mysql_real_escape_string($state);
$code=mysql_real_escape_string($code);
$country=mysql_real_escape_string($country);
$phone=mysql_real_escape_string($phone);
*/
 
$database="bluebell";
$username="root";
$password="";
 
$connect=mysql_pconnect("localhost",$username,$password);
if(!$connect)
{
$dberror="Couldn't connect to the MySql Server..";
return false;
}
 
if(!mysql_select_db($database,$connect))
{
$dberror=mysql_error();
return false;
}
 
$query="INSERT INTO user (user_name,password,prefix,first_name,last_name,email,address1,address2,city,state,code,country,phone) values ('$_POST[$user_name]','$_POST[$password]','$_POST[$prefix]','$_POST[$first_name]','$_POST[$last_name]','$_POST[$email]','$_POST[$address1]','$_POST[$address2]','$_POST[$city]','$_POST[$state]','$_POST[$code]','$_POST[$country]','$_POST[$phone]')";
 
if(!mysql_query($query,$connect))
{
$dberror=mysql_error();
return false;
}
return true;
}
 
function write_form()
{
global $PHP_SELF;
print "<form action=\"$PHP_SELF\" method=\"post\"> \n";
 
print "<input type='text' name='user_name'>Your User Name:\n";
print "<p><input type='password' name='password'>Your Password:</p>";
print "<p><select name='prefix'>";
print "<option value='Mr.'>Mr</option>";
print "<option value='Mrs.'>mrs</option>";
print "<option value='Dr.'>Dr</option>";
print "</select></p>";
print "<p><input type='text' name='first_name'>Your First Name:</p>";
print "<p><input type='text' name='last_name'>Your Last Name:</p>";
print "<p><input type='text' name='email'>Your Email Id:</p>";
print "<p><input type='text' name='address1'>Your Address Line1:</p>";
print "<p><input type='text' name='address2'>Your Address Line2:</p>";
print "<p><input type='text' name='city'>Your City:</p>";
print "<p><input type='text' name='state'>Your State:</p>";
print "<p><input type='text' name='code'>Your Postal Code:</p>";
print "<p><input type='text' name='country'>Your Country:</p>";
print "<p><input type='text' name='phone'>Your Phone Number:</p>";
 
print "<p><input type='submit' value='Submit'></p></form>";
 
 
}
?>
</body>
</html>
 

Re: Confused in POST method

Posted: Fri Jul 11, 2008 9:53 am
by tecktalkcm0391
You need to echo out the database error, because I didn't see where it could be displayed:

I am not sure if this may work, but it's what I always do... Keep the variables out of "..." like this...

 
$query="INSERT INTO user (user_name,pass, ... values ('".$_POST[$user_name]."','".$_POST[$password]."', ...  )";
 

Re: Confused in POST method

Posted: Fri Jul 11, 2008 10:34 am
by Apollo
1. You need to use $_POST['user_name'], not $_POST[$user_name]. $_POST is an associative array and 'user_name' is a key in this array. Please make sure you understand the difference, $user_name by itself is an empty variable, so $_POST[$user_name] would evaluate to $_POST[''] which doesn't exist.

2. You have commented the mysql_real_escape_string'ing of the arguments, that's a pretty bad idea. You are currently putting POST arguments (i.e. user input) directly in SQL queries, which is extremely vulnerable.

3. As for the error message: instead of passing $dberror to your db function (to store any error messages), you're using $_POST[$dberror]..?? (why?)
Besides the same error as above ($_POST[$dberror] = $_POST[''] = doesn't exist), you shouldn't use $_POST variable at all here. Just use $dberror as function argument, $_POST contains the stuff that comes from your form, the $dberror variable has nothing to do with that.
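
The three points in the reply above (string keys for $_POST, keeping user input out of the SQL text, and passing $dberror as a plain by-reference variable), put together as an added example that is not code from this thread. It swaps mysql_real_escape_string for PDO prepared statements, because the mysql_* extension was removed in PHP 7.0; the in-memory SQLite database, the read_form() helper, the password_hash() call and the sample input are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Field names come from the posted form.
const FIELDS = ['user_name', 'password', 'prefix', 'first_name', 'last_name', 'email',
                'address1', 'address2', 'city', 'state', 'code', 'country', 'phone'];

// Hypothetical helper: returns the submitted values keyed by field name, or null if any is missing.
function read_form(array $post): ?array
{
    $row = [];
    foreach (FIELDS as $name) {
        // $name holds a string key such as 'user_name'; an unset $user_name would look up ''.
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null;
        }
        $row[$name] = $post[$name];
    }
    return $row;
}

function add_to_database(PDO $db, array $row, string &$dberror): bool
{
    // Placeholders keep user input out of the SQL text; column names come only from FIELDS.
    $sql = 'INSERT INTO user (' . implode(',', FIELDS) . ') VALUES (:' . implode(',:', FIELDS) . ')';
    try {
        // Store a hash rather than the submitted password (an addition to the thread's code).
        $row['password'] = password_hash($row['password'], PASSWORD_DEFAULT);
        $db->prepare($sql)->execute($row);
        return true;
    } catch (PDOException $e) {
        $dberror = $e->getMessage();   // plain by-reference variable, not $_POST[...]
        return false;
    }
}

// Assumption: in-memory SQLite stands in for the thread's MySQL database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (' . implode(' TEXT,', FIELDS) . ' TEXT)');

// Constructed input standing in for $_POST; the quote in last_name would break the original query.
$post = array_fill_keys(FIELDS, 'x');
$post['last_name'] = "O'Brien";
$dberror = '';
$row = read_form($post);
if ($row !== null && add_to_database($db, $row, $dberror)) {
    echo 'Stored: ', $db->query('SELECT last_name FROM user')->fetchColumn(), "\n";
} else {
    echo 'Error: ', $dberror === '' ? 'missing form field' : $dberror, "\n";
}
```

Against MySQL only the PDO connection string and credentials change; the statement and bound parameters stay the same.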

Re: Confused in POST method

Posted: Fri Jul 11, 2008 11:41 am
by tecktalkcm0391
Apollo wrote:
1. You need to use $_POST['user_name'], not $_POST[$user_name]. $_POST is an associative array and 'user_name' is a key in this array. Please make sure you understand the difference, $user_name by itself is an empty variable, so $_POST[$user_name] would evaluate to $_POST[''] which doesn't exist.

2. You have commented the mysql_real_escape_string'ing of the arguments, that's a pretty bad idea. You are currently putting POST arguments (i.e. user input) directly in SQL queries, which is extremely vulnerable.

3. As for the error message: instead of passing $dberror to your db function (to store any error messages), you're using $_POST[$dberror]..?? (why?)
Besides the same error as above ($_POST[$dberror] = $_POST[''] = doesn't exist), you shouldn't use $_POST variable at all here. Just use $dberror as function argument, $_POST contains the stuff that comes from your form, the $dberror variable has nothing to do with that.
Wow... I missed a lot :?