Variables not inserted in to MySQL database with $_POST

mr_nabo

Dear all,

Excuse the length of my code, but thought I'd post it all first time so you can see what I'm trying to do. I'm sure there are a few errors with my script below, but I'm new to php and trying to follow various threads of advice to compile a username/password interface to accept a wedding invitation and leave comments. I've left the password field in there just to check it's been put in to the database.

First off, the isset() function doesn't seem to be preventing users from just clicking submit without entering something in to the form fields - am I using the isset() function correctly as well?

Secondly, apart from the ID number that is on autoincrement, nothing is inserted in to the database so I guess something in my form is returning 'true' regardless and allowing the script to go ahead.

Anyone offer any advice on how to get this script working?

Many thanks

<body>

<p>This is the update page</p>

<?php require_once('dbconnect.php'); ?>

<!-- FORM -->

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" />
 ID<br />
 <input type="text" name="id" /><br />
 First Name<br />
 <input type="text" name="first_name" /><br />
 Surname<br />
 <input type="text" name="surname" /><br />
 Password<br />
 <input type="text" name="password" /><br />
 <input type="radio" name="attending" value="yes" checked />Yes I'm attending<br />
 <input type="radio" name="attending" value="no" />No I'm not attending<br />
 Comments<br />
 <textarea name="comments" cols=40 rows=6></textarea><br />
 <input type="submit" value="Submit" />
</form>

<!-- MySQL UPDATE -->

<?php 

// Select the Database

if (!@mysql_select_db('wedding')) {
	exit('<p>Can\'t select the WEDDING database</p>');

}

// Add to the database

if (isset($_POST['id']) AND
   isset($_POST['first_name']) AND
   isset($_POST['surname']) AND	 
   isset($_POST['password']) AND
   isset($_POST['accepted']) AND
   isset($_POST['comments']))

{

	 $id = $_POST['id'];
	 $id = $_POST['first_name'];
	 $id = $_POST['surname'];
	 $id = $_POST['password'];
	 $id = $_POST['accepted'];
	 $id = $_POST['comments'];

	 $sql = "INSERT INTO people SET
	 id='$id',
	 first_name='$first_name',
	 surname='$surname',
	 password='$password',
	 accepted='$accepted',
	 comments='$comments',
	 last_modified=CURDATE()";

if (@mysql_query($sql)) {

	echo '<p>Details added!</p>';

} else {

	echo '<p>Error updating PEOPLE table' . mysql_error() . '</p>';

}

}


?>


<p><strong>Here's the data for database WEDDING and table PEOPLE</strong></p>


<!-- DATABASE ENTRIES -->

<?php

// This is where you see the database results
$result = @mysql_query('SELECT * FROM people');

if (!$result) {

exit('<p>Error with query: ' . mysql_error() . '</p>');

}

echo '<table><tr><th>ID</th><th>First Name</th><th>Surname</th><th>Password</th><th style="color:red">Attending wedding?</th><th>Comments</th><th>Last Modified</th></tr><tr>';

while ($row = mysql_fetch_array($result)){

echo '<td>' . $row['id'] . '</td>';
echo '<td>' . $row['first_name'] . '</td>';
echo '<td>' . $row['surname'] . '</td>';
echo '<td>' . $row['password'] . '</td>';

if (!$row['accepted'] == No) {

// Colour 'yes' as red
	echo '<td style="color:red">' . $row['accepted'] . '</td>';

} else {

// Colour 'no' as blue
	echo '<td style="color:blue">' . $row['accepted'] . '</td>';

}

echo '<td>' . $row['comments'] . '</td>';
echo '<td>' . $row['last_modified'] . '</td></tr>';

}
	echo '</tr></table></p>';

?>

</body>

wilku

isset won't prevent empty varibles. As long as the varible is set it will return true even if, such as in your case, the varible is empty (contains an empty string).
You have to use other validation routines - for simple exists/not exists you can use [man]strlen[/man].
Secondly, you're assigning all POST varibles to $id. Why? You use separate varibles when building the query, but they are not defined.
Don't use $_POST (or other user-supplied varibles) without sanitation in sql query. Read on sql injection for more information. Try [man]mysql_real_escape_string[/man]

mr_nabo

Thanks for the reply wilku,

I realised I set the variables all as $id afterwards, what I dummy I am. Here's my revised code with your suggestion to put mysql_real_escape_string in there. Are there any other security holes I should know about?

Thanks for your time, it's really appreciated

(Form to input data as before here)

<?php 

// Check that something has been put in to the form fields

if (!$_POST['first_name'] || !$_POST['surname']) {

exit('<p>Forgotten your name? Go back and enter it please</p>');

}

if (!$_POST['password']) {

exit('<p>Forgotten your password? Please go back and edit it</p>');

}


if (!$_POST['attending']) {

exit('<p>You didn\'t say if you\'re coming to the wedding or not!</p>');

} else {


// Select the Database

if (!@mysql_select_db('wedding')) {
	exit('<p>Can\'t select the WEDDING database</p>');

}


// Add information to the database and escape special characters

$id 		= mysql_real_escape_string($_POST['id']);
$first_name = mysql_real_escape_string($_POST['first_name']);
$surname 	= mysql_real_escape_string($_POST['surname']);
$password 	= mysql_real_escape_string($_POST['password']);
$attending	= mysql_real_escape_string($_POST['attending']);
$comments 	= mysql_real_escape_string($_POST['comments']);

$sql = "INSERT INTO people SET
		id='$id',
		first_name='$first_name',
		surname='$surname',
		password='$password',
		accepted='$attending',
		comments='$comments',
		last_modified=CURDATE()";

if (@mysql_query($sql)) {

	echo '<p>Details added!</p>';

} else {

	echo '<p>Error updating PEOPLE table' . mysql_error() . '</p>';

}

}

?>

(Then display output: yada yada yada)

wilku

You might think of storing your passwords as [man]md5[/man] hash instead of plain text. There won't be a possibility of reminding a user his password, but others won't be able to see the password (and that's good for security).
When you want to authenticate, compare md5 hash of user input and the one stored in the database.