[RESOLVED] PhP Posting to MySQL via Form

mramonster

I am posting information for a database via a form (and that's all working fine). However I keep getting errors when trying to post this to a database:

Undefined variable: POST in C:\website\eventdb.php on line 11 PHP
and several, several other errors

<?php
function setinclude(){
	$levels = substr_count($_SERVER['PHP_SELF'],'/');
	$root = '';
	for($i = 1; $i < $levels; $i++){$root .= '../';}   

	set_include_path($root);
}      

setinclude();

/**START
* GET POST
*/ 
$dash = "-";
$url_start = "http://www.motorcyclemonster.com/motorcycle-event/";
$url_end = ".php";

//Event Start Date
$e_start_y = $POST['e_start_y'];
$e_start_m = $POST['e_start_m'];
$e_start_m = $POST['e_start_d'];
$e_start_date = $e_start_y. $dash. $e_start_m. $dash. $e_start_d;

//Event End Date
$e_end_y = $POST['e_end_y'];
$e_end_m = $POST['e_end_m'];
$e_end_m = $POST['e_end_d'];
$e_end_date = $e_end_y. $dash. $e_end_m. $dash. $e_end_d;

//Event Phone Number
$e_phone_1a = $POST['e_phone_1a'];
$e_phone_1b = $POST['e_phone_1b'];
$e_phone_1c = $POST['e_phone_1c'];
$e_phone_1 = $e_phone_1a. $dash. $e_phone_1b. $dash. $e_phone_1c;

$e_phone_2a = $POST['e_phone_2a'];
$e_phone_2b = $POST['e_phone_2b'];
$e_phone_2c = $POST['e_phone_2c'];
$e_phone_2 = $e_phone_2a. $dash. $e_phone_2b. $dash. $e_phone_2c;

$e_phone_3a = $POST['e_phone_3a'];
$e_phone_3b = $POST['e_phone_3b'];
$e_phone_3c = $POST['e_phone_3c'];
$e_phone_3 = $e_phone_3a. $dash. $e_phone_3b. $dash. $e_phone_3c;

$e_fsx_1a = $POST['e_fax_1a'];
$e_fax_1b = $POST['e_fax_1b'];
$e_fax_1c = $POST['e_fax_1c'];
$e_fax_1 = $e_fax_1a. $dash. $e_fax_1b. $dash. $e_fax_1c;

//Event Information
$e_title = $_POST['e_title'];

$e_city = $_POST['e_city'];
$e_state = $_POST['e_state'];

$e_desc = $POST['e_desc'];

$e_site = $POST['e_site'];
$e_mail = $POST['e_mail'];
$e_contact = $POST['e_contact'];
$e_vendor = $POST['e_vendor'];
$e_bike_nite = $POST['e_bike_nite'];

//Event Bikes
$e_bike_cruiser = $POST['e_bike_cruiser'];
$e_bike_goldwing = $POST['e_bike_goldwing'];
$e_bike_bmw = $POST['e_bike_bmw'];
$e_bike_street = $POST['e_bike_street'];
$e_bike_dirt = $POST['e_bike_dirt'];

//Event Page URL
$e_file = $e_start_date. $dash. $e_title. $url_end;
$e_url = $url_start. $e_file;

echo "Event Grabbed!";
/**END
* GET POST
*/ 


/**START
* POST TO MYSQL
*/
mysql_connect("localhost", "mmevent", "35s64q72l") or die(mysql_error());
mysql_select_db("etest") or die(mysql_error());

// Insert a row of information into the table "events"
mysql_query("INSERT INTO events 
	(title, start_date, end_date, city, state, description, site, email, contact, phone1, phone2, phone3, fax, vendor, bike_nite, cruiser, goldwing, bmw, street, dirt, URL)
	VALUES(
	'$e_title', '$e_start_date', '$e_end_date', '$e_city', '$e_state', '$e_desc', '$e_site', '$e_mail', '$e_contact', '$e_phone_1', '$e_phone_2', '$e_phone_2', '$e_phone_3', '$e_fax_1', '$e_vendor', '$e_bike_nite', '$e_bike_cruiser', '$e_bike_goldwing', '$e_bike_bmw', '$e_bike_street', '$e_bike_dirt''$e_url' 
	) ") 
or die(mysql_error()); 
echo "Event $e_title Added!";
echo "<br />";
/**END
* POST TO MYSQL
*/

?>

woodeye

If you're getting that error on line 11, it seems as though PHP isn't seeing that comment as a comment. When I tried running it on my server, I'm not getting the error on 11. I get it on 18, but that's to be expected because I don't have the originating form.

Not sure if you're aware of it, but you could cut a lot of lines of code out if you use "extract($_POST);". It takes all the keys from an array and makes them variables, which it looks like you're doing one at a time.

I don't know if you're just testing at this point, so you don't have any checks in there, but you shouldn't trust data even if it's coming in on via POST. You should at least use something to remove special characters like mysql_real_escape_string or something like that.

If I were you though, I'd try removing the comment from line 11, and see if the code works, if it does, then there's your problem.

mramonster

I was able to fix the errors by changing the php.ini file.

And I fixed a few more stupid errors:

<?php
function setinclude(){
	$levels = substr_count($_SERVER['PHP_SELF'],'/');
	$root = '';
	for($i = 1; $i < $levels; $i++){$root .= '../';}   

	set_include_path($root);
}      

setinclude();

/**START
* GET POST
*/ 
$dash = "-";
$url_start = "http://www.motorcyclemonster.com/motorcycle-event/";
$url_end = ".php";

//Event Start Date
$e_start_y = $_POST['e_start_y'];
$e_start_m = $_POST['e_start_m'];
$e_start_d = $_POST['e_start_d'];
$e_start_date = $e_start_y. $dash. $e_start_m. $dash. $e_start_d;


//Event End Date
$e_end_y = $_POST['e_end_y'];
$e_end_m = $_POST['e_end_m'];
$e_end_d = $_POST['e_end_d'];
$e_end_date = $e_end_y. $dash. $e_end_m. $dash. $e_end_d;

//Event Phone Number
$e_phone_1a = $_POST['e_phone_1a'];
$e_phone_1b = $_POST['e_phone_1b'];
$e_phone_1c = $_POST['e_phone_1c'];
$e_phone_1 = $e_phone_1a. $dash. $e_phone_1b. $dash. $e_phone_1c;

$e_phone_2a = $_POST['e_phone_2a'];
$e_phone_2b = $_POST['e_phone_2b'];
$e_phone_2c = $_POST['e_phone_2c'];
$e_phone_2 = $e_phone_2a. $dash. $e_phone_2b. $dash. $e_phone_2c;

$e_phone_3a = $_POST['e_phone_3a'];
$e_phone_3b = $_POST['e_phone_3b'];
$e_phone_3c = $_POST['e_phone_3c'];
$e_phone_3 = $e_phone_3a. $dash. $e_phone_3b. $dash. $e_phone_3c;

$e_fsx_1a = $_POST['e_fax_1a'];
$e_fax_1b = $_POST['e_fax_1b'];
$e_fax_1c = $_POST['e_fax_1c'];
$e_fax_1 = $e_fax_1a. $dash. $e_fax_1b. $dash. $e_fax_1c;

//Event Information
$e_title = $_POST['e_title'];

$e_city = $_POST['e_city'];
$e_state = $_POST['e_state'];

$e_desc = $POST['e_desc'];

$e_site = $_POST['e_site'];
$e_mail = $_POST['e_mail'];
$e_contact = $_POST['e_contact'];
$e_vendor = $_POST['e_vendor'];
$e_bike_nite = $_POST['e_bike_nite'];

//Event Bikes
$e_bike_cruiser = $_POST['e_bike_cruiser'];
$e_bike_goldwing = $_POST['e_bike_goldwing'];
$e_bike_bmw = $_POST['e_bike_bmw'];
$e_bike_street = $_POST['e_bike_street'];
$e_bike_dirt = $_POST['e_bike_dirt'];

//Event Page URL
$e_file = $e_start_date. $dash. $e_title. $url_end;
$e_url = $url_start. $e_file;

echo "Event Grabbed!";
/**END
* GET POST
*/ 


/**START
* POST TO MYSQL
*/
mysql_connect("localhost", "mmevent", "35s64q72l") or die(mysql_error());
mysql_select_db("etest") or die(mysql_error());

// Insert a row of information into the table "events"
mysql_query("INSERT INTO events 
	(title, start_date, end_date, city, state, description, site, email, contact, phone1, phone2, phone3, fax, vendor, bike_nite, cruiser, goldwing, bmw, street, dirt, URL)
	VALUES(
	'$e_title', '$e_start_date', '$e_end_date', '$e_city', '$e_state', '$e_desc', '$e_site', '$e_mail', '$e_contact', '$e_phone_1', '$e_phone_2', '$e_phone_2', '$e_phone_3', '$e_fax_1', '$e_vendor', '$e_bike_nite', '$e_bike_cruiser', '$e_bike_goldwing', '$e_bike_bmw', '$e_bike_street', '$e_bike_dirt''$e_url' 
	) ") 
or die(mysql_error()); 
echo "Event $e_title Added!";
echo "<br />";
/**END
* POST TO MYSQL
*/


/**START
* Create PhP File
*/

/**END
* Create PhP File
*/


?>

Now I'm getting:

Data truncated for column 'bike_nite' at row 1

The values it enters is either 1 or 0 and I don't understand how this error could occur.

mramonster

woodeye;10878671 wrote:
Not sure if you're aware of it, but you could cut a lot of lines of code out if you use "extract($_POST);". It takes all the keys from an array and makes them variables, which it looks like you're doing one at a time.

So basically

extract($_POST);

does all of the:

$e_start_y = $_POST['e_start_y'];
$e_start_m = $_POST['e_start_m'];
$e_start_d = $_POST['e_start_d'];

and then I would have to do:

$e_start_date = $e_start_y. $dash. $e_start_m. $dash. $e_start_d;

woodeye;10878671 wrote:
I don't know if you're just testing at this point, so you don't have any checks in there, but you shouldn't trust data even if it's coming in on via POST. You should at least use something to remove special characters like mysql_real_escape_string or something like that.

Yes, at this point I'm just testing. I'm new to PhP and MySQL. The most I've done with PhP so far is a massive amounts of Includes. The I will be adding a password protection to this page as well as the Real Escape String.

Once I get this part done the next is querying the the information and such, which I have little idea how to do.

woodeye

Glad to hear that you got it worked out.

Yeah that's exactly how you could put it into your code. It does virtually the same thing, but it's a lot easier coding it.

Good Luck!

mramonster

Thanks! That'll make things easier

So now I'm getting this error and I can't find anything on it:

Now I'm getting:

Data truncated for column 'bike_nite' at row 1
The values it enters is either 1 or 0 and I don't understand how this error could occur.

mramonster

Stupid, stupid error in my coding! I had the same value listed twice which offset the other values!

Thanks for your help!

Onto the Query!

bradgrafelman

Also note a couple of things:

You should not just do extract($_POST);. This is replicating the behavior of register_globals, a directive that has long ago been identified as a security threat and is no longer available as of PHP6.

You should never place user-supplied data directly into a SQL query. As woodeye mentioned above, you should always run this data through a sanitizing function such as [man]mysql_real_escape_string/man.

Don't forget to mark this thread resolved (using the link on the Thread Tools menu).

mramonster

bradgrafelman;10878916 wrote:
Also note a couple of things:

You should not just do extract($_POST);. This is replicating the behavior of register_globals, a directive that has long ago been identified as a security threat and is no longer available as of PHP6.

You should never place user-supplied data directly into a SQL query. As woodeye mentioned above, you should always run this data through a sanitizing function such as [man]mysql_real_escape_string/man.

Don't forget to mark this thread resolved (using the link on the Thread Tools menu).

Yeah, I'm trying to learn this piece by piece. I updated my code on Friday to the Following. Also this code is NOT going to be user submitted. However, I am still taking the extra precautions of Real Escapes and Password Protection.

Here's what I have before the Password Protection:

<?php

$dash = "-";

if (isset($_POST['e_phone_1a']) && isset($_POST['e_phone_1b']) 	&& isset($_POST['e_phone_1c'])
 && isset($_POST['e_phone_2a']) && isset($_POST['e_phone_2b']) 	&& isset($_POST['e_phone_2c'])
 && isset($_POST['e_phone_3a']) && isset($_POST['e_phone_3b']) 	&& isset($_POST['e_phone_3c']) 
 && isset($_POST['e_fax_1a']) 	&& isset($_POST['e_fax_1b']) 	&& isset($_POST['e_fax_1c']) 
 && isset($_POST['e_title']) 	&& isset($_POST['e_city']) 		&& isset($_POST['e_state'])
 && isset($_POST['e_site']) 	&& isset($_POST['e_mail']) 		&& isset($_POST['e_contact']) 
 && isset($_POST['e_desc']) 	&& isset($_POST['e_vendor'])) {
    // Connect

$link = mysql_connect('data', 'base', 'info');

$select = mysql_select_db('rmation', $link);

if(!is_resource($link)) {

    echo "Failed to connect to the server";

} elseif(!$select) {

    echo "Failed to select database";

} else {

    // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.

    if(get_magic_quotes_gpc()) {
        if(ini_get('magic_quotes_sybase')) {
            $e_phone_1a		= str_replace("''", "'", $_POST['e_phone_1a']);
            $e_phone_1b 	= str_replace("''", "'", $_POST['e_phone_1b']);
            $e_phone_1c		= str_replace("''", "'", $_POST['e_phone_1c']);
            $e_phone_2a		= str_replace("''", "'", $_POST['e_phone_2a']);
            $e_phone_2b 	= str_replace("''", "'", $_POST['e_phone_2b']);
            $e_phone_2c		= str_replace("''", "'", $_POST['e_phone_2c']);
            $e_phone_3a		= str_replace("''", "'", $_POST['e_phone_3a']);
            $e_phone_3b 	= str_replace("''", "'", $_POST['e_phone_3b']);
            $e_phone_3c		= str_replace("''", "'", $_POST['e_phone_3c']);
            $e_fax_1a		= str_replace("''", "'", $_POST['e_fax_1a']);
            $e_fax_1b		= str_replace("''", "'", $_POST['e_fax_1b']);
            $e_fax_1c		= str_replace("''", "'", $_POST['e_fax_1c']);
            $e_title		= str_replace("''", "'", $_POST['e_title']);
            $e_city			= str_replace("''", "'", $_POST['e_city']);
            $e_state		= str_replace("''", "'", $_POST['e_state']);
            $e_site			= str_replace("''", "'", $_POST['e_site']);
            $e_mail			= str_replace("''", "'", $_POST['e_mail']);
            $e_contact		= str_replace("''", "'", $_POST['e_contact']);
            $e_desc			= str_replace("''", "'", $_POST['e_desc']);
            $e_vendor		= str_replace("''", "'", $_POST['e_vendor']);

        } else {
            $e_phone_1a		= stripslashes($_POST['e_phone_1a']);
            $e_phone_1b 	= stripslashes($_POST['e_phone_1b']);
            $e_phone_1c 	= stripslashes($_POST['e_phone_1c']);
            $e_phone_2a		= stripslashes($_POST['e_phone_2a']);
            $e_phone_2b 	= stripslashes($_POST['e_phone_2b']);
            $e_phone_2c 	= stripslashes($_POST['e_phone_2c']);
            $e_phone_3a		= stripslashes($_POST['e_phone_3a']);
            $e_phone_3b 	= stripslashes($_POST['e_phone_3b']);
            $e_phone_3c 	= stripslashes($_POST['e_phone_3c']);
            $e_fax_1a 		= stripslashes($_POST['e_fax_1a']);
            $e_fax_1b 		= stripslashes($_POST['e_fax_1b']);
            $e_fax_1c 		= stripslashes($_POST['e_fax_1c']);
            $e_title 		= stripslashes($_POST['e_title']);
            $e_city	 		= stripslashes($_POST['e_city']);
            $e_state 		= stripslashes($_POST['e_state']);
            $e_site 		= stripslashes($_POST['e_site']);
            $e_mail	 		= stripslashes($_POST['e_mail']);
            $e_contact 		= stripslashes($_POST['e_contact']);
            $e_desc	 		= stripslashes($_POST['e_desc']);
            $e_vendor 		= stripslashes($_POST['e_vendor']);
        }
    } else {
		$e_phone_1a		= $_POST['e_phone_1a'];
		$e_phone_1b 	= $_POST['e_phone_1b'];
		$e_phone_1c 	= $_POST['e_phone_1c'];
		$e_phone_2a		= $_POST['e_phone_2a'];
		$e_phone_2b 	= $_POST['e_phone_2b'];
		$e_phone_2c 	= $_POST['e_phone_2c'];
		$e_phone_3a		= $_POST['e_phone_3a'];
		$e_phone_3b 	= $_POST['e_phone_3b'];
		$e_phone_3c 	= $_POST['e_phone_3c'];
		$e_fax_1a 		= $_POST['e_fax_1a'];
		$e_fax_1b 		= $_POST['e_fax_1b'];
		$e_fax_1c 		= $_POST['e_fax_1c'];
		$e_title 		= $_POST['e_title'];
		$e_city	 		= $_POST['e_city'];
		$e_state 		= $_POST['e_state'];
		$e_site 		= $_POST['e_site'];
		$e_mail	 		= $_POST['e_mail'];
		$e_contact 		= $_POST['e_contact'];
		$e_desc	 		= $_POST['e_desc'];
		$e_vendor 		= $_POST['e_vendor'];
    }

//Event Phone Number
$e_phone_1 = $e_phone_1a. $dash. $e_phone_1b. $dash. $e_phone_1c;
$e_phone_2 = $e_phone_2a. $dash. $e_phone_2b. $dash. $e_phone_2c;
$e_phone_3 = $e_phone_3a. $dash. $e_phone_3b. $dash. $e_phone_3c;
$e_fax_1 = $e_fax_1a. $dash. $e_fax_1b. $dash. $e_fax_1c;

//Event Start Date
$e_start_y = $_POST['e_start_y'];
$e_start_m = $_POST['e_start_m'];
$e_start_d = $_POST['e_start_d'];
$e_start_date = $e_start_y. $dash. $e_start_m. $dash. $e_start_d;


//Event End Date
$e_end_y = $_POST['e_end_y'];
$e_end_m = $_POST['e_end_m'];
$e_end_d = $_POST['e_end_d'];
$e_end_date = $e_end_y. $dash. $e_end_m. $dash. $e_end_d;

//Event Bikes
$e_bike_nite = $_POST['e_bike_nite'];
$e_bike_cruiser = $_POST['e_bike_cruiser'];
$e_bike_goldwing = $_POST['e_bike_goldwing'];
$e_bike_bmw = $_POST['e_bike_bmw'];
$e_bike_street = $_POST['e_bike_street'];
$e_bike_dirt = $_POST['e_bike_dirt'];

//Event Page URL
$titlestrip = eregi_replace("[^a-z0-9.]", "-", $e_title);
$e_url = $e_start_date. $dash. $titlestrip;


    // Make a safe query
    $query = sprintf("INSERT INTO tablehere
					(title, start_date, end_date, city, state, description, site, email, contact, phone1, phone2, phone3, fax, vendor, bike_nite, cruiser, goldwing, bmw, street, dirt, URL) 
			VALUES 	('$e_title', '$e_start_date', '$e_end_date', '$e_city', '$e_state', '$e_desc', '$e_site', '$e_mail', '$e_contact', '$e_phone_1', '$e_phone_2', '$e_phone_3', '$e_fax_1', '$e_vendor', '$e_bike_nite', '$e_bike_cruiser', '$e_bike_goldwing', '$e_bike_bmw', '$e_bike_street', '$e_bike_dirt','$e_url')",
                mysql_real_escape_string($e_title, $link),
                mysql_real_escape_string($e_start_date, $link),
                mysql_real_escape_string($e_end_date, $link),
                mysql_real_escape_string($e_city, $link),
                mysql_real_escape_string($e_state, $link),
                mysql_real_escape_string($e_desc, $link),
                mysql_real_escape_string($e_site, $link),
                mysql_real_escape_string($e_mail, $link),
                mysql_real_escape_string($e_contact, $link),
                mysql_real_escape_string($e_phone_1, $link),
                mysql_real_escape_string($e_phone_2, $link),
                mysql_real_escape_string($e_phone_3, $link),
                mysql_real_escape_string($e_fax_1, $link),
                mysql_real_escape_string($e_vendor, $link),
				mysql_real_escape_string($e_bike_nite, $link),
                mysql_real_escape_string($e_bike_cruiser, $link),
                mysql_real_escape_string($e_bike_goldwing, $link),
                mysql_real_escape_string($e_bike_street, $link),
                mysql_real_escape_string($e_bike_dirt, $link),
                mysql_real_escape_string($e_url, $link)
				);

    mysql_query($query, $link);

    if (mysql_affected_rows($link) > 0) {
        echo "Event inserted\n";
    }
}
} else {
    echo "Fill the form properly\n";
}
?>