[RESOLVED] Problem sending form data to mysql

redsox8185

I've been using html for a while now in school, and I'm attempting to learn php with this book, so this is probably a really dumb mistake, however, I can't find anything on the web to help me. I was finally able to have information sent to my database, however, the info is simply the variables, not the input from the form.

Heres my html form:

<!DOCTYPE HTML PUBLIC
                 "-//W3C//DTD HTML 4.01 Transitional//EN"
                 "http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Add a Phonebook Entry</title>
</head>
<body>

<h1>Insurance Quote</h1>
<p>Personal Information</p>
<form name="form" method="POST" action="final.php">
  *First Name 
  <input type="text" name="firstname" id="firstname" />
  <p>*Last Name 
    <input type="text" name="lastname" id="lastname" />
  </p>
  <p>Address 
    <input type="text" name="address" id="address" />
  <p>City  

    <input type="text" name="city" id="city" />
  </p>
  <p>State 
    <input type="text" name="state" id="state" />
  </p>
  <p>Birthdate
    <input type="text" name="birthdate" id="birthdate" />
  </p>
  <p>Contact Information</p>
  <p>* Telephone Number 
    <input type="text" name="telephone" id="telephone" />
  </p>
  <p>Email 
    <input type="text" name="email" id="email" />
  </p>
  <p>
    <input type="submit" name="submit" value="submit" />
  </p>
</form>
<p>&nbsp;</p>
</body>
</html>

Here is the php file:

<?php


$con = mysql_connect ("localhost", "user", "pass") or die ('I cannot connect to the database because: ' . mysql_error());
$db = mysql_select_db ("insurance", $con);



$sql = 'INSERT INTO `insurance`.`info` (`ID`, `firstname`, `lastname`, `address`, `city`, `state`, `birthdate`, `telephone`, `email`)
VALUES (NULL, \'$firstname\', \'$lastname\', \'$address\', \'$city\', \'$state\', \'$birthdate\', \'$telephone\', \'$email\');';



if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

?>

Please help! Thanks, Kyle.

Kudose

Welcome to PHPBuilder!

You assume register_globals is On, which it should not be, but that's not your problem. Your problem is that variable interpolation only occurs within double quotes.

Change the single quotes around your SQL to double quotes.

bradgrafelman

And once you do fix the quotes, you'll have to tackle the register_globals problem (which, as Kudose pointed out, should be disabled, aka set to "Off"). Instead of creating variables, PHP now uses new superglobal arrays (manual page: [man]variables.superglobal[/man]). In your case, for example, you should be looking in the $_POST/B] array for the POST'ed data.

Also, it appears that your code is vulnerable to SQL injection attack. User-supplied data should never be placed directly into a SQL query. Instead, you should first sanitize it with a function such as [man]mysql_real_escape_string/man. In addition, if 'ID' is an AUTO_INCREMENT field, you could/should simply leave it out of the INSERT query altogether.

redsox8185

I changed everything in which I was told to and now I'm getting errors such as T string and unexpected ','. Sorry, I'm really new to php.., please bear with me. Here's my updated php code.

<?php


$con = mysql_connect ("localhost", "user", "pass") or die ('I cannot connect to the database because: ' . mysql_error());
$db = mysql_select_db ("insurance", $con);



$sql = ("INSERT INTO info ('firstname', 'lastname', 'address', 'city', 'state', 'birthdate', 'telephone', 'email')
VALUES ('$firstname', '$lastname', '$address', '$city', '$state', '$birthdate', '$telephone', '$email')",
	mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname),
	mysql_real_escape_string($address),
    mysql_real_escape_string($city),
	mysql_real_escape_string($state),
    mysql_real_escape_string($birthdate),
	mysql_real_escape_string($telephone),
    mysql_real_escape_string($email),
		$_POST['$firstname'],
		$_POST['$lastname'],
		$_POST['$address'],
		$_POST['$city'],
		$_POST['$state'],
		$_POST['$birthdate'],
		$_POST['$telephone'],
		$_POST['$email']);

mysql_query($sql, $con);



if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

?>

bradgrafelman

You might want to be careful about screening code snippets you post, such as removing MySQL login credentials from them.

As for your errors, where did you find that syntax? You can't simply string a bunch of pieces together with commas in between and expect PHP to know what you want done. You can either use [man]sprintf/man (my personal choice - makes code look cleaner):

$query = sprintf('SELECT * FROM myTable WHERE foo='%s' AND bar=%d',
    mysql_real_escape_string($_POST['foo']),
    $_POST['bar'] // the '%d' modifier takes care of any non-integer characters we might encounter
);

or concatenation:

$query = 'SELECT * FROM myTable WHERE foo=\'' . mysql_real_escape_string($_POST['foo']) . '\' AND bar=' . (int)$_POST['bar'];

There are also some other issues with what you posted. For example, as we've pointed out, variables such as $firstname, et al. won't exist unless you create them. Also, $POST['$firstname'] is referencing a key name of a dollar sign followed by 'firstname'. Since the keys of the $POST array are simply the names of the form fields (with a couple of exceptions), you don't want a dollar sign in there. Finally, you execute this query two times, so you will have two duplicate rows INSERT'ed. Either assign the result of the first mysql_query() call to a variable and check that variable in the if() statement, or simply get rid of the first mysql_query() call.