Export user data from html for to SQL

jrashle2

I built a basic form to get a users name, email, and zip code and I am trying to get the information entered to be imported into a sql database when the user hits submit. This is the code, hopefully someone can help. Thanks

<!--?php mysql_connect(" documailsvr.Docusource.local", "DOCUSOURCE\12admin", "") or die(mysql_error()); 
mysql_select_db("DocuSource") or die(mysql_error());    

mysql_query("INSERT INTO `tester` VALUES ('$name', '$email', '$zip')");     Print "Thank you";   ?--> 
<form method="post"> 
Your Name: <input name="name" type="text" /><br />
E-mail: <input name="email" type="text" /><br /> 
Zip: <input name="zip" type="text" /><br /> 
<input type="submit" value="Submit" /> </form>

bradgrafelman

Welcome to PHPBuilder! When posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

As for your code, here are several issues I see:

The opening PHP tag is '<?php', not '<!--?'.
The closing PHP tag is '?>', not '?-->'.
Your PHP code is going to be evaluated every time that page loads - including the first page request before the form has ever been submitted.

As such, you should instead wrap your processing code in an if() branch and use something like [man]isset/man or [man]empty/man to check if data has been POST'ed to the script yet. If so, process it. If not, display the HTML form.
The variables $name, $email, and $zip are all undefined. Perhaps you meant to use the $_POST array instead? See [man]variables.external[/man] for more information about how to get external data.
User-supplied data should never be placed directly into a SQL query, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it with a function such as [man]mysql_real_escape_string/man (for string data).
You should always check the value returned by [man]mysql_query/man to see if it was boolean FALSE (indicating an error has occured) and, if so, log or output the MySQL error message (see [man]mysql_error/man) and perhaps the SQL query itself as it was sent to the MySQL server (useful when debugging a failing query).

jrashle2

@ thank you so much for your help I incorporated the different items you told me and it is still not working, this is my updated code. I really appreciate the help this is my first time working in php and html and it has been fun and interesting learning the language.

<?php
$host = "localhost";
$user = "DOUCUSOURCE\12admin";
$pass = "";
$dbname = "DocuSource";
$Name =$_POST['Name'];
$Email =$_POST['Email'];
$Zip =$_POST['Zip'];

$connection = mysql_connect($host,$user,$pass) or die (mysql_error());
mysql_select_db($dbname) or die(mysql_error()); 
mysql_query("INSERT INTO `tester` VALUES ('$name', '$email', '$zip')") or die(mysql_error());

$var = 'null';

if (empty($var)) 
  {
    echo '$var is either 0, empty, or not set at all';
  }

if (isset($var)) 
   {
    echo '$var is set even though it is empty';
   }

function PrepSQL($value)
    {

    if(get_magic_quotes_gpc()) 
    {
        $value = stripslashes($value);
    }

    // Quote
    $value = "'" . mysql_real_escape_string($value) . "'";

    return($value);
} 

?>

<html>

<head>
<title>Contact Form</title>

<script>
function ValidateContactForm()
{
    var name = document.ContactForm.Name;
    var email = document.ContactForm.Email;
    var zip = document.ContactForm.Zip;

if (name.value == "")
{
    window.alert("Please enter your name.");
    name.focus();
    return false;
}

if (email.value == "")
{
    window.alert("Please enter a valid e-mail address.");
    email.focus();
    return false;
}
if (email.value.indexOf("@", 0) < 0)
{
    window.alert("Please enter a valid e-mail address.");
    email.focus();
    return false;
}
if (email.value.indexOf(".", 0) < 0)
{
    window.alert("Please enter a valid e-mail address.");
    email.focus();
    return false;
}

if (zip.value == "")
{
    window.alert("Please enter your zip code.");
    zip.focus();
    return false;
}
return true;
}

</script>
</head>

<body>
<form method="post" 
name="ContactForm" onsubmit="return ValidateContactForm();">
    <p>Name: <input type="text" size="65" name="Name"></p>
    <p>E-mail Address:  <input type="text" size="65" name="Email"></p>
    <p>Zip:  <input type="text" size="65" name="Zip"></p>
    <p><input type="submit" value="Send" name="submit">
    <input type="reset" value="Reset" name="reset"></p>
</form>
</body>
</html>

dagon

$zip != $Zip != $ZiP

php variable names are case sensitive

also "not working" is not a very helpful description of your problem

johanafm

Apart from whatever "not working" might be, you seem to have several missconceptions about different things.

# Here you define the variable, and initialize it to a non-empty value
# Do note the difference between 'null' (non-empty, 4 character string) and
# null (empty, the null-value)
$var = 'null';

# Which means that this is NEVER true
if (empty($var)) 
{
	# This sentence covers all cases by simply using the word "empty",
	# but since you also include 0 as a possibility, which is only one of the
	# many meanins of "empty", the sentence is rather confusing.
	# Stick to empty, or list all possibilities:
	# 	0.0, 0, '0', , '', false, array(), null
	# But do note that '0.0' is NOT empty, just like 'null' isn't.
    echo '$var is either 0, empty, or not set at all';
}

# While this is ALWAYS true.
# This statement is also not at all related to the previous statement, just
# like $i = 4; has absolutely no relation to $j = 'animal';
# If you want there to be any kind of relationship between these two statements,
# you would need to use:
#	elseif
# which still wouldn't give it the meaning of your english sentence below. It would
# become "$var is set, even though it is NOT empty"
if (isset($var)) 
{
	# Which means that the meaning of this sentence is ALWAYS false:
	# 	$var is after all NOT empty.
	echo '$var is set even though it is empty';
}

# And this function makes little sense if you pass in values that are stored
# as non-strings in the database, such as int and float. It also makes little sense
# to have one function for each specific case of data type used rather than handle all
# types in the same place.
# Or better yet, use prepared statements and have it done for you.
function PrepSQL($value)
{
        $value = "'" . mysql_real_escape_string($value) . "'";

	# return is not a function, it's a languge construct, and the manual
	# lists _several_ good reasons for NOT using it as a function
    return($value);
}