[RESOLVED] Data not inserting to database

mrjoeblack

Has anyone any idea why this is not working. I have a form to database issue. The form submits fine and give a sucessful result message BUT the data does not get inserted into the database. Help appreciate 🙂

<?php

if (isset($_POST['submitted'] )) {

	include('connect-mysql.php' ) ;

	$area = $_POST['area'] ;
	$fname = $_POST['fname'] ;
	$lname = $_POST['lname'] ;
	$sex = $_POST['sex'] ;
	$age = $_POST['age'] ;
	$email = $_POST['email'] ;
	$pcode = $_POST['pcode'] ;
	$promo = $_POST['promo'] ;
	$word = $_POST['word'] ;

	$sqlinsert = "INSERT INTO members (area, firstname, lastname, sex, age, email, postcode, promo, word)  VALUES ( '$area' , '$fname' , '$lname' , '$sex', '$age', '$email', '$pcode', '$promo', '$word' )" ;

	if(!$email == "" && (!strstr($email,"@") || !strstr($email,"."))) 
{
echo "<p>Please Go Back and enter a valid e-mail address</p>\n"; 
$badinput = "<p>we need your valid email in order to keep you informed and send out your members manual</p>\n";
echo $badinput;
die ("Use the BACK button ! ");
}

if(empty($fname) || (empty($lname) ||empty($sex) ||empty($age) ||empty($email) || empty($pcode) ||empty($word)))
 {
echo "<p>You have not completed all fields, please Go Back and fill out all the fields</p>\n";
die ("Use the BACK button ! "); 
}

mysql_query($query);


  // end of nested if statement

		$newrecord = "Ok! ... registration successful";
		echo $newrecord ;


}  // end of the main if statement


?>

Derokorian

    mysql_query($query);

$query is undefined. I believe you meant to use $sqlinsert which you defined as

        $sqlinsert = "INSERT INTO members (area, firstname, lastname, sex, age, email, postcode, promo, word)  VALUES ( '$area' , '$fname' , '$lname' , '$sex', '$age', '$email', '$pcode', '$promo', '$word' )" ;

bradgrafelman

When posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags (not HTML - save that for HTML code) as they make your code much easier to read and analyze.

As for your problem, here are a few issues I see:

You might want to get in the habit of always properly indenting your code. It's not just a matter of looking nice/professional:
```
p  oo rl y  s  p ac ed cod e    i   s     har   d  t o    r     ea     d  !
```
User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize the data such as with a function like [man]mysql_real_escape_string/man (for string data) or by using prepared statements.
This if() statement:
```
if(!$email == "" && (!strstr($email,"@") || !strstr($email,".")))
```
has a few issues with it. Rather than go into detail for those issues, I'll simply say this: a more sensible way to check for a valid e-mail address might be to use [man]filter_var/man with the FILTER_VALIDATE_EMAIL filter/option.
This:
```
mysql_query($query); 
```
has two major problems:
1. The variable $query is undefined.
2. You should always check to see if [man]mysql_query/man returned boolean FALSE (indicating an error has occurred) and take appropriate action if so. See the "MySQL(i) PHP warning" link in my signature for a longer explanation of this.

mrjoeblack

Derokorian - thank you sir for that fast help, it works nice now - appreciate that!!! cheers

Bradgrafelman - Thanks for that, not sure my skills are up to your upgrade advice. I would like to make the code as secure as possible, so all help is great. I will try to see if I can figure out what you suggest.

This forum is superb, you're top guys for sure, thank you!!

samuelcook

here is an email function that I particularly like and haven't had any troubles with

function validEmail($email = ''){
	$atIndex = strrpos($email, "@");
	$domain = substr($email, $atIndex+1);
	$local = substr($email, 0, $atIndex);
	$localLen = strlen($local);
	$domainLen = strlen($domain);

switch(TRUE) {
	case empty($email):
	case (is_bool($atIndex) && !$atIndex):
	case ($localLen < 1 || $localLen > 64):
	case ($domainLen < 1 || $domainLen > 255):
	case ($local[0] == '.' || $local[$localLen-1] == '.'):
	case (preg_match('/\\.\\./', $local)):
	case (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)):
	case (preg_match('/\\.\\./', $domain)):
	case (!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/', str_replace("\\\\","",$local))) && (!preg_match('/^"(\\\\"|[^"])+"$/',str_replace("\\\\","",$local))):
		return false;
}
return true;
}

// FOR IMPLEMENTATION //
if(!validEmail($email)){
	// code to handle an invalid email
}

mrjoeblack

Samuel, thank you for that ... but being honest I frankly would know what to do with it hahaha!!! Not being an expert in these matters. Appreciate your input tho.

mrjoeblack

Ok actually this is what I altered the code to. It now works but I'm sure it's not quite right. Can anyone tidy it up for me please ??

  <?php

if (isset($_POST['submitted'] )) {

	include('connect-mysql.php' ) ;

	$area = $_POST['area'] ;
	$fname = $_POST['fname'] ;
	$lname = $_POST['lname'] ;
	$sex = $_POST['sex'] ;
	$age = $_POST['age'] ;
	$email = $_POST['email'] ;
	$pcode = $_POST['pcode'] ;
	$promo = $_POST['promo'] ;
	$word = $_POST['word'] ;

	$sqlinsert = "INSERT INTO members (area, firstname, lastname, sex, age, email, postcode, promo, word)  VALUES ( '$area' , '$fname' , '$lname' , '$sex', '$age', '$email', '$pcode', '$promo', '$word' )" ;

	if(!$email == "" && (!strstr($email,"@") || !strstr($email,"."))) 
{
echo "<p>Please Go Back and enter a valid e-mail address</p>\n"; 
$badinput = "<p>we need your valid email in order to keep you informed and send out your members manual</p>\n";
echo $badinput;
die ("Use the BACK button ! ");
}

if(empty($fname) || (empty($lname) ||empty($sex) ||empty($age) ||empty($email) || empty($pcode) ||empty($word)))
 {
echo "<p>You have not completed all fields, please Go Back and fill out all the fields</p>\n";
die ("Use the BACK button ! "); 
}

	mysql_query($sqlinsert = "INSERT INTO members (area, firstname, lastname, sex, age, email, postcode, promo, word)  VALUES ( '$area' , '$fname' , '$lname' , '$sex', '$age', '$email', '$pcode', '$promo', '$word' )"); 



  // end of nested if statement

		$newrecord = " Ok! ... registration successful ";
		echo $newrecord ;


}  // end of the main if statement


?>

bradgrafelman

samuelcook;10996235 wrote:

function validEmail($email = ''){
	$atIndex = strrpos($email, "@");
	$domain = substr($email, $atIndex+1);
	$local = substr($email, 0, $atIndex);
	$localLen = strlen($local);
	$domainLen = strlen($domain);

switch(TRUE) {
	case empty($email):
	case (is_bool($atIndex) && !$atIndex):
	case ($localLen < 1 || $localLen > 64):
	case ($domainLen < 1 || $domainLen > 255):
	case ($local[0] == '.' || $local[$localLen-1] == '.'):
	case (preg_match('/\\.\\./', $local)):
	case (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)):
	case (preg_match('/\\.\\./', $domain)):
	case (!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/', str_replace("\\\\","",$local))) && (!preg_match('/^"(\\\\"|[^"])+"$/',str_replace("\\\\","",$local))):
		return false;
}
return true;
}

// FOR IMPLEMENTATION //
if(!validEmail($email)){
	// code to handle an invalid email
}

Er... why on earth would anyone want to manage all that rather than just:

if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // code to handle an invalid email
}

johanafm

mrjoeblack;10996238 wrote:
Ok actually this is what I altered the code to. It now works but I'm sure it's not quite right. Can anyone tidy it up for me please ??

As previously suggested by brad, indent your code. There are a few common ways of doing this. Wether you follow one of those or choose your own style doesn't matter. But actually indenting code and always staying consistent is a must.

Looking at an existing way of doing it may also make it easier.

Personally I prefer Allman style for a few reasons. Whenever you have a conditional expression (used with if (...), while (...) etc) that spans several lines, it's still easy to see where the block begins, and you can simply place the cursor over this curly bracer and scroll down to find its match. 1TBS is another common way of doing it.

# higher level of indentation than on the following lines is not good.
# choose the same for php opening tags so that code always can start at the very left edge
/*  <?php */
<?php

# Sinc I prefer Allman, I moved the { down one line
# The dual tab indentation is bad though. If you wish to change the amount of space used in
# indentation, change the setting in your editor (and get an editor with this cabability if
# you want it.
# Also, include is not a function, it's a language construct and using parenthesis around
# what you believe is the included file will only fool you, since it does NOT say anything
# about what file is included.
/*
if (isset($_POST['submitted'] )) {

	include('connect-mysql.php' ) ;

	$area = $_POST['area'] ;
*/
if (isset($_POST['submitted'] ))
{
	include 'connect-mysql.php';
	$area = $_POST['area'];

# Since SQL code is rather likely to end up in error logs sooner or later, or will need to
# be printed to screen for inspection while developing, I prefer keeping SQL code properly
# formatted. You can pretty much go two ways. One is by always starting them to the very left,
# i.e. with 0 indentation. Keeping closing " on its own line means you won't forget adding
# line breaks between statements where needed or when concatenating parts into a statement.
# Especially useful for longer statements.
$sqlinsert =
"INSERT INTO members
	(
		area, firstname, lastname, sex, age,
		email, postcode, promo, word
	)
VALUES
	(
		'$area' , '$fname' , '$lname' , '$sex', '$age',
		'$email', '$pcode', '$promo', '$word'
	),
	(
		'$area' , '$fname' , '$lname' , '$sex', '$age',
		'$email', '$pcode', '$promo', '$word'
	)	
";
	# Another way would be to use string contentation to stay within the current indentation
	# while formatting SQL code to also be indented
	$sqlinsert = "INSERT INTO members " .
				"	(".
				"		area, firstname, lastname, sex, age,".
				"		email, postcode, promo, word".
				"	)".
				"	VALUES".
				"		(".
				"			'$area' , '$fname' , '$lname' , '$sex', '$age',".
				"			'$email', '$pcode', '$promo', '$word'".
				"		)";


# Once again, outdenting { and then not indenting the following code at all...
/*
		if(!$email == "" && (!strstr($email,"@") || !strstr($email,"."))) 
{
echo "<p>Please Go Back and enter a valid e-mail address</p>\n"; 
$badinput = "<p>we need your valid email in order to keep you informed and send out your members manual</p>\n";
echo $badinput;
die ("Use the BACK button ! ");
}
*/

# and so on...

Just be aware that Allman style will break javascript when used with returning values

// This
return
{
	name: value;
}

// is actually interpreted as
return;
{
	name: value;
}

mrjoeblack

you said this "User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks"

can you explain what an "SQL injection attack" is?? and what it would do??

thanks!

mrjoeblack

boy!! that's too complicated for me lol

Derokorian

Short answer: http://lmgtfy.com/?q=SQL+Injection+Attack

Long answer: When a malicious user uses holes in your application design to take control of the system and possibly harm it in some way. If you had this code:

$username = $_POST['username'];
$password = md5($_POST['password']);

$result = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password");

Now if I was a malicious user, I could supply the username:

admin' ---

Which would make my query look like this:

SELECT * FROM users WHERE username = 'admin' ---' AND password = 'somepasswordhash'

The problem here is that this is exactly the same as SELECT * FROM users WHERE username = 'admin' with no password check as the dashes comment out the rest of the query!

bradgrafelman

Another resource that explains SQL injection a bit is the PHP manual itself: [man]security.database.sql-injection[/man].

mrjoeblack

ok thanks, not sure I could secure my form tho 🙁

my understanding of what you are saying is re an attack coming from the outside as a query on the DB. However, are there any issues to be concerned about over users only submitting data to a DB?

bradgrafelman

mrjoeblack;10996326 wrote:
my understanding of what you are saying is re an attack coming from the outside as a query on the DB.

Actually that has nothing to do with what we've been referring to. We're talking about user-supplied data being used in SQL queries by you, the programmer.

mrjoeblack;10996326 wrote:
However, are there any issues to be concerned about over users only submitting data to a DB?

Yes, that's the topic of the PHP manual page I linked to, Derokorian's examples, etc.

mrjoeblack

ok I admit it, totally confussed lol!!!

does anyone out there charge for doing the hard stuff for me? or maybe an exchange of knowledge would be good 🙂

mrjoeblack

Can anyone help me with this?? Is it possible to have a data form after submitted, echo back to the user a automatically incremented reference number. In my dbase I have a identifier column which automatically increments a number as each post is submitted, I'm wondering if this number can be sent back to the user success message, like for example.... "thanks for your submission, please keep a note of your reference number 00000 for your records"

I hope I make myself clear. Appreciate any help on this one.

Derokorian

mysql_insert_id()

mrjoeblack

Derok, ok here's my code again, it works but I know it has it's faults/security issues previously discussed haha!! Maybe I'll understand one day how to sort them out. For the moment, I dont suppose you could add the code for the insert thing in your last post so I can see what it does???

 <?php

if (isset($_POST['submitted'] )) {

	include('connect-mysql.php' ) ;

	$area = $_POST['area'] ;
	$fname = $_POST['fname'] ;
	$lname = $_POST['lname'] ;
	$sex = $_POST['sex'] ;
	$age = $_POST['age'] ;
	$email = $_POST['email'] ;
	$pcode = $_POST['pcode'] ;
	$promo = $_POST['promo'] ;
	$word = $_POST['word'] ;

	$sqlinsert = "INSERT INTO members (area, firstname, lastname, sex, age, email, postcode, promo, word)  VALUES ( '$area' , '$fname' , '$lname' , '$sex', '$age', '$email', '$pcode', '$promo', '$word' )" ;

	if(!$email == "" && (!strstr($email,"@") || !strstr($email,"."))) 
{
echo "<p>Please Go Back and enter a valid e-mail address</p>\n"; 
$badinput = "<p>we need your valid email in order to keep you informed and send out your members manual</p>\n";
echo $badinput;
die ("Use the BACK button ! ");
}

if(empty($fname) || (empty($lname) ||empty($sex) ||empty($age) ||empty($email) || empty($pcode) ||empty($word)))
 {
echo "<p>You have not completed all fields, please Go Back and fill out all the fields</p>\n";
die ("Use the BACK button ! "); 
}

	mysql_query($sqlinsert = "INSERT INTO members (area, firstname, lastname, sex, age, email, postcode, promo, word)  VALUES ( '$area' , '$fname' , '$lname' , '$sex', '$age', '$email', '$pcode', '$promo', '$word' )"); 


 	$newrecord = "<strong> Ok! ... registration was successful. <strong>";
		echo $newrecord ;


}  

?>

Weedpacket

Read the example on the [man]mysql_insert_id[/man] page and based on that try adding it yourself.