where is my form or script breaking?

carlgordonjr

Hello. I designed the attached contact page as a dynamic form in DW. I also attached the accompanying .php script that posts it to phpmyadmin. It shows that the table has recieved something from the form but none of the data entered into the form is visable. Can anyone tell me where this form is breaking? I have attached an image of both the structure and browse view in myphpadmin. Thanks a heap.

THE HTML FORM:

 <fieldset>
      <h3>&nbsp;</h3>
      <form id="form1" name="form1" method="POST" action="gogreencontact.php">
      <h3>
          <label for="yourname">Your Name:</label>
          <input type="text" name="yourname" id="yourname" />
        </h3>
        <h3>
          <label for="youremail">Your E-Mail:</label>
          <input type="text" name="youremail" id="youremail" />
        </h3>
        <h3>
          <label for="subject"> Subject:</label>
          <img src="gogreenholder.gif" width="30" height="21" alt="gogreenholder" />
          <input type="text" name="subject" id="subject" />
        </h3>
        <h3>
          <label for="gogreenmessage">
            Message:
              <img src="gogreenholder.gif" width="17" height="21" alt="gogreenholder" />
              <textarea name="gogreenmessage" id="gogreenmessage" cols="30" rows="3"></textarea>
          </label>
        </h3>
        <p align="right">
      <p><input name="formsubmit" type="submit" value="Submit" />
        </p>
      </form>
    </fieldset>

THE PHP SCRIPT:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL
$hostname_gogreencomputerservices = 
$database_gogreencomputerservices = 
$username_gogreencomputerservices = 
$password_gogreencomputerservices = 
$con = mysql_pconnect($hostname_gogreencomputerservices, $username_gogreencomputerservices, $password_gogreencomputerservices) or trigger_error(mysql_error(),E_USER_ERROR); 


$yourname = $_POST['YourName'];
$youremail = $_POST['YourEMail'];
$subject = $_POST['Subject'];
$message = $_POST['Message'];



mysql_select_db("xxxxxxxxxx", $con);
		  $sql="INSERT INTO gogreencontact (YourName, YourEMail, Subject, Message) values ('$yourname', '$youremail', '$subject', '$message')";

header( "Location: http://www.gogreencomputerservices.com/PandAs.html" );

 mysql_query($sql, $con) or die ("<br>Query string: $sql<br>Produced error: " . mysql_error() . '<br>');

?>

TWO IMAGES OF THE RESULTS IN PHPMYADMIN:
[ATTACH]4853[/ATTACH][ATTACH]4855[/ATTACH]

gogreencontact phpmyadmin browse.jpg gogreencontact phpmyadmin structure.jpg

bradgrafelman

First and foremost: Stop Using the MySQL Extension!.

Your PHP script is referencing POST'ed elements named 'YourName', 'YourEMail', 'Subject', and 'Message', but none of those are the names of any elements in the HTML form you've shown us. (You do, however, have elements named 'yourname', 'youremail', ... etc.).

Additionally, you should never place user-supplied data directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize your data. See the following man page for an introduction to the topic: [man]security.database.sql-injection[/man].

carlgordonjr

Thanks for the super prompt reply. I will be implementing the two suggestions (protecting my script from sql injection and stop using the MySQL extension) just as soon as I get this bit straight and to the other site I'm working on.
So am I to understand that I need to change some portion of my HTML to match the PHP? and If so where? I am really new to this so please be patient with me. It's getting clearer but I'm still a little confused.

Weedpacket

carlgordonjr wrote:
So am I to understand that I need to change some portion of my HTML to match the PHP?

Or the other way around. Either way, the names of the elements in [font=monospace]$_POST[/font] have to match the names of the form elements.

carlgordonjr

Weedpacket;11024261 wrote:
Or the other way around. Either way, the names of the elements in [font=monospace]$_POST[/font] have to match the names of the form elements.

I'm lost. I switched the entries in $POST because it seemed like the easier fix but now I get no action in myphpadmin. Please see below: AFTER

$YourName = $_POST['yourname'];
$YourEMail = $_POST['youremail'];
$Subject = $_POST['subject'];
$Message = $_POST['message'];
mysql_select_db("xxxxxxxxx", $con);
		  $sql="INSERT INTO gogreencontact (YourName, YourEMail, Subject, Message) values ('$yourname', '$youremail', '$subject', '$message')";

      BEFORE

$yourname = $_POST['YourName'];
$youremail = $_POST['YourEMail'];
$subject = $_POST['Subject'];
$message = $_POST['Message'];
mysql_select_db("XXXXXXXXX", $con);
		  $sql="INSERT INTO gogreencontact (YourName, YourEMail, Subject, Message) values ('$yourname', '$youremail', '$subject', '$message')";

Do I need to include the capital letters, spaces and hyphens? Is that the issue? I was under the impression that php didn't recognize the hyphens or spaces in script. I thought this was the diagram:
1. first form element is the Your Name field
2. data is entered into the Your Name field (eg Carl Gordon), then submit
3. The entry, Carl Gordon, is passed to php as $carlgordon
4. php passes or POST'(s) $carlgordon to the Your Name field in the table gogreencontact

Thanks Again.

phpSimon

You've got conflicting cases in your variable names.

The HTML form has a field called: yourname (that's taken from the name="yourname" part)

At the top of your PHP script (the 'after' one from your most recent post), you have this line:

$YourName = $_POST['yourname'];

You now have a variable called $YourName that will contain the contents of the "yourname" POST from the form.

However, in your insert query you've called the variable '$yourname' - which doesn't exist.

The case matters; for simplicity, keep them all the same. All you need to do is change:

$YourName = $_POST['yourname'];

$yourname = $_POST['yourname'];

You can also use the POST values directly in the query:

$sql="INSERT INTO gogreencontact (YourName, YourEMail, Subject, Message)
        Values ('$_POST[yourname]', '$_POST[youremail]', '$_POST[subject]', '$_POST[message]')";

Don't forget to sanitise data first, as mentioned by bradgrafelman.