
Submission to SQL: The Basics


tombulgius


Hello everybody,

I'm working on a test site which houses, at the moment, only a text field and a submit button.

Its function is to submit material to a SQL row, "comment." I'm aware of the possibility of users misusing it, and the fact that the data isn't sanitized, so maybe I'd like to get part of that working after the base script is.

At this time, my script tells me that it is running with no errors, and the database information is correct. But is the placement and implementation correct? Here is the code:

<?php
$usr = "xxxxxxxxxx";
$pwd = "xxxxxxxx";
$db = "xxxxxxxxxxxxxxx";
$host = "xxxxxxx.000webhost.com";

// Note: the mysql_* extension used here was removed in PHP 7;
// mysqli or PDO is the replacement.
$link = mysql_connect($host, $usr, $pwd);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';

if (!mysql_select_db($db)) {
    die('Could not select database: ' . mysql_error());
}

?>
<html>

<head>
    <title>The Field Submission Testing Ground</title>
</head>

<body>

    <div id="submit1">
        <!-- One form only: a nested <form> is ignored by the browser and the
             outer, method-less one defaulted to GET. -->
        <form action="testing.php" method="POST">
            Enter comment:
            <input type="text" name="entrynum"/>
            <input type="submit" value="Submit"/>
        </form>
    </div>

<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // The submitted value is interpolated into the query unsanitized (see above)
    $SUBMISSION = $_POST["entrynum"];
    $sql  = " INSERT INTO testbase";
    $sql .= " (comment) VALUES ";
    $sql .= " ('$SUBMISSION') ";

    $result = mysql_query($sql, $link);

    if (mysql_error()) { print "Database ERROR: " . mysql_error(); }
}
?>

</body>
</html>

I'd like to know if I'm missing a vital script or part of syntax, or have put something out of order.

Secondly, POST is acting like GET on this page, and always has. That's strange and I honestly don't know why it won't listen to its submission method :S

Note: the database is "xxxxx_testbas", the table is "testbase," and its rows are "comment" and "date." comment is, right now, a TEXT field.

https://forums.phpfreaks.com/topic/192334-submission-to-sql-the-basics/

To sanitize data for insertion, you should use mysql_real_escape_string() on the data to prevent injections.

If you are after general advice on your code, I suggest trying the following format:

// put common pre-processing code here


if ($link = mysql_connect($host, $usr, $pwd))
{
   if (mysql_select_db($db))
   {
      // ^^ etc. until all your data is valid
      // perform processing code in here after all data is validated
      // return value/true if a function
   }
   else
   {
      print('Could not select database: '.mysql_error().'<br/>'."\n");
      // return false if a function
   }
}
else
{
   print('Could not connect: '.mysql_error().'<br/>'."\n");
   // return false if a function
}

// put common post processing code here

instead of doing:

$link = mysql_connect($host, $usr, $pwd);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';

if (!mysql_select_db($db)) {
    die('Could not select database: ' . mysql_error());
}
// etc.

This will improve readability and create a more logical flow in your code, which is better for maintenance/updating. Notice how you only proceed into the child code block if the condition returns successful; otherwise we fail and output an error message. You can change the error message code to anything you want to handle the failure.
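The page below is an added example that serves both the original question (a single POST form with the handler placed correctly, which also explains why the submission looked like GET) and the reply's advice (only step into the next block after the previous step succeeded, and never put raw user input into the SQL text). It is not the original poster's code or the reply author's: it assumes the same testbase table and comment column, uses mysqli because the mysql_* functions in the thread were removed in PHP 7, uses placeholder credentials, and picks a hypothetical 2000-character limit for the comment.

```php
<?php
// Added example, not code from the thread. Credentials are placeholders.
$host = 'localhost';       // placeholder
$usr  = 'db_user';         // placeholder
$pwd  = 'db_password';     // placeholder
$db   = 'xxxxx_testbas';   // database name as given in the original post

$status = '';  // message shown to the user after a submit

// Same nesting the reply recommends: each block is entered only when the
// previous step succeeded; every failure path sets a message instead of die().
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $comment = isset($_POST['entrynum']) ? trim($_POST['entrynum']) : '';

    // Validate before touching the database (2000 is an assumed limit).
    if ($comment === '' || strlen($comment) > 2000) {
        $status = 'Please enter a comment of 1 to 2000 characters.';
    } else {
        $link = mysqli_connect($host, $usr, $pwd, $db);
        if ($link) {
            // Prepared statement: the comment is sent as a bound parameter,
            // never spliced into the SQL string, so a quote in the input
            // cannot change the query. This covers the injection risk the
            // reply's mysql_real_escape_string() advice is aimed at.
            $stmt = mysqli_prepare($link, 'INSERT INTO testbase (comment) VALUES (?)');
            if ($stmt) {
                mysqli_stmt_bind_param($stmt, 's', $comment);
                if (mysqli_stmt_execute($stmt)) {
                    $status = 'Comment saved.';
                } else {
                    $status = 'Database ERROR: ' . mysqli_stmt_error($stmt);
                }
                mysqli_stmt_close($stmt);
            } else {
                $status = 'Could not prepare statement: ' . mysqli_error($link);
            }
            mysqli_close($link);
        } else {
            $status = 'Could not connect: ' . mysqli_connect_error();
        }
    }
}
?>
<html>
<head>
    <title>The Field Submission Testing Ground</title>
</head>
<body>
    <div id="submit1">
        <!-- Exactly one form, with an explicit method. The original wrapped this
             in a second, method-less <form>; browsers drop the nested tag and
             the outer form defaults to GET, which is why POST "acted like GET". -->
        <form action="testing.php" method="POST">
            Enter comment:
            <input type="text" name="entrynum" maxlength="2000"/>
            <input type="submit" value="Submit"/>
        </form>
    </div>
    <?php if ($status !== ''): ?>
        <!-- Escape on output so a DB error message or echoed input cannot inject HTML -->
        <p><?php echo htmlspecialchars($status, ENT_QUOTES, 'UTF-8'); ?></p>
    <?php endif; ?>
</body>
</html>
```

Save it as testing.php so the form posts back to itself. Submitting a value such as O'Reilly stores the apostrophe intact; with the original interpolated query that same input would have produced a SQL syntax error, which is the symptom that shows where unescaped input ends up.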
