Can't add record to MySQL Table using PHP


jawinn

Ok, here's my next problem.  I want to be able to add records to a MySQL table via a web form.

Here is my form code:

[code]
<form method="post" action="answer.php">
First Name&nbsp;&nbsp;&nbsp;Last Name<br>
<input type="text" name="fname" /><input type="text" name="lname" /><br/><br>
City&nbsp;&nbsp;&nbsp;State<br>
<input type="text" name="city" /><select name="state">
<option>Alabama</option>
<option>Wyoming</option>
</select><br/><br>
E-mail Address<br>
<input type="text" name="email" /><br/><br>
Answer: <input type="radio" name="answer" value="A" /> A<input type="radio" name="answer" value="B" /> B<input type="radio" name="answer" value="C" /> C<input type="radio" name="answer" value="D" /> D<br/>
<input type="checkbox" name="remember" value="1" />Remember Me<br/><br/>
<input type="submit" name="submit" value="Submit" />
</form>
[/code]

Here is my processor code:
[code]
<?php

include('conn.php');

$error = false;

if(isset($_POST['submit'])) {

    $form = array();
    $form['fname'] = $_POST['fname'];
    $form['lname'] = $_POST['lname'];
    $form['email'] = $_POST['email'];
    $form['city']  = $_POST['city'];
    $form['state'] = $_POST['state'];
    $answer = $_POST['answer'];

    if(!ini_get('magic_quotes_gpc')) {
        // Build safe query values string
        foreach($form as $key => $value) {
            $form[$key] = mysql_escape_string($value);
        }
    }

    $query = "INSERT INTO centries (fname,lname,email,city,state,answer) VALUES ('{$form['fname']}', '{$form['lname']}', '{$form['email']}', '{$form['city']}','{$form['state']}', '{$form['answer']}',)";

    $result = $database->query($query);

?>
[/code]

Every time I submit the form I get this error:

Parse error: parse error, unexpected $ in /xxx/xxx/xxx/xxx/answer.php on line 29

Any help is much appreciated.

Thanks in advance,
Jawinn

Missing a closing "}": (2) if(s), (1) foreach(), but you only have (2) "}". Put another one after the (2) you already have! Also, please validate your inputs; you will have many undefined errors if you don't!

Also, don't trust addslashes() for db inserts; always use mysql_real_escape_string().

[code]
if( isset ( $_POST['submit'] ) )
{
// addslashes is never safe for inserts

if ( ini_get ( 'magic_quotes_gpc' ) )
{
$_POST = array_map ( 'stripslashes', $_POST );
}

// I don't understand why you assign the $_POST
// array to another array $form, a wasted resource

$form = array();
$form['fname'] = $_POST['fname'];
$form['lname'] = $_POST['lname'];
$form['email'] = $_POST['email'];
$form['city']  = $_POST['city'];
$form['state'] = $_POST['state'];
$answer        = $_POST['answer'];

// the foreach can be replaced with

$form = array_map ( 'mysql_real_escape_string', $form );
}
[/code]


me!

I think you like being argumentative; I do too, hehe. addslashes does not protect against all Unicode character sets, so SQL injection is possible, which can allow sub-queries to be easily crafted and executed. I was going to write a long-winded answer with some examples, but script kiddies are always around, so I will just point you to a simple article that explains (1) of the many methods that are available if you know MySQL and Unicode's dirty little secrets.

[url=http://shiflett.org/archive/184]http://shiflett.org/archive/184[/url]

me!
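For reference, here is a version of answer.php that addresses both the original question (the unbalanced braces behind the parse error, plus the trailing comma in the VALUES list and the reference to $form['answer'], which the posted code never sets) and the point the replies make about escaping. This is an added example, not code from jawinn or from either reply. Instead of escaping values into the SQL text, it uses PDO prepared statements, declares the connection charset in the DSN (so the client and server agree on the character set, which is the gap the linked article describes), and allow-lists the fields that can only take fixed values. It assumes PHP 7.1 or later with the PDO MySQL driver, a table named centries with the columns used in the thread, and placeholder connection details that you must replace.

```php
<?php
// answer.php (added example; not the original poster's code).
// Assumes PHP >= 7.1 with PDO, and a MySQL table `centries` with the
// columns fname, lname, email, city, state, answer as in the thread.
// $dsn, $dbUser and $dbPass are placeholders to be replaced.
declare(strict_types=1);

// The charset belongs in the DSN so client and server agree on it; this
// removes the charset-dependent escaping problem that addslashes() has.
$dsn    = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$dbUser = 'DB_USER_PLACEHOLDER';
$dbPass = 'DB_PASS_PLACEHOLDER';

// Allow-lists for fields that may only take a fixed set of values.
const STATES  = ['Alabama', 'Wyoming']; // extend with the real list
const ANSWERS = ['A', 'B', 'C', 'D'];

/**
 * Validate the posted fields. Returns [errors, cleanFields].
 * Missing keys produce an error instead of an "undefined index" notice.
 */
function validateEntry(array $post): array
{
    $errors = [];
    $clean  = [];

    foreach (['fname', 'lname', 'city'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > 64) {
            $errors[] = "$field is required and must be at most 64 characters";
        }
        $clean[$field] = $value;
    }

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    $clean['email'] = $email;

    $state = (string)($post['state'] ?? '');
    if (!in_array($state, STATES, true)) {
        $errors[] = 'state is not in the allowed list';
    }
    $clean['state'] = $state;

    $answer = (string)($post['answer'] ?? '');
    if (!in_array($answer, ANSWERS, true)) {
        $errors[] = 'answer must be one of A, B, C or D';
    }
    $clean['answer'] = $answer;

    return [$errors, $clean];
}

/**
 * Insert one row with a prepared statement. The values never become part
 * of the SQL text, so no escaping step (mysql_escape_string, addslashes)
 * is needed and no quoting mistakes are possible.
 */
function insertEntry(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO centries (fname, lname, email, city, state, answer)
         VALUES (:fname, :lname, :email, :city, :state, :answer)'
    );
    $stmt->execute([
        ':fname'  => $clean['fname'],
        ':lname'  => $clean['lname'],
        ':email'  => $clean['email'],
        ':city'   => $clean['city'],
        ':state'  => $clean['state'],
        ':answer' => $clean['answer'],
    ]);
    return (int)$db->lastInsertId();
}

if (isset($_POST['submit'])) {
    [$errors, $clean] = validateEntry($_POST);
    if ($errors !== []) {
        http_response_code(400);
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }

    $db = new PDO($dsn, $dbUser, $dbPass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
    $id = insertEntry($db, $clean);
    echo 'Saved entry #', $id;
}
```

Every block is closed, so the "unexpected $end" style parse error cannot occur, and PDO::ERRMODE_EXCEPTION makes a failed INSERT raise an exception instead of silently returning false as the original $database->query($query) call would.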
