Jump to content


Photo

Can't add record to MySQL Table using PHP


  • Please log in to reply
5 replies to this topic

#1 jawinn

jawinn
  • New Members
  • Pip
  • Newbie
  • 9 posts

Posted 02 October 2006 - 06:43 PM

Ok, here's my next problem.  I want to be able to add records to a MySQL table via a web form.

Here is my form code:

<form method="post" action="answer.php" />
First Name&nbsp;&nbsp;&nbsp;Last Name<br>
<input type="text" name="fname" /><input type="text" name="lname" /><br/><br>
City&nbsp;&nbsp;&nbsp;State<br>
<input type="text" name="city" /><select name="state" />
<option>Alabama</option>
<option>Wyoming</option>
</select><br/><br>
E-mail Address<br>
<input type="text" name="email" /><br/><br>
Answer: <input type="radio" name="answer" value="A" /> A<input type="radio" name="answer" value="B" /> B<input type="radio" name="answer" value="C" /> C<input type="radio" name="answer" value="D" /> D<br/>
<input type="checkbox" name="remember" value="1" />Remember Me<br/><br/>
<input type="submit" name="submit" value="Submit" />
</form>

Here is my processor code:
<?php

  include('conn.php');

    $error = false;

if(isset($_POST['submit'])) {

$form = array();
$form['fname'] = $_POST['fname'];
$form['lname'] = $_POST['lname'];
$form['email'] = $_POST['email'];
$form['city'] = $_POST['city'];
$form['state'] = $_POST['state'];
$answer = $_POST['answer'];

if(!ini_get('magic_quotes_gpc')) {
// Build safe query values string
foreach($form as $key => $value) {
$form[$key] = mysql_escape_string($value);
}
}

$query = "INSERT INTO centries (fname,lname,email,city,state,answer) VALUES ('{$form['fname']}', '{$form['lname']}', '{$form['email']}', '{$form['city']}','{$form['state']}', '{$form['answer']}',)";

$result = $database->query($query);

?>

Every time I submit the form I get this error:

Parse error: parse error, unexpected $ in /xxx/xxx/xxx/xxx/answer.php on line 29

Any help is much appreciated.

Thanks in advance,
Jawinn

#2 printf

printf
  • Staff Alumni
  • Advanced Member
  • 889 posts

Posted 02 October 2006 - 07:49 PM

missing a closing * } * (2) if(s), (1) foreach(), you only have (2) * } * put another one after the (2) you already have! Also please validate your inputs, you will have many undefined errors if you don't!

Also don't trust addslashes() for db inserts, always use mysql_real_escape_string()

if( isset ( $_POST['submit'] ) )
{
	// addslashes is never safe for inserts

	if ( ini_get ( 'magic_quotes_gpc' ) )
	{
		$_POST = array_map ( 'stripslashes', $_POST );
	}

	// I don't understand why you assign the $_POST
	// array to another array $form, a wasted resource

	$form = array();
	$form['fname'] = $_POST['fname'];
	$form['lname'] = $_POST['lname'];
	$form['email'] = $_POST['email'];
	$form['city']  = $_POST['city'];
	$form['state'] = $_POST['state'];
	$answer        = $_POST['answer'];

	// the foreach can be replaced with

	$form = array_map ( 'mysql_real_escape_string', $form );
}


me!

#3 jawinn

jawinn
  • New Members
  • Pip
  • Newbie
  • 9 posts

Posted 02 October 2006 - 08:48 PM

Thanks printf.  Sorry but I am just beginning with PHP and MySQL.  Should I just insert the code above into my script?  Are there any elements I should keep from my original script?

thanks in advance

#4 fenway

fenway
  • Staff Alumni
  • MySQL Si-Fu / PHP Resident Alien
  • 16,199 posts
  • LocationToronto, ON

Posted 03 October 2006 - 12:02 AM

Pardon my ignorance, but could you clarify the difference between addslashes()  and mysql_real_escape_string()? If I had to guess, I'd use the latter... ;-)
Seriously... if people don't start reading this before posting, I'm going to consider not answering at all.

#5 printf

printf
  • Staff Alumni
  • Advanced Member
  • 889 posts

Posted 03 October 2006 - 12:54 AM

I think you you like being argumentative, I do to, hehe, addslashes does not protect against all unicode character sets, so sql injection is possible which can allow sub queries to be easily crafted and executed. I was going to write a long winded answer with some examples, but script kiddies are always around, so I will just point you to a simple article that explains (1) of the many methods that are available if you know MySQL and unicodes dirty little secrets.

http://shiflett.org/archive/184

me!



#6 fenway

fenway
  • Staff Alumni
  • MySQL Si-Fu / PHP Resident Alien
  • 16,199 posts
  • LocationToronto, ON

Posted 03 October 2006 - 02:43 PM

Not argumentative per se (at least not in this case) -- I don't use PHP, so I've never had to use either... I was just curious.
Seriously... if people don't start reading this before posting, I'm going to consider not answering at all.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users