Jump to content

Archived

This topic is now archived and is closed to further replies.

jawinn

Can't add record to MySQL Table using PHP

Recommended Posts

Ok, here's my next problem.  I want to be able to add records to a MySQL table via a web form.

Here is my form code:

<form method="post" action="answer.php" />
First Name&nbsp;&nbsp;&nbsp;Last Name<br>
<input type="text" name="fname" /><input type="text" name="lname" /><br/><br>
City&nbsp;&nbsp;&nbsp;State<br>
<input type="text" name="city" /><select name="state" />
<option>Alabama</option>
<option>Wyoming</option>
</select><br/><br>
E-mail Address<br>
<input type="text" name="email" /><br/><br>
Answer: <input type="radio" name="answer" value="A" /> A<input type="radio" name="answer" value="B" /> B<input type="radio" name="answer" value="C" /> C<input type="radio" name="answer" value="D" /> D<br/>
<input type="checkbox" name="remember" value="1" />Remember Me<br/><br/>
<input type="submit" name="submit" value="Submit" />
</form>

Here is my processor code:
<?php

  include('conn.php');

    $error = false;

if(isset($_POST['submit'])) {

$form = array();
$form['fname'] = $_POST['fname'];
$form['lname'] = $_POST['lname'];
$form['email'] = $_POST['email'];
$form['city'] = $_POST['city'];
$form['state'] = $_POST['state'];
$answer = $_POST['answer'];

if(!ini_get('magic_quotes_gpc')) {
// Build safe query values string
foreach($form as $key => $value) {
$form[$key] = mysql_escape_string($value);
}
}

$query = "INSERT INTO centries (fname,lname,email,city,state,answer) VALUES ('{$form['fname']}', '{$form['lname']}', '{$form['email']}', '{$form['city']}','{$form['state']}', '{$form['answer']}',)";

$result = $database->query($query);

?>

Every time I submit the form I get this error:

Parse error: parse error, unexpected $ in /xxx/xxx/xxx/xxx/answer.php on line 29

Any help is much appreciated.

Thanks in advance,
Jawinn

Share this post


Link to post
Share on other sites
missing a closing * } * (2) if(s), (1) foreach(), you only have (2) * } * put another one after the (2) you already have! Also please validate your inputs, you will have many undefined errors if you don't!

Also don't trust addslashes() for db inserts, always use mysql_real_escape_string()

[code]if( isset ( $_POST['submit'] ) )
{
// addslashes is never safe for inserts

if ( ini_get ( 'magic_quotes_gpc' ) )
{
$_POST = array_map ( 'stripslashes', $_POST );
}

// I don't understand why you assign the $_POST
// array to another array $form, a wasted resource

$form = array();
$form['fname'] = $_POST['fname'];
$form['lname'] = $_POST['lname'];
$form['email'] = $_POST['email'];
$form['city']  = $_POST['city'];
$form['state'] = $_POST['state'];
$answer        = $_POST['answer'];

// the foreach can be replaced with

$form = array_map ( 'mysql_real_escape_string', $form );
}[/code]


me!

Share this post


Link to post
Share on other sites
Thanks printf.  Sorry but I am just beginning with PHP and MySQL.  Should I just insert the code above into my script?  Are there any elements I should keep from my original script?

thanks in advance

Share this post


Link to post
Share on other sites
Pardon my ignorance, but could you clarify the difference between addslashes()  and mysql_real_escape_string()? If I had to guess, I'd use the latter... ;-)

Share this post


Link to post
Share on other sites
I think you you like being argumentative, I do to, hehe, addslashes does not protect against all unicode character sets, so sql injection is possible which can allow sub queries to be easily crafted and executed. I was going to write a long winded answer with some examples, but script kiddies are always around, so I will just point you to a simple article that explains (1) of the many methods that are available if you know MySQL and unicodes dirty little secrets.

[url=http://shiflett.org/archive/184]http://shiflett.org/archive/184[/url]

me!

Share this post


Link to post
Share on other sites
Not argumentative per se (at least not in this case) -- I don't use PHP, so I've never had to use either... I was just curious.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.