Sylsky Posted July 17, 2011

Hello. It's my first day coding in PHP/SQL and it's so hard for me to find my mistake in this code:

Page insertion.php:

```php
<?php
// connect to the database
include("connexionbdd.php");
// end of database connection
if (isset($_REQUEST['pseudo']))
{
    mysql_select_db("apprentissage", $con);
    mysql_query("INSERT INTO membres (id,pseudo,mdp,email) VALUES ('','$_POST[pseudo]','$_POST[mdp]','$_POST')");
}
else
{
    echo "Un champ n'a pas été rempli...";
}
// close the database connection
mysql_close($con);
?>
```

Page formulaireinsc.php:

```html
<form action="insertion.php" method="post">
Pseudo: <input type="text" name="pseudo" /><br />
Mot de passe: <input type="text" name="mdp" /><br />
Mail: <input type="text" name="email" /><br />
<input type="submit" value="Envoyer!" />
</form>
```

As you can see in my insertion.php, I use isset to see if the field has been filled. But it continues inserting in my tables, even if I don't fill anything in the field "pseudo".

Well I typed all those codes after reading w3c, didn't read any tutorial because I wanna try to create a member area by myself. But it's hard for a newbie xD

Help please !! Thanks in advance.

teynon Posted July 17, 2011

try

```php
if (!empty($_REQUEST['pseudo']))
```

It's always going to be set, it'll just be empty. Am I the only one who doesn't like $_REQUEST?

cyberRobot Posted July 17, 2011

> Am I the only one who doesn't like $_REQUEST?

I prefer to know where the data comes from, so I've never been a fan of $_REQUEST.

Sylsky (Author) Posted July 17, 2011

Changed REQUEST by POST. And changed isset by empty... still doesn't work :S

EDIT: oh w/e i put empty not !empty, i'll try later. Now I brb 15 mins.

Second question, for a first day of PHP/SQL, am I starting good?

cyberRobot Posted July 17, 2011

You could try:

```php
$_POST['pseudo'] = trim($_POST['pseudo']);
if(isset($_POST['pseudo']) && $_POST['pseudo'] != '') {
```

Note that the trim() function prevents spaces from being a valid value.

Sylsky (Author) Posted July 17, 2011

Alright, it worked perfectly with !empty, i'll try to improve this code now but i'll take in note your message, cyberRobot x)

Am I starting well? Ya I need compliments after doing 8 hours in a row on those new languages (but omg, i'm so addicted to it o.O)

Sylsky (Author) Posted July 18, 2011

```php
$used="claude";
```

In case of "claude", can I ask for Select all from database? But what is the code to ask: "is "$pseudo" used in database?"

```php
elseif ($_POST['pseudo']) == "$used")
```

Isn't working... I got an error message when I let it in my php file...

```php
<?php
// connect to the database
include("connexionbdd.php");
// end of database connection
$used="claude";
if (empty ($_POST['pseudo']))
{
    echo "Certains champs n'ont pas été remplis!<br>Veuillez <a href='formulaireinsc.php'>réessayer</a>.";
}
elseif (($_POST['pseudo']) == "$used")
{
    echo "Pseudo déjà utilisé!";
}
elseif (empty($_POST['mdp']))
{
    echo "Certains champs n'ont pas été remplis!<br>Veuillez <a href='formulaireinsc.php'>réessayer</a>.";
}
elseif (empty($_POST['email']))
{
    echo "Certains champs n'ont pas été remplis!<br>Veuillez <a href='formulaireinsc.php'>réessayer</a>.";
}
else
{
    mysql_select_db("apprentissage", $con);
    mysql_query("INSERT INTO membres (id,pseudo,mdp,email) VALUES ('','$_POST[pseudo]','$_POST[mdp]','$_POST')");
    echo "Vous êtes bien inscrit!";
}
// close the database connection
mysql_close($con);
?>
```

What do I have to do? :/

TeNDoLLA Posted July 18, 2011

This

```php
elseif ($_POST['pseudo']) == "$used")
```

Should be just

```php
elseif ($_POST['pseudo'] == $used)
```

Don't think it's great logic to leave the insert query in the ELSE block. Would be more logical to check the valid parameters and do insert if ALL is good.

You have also SQL-injection possibilities in your code. You should use mysql_real_escape_string around the values that you are gonna be inserting to the database. See: http://fi2.php.net/manual/en/function.mysql-real-escape-string.php .

Also it helps if you tell us what error you are getting instead of just "my stuff does not work, i have error maybe". For some basic debugging I suggest you look up var_dump() and mysql_error() from the php.net's manual. Also using echoes helps.

Sylsky (Author) Posted July 18, 2011

Ok, thanks. I tried to apply the mysql_real_escape_string, like this:

```php
mysql_query("INSERT INTO membres (id,pseudo,mdp,email) VALUES ('','$_POST[pseudo]','$_POST[mdp]','$_POST')", mysql_real_escape_string($_POST['pseudo']));
```

But I got an error:

```
Warning: mysql_query() expects parameter 2 to be resource, string given in C:\Users\Sylvain\Desktop\apprentissagePHP\insertion.php on line 26
```

TeNDoLLA Posted July 18, 2011

1. You have to escape the data BEFORE running query.
2. Use single quotes around string array indexes, or they will be treated as constants.
3. If your id field is auto_increment you don't need to define it in the query at all.

```php
$pseudo = mysql_real_escape_string($_POST['pseudo']);
$mdp = mysql_real_escape_string($_POST['mdp']);
$email = mysql_real_escape_string($_POST['email']);
mysql_query("INSERT INTO membres (pseudo,mdp,email) VALUES ($pseudo, $mdp, $email)");
```

cyberRobot Posted July 18, 2011

For what it's worth, I prefer using SET over VALUES when using insert:

```php
$pseudo = mysql_real_escape_string($_POST['pseudo']);
$mdp = mysql_real_escape_string($_POST['mdp']);
$email = mysql_real_escape_string($_POST['email']);
mysql_query("INSERT INTO membres SET pseudo='$pseudo', mdp='$mdp', email='$email'");
```

SET makes it easier to see the direct connection between the column name and its value. Of course when you only have 3 columns, it's not too difficult to see the connection.

TeNDoLLA Posted July 18, 2011

That's a personal preference mostly. But however using VALUES is standard SQL. Using SET is only MySQL's way to do it.

Sylsky (Author) Posted July 18, 2011

Alright, now my code looks like this:

```php
<?php
// connect to the database
include("connexionbdd.php");
// end of database connection
if (empty ($_POST['pseudo']))
{
    echo "Certains champs n'ont pas été remplis!<br>Veuillez <a href='formulaireinsc.php'>réessayer</a>.";
}
elseif (empty($_POST['mdp']))
{
    echo "Certains champs n'ont pas été remplis!<br>Veuillez <a href='formulaireinsc.php'>réessayer</a>.";
}
elseif (empty($_POST['email']))
{
    echo "Certains champs n'ont pas été remplis!<br>Veuillez <a href='formulaireinsc.php'>réessayer</a>.";
}
else
{
    mysql_select_db("apprentissage", $con);
    $pseudo = mysql_real_escape_string($_POST['pseudo']);
    $mdp = mysql_real_escape_string($_POST['mdp']);
    $email = mysql_real_escape_string($_POST['email']);
    mysql_query("INSERT INTO membres (pseudo,mdp,email) VALUES ($pseudo, $mdp, $email)");
    echo "Vous êtes bien inscrit!";
}
// close the database connection
mysql_close($con);
?>
```

I let the query in the else block because for me (maybe my brain isn't really built normally xD) it's more logical like this :<

The mysql_real_escape_string isn't making any error message anymore. BUT nothing is inserted in my tables, now.

And... I'd like to avoid the users to put only spaces to make their accounts, I heard about the function str_replace, do I have to use this or there is another one?

cyberRobot Posted July 18, 2011

> I'd like to avoid the users to put only spaces to make their accounts, I heard about the function str_replace, do I have to use this or there is another one?

You could take a look at the trim() function: http://php.net/manual/en/function.trim.php

It gets rid of leading/trailing spaces. It also prevents the value from only containing spaces.

Sylsky (Author) Posted July 18, 2011

I just noticed that with that new code... nothing is inserted in my tables anymore, whatever the text I put, but it still displays:

```php
echo "Vous êtes bien inscrit!";
```

Sylsky (Author) Posted July 18, 2011

Even took my old code, without mysql_real_escape_string to apply that trim():

```php
mysql_select_db("apprentissage", $con);
$trimmedpseudo = trim($_POST['pseudo']);
$trimmedmdp = trim($_POST['mdp']);
$trimmedemail = trim($_POST['email']);
mysql_query("INSERT INTO membres (pseudo,mdp,email) VALUES ($trimmedpseudo,$trimmedmdp,$trimmedemail)");
echo "Vous êtes bien inscrit!";
```

I get this "Vous êtes bien inscrit!" but nothing is registered in the database

cyberRobot Posted July 18, 2011

Does it insert a blank row? If so, what happens if you do a var_dump() for the variables? http://php.net/manual/en/function.var-dump.php

```php
$pseudo = mysql_real_escape_string($_POST['pseudo']);
$mdp = mysql_real_escape_string($_POST['mdp']);
$email = mysql_real_escape_string($_POST['email']);
var_dump($pseudo);
var_dump($mdp);
var_dump($email);
```

If you don't even get an empty row, you could see if there was a database error using mysql_error() http://php.net/manual/en/function.mysql-error.php

Of course, that's assuming that you're using MySQL.

Sylsky (Author) Posted July 18, 2011

It doesn't even make a new row, it does nothing in the SQL.

And I added this:

```php
echo mysql_errno($con) .mysql_error($con). "\n";
```

in my else block, but now, it added a 0 before my "Vous êtes bien inscrit!" Like this:

```
0 Vous êtes bien inscrit!"
```

Does it mean "0" problems? But there is, nothing is added to the database anymore since I added those new variables :S

cyberRobot Posted July 18, 2011

According to the manual, mysql_errno() returns 0 when there is no MySQL error. http://php.net/manual/en/function.mysql-errno.php

What do you get if you display the SQL query? You'll need to modify the code a bit:

```php
$sql = "INSERT INTO membres (pseudo,mdp,email) VALUES ($trimmedpseudo,$trimmedmdp,$trimmedemail)";
echo $sql;
mysql_query($sql);
```

Sylsky (Author) Posted July 18, 2011

It displays nothing :/

For info, i'm using EasyPHP, dunno, maybe it's linked.

cyberRobot Posted July 18, 2011

It doesn't even display the "INSERT INTO membres " part?

I haven't used EasyPHP before, so I'm not sure if there is a connection.

Sylsky (Author) Posted July 18, 2011

Oh my bad I let the mysql_query at his place before. Now it displays this:

```
INSERT INTO membres (pseudo,mdp,email) VALUES (htyhhjk,rtret,rtyrtyhjkhj)
```

cyberRobot Posted July 18, 2011

Try adding quotes around the values:

```php
$sql = "INSERT INTO membres (pseudo,mdp,email) VALUES ('$trimmedpseudo','$trimmedmdp','$trimmedemail')";
```

Since you're assigning a string as the value, I'm pretty sure you need quotes. Of course, that should be an SQL error.

Sylsky (Author) Posted July 18, 2011

Nice! It's adding now !

But I can still put fields with only spaces, it's still added to database -.-'

Sylsky (Author) Posted July 18, 2011

So my code is this one now:

```php
mysql_select_db("apprentissage", $con);
$pseudo = mysql_real_escape_string($_POST['pseudo']);
$mdp = mysql_real_escape_string($_POST['mdp']);
$email = mysql_real_escape_string($_POST['email']);
var_dump($pseudo);
var_dump($mdp);
var_dump($email);
mysql_query("INSERT INTO membres (pseudo,mdp,email) VALUES ('$pseudo', '$mdp', '$email')");
echo "<br>Vous êtes bien inscrit!";
```

And the page displays:

```
string ' ' (length=6)
string ' ' (length=5)
string ' ' (length=3)
Vous êtes bien inscrit!
```

You can see I tried to register only with spaces. And the "fantom" account has been added to the database.
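
The checks discussed in this thread (trim before testing for empty, "is this pseudo already used?", and keeping form input out of the SQL text), as an added example that is not code from any poster. It assumes PHP 7.1+ with PDO and uses an in-memory SQLite table in place of the MySQL one; `register()` and the UNIQUE constraint are hypothetical. It goes beyond the thread by using prepared statements instead of mysql_real_escape_string (the mysql_* functions were removed in PHP 7) and by hashing the password.

```php
<?php
// Added example, not code from the thread. Assumptions: an in-memory SQLite
// database via PDO stands in for the MySQL database "apprentissage", and the
// UNIQUE constraint on pseudo and the register() helper are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE membres (id INTEGER PRIMARY KEY AUTOINCREMENT,
    pseudo TEXT NOT NULL UNIQUE, mdp TEXT NOT NULL, email TEXT NOT NULL)');

// Returns null on success, or a message saying why the row was refused.
function register(PDO $pdo, array $post): ?string
{
    // Trim first, then test: a field holding only spaces becomes ''.
    $pseudo = trim((string)($post['pseudo'] ?? ''));
    $email  = trim((string)($post['email'] ?? ''));
    $mdp    = (string)($post['mdp'] ?? '');  // stored untrimmed, tested trimmed
    if ($pseudo === '' || $email === '' || trim($mdp) === '') {
        return 'empty field';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email';
    }
    // "Is $pseudo used in the database?" as a parameterized SELECT.
    $check = $pdo->prepare('SELECT 1 FROM membres WHERE pseudo = ?');
    $check->execute([$pseudo]);
    if ($check->fetchColumn() !== false) {
        return 'pseudo already used';
    }
    // Placeholders keep the values out of the SQL text, so nothing is escaped
    // or quoted by hand. The password is stored as a hash, not as typed.
    $insert = $pdo->prepare('INSERT INTO membres (pseudo, mdp, email) VALUES (?, ?, ?)');
    $insert->execute([$pseudo, password_hash($mdp, PASSWORD_DEFAULT), $email]);
    return null;
}

// Constructed sample submissions, not data from the thread.
$samples = [
    ['pseudo' => '      ', 'mdp' => '     ', 'email' => '   '],
    ['pseudo' => 'claude', 'mdp' => 'S3cret!', 'email' => 'claude@example.com'],
    ['pseudo' => 'claude', 'mdp' => 'other', 'email' => 'c2@example.com'],
    ['pseudo' => "d'Artagnan", 'mdp' => 'pw', 'email' => 'dart@example.com'],
];
foreach ($samples as $post) {
    echo var_export($post['pseudo'], true), ' => ', register($pdo, $post) ?? 'registered', "\n";
}
echo $pdo->query('SELECT COUNT(*) FROM membres')->fetchColumn(), " rows stored\n";
```

The spaces-only submission and the duplicate pseudo are refused, while the value containing a single quote is stored intact without any manual escaping.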