crazytigger Posted April 26, 2007

Sirs,

I am having great difficulty getting my script to work and I know not where to turn. I work on behalf of a charity and am looking to implement this as a labour-saving device.

I have a database (MySQL) called contacts and one table in there called contact. Using the "post" method on a PHP web form, it seems I have managed to capture the data therein, but I fail to export it to the database. I managed to ascertain this from previous error messages (the data I put on the form ended up as an error on the input.php script output).

The script looks like this:

    <?php
    include( 'config.php' ); //contains the user, pass, db and db location
    $db = @mysql_connect("$dbhost", "$dbuser", "$dbpasswd") or die( 'Could not connect to database: '.mysql_error() );
    @mysql_select_db($dbname) or die( 'Could not select database: '.mysql_error() );
    $sql = "INSERT INTO contact (id, firstname, lastname, email, phone, location, message).
    VALUES ('NULL','$_POST[comment_firstname()]','$_POST[comment_lastname()]','$_POST[comment_email()]','$_POST[comment_phone()]','$_POST[comment_location()]','$POST[comment_message()]')";
    mysql_close
    ?>

I get the following:

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting ']' in /var/www/input.php on line 12

When I set the values like this:

    VALUES "('one','two','three','four',five','six','seven')";

I get no error message, but there's nothing in the database.

We would surely appreciate your generosity in this matter.

Kind regards
CT

suttercain Posted April 26, 2007

Is your form input like this?

    <input type='text' name='comment_firstname()'>

or is it like this?

    <input type='text' name='comment_firstname'>

crazytigger (Author) Posted April 26, 2007

Thank you for your reply, suttercain.

It was written in Dreamweaver by another member of our group and I am reluctant to reinvent it, as it fits nicely with the CSS that she produced. Each field looks like this:

    <td class="event_data2"><div align="left"> First Name : </div></td>
    <td class="event_data2"><div align="left"><span class="body"><img src="images/1x1.gif" width="17" height="12" /></span></div></td>
    <td class="event_data2"><div align="left">
      <input name="comment_firstname" type="text" id="comment_firstname" maxlength="25">
    </div></td>

I see what you are getting at; however, I have tried removing () on the end of each variable and it doesn't seem to have any effect. I will go now and make sure.

suttercain Posted April 26, 2007

Because your names in the forms are <input name="comment_firstname" without the (), that is how you must enter them into MySQL:

    <?php
    <?php
    include( 'config.php' ); //contains the user, pass, db and db location
    $db = @mysql_connect("$dbhost", "$dbuser", "$dbpasswd") or die( 'Could not connect to database: '.mysql_error() );
    @mysql_select_db($dbname) or die( 'Could not select database: '.mysql_error() );
    $sql = "INSERT INTO contact (id, firstname, lastname, email, phone, location, message)
    VALUES ('NULL','$_POST[comment_firstname]','$_POST[comment_lastname]','$_POST[comment_email]','$_POST[comment_phone]','$_POST[comment_location]','$POST[comment_message]')";
    mysql_close
    ?>

You also might want to convert each post into a variable... EXAMPLE:

    $lastname = $_POST[comment_lastname];

for each that you want to enter. You also had a period in the MySQL statement that shouldn't be there.

sw0o0sh Posted April 26, 2007

Lol guy, you didn't put mysql_query() around $sql. Put this below or attempt to put mysql_query ( && ) around it.

    $sql = mysql_query($sql);

And you may not want to write <?PHP twice.

    <?php
    include( 'config.php' ); //contains the user, pass, db and db location
    $db = @mysql_connect("$dbhost", "$dbuser", "$dbpasswd") or die( 'Could not connect to database: '.mysql_error() );
    @mysql_select_db($dbname) or die( 'Could not select database: '.mysql_error() );
    $sql = "INSERT INTO contact (id, firstname, lastname, email, phone, location, message)
    VALUES ('NULL','$_POST[comment_firstname]','$_POST[comment_lastname]','$_POST[comment_email]','$_POST[comment_phone]','$_POST[comment_location]','$POST[comment_message]')";
    $sql = mysql_query($sql);
    mysql_close
    ?>

crazytigger (Author) Posted April 26, 2007

Sir,

Thank you! Removing the () from each variable does make a difference. I now get no error message; however, no data is sent to the database. I noticed this before when I set the values manually. We must be getting close. Is there anything else I can provide to make diagnosis easier?

Edit: I did not see the recent posts. I will investigate. Many thanks.

sw0o0sh Posted April 26, 2007

Yeah, change what I told you to write to this.. so we can see the physical error..

    $sql = mysql_query($sql) or die(mysql_error());

^^ This reports an error.

suttercain Posted April 26, 2007

Swoosh is right, I missed it.

    <?php
    include( 'config.php' ); //contains the user, pass, db and db location
    $db = @mysql_connect("$dbhost", "$dbuser", "$dbpasswd") or die( 'Could not connect to database: '.mysql_error() );
    @mysql_select_db($dbname) or die( 'Could not select database: '.mysql_error() );
    $sql = mysql_query("INSERT INTO contact (id, firstname, lastname, email, phone, location, message)
    VALUES ('NULL','$_POST[comment_firstname]','$_POST[comment_lastname]','$_POST[comment_email]','$_POST[comment_phone]','$_POST[comment_location]','$POST[comment_message]'") or die(mysql_error());
    mysql_close
    ?>

crazytigger (Author) Posted April 26, 2007

Wow.. I can't thank you enough for your time and effort in this matter. The final version of the code you posted seems to work flawlessly. I feel at risk in turning into a time sink regarding this, so I have but one final question.

All fields update correctly except the "message" part. The code on the form looks like this:

    <td class="event_data2"> </td>
    <td valign="top" class="event_data2"><label>
      <div align="left">
        <textarea name="comment_message" rows="10" id="comment_message"></textarea>
      </div>
    </label></td>

I notice the "textarea" bit present as opposed to "input name, type, id" as before, so I assume this is where the problem lies. Would there be a way around this so I don't have to modify the original form (not that it is a problem to do so)?

Once again our members and I will be ever grateful for your support. Thank you so much.

Kindest of regards
CT

crazytigger (Author) Posted April 26, 2007

Hum... modifying the form code from textarea name to input name doesn't make any difference.. I would appreciate any thoughts.

The most important and honestly the last question I have is: we have a forum using up our one and only SQL database on the server. If I were to add this "contacts" table with its primary key and everything, will it remain separate from the rest of the tables? I have requested a second SQLDB; however, the supplier, whilst sympathetic to our cause, may not wish to grant us this privilege.

Thanks again
CT

sw0o0sh Posted April 26, 2007

Ummm... Your query is very very vulnerable to MySQL injections and such (these are bad if you haven't heard about em), and not even if the user has a bad intent your stuff there could break, simply by them adding an apostrophe.

Here's a more refined code, however I note still not even that great. Just hopefully it fixes your textarea issues.

    <?php
    include( 'config.php' ); //contains the user, pass, db and db location
    $db = @mysql_connect("$dbhost", "$dbuser", "$dbpasswd") or die( 'Could not connect to database: '.mysql_error() );
    @mysql_select_db($dbname) or die( 'Could not select database: '.mysql_error() );
    $sql = mysql_query("INSERT INTO contact (id, firstname, lastname, email, phone, location, message)
    VALUES (NULL,\"".$_POST[comment_firstname]."\",\"".$_POST[comment_lastname]."\",\"".$_POST[comment_email]."\",\"".$_POST[comment_phone]."\",\"".$_POST[comment_location]."\",\"".$POST[comment_message]."\"") or die(mysql_error());
    mysql_close
    ?>

And to answer your "final" question... If it's already in your SQL, why would you need to make a duplicate?

crazytigger (Author) Posted April 26, 2007

Hello again Sir.

Unfortunately the table is not in the SQLDB already; I'd like to add it as an additional feature to be kept separate from the forum. I was hoping to use the existing SQLDB to hold a new table (contact) to hold this information.

I am beginning to understand SQL injections and I appreciate you taking time to help me out. I have been reading about sanitize functions to add once it's up and running. When you say "break", who will be affected? Because if it's just the user, it really doesn't matter at this point.

Your code however gives me an SQL syntax error in line 2 (the part I thought I'd done correctly). It calls config.php to get the location, user, password, dbname, and hostname, so I cannot confirm it fixes the textarea problem.

I feel very close to giving our committee good news.. If you have any immediate thoughts please let me know; otherwise I will thank you for your trouble and check back in a few days after carrying out some more research.

Best wishes
CT
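
The injection and apostrophe breakage sw0o0sh warns about, and the "sanitize functions" the asker mentions, are both handled by binding the form values as parameters instead of pasting them into the SQL string. The following is an added example, not code from any poster in this thread: it uses PDO prepared statements, assumes the pdo_sqlite extension with an in-memory SQLite database standing in for the MySQL contacts database so it runs offline, and the helpers open_db() and save_contact() are hypothetical names.

```php
<?php
// Added example, not from the thread. Assumptions: pdo_sqlite is available and
// an in-memory SQLite database stands in for the MySQL "contacts" database.
// For MySQL, build the PDO with "mysql:host=...;dbname=...;charset=utf8mb4"
// and the credentials from config.php instead.

// Table column => form field name, taken from the thread's form and query.
const FIELDS = [
    'firstname' => 'comment_firstname',
    'lastname'  => 'comment_lastname',
    'email'     => 'comment_email',
    'phone'     => 'comment_phone',
    'location'  => 'comment_location',
    'message'   => 'comment_message',
];

function open_db(): PDO {   // hypothetical helper
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // id is auto-assigned, so the INSERT below does not pass 'NULL' for it.
    $pdo->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY AUTOINCREMENT,
        firstname TEXT, lastname TEXT, email TEXT, phone TEXT,
        location TEXT, message TEXT)');
    return $pdo;
}

function save_contact(PDO $pdo, array $post): int {   // hypothetical helper
    $row = [];
    foreach (FIELDS as $column => $field) {
        // Absent or non-string fields (e.g. arrays) are stored as ''.
        $value = $post[$field] ?? '';
        $row[$column] = is_string($value) ? trim($value) : '';
    }
    // Column names come from FIELDS only; user input travels as bound values.
    $cols  = implode(', ', array_keys($row));
    $marks = ':' . implode(', :', array_keys($row));
    $pdo->prepare("INSERT INTO contact ($cols) VALUES ($marks)")->execute($row);
    return (int) $pdo->lastInsertId();
}

// Constructed sample submission; in input.php this array would be $_POST.
$sample = ['comment_firstname' => 'Pat', 'comment_lastname' => "O'Brien",
    'comment_email' => 'pat@example.org', 'comment_phone' => '555-0100',
    'comment_location' => 'Leeds', 'comment_message' => "It's \"urgent\"; call me"];
$pdo = open_db();
$id = save_contact($pdo, $sample);
$check = $pdo->prepare('SELECT lastname, message FROM contact WHERE id = ?');
$check->execute([$id]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```

The scripts in the thread read the message as $POST[comment_message]; $POST is an undefined variable (the superglobal is $_POST), so that value evaluates to an empty string, which is consistent with the empty message column reported above.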