
I have the code below - updated

php code

    if(empty($_POST['formEmail']))
    {
        $errorMessage .= "<li>You forgot to enter your email</li>";
    }

    $varEmail = $_POST['formEmail'];

    if(empty($errorMessage))
    {
        $db = mysql_connect("servername","username","password");
        if(!$db) die("Error connecting to MySQL database.");
        mysql_select_db("tableName" ,$db);

        // $varEmail is interpolated into the SQL unescaped (see the comments and answers below)
        $sql = "INSERT INTO emails(email) VALUES ('$varEmail')";
        mysql_query($sql);

        echo "Details added";
        $_SESSION['status'] = 'success';
    }

    exit();

    }   // closes an enclosing block whose opening line is not shown in the post

    // Defined here but never called by the code above
    function PrepSQL($value)
    {
        // Stripslashes
        if(get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }

        // Quote
        $value = "'" . mysql_real_escape_string($value) . "'";

        return($value);
    }
    ?>

form code

    <?php
    if(!empty($errorMessage))
    {
        echo("<p>There was an error with your form:</p>\n");
        echo("<ul>" . $errorMessage . "</ul>\n");
    }
    ?>

    <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
    <p>
    <label for='formEmail'>Sign up to be notified when we go live!</label><br/>
    <input type="text" name="formEmail" maxlength="50" value="<?=$varEmail;?>" />
    </p>
    <input type="submit" name="formSubmit" value="Submit" />
    </form>

I'm not getting any errors and as far as I can tell the syntax looks fine, but it's not putting the email information into the database. Anyone have an idea of what's going on? As a side note, I am a newb to all PHP.

  • Never ever inject $_* superglobals in a query; use mysql_real_escape_string() to escape all $vars whether they come from you or the user. Also get_magic_quotes_gpc() is broken and should never be used. Commented Oct 10, 2011 at 18:40
  • @Johan, I don't know much about SQL databases, so what you said might as well be in Latin. Would you please elaborate? Commented Oct 10, 2011 at 19:07
  • Sure, read this question: stackoverflow.com/questions/332365/… and here on why magic quotes are broken: php.net/manual/en/security.magicquotes.disabling.php Commented Oct 10, 2011 at 19:10

2 Answers

You've forgotten to run the query! Put

mysql_query($sql);

straight after

$sql = "INSERT INTO emails(email) VALUES ('$varEmail')";

Make sure you run the $_POST variable through mysql_real_escape_string as well:

$varEmail = mysql_real_escape_string($_POST['formEmail']);

This will help protect you from SQL Injection attacks.

EDIT

One more tiny thing: I guess you want to set the session variable to success when the form has submitted successfully. To do that you'll need to move

echo "Details added";
$_SESSION['status'] = 'success';

within the same `if` structure as the SQL query is run, otherwise it will never be set.

2 Comments

Now I'm getting the error: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to local MySQL server through socket. Why would adding the mysql_real_escape be causing any problems?
@bjstone15, you need to connect to the database before using mysql_real_escape_string(), otherwise it will give you that error.

Try:

    $db = mysql_connect("servername","username","password");
    if(!$db) die("Error connecting to MySQL database.");
    mysql_select_db("tableName" ,$db);


    $sql = sprintf("INSERT INTO emails(email) VALUES ('%s')",mysql_real_escape_string($varEmail));
    $results = mysql_query($sql);

5 Comments

-1, a db called tableName is just weird, and not addressing the SQL-injection hole is dangerous.
First of all, it is copied directly from his code. Second of all, he just needs to see that it is working before he addresses security. This is no reason to mark an answer down. I edited my response with a much better approach to dealing with security.
The name 'tableName' is not the name of the table but just something I was using for an example.
@bjstone15, I understood what you were doing. I'm not sure why people get so specific about these things that they mark down people who ask legitimate questions and those who give legitimate, next-step, answers. Feel free to mark me up if you find my answer helpful.
%s is a replace string. You can include them in your sprintf statement, but define them after the string. Check out php.net/manual/en/function.sprintf.php for more info...but it is just a string-print-format (sprintf) which allows you to define a format and parameters to be formatted.
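The `mysql_*` functions used in both answers were deprecated in PHP 5.5 and removed in PHP 7. The same sign-up handler with a PDO prepared statement follows, as an added example that is not part of the question or either answer: the host, database name, user and password are placeholders, while the `emails(email)` table and the `formEmail`/`formSubmit` field names are the ones from the question.

```php
<?php
// Added example (not the question's or answers' code): the sign-up handler
// rewritten with PDO prepared statements. Host, database name, user and
// password are placeholders; `emails(email)` is the table from the question.
session_start();

$errorMessage = '';
$varEmail     = trim($_POST['formEmail'] ?? '');

if (isset($_POST['formSubmit'])) {
    if ($varEmail === '') {
        $errorMessage .= "<li>You forgot to enter your email</li>";
    } elseif (filter_var($varEmail, FILTER_VALIDATE_EMAIL) === false) {
        $errorMessage .= "<li>That does not look like a valid email address</li>";
    }

    if ($errorMessage === '') {
        try {
            $db = new PDO(
                'mysql:host=servername;dbname=databaseName;charset=utf8mb4',
                'username',
                'password',
                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                 PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepares
            );

            // The value is bound, never interpolated into the SQL text, so no
            // manual quoting or escaping (mysql_real_escape_string) is needed.
            $stmt = $db->prepare('INSERT INTO emails (email) VALUES (:email)');
            $stmt->execute([':email' => $varEmail]);

            // Only mark success once the INSERT has actually run.
            $_SESSION['status'] = 'success';
            echo "Details added";
            exit();
        } catch (PDOException $e) {
            // Keep driver details out of the page; log them server-side instead.
            error_log('Sign-up insert failed: ' . $e->getMessage());
            $errorMessage .= "<li>We could not save your email right now</li>";
        }
    }
}

if ($errorMessage !== '') {
    echo "<p>There was an error with your form:</p>\n<ul>{$errorMessage}</ul>\n";
}
```

When echoing `$varEmail` back into the form's `value` attribute, wrap it in `htmlspecialchars()` rather than using the bare `<?=$varEmail;?>` from the question.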
