
The form below is not adding points to the fourth field in the MySQL table "contest."

I can't find anything wrong with the code. Am I missing something obvious?

echo '<form action="http://www.website.com/folder/file.php" method="post">
    <input type="hidden" value="'.$u.'" name="u">
    <input type="hidden" value="'.$profile.'" name="profile">
    <input type="hidden" value="'.$profileid.'" name="profileid">

    <div class="friend2title"><label for="url">Add points:</label></div>
    <div class="friend2field"><input name="state" type="text" id="state" maxlength="150"></div>

    <div class="addresssubmit"><input name="submit" type="submit" value="Add"></div>
</form>
';

Then, on http://www.website.com/folder/file.php:

$u = $_POST['u'];
$profile = $_POST['profile'];
$profileid = $_POST['profileid'];

$state = $_POST['state'];

$state = mysql_real_escape_string($state);

mysql_query("INSERT INTO contest VALUES (NULL, 'critic', '$profileid',  '$state', NULL')");
  • Your code is vulnerable to SQL injection. You really should be using prepared statements, into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of Bobby Tables. Commented Jul 2, 2012 at 23:42
  • Also, as stated in the PHP manual for the mysql_query() function: Use of this extension is discouraged. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Commented Jul 2, 2012 at 23:42
  • Consider including the table fields in the query like this - INSERT INTO contest (field1, field2, ...) VALUES (NULL, 'critic', ...) Commented Jul 2, 2012 at 23:45
  • Maybe a note for German speaking people. The note "Use of this function is discouraged" is available in all languages (like English, French, Spanish), but it's missing in German. So stick to the English or any other version of the page. :) Commented Jul 3, 2012 at 0:03

1 Answer

You have to declare the value attribute with the default value in your state input:

<input name="state" type="text" id="state" value="' . $state . '" maxlength="150">

Additionally, your code is vulnerable to SQL injection. Never trust fields that come from users; it is very dangerous for your database.


1 Comment

And also, you should avoid using mysql_* functions, as they are about to be deprecated, and should use PDO or mysqli instead.
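
The handler from the question, rewritten along the lines the comments and the answer suggest (PDO, a prepared statement, named columns). This is an added example, not code from the thread; the column names and the in-memory SQLite demo database are assumptions, since the page never shows the schema of the contest table.

```php
<?php
// Added example, not the asker's code. Column names (id, type, profile_id,
// points, created) are assumed; the page never shows the contest schema.

function addPoints(PDO $pdo, array $post): int
{
    // Reject anything that is not a whole number before it reaches SQL.
    $profileId = filter_var($post['profileid'] ?? null, FILTER_VALIDATE_INT);
    $points    = filter_var($post['state'] ?? null, FILTER_VALIDATE_INT);
    if ($profileId === false || $points === false) {
        throw new InvalidArgumentException('profileid and state must be integers');
    }

    // Named columns: the insert no longer depends on column order, and
    // auto-filled columns (id, created) are simply left out.
    $stmt = $pdo->prepare(
        'INSERT INTO contest (type, profile_id, points)
         VALUES (:type, :profile_id, :points)'
    );
    // Values travel as bound parameters, so there are no quotes to balance
    // by hand and user input is never parsed as SQL.
    $stmt->execute([
        ':type'       => 'critic',
        ':profile_id' => $profileId,
        ':points'     => $points,
    ]);
    return (int) $pdo->lastInsertId();
}

// Demo on an in-memory SQLite database so it runs offline (constructed data).
// With MySQL the DSN would be e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently, as mysql_query() does
// when its return value is ignored.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contest (
    id INTEGER PRIMARY KEY, type TEXT, profile_id INTEGER,
    points INTEGER, created TEXT DEFAULT CURRENT_TIMESTAMP)');

$id = addPoints($pdo, ['profileid' => '42', 'state' => '10']);
echo "inserted row $id\n";

try {
    // Constructed malformed input: rejected by validation, never reaches SQL.
    addPoints($pdo, ['profileid' => '42', 'state' => "10'); --"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With exceptions enabled, a malformed statement surfaces as a PDOException at the call site instead of an insert that quietly never happens.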
