0

I am new to PHP. I've been working on a simple form that submits data into a MySQL database and have hit a snag. I'm just not sure where the error in the code is, any help would be appreciated.

<?php

$host      = 'localhost'; // hostname
$username  = 'root'; // MySQL Username
$password  = 'root'; // MySQL Password
$db_name   = 'idp'; // Database name
$tbl_name  = 'data'; // Table name

// Attempt MySQL Connection
mysql_connect("$host", "$username", "$password")or die("Cannot connect.");
// Attempt database connection
mysql_select_db("$db_name")or die("Cannot select DB.");

$name      = $_POST['name'];
$mbr_name   = $_POST['mbr_name'];
$mbr_tel   = $_POST['mbr_tel'];
$date      = $_POST['date'];

$sql     = "INSERT INTO $tbl_name(name, mbr_name, mbr_tel, date)VALUES('$name',       '$mbr_name', '$mbr_tel', '$date')";
$result  = mysql_query($sql);

if($result) {
echo "Entry Successful";
echo "<br>";
echo "<a href='form.php'>Return to Form</a>";
} else {
echo "<strong>Error</strong>";
}

mysql_close();
?>
10
  • is the data not being inserted into the table? Commented Oct 14, 2013 at 17:42
  • This might not be the problem, but try putting actual values within the mysql_connect and mysql_select_db functions instead of variables: mysql_connect("$host", "$username", "$password")or die("Cannot connect."); mysql_select_db("$db_name")or die("Cannot select DB."); Commented Oct 14, 2013 at 17:42
  • 3
    you could do a $result = mysql_query($sql) or die(mysql_error()); but really, don't use the mysql_* functions anymore for new code, they're deprecated. Commented Oct 14, 2013 at 17:43
  • Ahh I forgot to include that. It returns 'Error' so it appears that it connects to the database fine, but won't input the data into the table. Commented Oct 14, 2013 at 17:44
  • And, if you must use mysql, at least use mysql_real_escape_string(). Commented Oct 14, 2013 at 17:45

4 Answers

1

My guess is, one of the input parameters you are getting has unescaped ' or " character(s) in it. Thus, your query breaks due to the unintended quote characters. To verify if this is the case, introduce another print statement for the sql just after you have created your sql statement, run it manually in your query browser and see if it works.

Further, the if($result) { block in your code prints out a success or failure message irrespective of why the failure occurred, so the output information is not particularly useful either.

You should have a look at the addslashes method to escape those quote characters.

Your query will then become something like

$sql = "INSERT INTO $tbl_name(name, date)VALUES('".addslashes($name)."', '".$date."')";

Also, I would suggest having a look at pdo for your sql queries instead of mysql_* functions.


Comments
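The PDO approach suggested in the answer above, as an added example that is not part of the original thread. The function name `insertEntry`, the in-memory SQLite database (used so the script runs without a MySQL server) and the sample input are assumptions; the table and column names follow the question.

```php
<?php
// Added example: parameterized INSERT with PDO instead of string concatenation.
// For MySQL, connect with e.g.:
//   new PDO('mysql:host=localhost;dbname=idp;charset=utf8mb4', $user, $pass)

function insertEntry(PDO $pdo, array $post): int
{
    // Placeholders keep the values out of the SQL text, so a quote in the
    // input cannot end the string literal or change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO data (name, mbr_name, mbr_tel, date)
         VALUES (:name, :mbr_name, :mbr_tel, :date)'
    );
    $stmt->execute([
        ':name'     => $post['name'] ?? '',
        ':mbr_name' => $post['mbr_name'] ?? '',
        ':mbr_tel'  => $post['mbr_tel'] ?? '',
        ':date'     => $post['date'] ?? '',
    ]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:'); // assumption: stand-in for the MySQL server
// Throw on failure instead of returning false, so the real cause is visible.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE data (id INTEGER PRIMARY KEY, name TEXT,
            mbr_name TEXT, mbr_tel TEXT, date TEXT)');

// Constructed sample input: the apostrophe is what breaks the original query.
$post = ['name' => "O'Brien", 'mbr_name' => 'Pat',
         'mbr_tel' => '555-0100', 'date' => '2013-10-14'];

// The question's concatenated form, for comparison: fails with a syntax error.
try {
    $pdo->exec("INSERT INTO data(name, mbr_name, mbr_tel, date)"
             . "VALUES('{$post['name']}', 'x', 'y', 'z')");
} catch (PDOException $e) {
    echo "Concatenated query failed: ", $e->getMessage(), "\n";
}

try {
    $id   = insertEntry($pdo, $post);
    $name = $pdo->query('SELECT name FROM data')->fetchColumn();
    echo "Inserted row $id, name stored as: $name\n";
} catch (PDOException $e) {
    error_log($e->getMessage()); // log the detail, show the user a generic message
    echo "Error\n";
}
```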

0

Try your query like that:

$sql     = "INSERT INTO $tbl_name(name, mbr_name, mbr_tel, date)VALUES('".$name."',       '".$mbr_name."', '".$mbr_tel."', '".$date."')";

2 Comments

This results in the same query. If there's sql injection code, this would not stop it. It would not fix the OP's issue.
This line of code is only to show (one of many ways) to escape variables inside a query string; protection against XSS attacks, encoding issues, new lines, .... should be done before this step, and there are a lot of classes (Zend_DB_* classes) that could be implemented.
0

Remove the "" on your mysql_connect($host,$username,$password); mysql_select_db($db_name); It's a good habit.

$sql = "INSERT INTO $tbl_name(name, mbr_name, mbr_tel, date)VALUES('{$name}','{$mbr_name}','{$mbr_tel}', '{$date}')";

Also check your data type for date. If the date you are posting is current, you can use an SQL function instead of the POST for date, for example:

$sql = "INSERT INTO $tbl_name(name, mbr_name, mbr_tel, date)VALUES('{$name}','{$mbr_name}','{$mbr_tel}',NOW())";

Comments

0

Your code is deprecated; please refer to the Zend class loader, with the Zend_db_* classes.

http://framework.zend.com/manual/1.12/fr/zend.db.statement.html

PS: Zend is a framework; you could use any popular framework like Yii, CakePHP and others.

Comments
