Help with post/get sanitising.


Balakir

8:48 pm on Apr 2, 2010 (gmt 0)




Hi Guys,

I have created a form that allows you to add a user to my database. This is working fine but there are a couple of things I want to add that I just can't seem to get working.

1. I am looking to protect from SQL injection and was advised, when using post or get, to use strip_tags(mysql_real_escape_string(post/get here)).

No matter how I try to add this it stops the page from working. Either via variables or directly into the query.

Could someone please advise how I would get this into a variable? It also appears that just making a variable of $_POST['form field name'] causes this too. I would love to get this into a variable as I would like to output it when the script finishes.

2. I was trying to add code to catch the submit as suggested in another post, but again no matter where I added this in, it always returned the else. Now I might just not be understanding it correctly.

Basically I had:

// This condition is only true when the submit button's value attribute is exactly "submit"
if (isset($_POST['submit']) && ($_POST['submit'] == "submit"))
{
    // Bulk of my code here
    exit;
}
else {
    echo "error message";
}

Now either I am understanding it wrong and the else is when submit has been pressed, or I'm not placing it correctly in my code.

Any help much appreciated.

Bala


Add Script

<?php
$con = mysql_connect("localhost","Pass","Pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("DBNAME", $con);


$out = '<u>Log:</u>';

// The submitted values are interpolated straight into the SQL string with no
// escaping or validation; this is the part the question is about.
$sql = "INSERT INTO Sky_Points (Username, Points, PointsSinceLastPayOut, DateofLastRun) VALUES ('$_POST[Username]','$_POST[Points]','$_POST[PointsSinceLastPayOut]','$_POST[DateofLastRun]')";


if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}

$out .= '<br />Player added.'; // append, so the "Log:" heading set above is kept

echo $out;
echo '<br /><br /><a href="http://URL" style="font-size: large">Back to Admin main page</a>';
echo '<br /><a href="http://URL.php" style="font-size: large">Back to SKY Add Player page</a>';
?>

Form

<?php

$con = mysql_connect("localhost","Pass","Pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("DBNAME", $con);

$formtable = '<form action="skyaddplayer.php" method="post" onKeyPress="return event.keyCode!=13"><table id="form" cellspacing="2" align="center">
<tr>
<th style="text-align: center;">Player Name</th>
<td style="text-align: center;"><input type="text" name="Username" /></td>
</tr>';

$formtable .= "\n" . '<tr>
<th style="text-align: center;">Points</th>
<td style="text-align: center;"><input type="text" name="Points" /></td>
</tr>';

$formtable .= "\n" . '<tr>
<th style="text-align: center;">Points since last pay out</th>
<td style="text-align: center;"><input type="text" name="PointsSinceLastPayOut" /></td>
</tr>';

$formtable .= "\n" . '<tr>
<th style="text-align: center;">Date of last run</th>
<td style="text-align: center;"><input type="text" name="DateofLastRun" /></td>
</tr>';

$formtable .= "\n" . '<tr>
<td style="text-align: center;"><input name="submit" type="submit" value="Add Player!"> </td>
<td style="text-align: center;"><input name="Reset" type="reset" value="Reset Changes"></td>
</tr>';
$formtable .= "\n" . '</table></form>';
echo $formtable;

?>
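Both points raised in the post, handled together, as an added example that is not the poster's code: the add-player handler rewritten so that the submit check matches what the posted form actually sends (the button is `<input name="submit" value="Add Player!">`, so `$_POST['submit']` is "Add Player!", never "submit"), each field copied into a plain variable and validated, and the insert done through a PDO prepared statement so that the values travel separately from the SQL text. The table and column names are the ones from the post; the DSN, credentials, field length limit and date format are assumptions, marked as placeholders in the code. PDO is used here instead of the `mysql_*` functions in the post; `strip_tags()` is dropped because it is an HTML concern, and the output is escaped with `htmlspecialchars()` where it is printed instead.

```php
<?php
// Added example (not the poster's code): the add-player handler with a submit check
// that matches the posted form, per-field validation and a prepared statement.
// Table/column names come from the post; DSN and credentials are placeholders.

// 1. Detect the submit. The browser only sends the name/value pair of the button
//    that was clicked, so isset() is sufficient; comparing against the literal
//    "submit" fails because the button's value is "Add Player!".
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    echo 'Form was not submitted.';
    exit;
}

// 2. Copy each field into a plain variable. Reading $_POST['Username'] with a
//    quoted key is the normal form; it keeps the value available for the log
//    output at the end of the script.
$username = isset($_POST['Username'])              ? trim($_POST['Username'])       : '';
$points   = isset($_POST['Points'])                ? $_POST['Points']               : '';
$sincePay = isset($_POST['PointsSinceLastPayOut']) ? $_POST['PointsSinceLastPayOut'] : '';
$lastRun  = isset($_POST['DateofLastRun'])         ? $_POST['DateofLastRun']        : '';

// 3. Validate the shape of every value before it goes anywhere near the database.
//    (64-character limit and YYYY-MM-DD format are assumptions for this example.)
$errors = array();
if ($username === '' || strlen($username) > 64) {
    $errors[] = 'Username is required (max 64 characters).';
}
if (!ctype_digit($points)) {
    $errors[] = 'Points must be a whole number.';
}
if (!ctype_digit($sincePay)) {
    $errors[] = 'Points since last pay out must be a whole number.';
}
if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $lastRun)) {
    $errors[] = 'Date of last run must be YYYY-MM-DD.';
}
if ($errors) {
    // Escape on output: htmlspecialchars() protects the HTML page, not the query.
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '<br />';
    }
    exit;
}

// 4. Connect with PDO and run a prepared statement. The parameters are sent to the
//    server separately from the SQL text, so quotes or SQL keywords inside a field
//    cannot change the statement; no manual escaping is needed for this purpose.
try {
    // Placeholder DSN and credentials; replace with the real ones.
    $pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8', 'DB_USER', 'DB_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $stmt = $pdo->prepare(
        'INSERT INTO Sky_Points (Username, Points, PointsSinceLastPayOut, DateofLastRun)
         VALUES (:username, :points, :since_pay, :last_run)'
    );
    $stmt->execute(array(
        ':username'  => $username,
        ':points'    => (int) $points,
        ':since_pay' => (int) $sincePay,
        ':last_run'  => $lastRun,
    ));
} catch (PDOException $e) {
    // Keep the driver's error text in the server log; show the user a generic message
    // rather than echoing mysql_error()-style detail to the browser.
    error_log('Sky_Points insert failed: ' . $e->getMessage());
    echo 'Could not add player.';
    exit;
}

// 5. The variables are still in scope for the log output, HTML-escaped for the page.
echo '<u>Log:</u><br />Player added: ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```

The same pattern carries over to the GET case: read `$_GET['field']` into a variable, validate its shape, and bind it as a parameter; the escaping function is never what stops injection in a prepared statement, the parameter binding is.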

Balakir

11:21 am on Apr 3, 2010 (gmt 0)




Got this working now.