
Database blues


Gilead

5:07 pm on Oct 28, 2011 (gmt 0)

10+ Year Member



Guys, I need help!
I'm about to pull out my hair by the roots!
I'm attempting to create a 'add new user' page.
I have one page with the form, which sends the data to the php page for processing. After finally getting somewhere, all I get in the database is _ for every field except for the field emailoptout, which actually has the value of 0.

WHAT AM I DOING WRONG?
<?php
$db_name ="dbname";
$table_name ="users";

//connect to the server and select the database
$server = "localhost";
$dbusername = "dbuser";
$dbpassword = "password";

$connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
$db = @mysql_select_db($db_name,$connection)or die(mysql_error());
echo 'connection established';
//make query to database
$sql ="SELECT * FROM $table_name WHERE member_login= '$_POST[login]'";
$result = @mysql_query($sql,$connection) or die(mysql_error());

//get the number of rows in the result set
$num = mysql_num_rows($result);

//or add it to the database
$sql_add = "INSERT INTO $table_name (account_number, contactid, organization_title,
account_name, organizationDBA, network_representative, network, member_login, member_password,
title, salutation, firstname, lastname, communication_method, phone, mobile, otherphone,
fax, email_opt_out, email) VALUES ('_$POST[accountnumber]', '_$POST[contactid]', '_$POST[organization]',
'_$POST[accountname]', '_$POST[dba]', '_$POST[rep]', '_$POST[network]', '_$POST[login]', '_$POST[password]',
'_$POST[title]', '_$POST[salutation]', '$POST[firstname]', '_$POST[lastname]', '_$POST[commethod]',
'_$POST[phone]', '_$POST[mobile]', '_$POST[other]', '_$POST[fax]', '_$POST[emailopt]', '_$POST[email]');";

$result = @mysql_query($sql_add,$connection) or die(mysql_error());

?>

httpwebwitch

5:17 pm on Oct 28, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



step one - and please do this NOW before touching another SQL query, is read this:

[en.wikipedia.org...]

step two:

read this:

[php.net...]

step three:

watch how you're spelling $_POST

it's not _$POST or $POST. it's $_POST.

If you skip steps one and two, we will come to your home and repossess your keyboard :)

Demaestro

5:19 pm on Oct 28, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I could be way out to lunch here but you have this -> _$POST[accountnumber]... shouldn't it be this -> $_POST[accountnumber]?

(I moved the underscore to after the $)

Gilead

6:06 pm on Oct 28, 2011 (gmt 0)




Is that why attempting to generate code from phpmyadmin had \'variable\',...

I switched the _$POST variable to $_POST.
Upon filling out the form again, I get a completely blank entry in the db. The only field that did go through, again was the emailoptout.

I set the form to GET, to make sure the data was transferring, which it is; so I don't understand why the values aren't being entered, however I can really see the need to sanitize the data prior to entering.

Do I need to set each $_POST[x] variable to a normal variable?
y=$_POST[x];?

Gilead

6:38 pm on Oct 28, 2011 (gmt 0)




After switching from GET to POST in the form, that did the trick! Any ideas how to best implement the sanitation procedure?

httpwebwitch

8:34 pm on Oct 28, 2011 (gmt 0)




in each place where you're putting a post variable into the query, escape it first using mysql_real_escape_string().

before:

$sql_add = " ... '$_POST[mobile]' ... ";

after:

$sql_add = " ... '" . mysql_real_escape_string($_POST[mobile]) . "' ... ";

to check your work, fill out your form and put this in every field:

"';/q\\n~'''"

(with the quotes intact)

then submit the form.

then look in your database and make sure that what's in there is exactly what you entered in the form.
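An added example, not code from the thread, showing the INSERT from the first post written with every value escaped as this reply recommends, and again as a mysqli prepared statement (a swapped-in technique; the mysql_* functions used in the thread were removed in PHP 7). It assumes the thread's `users` table and connection values; USER_FIELDS, build_insert_escaped() and insert_user_prepared() are hypothetical names.

```php
<?php
// Added example: the thread's INSERT written two ways. Assumes the thread's `users` table
// and connection values; USER_FIELDS and the two function names are hypothetical.
// Form field => column, taken from the INSERT in the first post. Only these keys are ever
// read from $_POST, and the array keys are quoted strings ($post['login'], not $post[login]).
const USER_FIELDS = [
    'accountnumber' => 'account_number', 'contactid' => 'contactid',
    'organization' => 'organization_title', 'accountname' => 'account_name',
    'dba' => 'organizationDBA', 'rep' => 'network_representative', 'network' => 'network',
    'login' => 'member_login', 'password' => 'member_password', 'title' => 'title',
    'salutation' => 'salutation', 'firstname' => 'firstname', 'lastname' => 'lastname',
    'commethod' => 'communication_method', 'phone' => 'phone', 'mobile' => 'mobile',
    'other' => 'otherphone', 'fax' => 'fax', 'emailopt' => 'email_opt_out', 'email' => 'email',
];

// Way 1, as the reply recommends: escape every value (with the connection's charset) before
// it is spliced into the SQL text. Forgetting one value is enough to reopen the injection.
function build_insert_escaped(mysqli $db, array $post): string {
    $cols = $vals = [];
    foreach (USER_FIELDS as $field => $column) {
        $cols[] = "`$column`";
        $vals[] = "'" . $db->real_escape_string($post[$field] ?? '') . "'";
    }
    return 'INSERT INTO `users` (' . implode(', ', $cols) . ') VALUES (' . implode(', ', $vals) . ')';
}

// Way 2: a prepared statement. Values are sent separately from the SQL, so nothing in a
// form field can change the query, and no escaping is needed at all.
function insert_user_prepared(mysqli $db, array $post): bool {
    $cols = array_map(fn($c) => "`$c`", array_values(USER_FIELDS));
    $sql = 'INSERT INTO `users` (' . implode(', ', $cols) . ') VALUES ('
         . implode(', ', array_fill(0, count($cols), '?')) . ')';
    $stmt = $db->prepare($sql);
    $values = array_map(fn($f) => $post[$f] ?? '', array_keys(USER_FIELDS));
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    return $stmt->execute();
}
// Check with the probe string from the reply: what goes in must come back out unchanged.
$db = new mysqli('localhost', 'dbuser', 'password', 'dbname');
$db->set_charset('utf8mb4');
$probe = "\"';/q\\\\n~'''\"";                        // the characters "';/q\\n~'''" exactly
$post = array_fill_keys(array_keys(USER_FIELDS), $probe);
$post['login'] = 'probe_user';                       // unique login so the row can be read back
$post['emailopt'] = '0';
echo build_insert_escaped($db, $post), "\n";         // inspect the SQL text before running it
insert_user_prepared($db, $post);
$stmt = $db->prepare('SELECT mobile FROM `users` WHERE member_login = ?');
$stmt->bind_param('s', $post['login']);
$stmt->execute();
var_dump($stmt->get_result()->fetch_assoc()['mobile'] === $probe);   // true if stored intact
```

If the value comes back with extra backslashes, the input was already escaped once before the function ran (magic_quotes_gpc in PHP of that era does this); the fix is to escape exactly once, not to add stripslashes on top.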

Gilead

2:25 pm on Oct 31, 2011 (gmt 0)




Thanks! One further question, does the 'mysql_real_escape_string('$var')' need to be in quotes also?
When I tested it, it came out mysql_real_escape_string("';/q\\n~'''" ).

londrum

2:40 pm on Oct 31, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



just as an error check, put
echo $sql_add; exit;

just before the final
$result
line.

that will make it easier for you to see where any stray quotes and apostrophes are

Gilead

2:42 pm on Oct 31, 2011 (gmt 0)




I tried it the other way too 'mysql_...('$_POST[$var']) and got an error.
PHP is very sticky about quotes.
'mysql_,,,($POST[$var]) works, but it includes the function in the echo check. How should the quote fall, I must have missed something!
Thanks guys for all the help!

Gilead

3:18 pm on Oct 31, 2011 (gmt 0)




Should I use stripslashes as well?

Gilead

3:33 pm on Oct 31, 2011 (gmt 0)




Converted the $_post into variables with the escape string to make it easier. When I did so, the values were not entered. Do I need to eliminate the quotes?

VALUES ('\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ', '\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" ');

Gilead

4:22 pm on Oct 31, 2011 (gmt 0)




When I output the variables, this is what I get printed...
\\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\" \\\"\\\';/q\\\\\\\\n~\\\'\\\'\\\'\\\"
But nothing gets entered into the database. Would have thought something would have gone in there, or am I just tired and completely missing the point?

londrum

7:48 pm on Oct 31, 2011 (gmt 0)




$_POST[$var'] doesn't look right.
if var is the name of the input field, then it should be something like $_POST['var']
you don't need the dollar sign.
and $_POST[mobile] should be $_POST['mobile']

Gilead

2:02 pm on Nov 1, 2011 (gmt 0)




Looks like it's working! Thanks for all your help!