PHP script and form to send data to db

Discussion in 'Programming' started by ForensicCashew, May 21, 2012.

to remove all ads.
  1. ForensicCashew

    ForensicCashew New Member

    Messages:
    2
    Hello all,

    I am trying to build a PHP form that includes a script to post the input information into a database.

    PHP script:

    Code:
    <?php
    
    //Connect To Database
    
    $hostname="[censored].hostedresource.com";
    $username="[censored]";
    $password="[censored]";
    $dbname="[censored";
    $usertable="[censored";
    
    mysql_connect($hostname,$username, $password) OR DIE ('Unable to connect to database! Please try again later.');
    mysql_select_db($dbname);
    
    
    
    $sql="INSERT INTO registrants (Fname, Lname, Business, Address, Ptnumber, Quantity, Duedate)
    VALUES
    ('$_POST[Fname]','$_POST[Lname]','$_POST[Business]','$_POST[Address]','$_POST[Ptnumber]','$_POST[Quantity]','$POST_[Duedate)'))";
    
    
    if($result)
    {
    while($row = mysql_fetch_array($result))
    {
    $name = $row["$yourfield"];
    echo "Name: ".$name."<br>";
    }
    }
    ?> 
    
    and the form:
    Code:
    <form action="http://www.bktoolco.com/phpform.php" method="post">
      <table width="300" border="1">
        <tr>
          <td>First Name:</td>
          <td><input name="Fname" type="text" id="Fname" size="40" /></td>
        </tr>
        <tr>
          <td>Last Name:</td>
          <td><input name="Lname" type="text" id="Lname" size="40" /></td>
        </tr>
        <tr>
          <td>Business:</td>
          <td><input name="Business" type="text" id="Business" size="40" /></td>
        </tr>
        <tr>
          <td>Address:</td>
          <td><label>
            <input name="Address" type="text" id="Address" size="40">
          </label></td>
        </tr>
        <tr>
          <td>Part Number:</td>
          <td><label>
            <input name="Ptnumber" type="text" id="Ptnumber" size="40">
          </label></td>
        </tr>
        <tr>
        	<td>Quantity:</td>
            <td><label>
            	<input name="Quantity" type="text" id="Quantity" size="40">
            </label></td>
        <tr>
        	<td>Due Date</td>
            <td><label>
            	<input name="Duedate" type="text" id="Duedate" size="40">
            </label></td>
        </tr>
        <tr>
          <td colspan="2">&nbsp;</td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td><input type="submit" /></td>
        </tr>
      </table>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
      <p>&nbsp;</p>
    </form>
    
    Can someone please tell me what I am doing wrong? I can't seem to find my mistake. I'm a PHP noob but i'm trying very hard to learn.
     
  2. chrishirst

    chrishirst Well-Known Member Staff Member

    Messages:
    2,675
    And what is it doing? Or not doing as the case maybe?
     
  3. chrishirst

    chrishirst Well-Known Member Staff Member

    Messages:
    2,675
    Oh and by the way, NEVER, EVER put "unsanitised data" from a POST or a GET into the database, that will leave your script wide open to SQL injection attacks.
     
  4. ForensicCashew

    ForensicCashew New Member

    Messages:
    2
    Chris,

    The form works fine, and I get the confirmation that the information was properly updated into the database.The problem is when I go to check the database, none of the information is there.
     
  5. chrishirst

    chrishirst Well-Known Member Staff Member

    Messages:
    2,675
    Any error messages?

    Have you "echoed" the concatenated SQL query to screen so you can see if it is being formed correctly?

    And I'm sure the form is working perfectly but that doesn't stop hackers and hijackers sending SQL code in your form input fields in a bid to "break" the database.

    Sending $_GET['input'] or $_POST['input'] data directly to your SQL queries is a problem waiting to happen.

    http://php.net/manual/en/security.database.sql-injection.php
     
  6. shazam

    shazam New Member

    Messages:
    1
    Try changing the $result variables to $sql
     

Share This Page