PHP script and form to send data to db

ForensicCashew

New Member
Hello all,

I am trying to build a PHP form that includes a script to post the input information into a database.

PHP script:

Code:
<?php

//Connect To Database

$hostname="[censored].hostedresource.com";
$username="[censored]";
$password="[censored]";
$dbname="[censored";
$usertable="[censored";

mysql_connect($hostname,$username, $password) OR DIE ('Unable to connect to database! Please try again later.');
mysql_select_db($dbname);



$sql="INSERT INTO registrants (Fname, Lname, Business, Address, Ptnumber, Quantity, Duedate)
VALUES
('$_POST[Fname]','$_POST[Lname]','$_POST[Business]','$_POST[Address]','$_POST[Ptnumber]','$_POST[Quantity]','$POST_[Duedate)'))";


if($result)
{
while($row = mysql_fetch_array($result))
{
$name = $row["$yourfield"];
echo "Name: ".$name."<br>";
}
}
?>

and the form:
Code:
<form action="http://www.bktoolco.com/phpform.php" method="post">
  <table width="300" border="1">
    <tr>
      <td>First Name:</td>
      <td><input name="Fname" type="text" id="Fname" size="40" /></td>
    </tr>
    <tr>
      <td>Last Name:</td>
      <td><input name="Lname" type="text" id="Lname" size="40" /></td>
    </tr>
    <tr>
      <td>Business:</td>
      <td><input name="Business" type="text" id="Business" size="40" /></td>
    </tr>
    <tr>
      <td>Address:</td>
      <td><label>
        <input name="Address" type="text" id="Address" size="40">
      </label></td>
    </tr>
    <tr>
      <td>Part Number:</td>
      <td><label>
        <input name="Ptnumber" type="text" id="Ptnumber" size="40">
      </label></td>
    </tr>
    <tr>
    	<td>Quantity:</td>
        <td><label>
        	<input name="Quantity" type="text" id="Quantity" size="40">
        </label></td>
    </tr>
    <tr>
    	<td>Due Date</td>
        <td><label>
        	<input name="Duedate" type="text" id="Duedate" size="40">
        </label></td>
    </tr>
    <tr>
      <td colspan="2">&nbsp;</td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" /></td>
    </tr>
  </table>
  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>&nbsp;</p>
</form>
Can someone please tell me what I am doing wrong? I can't seem to find my mistake. I'm a PHP noob but I'm trying very hard to learn.
 

chrishirst

Well-Known Member
Staff member
Oh and by the way, NEVER, EVER put "unsanitised data" from a POST or a GET into the database, that will leave your script wide open to SQL injection attacks.
 

ForensicCashew

New Member
Chris,

The form works fine, and I get the confirmation that the information was properly updated into the database. The problem is when I go to check the database, none of the information is there.
 

chrishirst

Well-Known Member
Staff member
Any error messages?

Have you "echoed" the concatenated SQL query to screen so you can see if it is being formed correctly?

And I'm sure the form is working perfectly but that doesn't stop hackers and hijackers sending SQL code in your form input fields in a bid to "break" the database.

Sending $_GET['input'] or $_POST['input'] data directly to your SQL queries is a problem waiting to happen.

http://php.net/manual/en/security.database.sql-injection.php
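
Added example (not part of the thread and not the posters' code): the insert from the first post written with PDO prepared statements, so the form values are bound as data instead of being concatenated into the SQL string, and the returned row count confirms that a row was actually written. Assumptions: PDO with the SQLite driver (in-memory, so it runs offline), a hypothetical helper `saveRegistrant()`, a YYYY-MM-DD due date, and constructed sample input in place of `$_POST`.

```php
<?php
// Added example, not code from the thread. In-memory SQLite keeps it offline;
// for a MySQL host the DSN would look like
// "mysql:host=...;dbname=...;charset=utf8mb4" (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw, never pass silently
$pdo->exec('CREATE TABLE registrants (Fname TEXT, Lname TEXT, Business TEXT,
            Address TEXT, Ptnumber TEXT, Quantity INTEGER, Duedate TEXT)');

// Hypothetical helper: validate the form fields, then insert with bound parameters.
function saveRegistrant(PDO $pdo, array $post): int
{
    $fields = ['Fname', 'Lname', 'Business', 'Address', 'Ptnumber', 'Quantity', 'Duedate'];
    $row = [];
    foreach ($fields as $f) {
        $value = $post[$f] ?? '';
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
        $row[$f] = trim($value);
    }
    // Type checks: Quantity must be a positive integer, Duedate a real calendar date.
    $qty = filter_var($row['Quantity'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($qty === false) {
        throw new InvalidArgumentException('Quantity must be a positive integer');
    }
    $row['Quantity'] = $qty;
    $date = DateTime::createFromFormat('Y-m-d', $row['Duedate']);
    if ($date === false || $date->format('Y-m-d') !== $row['Duedate']) {
        throw new InvalidArgumentException('Duedate must be YYYY-MM-DD');
    }
    // Placeholders keep the SQL text fixed; values travel separately from it.
    $stmt = $pdo->prepare(
        'INSERT INTO registrants (Fname, Lname, Business, Address, Ptnumber, Quantity, Duedate)
         VALUES (:Fname, :Lname, :Business, :Address, :Ptnumber, :Quantity, :Duedate)'
    );
    $stmt->execute($row);      // array keys match the named placeholders
    return $stmt->rowCount();  // rows actually written
}

// Constructed sample input standing in for $_POST; the quotes are stored as plain text.
$post = ['Fname' => 'Pat', 'Lname' => "O'Brien", 'Business' => "Acme'); --",
         'Address' => '1 Main St', 'Ptnumber' => 'BK-1001', 'Quantity' => '12',
         'Duedate' => '2030-01-31'];
echo 'Rows inserted: ', saveRegistrant($pdo, $post), "\n";
foreach ($pdo->query('SELECT Lname, Business, Quantity FROM registrants') as $r) {
    echo $r['Lname'], ' | ', $r['Business'], ' | ', $r['Quantity'], "\n";
}
```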
 