0

I have the code below:

    <html><body>
    <?php
    $con = mysql_connect("localhost","will","blahblah");
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }

    mysql_select_db("blahblah", $con);

    $sql="INSERT INTO links (link, notes, username)
    VALUES
    ('$_POST[link]','$_POST[notes]','$_POST[username]')";

    if (!mysql_query($sql,$con))
      {
      die('Error: ' . mysql_error());
      }
    echo "1 link added";

    mysql_close($con)
    ?>
    </body></html>

It should insert a link and notes and a username into my database but it doesn't. I am clueless as to why and would appreciate some help with it! It is getting these values from the form below:

    <div id="stylized" class="myform">
    <form id="form" name="form" method="post" action="user.php">
    <label>Username
    <span class="small">Enter Your Username</span>
    </label>
    <input type="text" name="name" id="username" />

    <label>Link
    <span class="small">Paste Your Link</span>
    </label>
    <input type="text" name="email" id="link" />

    <label>Notes
    <span class="small">Add Some Notes</span>
    </label>
    <input type="text" name="password" id="notes" />

    <button type="submit"></button>
    <div class="spacer"></div>

    </form>
    </div>

Thanks!

3
  • What error are you getting? (btw, the username input is "name" instead of "username") Commented Mar 12, 2011 at 15:19
  • What does the error say? Commented Mar 12, 2011 at 15:19
  • There is no error, it just doesn't insert it... Commented Mar 12, 2011 at 15:20

5 Answers

2

I see at least three problems with your code :

First, when injecting strings into an SQL query, you must escape them, using mysql_real_escape_string() :

    $link = mysql_real_escape_string($_POST['link']);
    $notes = mysql_real_escape_string($_POST['notes']);
    $username = mysql_real_escape_string($_POST['username']);

    $sql="INSERT INTO links (link, notes, username)
    VALUES ('$link','$notes','$username')";


Third, in your PHP code, you must use the name attribute of your input fields -- and not their id attributes.

Considering your HTML code looks like this :

    <input type="text" name="name" id="username" />
    <input type="text" name="email" id="link" />
    <input type="text" name="password" id="notes" />

You should work with :

  • $_POST['name'], and not $_POST['username']
  • $_POST['email'], and not $_POST['link']
  • $_POST['password'], and not $_POST['notes']

Note : using a name and an id that are that different leads to trouble ;-)



So, to summarize, your code should look a bit more like this :

    $email = mysql_real_escape_string($_POST['email']);
    $password = mysql_real_escape_string($_POST['password']);
    $name = mysql_real_escape_string($_POST['name']);

    $sql="INSERT INTO links (link, notes, username)
    VALUES ('$email','$password','$name')";

Note : you should use the same names for the input fields, and the fields in the table -- it would make your code easier to understand.


1 Comment

First is not a problem. Fair use.
1

Replace it :

    $sql="INSERT INTO links (link, notes, username)
    VALUES
    ('$_POST[link]','$_POST[notes]','$_POST[username]')";

with:

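    // Values are listed in column order (link, notes, username) and read by
    // the form's name attributes. mysql_real_escape_string() respects the
    // connection's character set, unlike mysql_escape_string().
    $sql="INSERT INTO links (link, notes, username)
    VALUES
    ('". mysql_real_escape_string($_POST['email']) ."','".
         mysql_real_escape_string($_POST['password']) ."','".
         mysql_real_escape_string($_POST['name']) ."')";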

Note that the POST variables you're trying to use in your query are completely different from those in your form.


0

The indexes of POST variables must match the names of the form items.

So either write:

<input type="text" name="link" id="link" /> or use $_POST['email']

Adapt for the other variables.


0

id attributes are meaningless when submitting the form. You probably want to swap the name and id attributes.

Currently, $_POST['name'], $_POST['email'] and $_POST['password'] are being submitted instead of $_POST['username'], $_POST['link'] and $_POST['notes'].

Your code is also vulnerable to SQL injection.


0

The items in $_POST are indexed by name attribute, not by id.

Comments
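
The two points the answers above raise (read $_POST by the form's name attributes, and keep user input out of the SQL text) can be handled together with a prepared statement. This is an added example, not code from any of the answers: it assumes PHP 7 or later with PDO and the pdo_sqlite driver, uses an in-memory SQLite database in place of the MySQL one, and insert_link() and FIELD_MAP are hypothetical names.

```php
<?php
// Added example (not from the original thread). Assumes PDO + pdo_sqlite;
// in-memory SQLite stands in for the MySQL database from the question.

// Map each table column to the form control's *name* attribute (not its id).
const FIELD_MAP = ['link' => 'email', 'notes' => 'password', 'username' => 'name'];

function insert_link(PDO $db, array $post): int
{
    $row = [];
    foreach (FIELD_MAP as $column => $field) {
        // A missing key means the form and the script disagree on names:
        // reject the request rather than store an empty value.
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing form field: $field");
        }
        $row[":$column"] = $post[$field];
    }
    // Placeholders keep the values out of the SQL text, so quotes in the
    // input cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO links (link, notes, username) VALUES (:link, :notes, :username)'
    );
    $stmt->execute($row);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (link TEXT, notes TEXT, username TEXT)');

// Constructed sample input, shaped like the POST body the form sends.
$post = ['name' => "o'brien", 'email' => 'http://example.com/?a=1', 'password' => "it's a note"];
echo insert_link($db, $post), " link added\n";

// The keys the original script read are not in the request at all.
try {
    insert_link($db, ['username' => 'will', 'link' => 'x', 'notes' => 'y']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

foreach ($db->query('SELECT link, notes, username FROM links') as $r) {
    echo $r['username'], ' | ', $r['link'], ' | ', $r['notes'], "\n";
}
```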
