
I am working on having data taken from a form submitted to a database; however, whenever I submit there are no errors, yet my data never appears in my database. Can anyone help me with some information on what I might have done incorrectly? I am using phpMyAdmin to view my table. Thank You, Stephen

<?php

$user  = $_POST["txtUser"];
$fName = $_POST["txtFname"];
$lName = $_POST["txtLname"];
$email = $_POST["txtEmail"];
$date  = date("r");

$dbh = mysql_connect('webdb.uvm.edu', 'swakita', 'MYPASSWORD');

if (!$dbh) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("SWAKITA", $dbh);

if (isset($_POST['butSubmit'])) {
    // The string values are concatenated into the SQL without quotes, so the
    // statement is malformed; mysql_query returns false and nothing checks it.
    mysql_query("INSERT INTO tblWhere (pk_Username, fldFirstName, fldLastName, fldAdminLevel, fldTotalPosts, fldDateJoined, fldEmail) VALUES (" . $user . "," . $fName . "," . $lName . ", '4', '0', $date, $email)");
    mysql_close();
    print $user;
}
?>

EDIT This error is thrown: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Here is my code currently:

<?php

$user  = $_POST["txtUser"];
$fName = $_POST["txtFname"];
$lName = $_POST["txtLname"];
$email = $_POST["txtEmail"];
$date  = date("r");

$dbh = mysql_connect('webdb.uvm.edu', 'swakita', 'MYPASSWORD');

if (!$dbh) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db('SWAKITA', $dbh);

if (isset($_POST['butSubmit'])) {
    // Only variables are interpolated inside a double-quoted string; the text
    // "mysql_real_escape_string(...)" is not a call here and is stored literally.
    $sql = "INSERT INTO tblWhere (pk_Username, fldFirstName, fldLastName, fldAdminLevel, fldTotalPosts, fldDateJoined, fldEmail) VALUES ('mysql_real_escape_string($user)', 'mysql_real_escape_string($fName)', 'mysql_real_escape_string($lName)', '4', '0', 'mysql_real_escape_string($date)', 'mysql_real_escape_string($email)')";
    mysql_query($sql);
    if (mysql_errno()) {
        echo $sql . "<br/>\n" . mysql_error();
    }
    mysql_close();
    print $user;
}
?>

EDIT EDIT I was missing a parenthesis after 'mysql_real_escape_string($email)', but now it is posting "mysql_real_escape_string(Example First Name)" instead of just the value. What did I do wrong with my parentheses now?

  • For a moment I was scared that you didn't hide your password... Commented Mar 7, 2012 at 2:39
  • Haha, nope, even though I'm half asleep I did manage to remember to do that. Commented Mar 7, 2012 at 2:39
  • Add or die(mysql_error()) after each MySQL statement, so we can see what's happening. Commented Mar 7, 2012 at 2:47

2 Answers

If you use the fields coming from the POST request directly in the query, you're vulnerable to SQL injection; escape them first.

$user = mysql_real_escape_string($_POST["txtUser"]);
...

To see the problem, check the result of mysql_query

mysql_query(...);
if (mysql_errno()) {
    echo $sql . "<br/>\n" . mysql_error();
}

I think the problem is that you're not putting quotes around fields like user.

VALUES (" . $user . "," . $fName . ", ...

should be:

VALUES ('" . $user . "', '" . $fName . "', ...

or simpler:

VALUES('$user', '$fName', ...

If you quote your string with double quotes ("), you can use $variable inside the string and it will get evaluated, while if you use a string delimited with single quotes ('), it will literally print $variable.


6 Comments

thank you very much for your help, I'll be sure to escape from now on, I'm new to this
it's mysql_real_escape_string() in case you try this and it doesn't work.
still having an issue, trying your last suggestion with quotes, right now I have
did you add the error checking after the query, does it print any error?
I solved my initial problem, it is posting now but it posts as mysql_real_escape_string(example) as opposed to just "example'? Can you help me with this?
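A parameterized version of the same INSERT, added here as an illustration rather than code from the question or either answer: with a PDO prepared statement the values travel separately from the SQL text, so no quoting or escaping inside the string is needed, a quote in the input cannot alter the statement, and the interpolation mistake from the question's last edit cannot happen. Table and column names are those from the question; the host, database name and credentials are placeholders, and fldDateJoined is assumed to be a DATETIME column.

```php
<?php
// Added example (not from the question or answers): the same INSERT done with
// a PDO prepared statement. Host, user, password and database are placeholders.
$dsn = 'mysql:host=webdb.uvm.edu;dbname=SWAKITA;charset=utf8mb4';
$pdo = new PDO($dsn, 'swakita', 'MYPASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // raise on SQL errors instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

if (isset($_POST['butSubmit'])) {
    // Named placeholders stand in for every user-supplied value; the SQL text
    // never contains the data, so quotes in the input cannot change the statement.
    $sql = 'INSERT INTO tblWhere
              (pk_Username, fldFirstName, fldLastName, fldAdminLevel, fldTotalPosts, fldDateJoined, fldEmail)
            VALUES (:user, :fname, :lname, 4, 0, :joined, :email)';
    $stmt = $pdo->prepare($sql);

    try {
        $stmt->execute([
            ':user'   => $_POST['txtUser'],
            ':fname'  => $_POST['txtFname'],
            ':lname'  => $_POST['txtLname'],
            // date("r") gives an RFC 2822 string, which MySQL will not accept as a
            // DATETIME; assuming a DATETIME column, send the MySQL format instead.
            ':joined' => date('Y-m-d H:i:s'),
            ':email'  => $_POST['txtEmail'],
        ]);
        echo 'Inserted ' . $stmt->rowCount() . ' row';
    } catch (PDOException $e) {
        // Keep the SQL error detail in the server log; show the user only a generic message.
        error_log($e->getMessage());
        echo 'Could not save your registration.';
    }
}
```

The mysql_* functions used on this page were removed in PHP 7, so on any current PHP this (or the equivalent mysqli prepared statement) is the only option anyway.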
mysql_query("INSERT INTO tblWhere (pk_Username, fldFirstName, fldLastName, fldAdminLevel, fldTotalPosts, fldDateJoined, fldEmail) VALUES ('" . mysql_real_escape_string($user) . "','" . mysql_real_escape_string($fName) . "','" . mysql_real_escape_string($lName) . "', '4', '0', '" . mysql_real_escape_string($date) . "', '" . mysql_real_escape_string($email) . "')");

You need to wrap strings in single quotes ('), and please escape properly or get hacked. mysql_real_escape_string() will help.

1 Comment

thank you very much, I will start using escapes from now on, I'm new to php/mysql
