What's wrong with this PHP?

Butters · 19 Dec 2007 at 23:01

I've done quite a few of these now but for some reason this one refuses to work.

Its based on a Win2K3 box running IIS6, PHP and MySQL5

Table (called contacts)

and here is the code. In order to break this down I'm trying to insert one thing into one field

Code:

<?php
session_start();
if(!$_SESSION['username']) {
       //not logged in. redirect to login page
       header("Location: index.php");
       exit;
}

include("connect.php"); 

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

</head>

<body>
<h1>Client Entry Form</h1>
<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">
<p><label>Title:</label><input type="text" name="title" maxlength="60" /></p>
<p><input type="submit" name="submit" value="Client Details Submit" /></p>
<p><input type="reset" value="Reset Form" name="reset" /></p>
</form>

<?php
} else {

$title = $_POST['title'];

mysql_query("INSERT INTO 'contacts' (title) VALUES ('$title')");
echo "<h2>Thank you</h2>";
}

mysql_close();

?>
</body>
</html>

Help!

RobH · 20 Dec 2007 at 00:06

Tried it without the quotes on the table name? INSERT INTO contacts rather than INSERT INTO 'contacts' I'm not a SQL expert but just suggestion, dunno i it makes any difference.

Clarkey · 20 Dec 2007 at 00:35

<form action="" method="post">

your problem lies there

robmiller · 20 Dec 2007 at 02:13

Clarkey said:
<form action="" method="post">

your problem lies there

No it doesn't "

", an empty action submits the form to the current URI.

bad mr frosty · 20 Dec 2007 at 06:59

Try this:

mysql_query("INSERT INTO contacts (title) VALUES ('".$title."')");

Nate · 20 Dec 2007 at 09:27

as Robh suggested you don't need quotes round the table name, also I would suggest that you do:

Code:

mysql_query("INSERT INTO contacts (title) VALUES ('$title')") or die(mysql_error());

Even though mysql error messages are sometimes a bit vague it will help you debug your statement

Butters · 20 Dec 2007 at 12:13

Thanks guys. got it working. It was moaning about one of the fields having no default value.

Dfhaii · 20 Dec 2007 at 12:40

I'm amazed you haven't had the usual hoarde jumping in with ESCAPE YOUR INPUT!!!!!!!LOLOLO!!!!!O!1111

furnace · 20 Dec 2007 at 13:33

Well surely it's pretty silly not to escape your input... telling him to escape it would only be good advice!

Sic · 20 Dec 2007 at 14:05

escape your input

Clarkey · 20 Dec 2007 at 14:40

robmiller said:
No it doesn't "", an empty action submits the form to the current URI.

oh well, learn something new every day. Still seems like bad practice to me though.

Sic · 20 Dec 2007 at 14:46

Clarkey said:
oh well, learn something new every day. Still seems like bad practice to me though.

I don't see why - certainly makes life easier for me

Butters · 20 Dec 2007 at 16:58

Sic said:
escape your input

With the mysql real escape string?

Dj_Jestar · 20 Dec 2007 at 18:06

Clarkey said:
oh well, learn something new every day. Still seems like bad practice to me though.

It's anything but bad practice.

Butters, fyi, it's backticks,not single quotes for table/field/db names. i.e. `contacts` not 'contacts'

Sic · 20 Dec 2007 at 22:33

Butters said:
With the mysql real escape string?

yeah