I need help with PHP forms. I am trying to insert at least 2 and a max of 3 team players' data into MySQL for registration purposes.

I am using a loop to get the 3 form values and iterate until the data is stored in the tables.

The first table is the Players table; the column names are as follows:

playerid, playerfirstname, playerlastname, playerdob, playernationalranking, playerphonenumber, playeremailaddress, playerpassportnumber, playerplayinghistory, playeraddress, playercountry

The second table is the Participants table; the column names are as follows:

playerid, participtionid, championshipid, countryid, created_at, status (is deleted or not), room_booking_status

The third table is Photo links:

Time, FileLocation, IP, idUsers, playerid

On top of that, I need to insert into a 4th table, the teamplayers table; the column names are as follows:

Teamid, participtionid, countryid, idplayer1, idplayer2, idplayer3, TimeStamp

PHP code starts as follows:

if (!isset($_SESSION)) {
  session_start();
}
$editFormAction = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
      $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }
$colname_numRows = "-1";
    if (isset($_SESSION['MM_UserGroup'])) {
      $colname_numRows = $_SESSION['MM_UserGroup'];
    }
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {


        for($i=1;$i<4;$i++) {

        // combining date of birth
        $playerDob = $_POST['year'.$i]."-".$_POST['month'.$i]."-".$_POST['day'.$i];
        $playerDob = mysql_real_escape_string($playerDob);
          // first query
          $insertPlayerInfo = sprintf("INSERT INTO players (playerid, playerfirstname, playerlastname, playerdob, playernationalranking, playerphonenumber, playeremailaddress, playerpassportnumber, playerplayinghistory, playeraddress, playercountry) VALUES ('', %s, %s, '$playerDob', %s, %s, %s, %s, %s, %s, %s)",
        GetSQLValueString(str_replace('\' ', '\'', ucwords(str_replace('\'', '\' ', strtolower($_POST['playerFirstName'.$i])))), "text"),
        GetSQLValueString(str_replace('\' ', '\'', ucwords(str_replace('\'', '\' ', strtolower($_POST['playerLastName'.$i])))), "text"),
        GetSQLValueString($_POST['playerNationalRanking'.$i], "int"),
        GetSQLValueString($_POST['playerPhoneNumber'.$i], "text"),
        GetSQLValueString($_POST['playerEmailAddress'.$i], "text"),
        GetSQLValueString($_POST['playerPassportNumber'.$i], "text"),
        GetSQLValueString($_POST['playerPlayingHistory'.$i], "text"),
        GetSQLValueString($_POST['playerAddress'.$i], "text"),
        GetSQLValueString($_POST['playerCountryID'.$i], "int"));

        mysql_select_db($db, $EntrySystem);

        if($myPlayerInfoResult = mysql_query($insertPlayerInfo, $EntrySystem))
        {

            $_SESSION['playerid'.$i] = mysql_insert_id($EntrySystem) or die(mysql_error());

        // second query 
            $insertSQL = sprintf("INSERT INTO participants (playerid, participationid, championshipid, countryid, created_at, status, room_booking_status) VALUES ('".$_SESSION['playerid'.$i]."','', %s, %s, %s, '1', '0')",
                           GetSQLValueString($_POST['championshipid'], "int"),
                           GetSQLValueString($_POST['countryid'], "int"),
                           GetSQLValueString($_POST['created_at'], "date"));

            mysql_select_db($db, $EntrySystem);

            if($myInsertSQL = mysql_query($insertSQL, $EntrySystem)) 
            { // if successfully submitted, proceed to next page
            $participationid = mysql_insert_id($EntrySystem)or die(mysql_error());
            $_SESSION['participationid'.$i] = $participationid;
            }

    if(!is_dir("upload/".$_SESSION['MM_Username'])) {

    mkdir("upload/".$_SESSION['MM_Username']);

                }

                        function savedata(){
                            global $_FILES, $_POST, $putItAt;
                            $sql = "INSERT INTO `db`.`photos` 
                                ( 
                                `Time`, 
                                `FileLocation`, 
                                `IP`, 
                                `countryid`,
                                `participationid`) 
                        VALUES (NOW(),'".mysql_real_escape_string($putItAt)."', '". $_SERVER['REMOTE_ADDR']."', '". $_SESSION['MM_UserGroup']."'
                        ,'" .$_SESSION['participationid'.$i]."');";
                        mysql_query($sql) or die(mysql_error());
                        }

                        $putItAt = "upload/".$_SESSION['MM_Username']."/" .sha1(rand())."-" .basename($_FILES['uploadedfile'.$i]['name']);

                        $putItAt = str_replace("php", "txt" , $putItAt);

                        if(move_uploaded_file($_FILES['uploadedfile'.$i]['tmp_name'],$putItAt)) {

                            savedata();

                        } else {

                            if(copy($_FILES['uploadedfile'.$i]['tmp_name'],$putItAt)) {

                                savedata();


                            } else {

                                echo 'Image upload has not been successful. go back and try again.';
                            }

                        }

                        // Ids 
            mysql_select_db($db, $EntrySystem);
            $insertTeamInfo = sprintf("INSERT INTO teamPlayers (Teamid, participationid, countryid, idplayer1, idplayer2, idplayer3, TimeStamp) 
                                        VALUES('','".$_SESSION['participationid']."', %s,'".$_SESSION['playerID1']."', '".$_SESSION['playerID2']."', '".$_SESSION['playerID3']."','')",
                                        GetSQLValueString($_POST['countryid'], "int"));

            mysql_query($insertTeamInfo) or die(mysql_error());

            $insertGoTo = "myentries.php";
      if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
      } 
      header(sprintf("Location: %s", $insertGoTo));

                    }

                } 

        }

The HTML form is on the same page as the above PHP code:

<form enctype="multipart/form-data" method="post" name="form1" action="<?php echo $editFormAction; ?>">


        <table width="100%">
        <tr>
        <td align="center">
    <label>
                <p>Select Championship</p>
    </label>

          <select name="championshipid">
            <option>Select championship..</option>
            <?php 
    do {  
    ?>
            <option value="<?php echo $row_availableChampionships['championshipid']?>" ><?php echo $row_availableChampionships['championshipname']?></option>
            <?php
    } while ($row_availableChampionships = mysql_fetch_assoc($availableChampionships));
    ?>
          </select>
          </td>
      </td>
        </tr>
        </table>
    // First table for selecting Championship

    <!-- Form one starts here -->

      Player 1

    <label><p>First Name </p></label>
    <input type="text" name="playerFirstName1" value="" />
    <input type="hidden" name="MAX_FILE_SIZE" value="5000000" />
    Choose a photo to upload: <input name="uploadedfile1" type="file" />
    <input name="countryid" type="hidden" value="<?php echo $_SESSION['MM_UserGroup']; ?>" />
    <input name="participationid" type="hidden" value="<?php echo $_SESSION['idparticipants']; ?>" />

<label>Last Name</label>
<input type="text" name="playerLastName1" value="" />
<label>Date of Birth</label>
          <select name="day1">
            <option>Day</option>
            <?php 
    for ($day = 1; $day <= 31; $day++) {
    echo "<option value=\"$day\">$day</option>\n";
    }

    ?>
          </select>
          <span class="selectRequiredMsg">Please select an item.</span></span><span id="spryMonthSelect">
            <select name="month1">
              <option>Month</option>
              <option value="01" >01-January</option>
              <option value="02" >02-February</option>
              <option value="03" >03-March</option>
              <option value="04" >04-April</option>
              <option value="05" >05-May</option>
              <option value="06" >06-June</option>
              <option value="07" >07-July</option>
              <option value="08" >08-August</option>
              <option value="09" >09-September</option>
              <option value="10" >10-October</option>
              <option value="11" >11-November</option>
              <option value="12" >12-December</option>
            </select>
              <select name="year1">
                <option>Year</option>
                <?php
     for ($year = 1950; $year <= 2005; $year++) {
    echo "<option value=\"$year\">$year</option>\n";
    }
      ?>
              </select>
              <label>National Ranking</label>
          <input type="text" name="playerNationalRanking1" value="" >
          <label>Phone Number</label>
          <input type="text" name="playerPhoneNumber1" value="" >
          <label>
          Email Address</label>
          <input type="text" name="playerEmailAddress1" value="">
          <label>
        Passport Number
      </label><input type="text" name="playerPassportNumber1" value="">
       <label>Playing History</label>
        <textarea name="playerPlayingHistory1" value="">

Last Post by diafol

This code looks 10 years old. Where did you get it?

It's using deprecated mysql_* functions, global variables, getsqlvaluestring with sprintf. This is all a nightmare, basically designed to avoid SQL injection. If you use mysqli or PDO, all this nonsense can be avoided.

Also, don't run a query on each iteration of the for loop; rather, build up the query and run ONE query after exit of loop.
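
The PDO approach the reply recommends, as an added example that is not code from the original post or from either poster: every form value is bound through a prepared statement, and one transaction covers the per-player inserts plus the single team row written after the loop. The trimmed schema, the `registerTeam` function and the sample players are constructed for illustration, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php // Added example: constructed schema and input; SQLite in-memory stands in for MySQL.
function registerTeam(PDO $pdo, array $players, int $championshipId, int $countryId): int
{
    $n = count($players);
    if ($n < 2 || $n > 3) {
        throw new InvalidArgumentException('A team needs 2 or 3 players');
    }
    // Prepared once, executed per player: values travel as parameters, never as SQL text.
    $insPlayer = $pdo->prepare('INSERT INTO players (playerfirstname, playerlastname, playerdob, playercountry)
         VALUES (:first, :last, :dob, :country)');
    $insPart = $pdo->prepare('INSERT INTO participants (playerid, championshipid, countryid, status)
         VALUES (:pid, :champ, :country, 1)');
    $insTeam = $pdo->prepare('INSERT INTO teamplayers (countryid, idplayer1, idplayer2, idplayer3)
         VALUES (:country, :p1, :p2, :p3)');
    $pdo->beginTransaction();
    try {
        $ids = [];
        foreach ($players as $p) {
            [$y, $m, $d] = [(int)$p['year'], (int)$p['month'], (int)$p['day']];
            if (!checkdate($m, $d, $y)) {   // rejects the "Day"/"Month"/"Year" placeholder options too
                throw new InvalidArgumentException('Invalid date of birth');
            }
            $insPlayer->execute([
                ':first' => $p['first'], ':last' => $p['last'],
                ':dob' => sprintf('%04d-%02d-%02d', $y, $m, $d), ':country' => $countryId,
            ]);
            // The generated playerid is needed for the participants row, so it is read per player.
            $ids[] = $pid = (int)$pdo->lastInsertId();
            $insPart->execute([':pid' => $pid, ':champ' => $championshipId, ':country' => $countryId]);
        }
        // One team row, written once after the loop; idplayer3 is NULL for a two-player team.
        $insTeam->execute([':country' => $countryId, ':p1' => $ids[0], ':p2' => $ids[1], ':p3' => $ids[2] ?? null]);
        $teamId = (int)$pdo->lastInsertId();
        $pdo->commit();
        return $teamId;
    } catch (Throwable $e) {
        $pdo->rollBack();   // no half-registered team is left behind
        throw $e;
    }
}
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE players (playerid INTEGER PRIMARY KEY, playerfirstname TEXT, playerlastname TEXT, playerdob TEXT, playercountry INTEGER)');
$pdo->exec('CREATE TABLE participants (participationid INTEGER PRIMARY KEY, playerid INTEGER, championshipid INTEGER, countryid INTEGER, status INTEGER)');
$pdo->exec('CREATE TABLE teamplayers (Teamid INTEGER PRIMARY KEY, countryid INTEGER, idplayer1 INTEGER, idplayer2 INTEGER, idplayer3 INTEGER)');
$players = [ // constructed input; names with apostrophes need no manual escaping
    ['first' => "D'Arcy", 'last' => "O'Brien", 'year' => '1990', 'month' => '02', 'day' => '28'],
    ['first' => 'Mina', 'last' => 'Okafor', 'year' => '1988', 'month' => '11', 'day' => '05'],
];
echo 'team id: ', registerTeam($pdo, $players, 7, 44), "\n";
echo 'players stored: ', $pdo->query('SELECT COUNT(*) FROM players')->fetchColumn(), "\n";
```

Pass `$countryId` from the session on the server side rather than from the hidden `countryid` form field, which the client can change before submitting.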
