having an issue--*cough*newbie*cough*--the html and php code here supposedly creates a new record in my database. problem is, the code successfully connects to sql and creates the record, but the contents of the $_POST variables do not make it into their respective fields. I have an id field (AUTO_INCREMENT) that is created successfully, but no text in the mailto, firstname, and lastname fields.

any comments would be most appreciated....

<html>
<head>
    <title>Bee In The Buzz</title>
</head>

<body>

<p>Are you a:

<form method="post" action="form2sql.php">
    <LABEL for="firstname">First name: </LABEL>
              <INPUT type="text" name="firstname"><BR>
    <LABEL for="lastname">Last name: </LABEL>
              <INPUT type="text" name="lastname"><BR>
    <LABEL for="mailto">email: </LABEL>
              <INPUT type="text" name="mailto"><BR>

  <input type="submit" name="Submit"/>
</form>


</body>
</html>

form2sql.php:

<?php

$hostname="***";
$username="***";
$password="***";
$dbname="testdog";
$usertable="emails";

  
$con = mysql_connect($hostname,$username, $password);
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("testdog", $con);

$sql="use emails";
$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$_POST[mailto]','$_POST[firstname]','$_POST[lastname]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con)
?>

You're using $_POST wrong.

This:

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$_POST[mailto]','$_POST[firstname]','$_POST[lastname]')";

Should be:

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('{$_POST['mailto']}','{$_POST['firstname']}','{$_POST['lastname']}')";

I haven't tried this, but I think it works. I don't normally do INSERT queries like this, as I need to escape the data. Doing it all on one line of code makes for a mess.

You need to escape the data too, unless you want to allow for SQL injection attacks... (With some educated guesses a hacker could figure out what to do to end your SQL statement and add some of his own.)

$mailto = $_POST['mailto'];
$mailto = mysql_real_escape_string($mailto);

* repeat for each variable *

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$mailto', '$firstname', '$lastname')";
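The same INSERT written with bound parameters, beside the interpolated form from form2sql.php, as an added example that is not part of the original thread. It assumes PDO with the pdo_sqlite extension and uses an in-memory SQLite table in place of the MySQL `emails` table so it runs offline; the function names and the sample form values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. PDO with an in-memory SQLite
// table (assumption) stands in for the MySQL "emails" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE emails (id INTEGER PRIMARY KEY AUTOINCREMENT,
    mailto TEXT, firstname TEXT, lastname TEXT)');

// Constructed stand-in for $_POST; note the apostrophe in the last name.
$post = ['mailto' => 'pat@example.com', 'firstname' => 'Pat', 'lastname' => "O'Brien"];

// Interpolated query, as in form2sql.php: the apostrophe closes the string
// literal early, so the rest of the input is parsed as SQL instead of data.
function insertInterpolated(PDO $pdo, array $post): string
{
    $sql = "INSERT INTO emails (mailto, firstname, lastname)
            VALUES ('{$post['mailto']}','{$post['firstname']}','{$post['lastname']}')";
    try {
        $pdo->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed and the values are sent
// separately as bound parameters, so no escaping step is involved.
function insertPrepared(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare('INSERT INTO emails (mailto, firstname, lastname)
                           VALUES (:mailto, :firstname, :lastname)');
    $stmt->execute([
        ':mailto'    => $post['mailto'],
        ':firstname' => $post['firstname'],
        ':lastname'  => $post['lastname'],
    ]);
    return (int) $pdo->lastInsertId();
}

echo insertInterpolated($pdo, $post), "\n";
$id = insertPrepared($pdo, $post);
$stored = $pdo->query('SELECT lastname FROM emails WHERE id = ' . $id)->fetchColumn();
echo "row $id lastname: $stored\n";
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change. The `mysql_*` functions used in the thread were removed in PHP 7.0, so current code needs PDO or mysqli in any case.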

thanks now i'm learning about escape strings.

p.s. should be new thread but while i'm at being a noob may i ask if it is ok to create a $password variable with my real password as the string? it seems like mysql_real_escape_string() won't work because this function only works after the connection is made, but i've also read that php code is not actually viewable by a user...

You hit upon one of my PHP rules: Assume the user can see your code.

Rather than mysql_real_escape_string you can use addslashes. When you use it, you'll need to use strip slashes to edit the data, though.

Here's a string.

Here\'s a string after add slashes.

Here\\\'s a string after add slashes again.

For unrelated (or barely related) questions, go ahead and start a new thread. You can also mark the thread solved if you get the right answer. This will help people later on when searching.
