having an issue--*cough*newbie*cough*--the html and php code here supposedly creates a new record in my database. problem is, it successfully connects to sql and creates the record, but the contents of the $_POST variables do not make it into their respective fields. I have an id field (AUTO_INCREMENT) that is created successfully, but no text in the mailto, firstname, and lastname fields.

any comments would be most appreciated....

<html>
<head>
    <title>Bee In The Buzz</title>
</head>

<body>

<p>Are you a:

<form method="post" action="form2sql.php">
    <LABEL for="firstname">First name: </LABEL>
              <INPUT type="text" name="firstname"><BR>
    <LABEL for="lastname">Last name: </LABEL>
              <INPUT type="text" name="lastname"><BR>
    <LABEL for="mailto">email: </LABEL>
              <INPUT type="text" name="mailto"><BR>

  <input type="submit" name="Submit"/>
</form>


</body>
</html>

form2sql.php:

<?php

$hostname="***";
$username="***";
$password="***";
$dbname="testdog";
$usertable="emails";

  
$con = mysql_connect($hostname,$username, $password);
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("testdog", $con);

$sql="use emails";
$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$_POST[mailto]','$_POST[firstname]','$_POST[lastname]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con)
?>

You're using $_POST wrong.

This:

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$_POST[mailto]','$_POST[firstname]','$_POST[lastname]')";

Should be:

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('{$_POST['mailto']}','{$_POST['firstname']}','{$_POST['lastname']}')";

I haven't tried this, but I think it works. I don't normally do INSERT queries like this, as I need to escape the data. Doing it all on one line of code makes for a mess.

You need to escape the data too, unless you want to allow for SQL injection attacks... (With some educated guesses a hacker could figure out what to do to end your SQL statement and add some of his own.)

$mailto = $_POST['mailto'];
$mailto = mysql_real_escape_string($mailto);

* repeat for each variable *

$sql="INSERT INTO emails (mailto, firstname, lastname)
VALUES
('$mailto', '$firstname', '$lastname')";
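An added example, not code from any poster in this thread: the same INSERT written with bound parameters, so the submitted values never become part of the SQL text and no escaping call is needed (the `mysql_*` functions used above were removed in PHP 7). Assumptions: PDO with an in-memory SQLite database so it runs offline, a hypothetical helper `add_email()`, and constructed input standing in for `$_POST`.

```php
<?php
// Added example. For MySQL only the DSN changes,
// e.g. 'mysql:host=...;dbname=testdog' plus user and password.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE emails (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        mailto TEXT, firstname TEXT, lastname TEXT)');
    return $db;
}

// Hypothetical helper: validates the three form fields, then inserts them.
function add_email(PDO $db, array $post): int
{
    $params = [];
    foreach (['mailto', 'firstname', 'lastname'] as $name) {
        // Missing fields and non-string values (arrays) are rejected.
        if (!isset($post[$name]) || !is_string($post[$name])) {
            throw new InvalidArgumentException("missing field: $name");
        }
        $params[":$name"] = trim($post[$name]);
    }
    if (filter_var($params[':mailto'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // Placeholders keep the SQL text fixed; the values travel separately.
    $stmt = $db->prepare('INSERT INTO emails (mailto, firstname, lastname)
                          VALUES (:mailto, :firstname, :lastname)');
    $stmt->execute($params);
    return (int) $db->lastInsertId();
}

$db = open_db();
// Constructed input: quotes and statement terminators inside the values.
$rows = [
    ['mailto' => 'pat@example.com', 'firstname' => 'Pat', 'lastname' => "O'Brien"],
    ['mailto' => 'sam@example.com', 'firstname' => 'Sam', 'lastname' => "x'); SELECT 1; --"],
];
foreach ($rows as $post) {
    echo 'inserted id ', add_email($db, $post), "\n";
}
// Read the rows back to show the values were stored as plain data.
foreach ($db->query('SELECT id, lastname FROM emails') as $row) {
    echo $row['id'], ': ', $row['lastname'], "\n";
}
```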

thanks now i'm learning about escape strings.

p.s. should be new thread but while i'm at being a noob may i ask if it is ok to create a $password variable with my real password as the string? it seems like mysql_real_escape_string() won't work because this function only works after the connection is made, but i've also read that php code is not actually viewable by a user...

You hit upon one of my PHP rules: Assume the user can see your code.

Rather than mysql_real_escape_string you can use addslashes. When you use it, you'll need to use stripslashes to edit the data, though.

Here's a string.

Here\'s a string after add slashes.

Here\\\'s a string after add slashes again.

For unrelated (or barely related) questions, go ahead and start a new thread. You can also mark the thread solved if you get the right answer. This will help people later on when searching.