
The form below is not adding points to the fourth field in the MySQL table "contest."

I can't find anything wrong with the code. Am I missing something obvious?

```php
echo '<form action="http://www.website.com/folder/file.php" method="post">
    <input type="hidden" value="'.$u.'" name="u">
    <input type="hidden" value="'.$profile.'" name="profile">
    <input type="hidden" value="'.$profileid.'" name="profileid">

    <div class="friend2title"><label for="url">Add points:</label></div>
    <div class="friend2field"><input name="state" type="text" id="state" maxlength="150"></div>

    <div class="addresssubmit"><input name="submit" type="submit" value="Add"></div>
</form>
';
```

Then, on http://www.website.com/folder/file.php:

```php
$u = $_POST['u'];
$profile = $_POST['profile'];
$profileid = $_POST['profileid'];

$state = $_POST['state'];

// Only $state is escaped; $profileid is interpolated into the query as received
$state = mysql_real_escape_string($state);

mysql_query("INSERT INTO contest VALUES (NULL, 'critic', '$profileid',  '$state', NULL')");
```
John
  • **Your code is vulnerable to SQL injection.** You *really* should be using [prepared statements](http://stackoverflow.com/a/60496/623041), into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain). – eggyal Jul 02 '12 at 23:42
  • Also, as stated in the PHP manual for the [`mysql_query()`](http://php.net/manual/en/function.mysql-query.php) function: *Use of this extension is discouraged. Instead, the [MySQLi](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. See also [MySQL: choosing an API](http://www.php.net/manual/en/mysqlinfo.api.choosing.php) guide and [related FAQ](http://www.php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated) for more information.* – eggyal Jul 02 '12 at 23:42
  • Consider including the table fields in the query like this - INSERT INTO contest (field1, field2, ...) VALUES (NULL, 'critic', ...) – Chibuzo Jul 02 '12 at 23:45
  • Maybe a note for German speaking people. The note "Use of this function is discouraged" is available in all languages (like English, French, Spanish), but it's missing in German. So stick to the English or any other version of the page. :) – insertusernamehere Jul 03 '12 at 00:03

1 Answer

You have to declare the value attribute with the default value in your state input

```html
<input name="state" type="text" id="state" value="' . $state . '" maxlength="150">
```

Additionally, your code is vulnerable to SQL injection. Never trust fields that come from users; it is very dangerous for your database.

Marcio Mazzucato
  • And also, should avoid using `mysql_*` functions as they are about to be deprecated and should use PDO or `mysqli` instead. – Lion Jul 02 '12 at 23:47
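The prepared-statement rewrite that the comments on both the question and the answer recommend, as an added example (not code from the question or the answer): the same INSERT via PDO with named columns and bound parameters, and the points value checked before it goes anywhere near SQL. The column names, DSN and credentials are assumptions, since the real layout of `contest` is not shown; note also that the original query's `NULL')` carries a stray closing quote, which makes the statement invalid regardless of escaping.

```php
<?php
// Added example: PDO prepared statement instead of string-built mysql_query().
// Column names (id, type, profileid, points, extra), the DSN and the credentials
// are assumptions; adjust them to the real "contest" table.

function addPoints(PDO $pdo, string $profileId, string $state): bool
{
    // Points must be a non-negative integer; reject anything else up front.
    if ($state === '' || !ctype_digit($state)) {
        return false;
    }

    // Naming the columns makes the statement robust to schema changes, and
    // placeholders keep user input out of the SQL text entirely, so no
    // mysql_real_escape_string() is needed.
    $sql = 'INSERT INTO contest (id, type, profileid, points, extra)
            VALUES (NULL, :type, :profileid, :points, NULL)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':type', 'critic', PDO::PARAM_STR);
    $stmt->bindValue(':profileid', $profileId, PDO::PARAM_STR);
    $stmt->bindValue(':points', (int) $state, PDO::PARAM_INT);

    return $stmt->execute();
}

// Assumed connection details. ERRMODE_EXCEPTION makes a malformed statement
// fail loudly instead of silently inserting nothing, which is exactly the
// symptom described in the question.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Hidden fields are just as user-controlled as visible ones, so treat
// profileid like any other untrusted input.
$profileId = $_POST['profileid'] ?? '';
$state     = $_POST['state'] ?? '';

if (addPoints($pdo, $profileId, $state)) {
    echo 'Points added';
} else {
    echo 'Invalid points value';
}
```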