Entering data from form into database using php

Question

I am trying to enter data into the database but I keep getting an error. I have no idea where the problem is. Here is the code:

<?php 
  $sql = "INSERT INTO $db_table (title,group,overlapok,userid,name,phone,email,description,managers,location,notify,notifyman,
remind,remindman,appmsg,viewaccess,viewulist,viewclist,makeaccess,makeulist,makeclist,showappinfo) 
VALUES ('".mysql_real_escape_string(stripslashes($_REQUEST['txtTitle'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkGroupCal'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkAllowOverlap'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtUserID'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtOwner'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtPhone'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtEmail'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtDesc'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtManagers'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtLocation'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkNotifyMe'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkNotifyMgrs'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkRemind'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkRemindMan'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtAppText'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['selViewBlockRestr'])).
     "','".mysql_real_escape_string(stripslashes($_REQUEST['txtViewBlocksUserID']))
   "','".mysql_real_escape_string(stripslashes($_REQUEST['txtViewBlocksCourseID']))."','".mysql_real_escape_string(stripslashes($_REQUEST['selMakeApptRestr']))."','".mysql_real_escape_string(stripslashes($_REQUEST['txtMakeApptUserID']))."','".mysql_real_escape_string(stripslashes($_REQUEST['txtMakeApptDptID']))."','".mysql_real_escape_string(stripslashes($_REQUEST['chkShowAppInfo']))."')"; 

if($result = mysql_query($sql,$db)) 
   {
    echo '<h1>Thank you</h1> Your information has been entered into our database<br><br>
        <p> <a href="viewcalendar.page.php"> View Calendar </a> </p>
        <img src="eDiary.jpg"';

    } 
   else 
   {
    echo "ERROR: ";
   }  ?>

The form includes sections where there are check boxes that can be left blank.

I followed your advice and used PDO. Kept returning the following error:Warning: PDO::__construct() [pdo.--construct]: [2002] Invalid argument (trying to connect via unix://) in /opt/lampp/htdocs/Scheduler/pages/enterCal.page.php on line 72 Connection Failed: SQLSTATE[HY000] [2002] Invalid argument Fatal error: Call to a member function exec() on a non-object in /opt/lampp/htdocs/Scheduler/pages/enterCal.page.php on line 80.

I figured $db is not an object and that the connection is not being executed. How do I take care of that? I've tried Google but can't seem to come up with anything that works.

    <?php

$dsn = 'mysql:host=localhost;dbname=eDiary';
$user = 'root';
$password = '';

try 
{
        $db = new PDO($dsn,$user,$password);
        $db -> setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);}                
catch (PDOException $e) {
  echo 'Connection Failed: ' . $e->getMessage();
    }

$result = $db->exec("INSERT INTO wassCalendar(title, group, overlapok, userid, name, phone, email, description, managers, location, notify, notifyman, remind, 
remindman, appmsg, viewaccess, viewulist, viewclist, makeaccess, makeulist, makeclist, showappinfo) 
VALUES($txtTitle, $chkGroupCal, $chkAllowOverlap, $txtUserID, $txtOwner,  $txtPhone, $txtEmail, $txtDesc, $txtManagers, 
$txtLocation, $chkNotifyMe, $chkNofityMgrs, $chkRemind, $chkRemindMan, $txtAppText, $selViewBlockRestr, 
$txtViewBlocksUserID, $txtViewBlocksCourseID, $selMakeApptRestr, $txtMakeApptUserID, $txtMakeApptDptID, 
$chkShowAppInfo)"; 

$insert_id = mysql_insert_id();

?>

Well, what is the error? http://php.net/manual/en/function.mysql-error.php Also, use of mysql_ functions is discouraged, "use PDO or MySQLi instead". — Terry Seidler, Oct 15 '12 at 07:41
Your code starts with a backtick. That's wrong. Also, what is the error you get? — Bart Friederichs, Oct 15 '12 at 07:41
Try with a much smaller query first. Also actually check the syntax of the code you've posted (also it looks like you are probably having difficulties with the editing tools of this website, make yourself a little bit more comfortable with them). And the exact error message is missing, add it to your question so it is clear into which error you actually run. — hakre, Oct 15 '12 at 07:41
Please, [don't use `mysql_*` functions to write new code](http://stackoverflow.com/q/12859942/19068). They are no longer maintained and the community has begun [deprecation process](http://goo.gl/KJveJ). See the *[red box](http://goo.gl/GPmFd)*? Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://goo.gl/3gqF9) will help you. If you pick PDO, [here is good tutorial](http://goo.gl/vFWnC). — Quentin, Oct 15 '12 at 08:28
echoing our query is very helpful some time. I suggest you to echo your $sql variable before running query. more over printing mysql errors can help you finding the problem. — CoreCoder, Oct 15 '12 at 08:30
I decided to use PDO, now I am getting a fatal error:Call to a member function exec() on a non-object on my page. — Joanna Irungu, Oct 16 '12 at 05:07

score 0 · Answer 1 · edited May 23 '17 at 10:24

0

When in a situation that requires using user input in a query, you will want to parameterize the query.

Here is another topic where I cover the same issue.

Relying on sanitizing the input is incredibly bad practice, and will eventually bite you.

edited May 23 '17 at 10:24

Community

1
1

answered Oct 15 '12 at 07:46

Johnathon Malizia

136
1
4

Entering data from form into database using php

1 Answers1