
My php code doesn't seem to be working. Was functioning yesterday but I must have changed something and now it isn't. As far as I can tell it's the if($word) that's causing the problem. The else part functions and it's connecting with the mysql db but that one if statement does nothing.

Here's the php:

<?php
  require('connect.php');
  $word=$_POST['word'];
  $submit=$_POST['submit'];

  if($submit){
      if($word){
         mysql_query("INSERT INTO words (word) VALUES ($word)");
      }
      else{
         echo "Enter a word.";
      }
  }
?>

and this is the html form:

<form name="form" id="form" method="post" action="index.php">
    <p><label>Label</label></p>
    <p><input type="text" name="word" id="word" maxlength="16"/></p>
    <p><input type="submit" name="submit" id="submit" value="Save"/></p>
</form>
Saju
Razzildinho
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. – Kermit Feb 21 '13 at 18:45
  • 'As far as I can tell it's the if($word) that's causing the problem'- can you provide some reason why you think that's causing the problem? And what problem is it causing? – user3871 Feb 21 '13 at 18:45
  • Your query has SQL injection; see here http://stackoverflow.com/a/60195/813069 for how to process the input – Winston Feb 21 '13 at 18:47
  • If I change the mysql_query to a simple echo it still doesn't work. However, if the field is left blank the "enter a word" echo does function. – Razzildinho Feb 21 '13 at 18:48

2 Answers

You should immediately stop using this code. It is vulnerable to SQL injection. You need to learn how to bind parameters to prevent this as well as use a non-deprecated API. I would also recommend that you check REQUEST_METHOD rather than if $_POST['word'] is set as it can be empty.

Since you don't have any type of error catch functions, it is difficult to tell what could be the problem. If I had to guess, it's probably because you're missing single quotes around your posted variable:

...INSERT INTO words (word) VALUES ('$word')...

Using parameters:

<?php

if( $_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST['submit']) ) {

    $link = mysqli_connect('localhost', 'my_user', 'my_password', 'world');

    /* check connection */
    if (!$link) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    $stmt = mysqli_prepare($link, "INSERT INTO words (word) VALUES (?)");
    mysqli_stmt_bind_param($stmt, 's', $_POST['word']);

    /* execute prepared statement */
    mysqli_stmt_execute($stmt);

    printf("%d Row inserted.\n", mysqli_stmt_affected_rows($stmt));

    /* close statement */
    mysqli_stmt_close($stmt);

    /* close connection */
    mysqli_close($link);
}
?>

The documentation is a good place to start.

Kermit
  • While this is probably the best answer for the OP, you should probably point him towards OOP PHP, as he seems very new to this. Better to start with OOP than learn procedural only to scratch your head later. – Amelia Feb 21 '13 at 19:00
  • @Hiroto I don't see why I should point him to OOP, nor why it's better. Programming style is for the OP to decide. My comment under the answer should suffice. – Kermit Feb 21 '13 at 19:02

You most likely need to quote your $word value...

INSERT INTO words (word) VALUES ('$word')

As mentioned in the comments...

Why shouldn't I use mysql_* functions in PHP?

And don't forget about input sanitization.

How can I prevent SQL injection in PHP?

xkcd.com

Community
jondavidjohn
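
Why quoting `$word` makes the query run but does not make it safe, as an added example (not code from the question or from either answer). It assumes PDO with an in-memory SQLite table in place of the MySQL `words` table, and the three inputs are constructed.

```php
<?php
// Added example, not code from the question or answers.
// Assumption: PDO with an in-memory SQLite database stands in for the MySQL
// `words` table so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors
$pdo->exec('CREATE TABLE words (word VARCHAR(16))');

// Each builder mirrors one form of the INSERT discussed on this page.
$builders = [
    'unquoted' => fn(string $w) => "INSERT INTO words (word) VALUES ($w)",
    'quoted'   => fn(string $w) => "INSERT INTO words (word) VALUES ('$w')",
];

// Constructed sample inputs, standing in for $_POST['word'].
$inputs = ['apple', "it's", "a'), ('b"];

// Empties the table, runs one insert attempt, and reports what was stored.
function tryInsert(PDO $pdo, callable $run): string
{
    $pdo->exec('DELETE FROM words');
    try {
        $run();
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
    $rows = $pdo->query('SELECT word FROM words')->fetchAll(PDO::FETCH_COLUMN);
    return count($rows) . ' row(s): ' . json_encode($rows);
}

foreach ($inputs as $word) {
    echo "input: $word\n";
    foreach ($builders as $name => $build) {
        // String interpolation: the input becomes part of the SQL text.
        $result = tryInsert($pdo, fn() => $pdo->exec($build($word)));
        echo "  $name: $result\n";
    }
    // Bound parameter: the input is sent as data and never parsed as SQL.
    $result = tryInsert($pdo, function () use ($pdo, $word) {
        $stmt = $pdo->prepare('INSERT INTO words (word) VALUES (?)');
        $stmt->execute([$word]);
    });
    echo "  prepared: $result\n";
}
```

The unquoted form fails even for `apple`, because the database reads a bare word as a column name. The quoted form stores `apple` but errors on an apostrophe and stores two rows for the third input, while the bound parameter stores every input as exactly one literal value.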