-3

I am not entirely sure but it looks like the values being posted by my forms e.g. Text1 for my first text box, are not being recognized by PHP.

Been wrestling with it all night, hopefully someone can help? Thanks.

```php
<?php
$dbhost = 'localhost';
$dbuser = 'xeuser';
$dbpass = 'xepass';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);

if(! $conn )
{
 die('Could not connect: ' . mysql_error());
}

$sql = 'INSERT INTO `amis_q1`.`crop1_8_9` (
`IDENTIFICATION` , `ADD` , `MARKET` , `DISTRICT` , `ENUMERATOR` , `Seller` , `Name_of_Unit` , `Number_of_Sellers` , `Average_Weight` , `Estimated_Weights` , `Type_of_Seller` , `Tramsport` , `Source` , `Remarks` , `CHECKED` , `BY` , `SUPERVISOR` , `OFFICE` , `DATE` , `INITIALS`
)
VALUES 
(   $_POST['Text1'],'$_POST[Text2]','$_POST[Text3]','$_POST[Text4]','$_POST[Text5]','$_POST[Text6]','$_POST[Text7]','$_POST[Text8]','$_POST[Text9]','$_POST[Text10]','$_POST[Text11]','$_POST[Text12]','$_POST[Text13]','$_POST[Text14]','$_POST[Text15]','$_POST[Text16]','$_POST[Text17]','$_POST[Text18]','$_POST[Text19]','$_POST[Text20]'
)';

mysql_select_db('amis_q1');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
 die('Could not enter data: ' . mysql_error());
}
print 'Inputted';
mysql_close($conn);
?>
```
Marc Audet
Xak1987
  • 2
    Please stop what you're doing and read a PHP tutorial. Even if your code worked (it's a very basic syntax error, caused by unescaped `'`), it would be **terribly** vulnerable to SQL injection. – user229044 Aug 22 '13 at 21:06
  • What are `Text1`, `Text2` .. ? – Sahil Mittal Aug 22 '13 at 21:06
  • Post the HTML, we can't tell what's wrong just looking at the server side code – tomaroo Aug 22 '13 at 21:06
  • And where is your `HTML Form`? – Hashem Qolami Aug 22 '13 at 21:06
  • @All The problem is pretty obvious if you read the question, stop asking for HTML, it's completely unrelated. He has glaring syntax errors in his PHP. – user229044 Aug 22 '13 at 21:07
  • 1
    You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Aug 22 '13 at 21:27

1 Answer

1

Overarching problems: don't use mysql functions, and read about SQL injection, as your code (and the correct code below) are both extremely flawed from a security perspective.

Other than that, the problem lies in your use of single quotes in $sql. Here's the correct way to do the last half of the variable:

```php
$sql = ') VALUES (' . $_POST['Text1'] . ', ' . $_POST['Text2'] . ')';
```

...this is the correct way to concatenate strings in PHP.

jterry
  • It's worth noting that you **absolutely must not do this**, even though it fixes the syntax issues, it leaves the *gaping* security vulnerabilities. – user229044 Aug 22 '13 at 21:10
  • Totally agreed, which is why I started with the first sentence, which will inevitably be skipped completely by the OP anyway. – jterry Aug 22 '13 at 21:11
  • You haven't fixed anything with the string changes. `$foo = "abc $def[hij] jkl";` is functionally identical to `$foo = "abc " . $def['hij'] . " jkl";` I'd -1, but the sql injection warning would be a plus anyways, so... +0 – Marc B Aug 22 '13 at 21:14
  • Single and double quotes are very different, and your example isn't the same as the OP's anyway. – jterry Aug 22 '13 at 21:16
  • Wow, that's a lot of information to take in. Thanks, I knew about the injection issues, was just trying to get a basic form working. I'm very new to this, which must be very obvious by now. Thanks. – Xak1987 Aug 22 '13 at 21:31
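
The comments above point to a modern database API and to defending against SQL injection. As an added example (not code from the question or the answer), here is the same 20-column insert written with PDO placeholders, so the posted values are bound as data and never become part of the SQL text. The `insertCropRow` name, the in-memory SQLite DSN and the sample values are assumptions chosen so the script runs without a MySQL server.

```php
<?php
// Added example: parameterized INSERT with PDO. Column names are the ones in
// the question; the SQLite in-memory DSN is an assumption so the script runs
// without a server. For MySQL use a DSN such as
// 'mysql:host=localhost;dbname=amis_q1' with the same code.
const COLUMNS = ['IDENTIFICATION', 'ADD', 'MARKET', 'DISTRICT', 'ENUMERATOR',
    'Seller', 'Name_of_Unit', 'Number_of_Sellers', 'Average_Weight',
    'Estimated_Weights', 'Type_of_Seller', 'Tramsport', 'Source', 'Remarks',
    'CHECKED', 'BY', 'SUPERVISOR', 'OFFICE', 'DATE', 'INITIALS'];

function insertCropRow(PDO $pdo, array $post): int
{
    // Identifiers come only from the fixed list above, never from the request.
    $cols  = implode(', ', array_map(fn($c) => "`$c`", COLUMNS));
    $marks = implode(', ', array_fill(0, count(COLUMNS), '?'));
    $stmt  = $pdo->prepare("INSERT INTO `crop1_8_9` ($cols) VALUES ($marks)");

    // Text1..Text20 map positionally onto the columns; reject missing fields
    // and array-valued fields (e.g. a request sending Text1[]=...).
    $values = [];
    foreach (COLUMNS as $i => $_) {
        $key = 'Text' . ($i + 1);
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("Missing or non-string field: $key");
        }
        $values[] = $post[$key];
    }
    $stmt->execute($values);   // values travel as bound data, not as SQL text
    return $stmt->rowCount();
}

// --- constructed demo: stands in for a real form submission ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `crop1_8_9` (' .
    implode(', ', array_map(fn($c) => "`$c` TEXT", COLUMNS)) . ')');

$post = [];
for ($i = 1; $i <= 20; $i++) { $post["Text$i"] = "value $i"; }
$post['Text14'] = "Seller's note, with 'quotes'";   // constructed value containing quotes

echo insertCropRow($pdo, $post), " row inserted\n";
echo $pdo->query('SELECT `Remarks` FROM `crop1_8_9`')->fetchColumn(), "\n";
```

In a real handler, pass `$_POST` as the second argument; the quoted value is stored verbatim because it is never concatenated into the statement.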