-1
<?php
            $email = $_POST['email'];
            $first = $_POST['first'];
            $last = $_POST['last'];
            $business = $_POST['business'];
            $home = $_POST['home'];
            $cell = $_POST['cell'];
            $street = $_POST['street'];
            $city = $_POST['city'];
            $state = $_POST['state'];
            $zip = $_POST['zip'];
            $system = $_POST['system'];
            $cameras = $_POST['cameras'];
            $hdd = $_POST['hdd'];

            if(isset($_POST['submit']))
                {
                $connect = mysql_connect('localhost','rebeler_customer','callaway87');
                mysql_select_db("rebeler_customers");

                mysql_real_escape_string($first);
                $last = mysql_real_escape_string($last);
                $business = mysql_real_escape_string($business);
                $home = mysql_real_escape_string($home);
                $cell = mysql_real_escape_string($cell);
                $email = mysql_real_escape_string($email);
                $street = mysql_real_escape_string($street);
                $city = mysql_real_escape_string($city);
                $state = mysql_real_escape_string($state);
                $zip = mysql_real_escape_string($zip);
                $system = mysql_real_escape_string($system);
                $cameras = mysql_real_escape_string($cameras);
                $hdd = mysql_real_escape_string($hdd);

                $query = mysql_query("INSERT INTO `customers`(`email`,`firstname`,`lastname`, `businessname`,`homephone`, `cellphone`,`street`, `city`,`state`, `zip`,`system`, `cameras`, `hdd`) VALUES ('$email','$first','$last','$business','$home','$cell','$street','$city','$state','$zip','$system','$cameras','$hdd')");

}
?>

Can I get some help seeing why my code is not posting the info to my db? It connects w/ db fine, it just doesn't write the info to it. Let me know if you need any more info; y'all are always quick and helpful.

aust
  • When you debug this, in what way does it fail? Is there anything useful in `mysql_error()`? In the PHP error logs? – David Nov 18 '13 at 20:20
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). – Quentin Nov 18 '13 at 20:20
  • Can you print mysql_error()? and the value of the query. – user4035 Nov 18 '13 at 20:31
  • Nothing in error logs. When I run it in xampp with e_all & Strict I get a whole bunch of undefined variable notifications and this one... Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\new_submit.php on line 6 – Moses Bolton Nov 18 '13 at 20:31
  • @MosesBolton - where are you calling `mysql_fetch_assoc()`? It's not in the code you've given above. – andrewsi Nov 18 '13 at 20:39
  • You are not assigning `$first`. Also, I presume you use the parameters further down to repopulate the form? You'll need to run `htmlspecialchars()` over those values to be safe from XSS – Aurelia Nov 18 '13 at 20:40
  • @andrewsi, I am using that when I pull info from the database, does it also need to be in this code as well? – Moses Bolton Nov 18 '13 at 20:44
  • What did you get with a `var_dump($_POST);` before executing your query (especially for the submit var)? – Stv Nov 18 '13 at 21:43

3 Answers

2

Try this: first echo your query and run this query against the database.

$query = "INSERT INTO `customers`(`email`,`firstname`,`lastname`, `businessname`,`homephone`, `cellphone`,`street`, `city`,`state`, `zip`,`system`, `cameras`, `hdd`) VALUES ('$email','$first','$last','$business','$home','$cell','$street','$city','$state','$zip','$system','$cameras','$hdd')";

echo $query;
//$result =mysql_query($query);
Muhammad Rashid
0

Please do not use mysql_ to generate new code. The entire suite of functions is deprecated, and can lead to insecure code (note the giant red notice: http://php.net/manual/en/function.mysql-query.php)

Instead, use PDO. An example of your code follows, using PDO. You must supply the database username, password, and database name.

// note: untested code follows
if(isset($_POST['submit'])) {
    $pdo = new PDO('mysql:host='.$host.';dbname='.$db_name, $db_username, $db_password);
    $statement = $pdo->prepare('
        INSERT INTO `customers`(
            `email`,
            `firstname`,
            `lastname`,
            `businessname`,
            `homephone`,
            `cellphone`,
            `street`,
            `city`,
            `state`,
            `zip`,
            `system`,
            `cameras`,
            `hdd`
        ) VALUES (
            :email,
            :firstname,
            :lastname,
            :businessname,
            :homephone,
            :cellphone,
            :street,
            :city,
            :state,
            :zip,
            :system,
            :cameras,
            :hdd
        )
    ');
    // execute() returns true on success, false on failure
    $result = $statement->execute(array(
        'email'=>$_POST['email'],
        'firstname'=>$_POST['first'],
        'lastname'=>$_POST['last'],
        'businessname'=>$_POST['business'],
        'homephone'=>$_POST['home'],
        'cellphone'=>$_POST['cell'],
        'street'=>$_POST['street'],
        'city'=>$_POST['city'],
        'state'=>$_POST['state'],
        'zip'=>$_POST['zip'],
        'system'=>$_POST['system'],
        'cameras'=>$_POST['cameras'],
        'hdd'=>$_POST['hdd']
    ));
    $customer_id = $pdo->lastInsertId();
    if (!$result || !$customer_id) {
        var_dump($pdo->errorInfo());
        die('something went wrong'); // do something better to handle errors!
    }
}
Chris Baker
  • You should try to address the question that was asked. – TrippyD Nov 18 '13 at 21:27
  • @TrippyD Downvotes are not for expressing your disapproval of the approach. This is a technically accurate answer, and it DOES address the question, as the code works as written, given the details of the question. – Chris Baker Nov 18 '13 at 21:28
0

Try this code; in theory it does the same thing and is easy to debug (PHP >= 5.3):

if (isset($_POST['submit'])) {
    try {
        $connect = mysql_connect('localhost','rebeler_customer','callaway87');
        mysql_select_db("rebeler_customers");

        $fields = "email,first,last,business,home,cell,street,city,state,zip,system,cameras,hdd";

        $sql_header = '';
        $sql_values = '';
        $glue = '';

        array_filter(
            explode(',', $fields),
            function ($field) use (& $sql_header, & $sql_values, & $glue) {
                $sql_header .= $glue . '`' . $field . '`';
                $sql_values .= $glue . "'" . mysql_real_escape_string($_POST[$field]) . "'";
                $glue = ',';
            }
        );
        $sql = "INSERT INTO `customers`($sql_header) VALUES ($sql_values)";
        $query = mysql_query($sql);
    } catch(Exception $e) {
        echo 'Error in line ' . $e->getLine() . ': ' . $e->getMessage();
    }
}
evalarezo
  • This is wide open for sql injection. Plus, you could do the same thing in fewer lines with `array_keys`, `array_values`, and `implode` – Chris Baker Nov 18 '13 at 21:26
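
An added example, not part of any answer or comment on this page: the field-list approach from the last answer rebuilt on PDO, so column names come only from a fixed map, values are bound as parameters, and SQL failures throw instead of returning `false` unnoticed. Assumptions: an in-memory SQLite database stands in for the MySQL server so the snippet runs offline, and `FIELD_MAP`, `insertCustomer()` and the sample `$post` values are hypothetical names and constructed data.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
// Make SQL errors throw instead of returning false silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, firstname TEXT,
    lastname TEXT, businessname TEXT, homephone TEXT, cellphone TEXT, street TEXT,
    city TEXT, state TEXT, zip TEXT, system TEXT, cameras TEXT, hdd TEXT)');

// Form field => column. Only these fixed names ever become part of the SQL text.
const FIELD_MAP = [
    'email' => 'email', 'first' => 'firstname', 'last' => 'lastname',
    'business' => 'businessname', 'home' => 'homephone', 'cell' => 'cellphone',
    'street' => 'street', 'city' => 'city', 'state' => 'state', 'zip' => 'zip',
    'system' => 'system', 'cameras' => 'cameras', 'hdd' => 'hdd',
];

function insertCustomer(PDO $pdo, array $post): int
{
    $params = [];
    foreach (FIELD_MAP as $field => $column) {
        // Reject missing or non-string input up front (no "undefined" notices later).
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
        $params[$column] = $post[$field]; // travels as bound data, never as SQL
    }
    $columns = array_keys($params);
    $sql = 'INSERT INTO `customers` (`' . implode('`, `', $columns) . '`) VALUES (:'
         . implode(', :', $columns) . ')';
    $pdo->prepare($sql)->execute($params);
    return (int) $pdo->lastInsertId();
}

// Constructed sample submission; the apostrophe would break a concatenated query.
$post = [
    'submit' => '1', 'email' => 'ann@example.test', 'first' => 'Ann', 'last' => "O'Brien",
    'business' => 'Example <b>Co</b>', 'home' => '555-0100', 'cell' => '555-0101',
    'street' => '1 Main St', 'city' => 'Springfield', 'state' => 'IL', 'zip' => '00000',
    'system' => 'DVR', 'cameras' => '4', 'hdd' => '1TB',
];

try {
    $id = insertCustomer($pdo, $post);
    $stmt = $pdo->prepare('SELECT businessname FROM customers WHERE id = ?');
    $stmt->execute([$id]);
    // Escape on output, as the htmlspecialchars() comment above advises.
    echo "Inserted #$id: ", htmlspecialchars($stmt->fetchColumn(), ENT_QUOTES, 'UTF-8'), PHP_EOL;
} catch (Exception $e) {
    error_log('Insert failed: ' . $e->getMessage());
}
```

Against a real MySQL server, only the DSN and credentials passed to `new PDO(...)` change, and the `CREATE TABLE` line is dropped.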