
I seem to be missing something here. Every single post I find on Google or StackOverflow, based on what I can see, shows that my code is correct. HOWEVER, every time I hit submit it just clears the page and brings me back to the top. I've tried bringing it down to just the basic fields (without the functions) but that didn't change anything.

Here is my form:

<form acction="/php/newcarcode.php" method="post">

                    <table style="width:575px">
                            <tr>
                                <th>Currently Own</th>
                                <td><input type="checkbox" name="own"></td>
                                <td></td>
                            </tr>
                        <tr>
                            <th style="width:175px">Year</th>
                            <td style="width:375px"><input type="text" name="year" style="width:340px"></td>
                            <td style="width:25px"></td>
                        </tr>
                        <tr>
                            <th>Make</th>
                            <td><select name="dropdown" style="width:344px"><?php make() ?></select></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Model</th>
                            <td><select name="dropdown" style="width:344px"><?php model() ?></select></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Trim</th>
                            <td><input type="text" name="trim" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Purchased</th>
                            <td><input type="date" name="purchased" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Engine</th>
                            <td><select name="engine" style="width:344px"><?php engine() ?></select></td>
                            <td><a href="newengine.php"><img src="/images/addnew.png" width="33px" height="25px"></a></td>
                        </tr>
                        <tr>
                            <th>Drivetrain</th>
                            <td><select name="drivetrain" style="width:344px"><?php drivetrain() ?></select></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Transmission</th>
                            <td><select name="trans" style="width:344px"><?php trans() ?></select></td>
                            <td><a href="newengine.php"><img src="/images/addnew.png" width="33px" height="25px"></a></td>
                        </tr>
                        <tr>
                            <th>Driver</th>
                            <td><select name="driver" style="width:344px"><?php driver() ?></select></td>
                            <td><a href="newengine.php"><img src="/images/addnew.png" width="33px" height="25px"></a></td>
                        </tr>
                        <tr>
                            <th>Type</th>
                            <td><select name="dropdown" style="width:344px"><?php type() ?></select></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Doors</th>
                            <td><input type="number" name="doors" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Color</th>
                            <td><input type="text" name="color" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Cost</th>
                            <td><input type="number" name="cost" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Sale Price</th>
                            <td><input type="number" name="sale" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Profit</th>
                            <td><input type="number" name="profit" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Profile Pic</th>
                            <td><input type="text" name="profile" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Photo Album</th>
                            <td><input type="text" name="album" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th>Thumbnail Pic</th>
                            <td><input type="text" name="thumbnail" style="width:340px"></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th style="height: 75px">Notes</th>
                            <td><textarea type="text" name="notes" style="width:340px" rows="4"></textarea></td>
                            <td></td>
                        </tr>
                        <tr>
                            <th style="height: 75px">Mods</th>
                            <td><textarea type="message" name="mods" style="width:340px" rows="4"></textarea></td>
                            <td></td>
                        </tr>

                    </table>

                    <br>

                    <input type="submit" value="Submit">

                </form>

And then here is the php page that it's calling:

<?php

$con = mysql_connect("server", "mycaradmin", "SuperSecretPassword") or die(mysql_error());
mysql_select_db("mycars") or die(mysql_error());

$year       =   $_POST[year];
$make       =   $_POST[make];
$model      =   $_POST[model];
$trim       =   $_POST[trim];
$engine     =   $_POST[engine];
$trans      =   $_POST[trans];
$doors      =   $_POST[doors];
$type       =   $_POST[type];
$color      =   $_POST[color];
$drivetrain =   $_POST[drivetrain];
$driver     =   $_POST[driver];
$own        =   $_POST[own];
$purchase   =   $_POST[purchase];
$sale       =   $_POST[sale];
$profit     =   $_POST[profit];
$profile    =   $_POST[profile];
$notes      =   $_POST[notes];
$mods       =   $_POST[mods];
$album      =   $_POST[album];

$sql = "    INSERT  INTO    mycars.vehicles (
                    VYear, 
                    VMakeID, 
                    VModelID, 
                    VTrim,
                    VEngineID,
                    VTransID,
                    VNumDoors,
                    VTypeID,
                    VColor,
                    VDrivetrainID,
                    PeopleID,
                    VCurrentlyOwn,
                    VPurchasePrice,
                    VSalePrice,
                    VProfit,
                    VAttachments,
                    VNotes,
                    VModifications,
                    VAlbum,
                    VDateOfPurchase 
                )

            VALUES (
                        '$year',
                        '$make',
                        '$model;',
                        '$trim',
                        '$engine',
                        '$trans',
                        '$doors',
                        '$type',
                        '$color',
                        '$drivetrain',
                        '$driver',
                        '$own',
                        '$purchase',
                        '$sale',
                        '$profit',
                        '$profile',
                        '$notes',
                        '$mods',
                        '$album',
                    )"
            ;

if (!mysql_query($con,$sql))
    {
        die('Error: ' . mysql_error($con));
    }
    echo "1 record added";

mysql_close($con);

?>

Does not seem to matter what I change, I get the same results. I'm perplexed.

    Also, you should really use MySQLi, the old MySQL API is deprecated as of PHP 5.5.0, and will be removed in the future. – OllyBarca Feb 27 '14 at 17:10
  • Once you've fixed the typo, it should work better. Your code is however prone to attacks: you should ALWAYS sanitize user input AND use prepared statements. – Laurent S. Feb 27 '14 at 17:10
  • And be careful of [SQL](http://en.wikipedia.org/wiki/SQL_injection) [injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496). – giorgio Feb 27 '14 at 17:11
  • Ok, so I made the corrections to spelling and added in quotes, but now when I hit submit it just goes to a blank page. Something, somewhere, still isn't working. Also - how do I go about "sanitizing" my code? – JeremyThePHPNoob Feb 27 '14 at 17:20

6 Answers

5

Typo -

<form acction="/php
        ^
Kamehameha
2

You have no quotes on your $_POST variables:

$_POST[year]; should be $_POST['year'];

Leroy
1

Also, you have an extra comma after the last '$album' in your SQL statement.

ATechGuy
1

There are few issues in this code:

  1. You have specified the name property of Make and Model as 'dropdown', which is never used.
  2. Your code is open to SQL injection and other security problems.
  3. You need to enclose the keys in case of associative arrays in php in either single or double quotes like this:

    $year = $_POST["year"];

  4. Your form action is also not correct; most probably it's a typo.
akm
0

I know this is extra topical and will likely get scored down... Never use the mysql library, but instead use mysqli or PDO. You are also doing no validation of input to prevent SQL, JavaScript or HTML injection.

You also have a stray extra semicolon and comma in your insert statement.

Consider changing your lines that look like:

$year       =   $_POST[year];

To lines that look something like:

$year = filter_var($_POST['year'], FILTER_VALIDATE_INT); // false unless the value is an integer

That will ensure that the year is an integer. You could/should also check that it is a valid year in the range of the first car released to present day. filter_var can also filter using regex, or for other types of data with known format, using other filters than FILTER_SANITIZE_INT.

And your database stuff:

$db = new mysqli("server", "mycaradmin", "SuperSecretPassword");
if ($db->connect_error) {
    // "new mysqli(...) or die()" never dies: the constructor always returns an object
    die('Connect error: ' . $db->connect_error);
}
$stmnt = $db->prepare('INSERT INTO mycars.vehicles (
                VYear, 
                VMakeID, 
                VModelID, 
                VTrim,
                VEngineID,
                VTransID,
                VNumDoors,
                VTypeID,
                VColor,
                VDrivetrainID,
                PeopleID,
                VCurrentlyOwn,
                VPurchasePrice,
                VSalePrice,
                VProfit,
                VAttachments,
                VNotes,
                VModifications,
                VAlbum,
                VDateOfPurchase 
            )

        VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)') or die($db->error);

// bind_param() takes its arguments by reference, so each one must be a plain
// variable, never a quoted string like '$year'. Twenty ? markers need twenty
// variables; the form's "purchased" date fills the last column, VDateOfPurchase.
$purchased = $_POST['purchased'];
$stmnt->bind_param('ssssssssssssssssssss',
                    $year,
                    $make,
                    $model,
                    $trim,
                    $engine,
                    $trans,
                    $doors,
                    $type,
                    $color,
                    $drivetrain,
                    $driver,
                    $own,
                    $purchase,
                    $sale,
                    $profit,
                    $profile,
                    $notes,
                    $mods,
                    $album,
                    $purchased) or die($stmnt->error);

$stmnt->execute() or die($stmnt->error);
$stmnt->close();
$db->close();

This will protect your database from SQL injection, by preparing and compiling the statement before its use. You should treat any and all input from the user as potentially harmful and dangerous, so if it comes from the user, sanitize it before using it and never pass it unprocessed into a database query.

J. A. Streich
0

Parameterize your queries. That will prevent SQL Injection.

CodeFreak
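The advice in Laurent S.'s comment, J. A. Streich's answer and CodeFreak's answer, worked through as one complete handler. This is an added example, not code from the question or from any of the answers. It assumes the three `<select>` elements that share `name="dropdown"` are renamed `make`, `model` and `type` (as akm notes, only the last of three identically named fields reaches `$_POST`), that the form's `cost` field feeds `VPurchasePrice` and its `purchased` date feeds `VDateOfPurchase`, and that the host, database name and credentials are the placeholders from the question.

```php
<?php
// Added example, not from the question or the answers: newcarcode.php rebuilt with
// per-field validation and a PDO prepared statement. Assumed: the Make/Model/Type
// selects are renamed make/model/type; "cost" -> VPurchasePrice and "purchased"
// -> VDateOfPurchase; host, database and credentials are placeholders.
declare(strict_types=1);

// Validate one POSTed field. Returns [value, null] on success or [null, error].
function field(array $post, string $name, string $kind, bool $required): array
{
    $raw = $post[$name] ?? '';
    if (!is_string($raw)) {                 // e.g. year[]=1 arrives as an array
        return [null, "$name must be a single value"];
    }
    if ($raw === '') {
        return $required ? [null, "$name is required"] : [null, null];
    }
    switch ($kind) {
        case 'year':                        // first production car up to next model year
            $v = filter_var($raw, FILTER_VALIDATE_INT,
                ['options' => ['min_range' => 1886, 'max_range' => (int) date('Y') + 1]]);
            return $v === false ? [null, "$name must be a model year"] : [$v, null];
        case 'int':                         // IDs from the <select> lists, door count
            $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
            return $v === false ? [null, "$name must be a whole number"] : [$v, null];
        case 'money':
            $v = filter_var($raw, FILTER_VALIDATE_FLOAT);
            return ($v === false || $v < 0) ? [null, "$name must be a non-negative amount"] : [$v, null];
        case 'date':                        // <input type="date"> submits YYYY-MM-DD
            $d = DateTime::createFromFormat('!Y-m-d', $raw);
            $ok = $d !== false && $d->format('Y-m-d') === $raw;   // rejects 2014-02-31
            return $ok ? [$raw, null] : [null, "$name must be YYYY-MM-DD"];
        case 'text':
            // Stored verbatim: the prepared statement keeps it out of the SQL, and it
            // must go through htmlspecialchars() whenever it is rendered back as HTML.
            return strlen($raw) > 2000 ? [null, "$name is too long"] : [$raw, null];
    }
    return [null, "$name has no validation rule"];
}

$spec = [   // field name => kind
    'year' => 'year', 'make' => 'int', 'model' => 'int', 'trim' => 'text',
    'engine' => 'int', 'trans' => 'int', 'doors' => 'int', 'type' => 'int',
    'color' => 'text', 'drivetrain' => 'int', 'driver' => 'int', 'cost' => 'money',
    'sale' => 'money', 'profit' => 'money', 'profile' => 'text', 'notes' => 'text',
    'mods' => 'text', 'album' => 'text', 'purchased' => 'date',
];
$optional = ['trim', 'sale', 'profit', 'profile', 'notes', 'mods', 'album'];

$params = [];
$errors = [];
foreach ($spec as $name => $kind) {
    [$params[":$name"], $err] = field($_POST, $name, $kind, !in_array($name, $optional, true));
    if ($err !== null) {
        $errors[] = $err;
    }
}
$params[':own'] = isset($_POST['own']) ? 1 : 0;   // an unchecked checkbox is simply absent

if ($errors) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit(implode("\n", $errors));
}

$pdo = new PDO('mysql:host=server;dbname=mycars;charset=utf8mb4', 'mycaradmin', 'SuperSecretPassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepare, not client-side quoting
]);

$sql = 'INSERT INTO vehicles
          (VYear, VMakeID, VModelID, VTrim, VEngineID, VTransID, VNumDoors, VTypeID, VColor,
           VDrivetrainID, PeopleID, VCurrentlyOwn, VPurchasePrice, VSalePrice, VProfit,
           VAttachments, VNotes, VModifications, VAlbum, VDateOfPurchase)
        VALUES
          (:year, :make, :model, :trim, :engine, :trans, :doors, :type, :color,
           :drivetrain, :driver, :own, :cost, :sale, :profit,
           :profile, :notes, :mods, :album, :purchased)';

try {
    $pdo->prepare($sql)->execute($params);   // values never become part of the SQL text
    echo '1 record added';
} catch (PDOException $e) {
    error_log('vehicle insert failed: ' . $e->getMessage());   // table/column names stay in the log
    http_response_code(500);
    echo 'Could not save the vehicle';
}
```

Two things the thread's one-liners do not show: validation and parameterization are separate defences (filter_var settles what type a field is and whether it is in range; the prepared statement keeps whatever survives out of the SQL text, so a quote in the colour field is just a quote), and database errors belong in the server log rather than the response, since the question's `die('Error: ' . mysql_error($con))` hands table and column names to whoever sent the request.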