
I'm trying to allow all users to add data to a database. However, it's not working and I'm not getting an error. This is purely for practice, but it's still frustrating. Thoughts?

<form name="Add" id="Add" method="post" action="programadd.php">
    <p>Content Name:
        <input name="program" type="text" id="program" style="width: 500px; height: 20px;" />
    </p>
    <p>Content Air Date
        <input name="airdate" type="date" id="airdate" />
    </p>
    <p>Description
        <input name="description" type="text" id="description" style="width: 500px; height: 20px;" />
    </p>
    <p>Production
        <input name="production" type="text" id="production" value="nothing" style="width: 500px; height: 20px;" />
    </p>
    <p>Promotions
        <input name="promotion" type="text" id="promotion" value="nothing" style="width: 500px; height: 20px;" />
    </p>
    <p>Community
        <input name="community" type="text" id="community" value="nothing" style="width: 500px; height: 20px;" />
    </p>
    <p>Web
        <input name="web" type="text" id="web" value="nothing" style="width: 500px; height: 20px;" />
    </p>
    <p>
        <input type="submit" name="Submit" value="Submit" />
    </p>
</form>

Here's the programadd page. Thanks!

<?php 
 include('connect-db.php');
$program = $_POST['program'];
$airdate = $_POST['airdate'];
$description =  $_POST['description'];
$production = $_POST['production'];
$promotion = $_POST['promotion'];
$community = $_POST['community'];
$web = $_POST['web'];


if (mysql_query ("INSERT INTO calendar(program, airdate, description, production, promotion, community, web) VALUES 
    ('$program', '$airdate', '$description','$production', '$promotion', '$community', '$web')"))
{ echo "Content successfully added to the database. <br /> 
 }
else {
    die(mysql_error());
}
    require_once("db_connx_close.php");
?>
MonkeyZeus
deadendstreet
  • That code is vulnerable to SQL injection http://bobby-tables.com – smistry Apr 21 '14 at 18:26
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 21 '14 at 18:26
  • You should include what is in `connect-db.php` – aug Apr 21 '14 at 18:26
  • The line `echo "Conte...`: you didn't close the quotes – chepe263 Apr 21 '14 at 18:27

3 Answers

{ echo "Content successfully added to the database. <br /> 
                                                          ^---missing " here 

If you're NOT getting a syntax error from this, then you're probably running with display_errors and error_reporting turned off. NEVER have them disabled when you're developing. It's the coding equivalent of stuffing your fingers in your ears and going "lalalala can't hear you don't care what you have to tell me lalala".

Marc B

This may be an error in your question's markdown, but just in case it isn't, I will mention what I am seeing.

You are not closing the string on the echo after your query:

echo "Content successfully added to the database. <br /> 

Should be:

echo "Content successfully added to the database. <br />";

Also, just for the sake of clarity, you are using $_POST data directly in a SQL Query without sanitizing or validating the data. I realize this is for practice but it should be mentioned that this methodology is highly vulnerable to SQL Injection and will make your database easily accessible. You could, instead, use PHP's PDO Library for your connections or at the very least sanitize your inputs.

Matthew R.
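The PDO approach this answer recommends, written out for the question's `calendar` table as an added example (it is not code from the asker or from any answer); the DSN and credentials are placeholders, and PHP 7 or later is assumed for the `??` operator.

```php
<?php
// Added example (not from the question or any answer): the same INSERT written
// with a PDO prepared statement, so submitted values travel separately from the
// SQL text and cannot change the query. DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', // placeholder DSN
    'YOUR_USER',                                           // placeholder user
    'YOUR_PASSWORD',                                       // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // never fail silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]
);

// Read the seven form fields; a missing field becomes null instead of a notice.
$fields = ['program', 'airdate', 'description', 'production', 'promotion', 'community', 'web'];
$row = [];
foreach ($fields as $f) {
    $row[$f] = $_POST[$f] ?? null;
}

// Validate the one field with a fixed format before it reaches the database.
$date = DateTime::createFromFormat('Y-m-d', (string) $row['airdate']);
if ($date === false || $date->format('Y-m-d') !== $row['airdate']) {
    http_response_code(400);
    exit('airdate must be YYYY-MM-DD');
}

// Named placeholders are bound, not interpolated: quotes or semicolons inside a
// value are stored literally and never interpreted as SQL.
$sql = 'INSERT INTO calendar (program, airdate, description, production, promotion, community, web)
        VALUES (:program, :airdate, :description, :production, :promotion, :community, :web)';

try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($row); // $row keys match the placeholder names
    echo 'Content successfully added to the database. <br />';
} catch (PDOException $e) {
    // Log the driver message server-side; do not echo it to the browser.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Could not add content.';
}
```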

However, your code is vulnerable to SQL injection. Although, for your help, put this change in your query syntax like this:

if (mysql_query ("INSERT INTO calendar(program, airdate, description, production, promotion, community, web) VALUES ('".$program."', '".$airdate."', '".$description."','".$production."','".$promotion."', '".$community."', '".$web."')"))
{ 
echo "Content successfully added to the database. <br />";
 }
shashank
  • Since the string is using double quotes `"` you don't actually need to concatenate each value to the string. Double quotes allow you to use variables directly in the string without the need to concatenate. Another method could be the `printf()` or `sprintf()` functions that use typecasting. – Matthew R. Apr 21 '14 at 18:35