I'm a bit confused on this subject. I have seen variances in the answers I have found and am looking for a bit more direction for my application. What I am trying to do is use a PDO method to take data from a form with multiple entries and insert the data into the table I created.

I think I have an understanding of the overall concept, but what I would like to do, or rather not do, is have to create a variable ($player1 = $_POST['player1'] or similar...) for every input field I have.

Is there a way in my SQL statement I can use something like $_POST['player1'] to use the input from the form? I tried doing it as shown below, but I'm getting this error:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) on line 19

Line 19 being the VALUES line of the SQL statement...

html

        <form method='post' action='phpfiles/Sqldata2.php'>
            Enter data in for team 1. <br>
            Enter Id: <input type='text' name='id1' maxlength='6'><br>
            Enter Teamname: <input type='text' name='team1' maxlength='30'><br>
            Enter city: <input type='text' name='city1' maxlength='30'><br>
            Enter Bestplayer: <input type='text' name='best1' maxlength='30'><br>
            Enter Year formed: <input type='number' name='year1' maxlength='4'><br>
            Enter website: <input type='text' name='website1' maxlength='40'><br>
            <br><br><br>

            <input type='submit' name='SQLdata' value='Submit Data'>                
        </form>

php

    <?php
     // server and database information
    $servername = " n/a  ";
    $username = "   n/a  ";
    $password = "   n/a  ";
    $dbname = "     n/a  ";

    if ($_SERVER["REQUEST_METHOD"] == "POST"){

        try {
            $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
            // set the PDO error mode to exception
            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

            // begin the transaction
            $conn->beginTransaction();
            // our SQL statements
            $conn->exec("INSERT INTO teams (id, teamname, city, bestplayer, yearformed, website)
            VALUES ($_POST['id1'], $_POST['teamname1'], $_POST['city1'], $_POST['bestplayer1'], $_POST['yearformed1'], $_POST['website1'])");

            // commit the transaction
            $conn->commit();
            echo "New records created successfully";
            }
        catch(PDOException $e)
            {
            // roll back the transaction if something failed
            $conn->rollback();
            echo "Error: " . $e->getMessage();
            }

        $conn = null;
    }    
    ?>

The error I'm getting, I believe, is a syntax error, such as that I need some more "" because my SQL statement isn't a string? I'm a little lost here and not sure if what I'm trying to do is correct...

  • Use a prepared statement with parameter binding – Phil Nov 12 '15 at 00:16
  • You should definitely look into the dangers of SQL injection and use prepared statements and all that good stuff. But this is your immediate problem: http://www.hackingwithphp.com/5/10/0/arrays-in-strings – Dan Nov 12 '15 at 00:21

1 Answer

You had some typos that had to do with quoting. Also try to use prepared statements to avoid SQL injection. Finally, check the HTML name attributes of your form against the $_POST names you use (team1 or $_POST['teamname1']).

e.g.

    $sql = "INSERT INTO teams (id, teamname, city, bestplayer, yearformed, website)
            VALUES (:id1, :teamname1, :city1, :bestplayer1, :yearformed1, :website1)";
    $stmt = $conn->prepare($sql);
    // Execute the query
    $stmt->execute(array(
        ':id1' => $_POST['id1'], ':teamname1' => $_POST['teamname1'], ':city1' => $_POST['city1'],
        ':bestplayer1' => $_POST['bestplayer1'], ':yearformed1' => $_POST['yearformed1'], ':website1' => $_POST['website1']
    ));

Kostas Mitsarakis
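One way to avoid a variable per input while still binding every value, shown as an added example (not code from the question or the answer): an allowlist maps the form's field names to the table's columns, and the bound-parameter array is built from it. The `FIELD_TO_COLUMN` map, the `insertTeam` helper, the in-memory SQLite database and the sample input are assumptions for illustration.

```php
<?php
// Allowlist: form field name => table column (hypothetical helper map;
// field names are from the question's form, columns from its INSERT).
const FIELD_TO_COLUMN = [
    'id1'      => 'id',
    'team1'    => 'teamname',
    'city1'    => 'city',
    'best1'    => 'bestplayer',
    'year1'    => 'yearformed',
    'website1' => 'website',
];

// Insert one row. Column names come only from the allowlist; user input
// reaches the database only as bound parameter values.
function insertTeam(PDO $conn, array $post): void
{
    $params = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("Missing or invalid form field: $field");
        }
        $params[":$column"] = $post[$field];
    }
    $columns = implode(', ', FIELD_TO_COLUMN);
    $placeholders = implode(', ', array_keys($params));
    $stmt = $conn->prepare("INSERT INTO teams ($columns) VALUES ($placeholders)");
    $stmt->execute($params);
}

// Demo on in-memory SQLite (assumption, so it runs offline; needs pdo_sqlite).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE teams (id TEXT, teamname TEXT, city TEXT,
             bestplayer TEXT, yearformed INTEGER, website TEXT)');

// Constructed sample input standing in for $_POST; two values contain quotes.
$post = [
    'id1' => 'T00001', 'team1' => "O'Brien FC", 'city1' => "St. John's",
    'best1' => 'A. Player', 'year1' => '1998', 'website1' => 'https://example.com',
];
insertTeam($conn, $post);

$row = $conn->query('SELECT * FROM teams')->fetch(PDO::FETCH_ASSOC);
var_dump($row['teamname'] === $post['team1']); // compare stored value with input
```

In the real handler, pass `$_POST` as the second argument and keep the call inside the existing try/catch so a missing field or a database error triggers the rollback.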