This is my code.

I want the form included to send data to a table called 'contacts' in a MySQL database I have created.

There are four fields in the table: Title, Name, Email, Enquiry.

This is code that I have copied and edited to suit my website. I am new to PHP!

     <?php
     if(isset($_POST['add'])) {
        $dbhost = 'localhost';
        $dbuser = 'root';
        $dbpass = '';
        $conn = mysql_connect($dbhost, $dbuser, $dbpass);

        if(! $conn ) {
           die('Could not connect: ' . mysql_error());
        }

        if(! get_magic_quotes_gpc() ) {
           $p_title = addslashes ($_POST['p_title']);
           $p_name = addslashes ($_POST['p_name']);
           $p_email = addslashes ($_POST['p_email']);
        }else {
           $p_name = $_POST['p_name'];
           $p_email = $_POST['p_email'];
        }

        $p_enquiry = $_POST['p_enquiry'];

        $sql = "INSERT INTO contacts ". "(p_name,p_email, p_enquiry, p_title 
           join_date) ". "VALUES('$p_name','$p_email',$p_enquiry,$p_title NOW())";

        mysql_select_db('test_db');
        $retval = mysql_query( $sql, $conn );

        if(! $retval ) {
           die('Could not enter data: ' . mysql_error());
        }

        echo "Entered data successfully\n";

        mysql_close($conn);
     }else {
        ?>

           <form method = "post" action = "<?php $_PHP_SELF ?>">
              <table width = "400" border = "0" cellspacing = "1" 
                 cellpadding = "2">

                 <tr>
                    <td width = "100"><p>Title:</p></td>
                    <td><input name = "p_title" type = "text" 
                       id = "p_title"></td>
                 </tr>

                 <tr>
                    <td width = "100"><p>Name:</p></td>
                    <td><input name = "p_name" type = "text" 
                       id = "p_name"></td>
                 </tr>

                 <tr>
                    <td width = "100"><p>Email:</p></td>
                    <td><input name = "p_email" type = "text" 
                       id = "p_email"></td>
                 </tr>

                 <tr>
                    <td width = "100"><p>Enquiry:</p></td>
                    <td><input name = "p_enquiry" type = "text" 
                       id = "p_enquiry"></td>
                 </tr>


                 <tr>
                    <td width = "100"> </td>
                    <td> </td>
                 </tr>

                 <tr>
                    <td width = "100"> </td>
                    <td>
                       <input name = "add" type = "submit" id = "add" 
                          value = "Add Employee">
                    </td>
                 </tr>

              </table>
           </form>

        <?php
     }
  ?>
  • Do NOT use `mysql_*`; it has been removed and it will not work anymore. Use `PDO` [link](http://php.net/manual/en/book.pdo.php) or `mysqli` [link](http://php.net/manual/en/book.mysqli.php) instead. – Tom Apr 13 '16 at 20:03
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 13 '16 at 20:03
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 13 '16 at 20:04
  • Why are you concatenating your query? – Jay Blanchard Apr 13 '16 at 20:05
  • If there are only 4 fields in the table, why are you including `join_date` and its corresponding value `NOW()` in the query? – mferly Apr 13 '16 at 20:13
  • `$p_title NOW()` will surely fail, for one thing. – Funk Forty Niner Apr 13 '16 at 20:53

2 Answers

**EDIT for 4 columns/fields**

If OP only wants 4 columns (Title, Name, Email, Enquiry, aka. p_title, p_name, p_email, p_enquiry), the following would work once join_date and its corresponding value NOW() are removed from the query:

    $sql = "INSERT INTO contacts (p_name, p_email, p_enquiry, p_title) VALUES ('$p_name', '$p_email', '$p_enquiry', '$p_title')";

**ORIGINAL**

Without knowing the exact error you're receiving, I do see that your query is malformed:

    $sql = "INSERT INTO contacts ". "(p_name,p_email, p_enquiry, p_title 
       join_date) ". "VALUES('$p_name','$p_email',$p_enquiry,$p_title NOW())";

You are missing (and require) a comma between $p_title and NOW(), as well as their column identifiers, respectively, like so:

    $sql = "INSERT INTO contacts (p_name, p_email, p_enquiry, p_title, 
       join_date) VALUES('$p_name', '$p_email', $p_enquiry, $p_title, NOW())";

I've also removed the concatenation as it wasn't required. And I'm curious whether $p_enquiry and $p_title are strings (sounds like they might be), so I'd be tempted to wrap those values in single quotes as well, like so (but only if applicable):

    $sql = "INSERT INTO contacts (p_name, p_email, p_enquiry, p_title, 
       join_date) VALUES('$p_name', '$p_email', '$p_enquiry', '$p_title', NOW())";

This one will work without issue, syntax-wise. Are their values strings? Or are they numeric-based per their column definition?

mferly

First of all, as others have said, use PDO; it's very important and makes life easier. I think the problem you're running into has to do with p_title, which may or may not be set when the insert statement executes. Also, it appears it would normally be a string, yet it's not enclosed in quotes. This will cause problems with the SQL statement.

Jason
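Added example (not the asker's code or either answer's): the same four-column 'contacts' insert that the answers and comments point toward, written with PDO prepared statements so the posted values are bound parameters and never spliced into the SQL text. It assumes the database is still 'test_db' on localhost and that the credentials come from environment variables rather than a hard-coded root account.

```php
<?php
// Added example, not the original script: PDO prepared-statement version of the
// 'contacts' insert. Assumes a table 'contacts' with columns p_title, p_name,
// p_email, p_enquiry in database 'test_db' on localhost (as in the question).

function connect(): PDO
{
    $dsn  = 'mysql:host=localhost;dbname=test_db;charset=utf8mb4';
    $user = getenv('DB_USER') ?: 'app_user';  // assumption: a low-privilege account, not root
    $pass = getenv('DB_PASS') ?: '';
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // let MySQL bind the parameters itself
    ]);
}

// Insert one row; the four values travel as bound parameters, so quotes,
// semicolons or comment markers in the input cannot change the statement.
function addContact(PDO $db, string $title, string $name, string $email, string $enquiry): int
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (p_title, p_name, p_email, p_enquiry)
         VALUES (:title, :name, :email, :enquiry)'
    );
    $stmt->execute([
        ':title'   => $title,
        ':name'    => $name,
        ':email'   => $email,
        ':enquiry' => $enquiry,
    ]);
    return (int) $db->lastInsertId();
}

if (isset($_POST['add'])) {
    // Default every field to '' so a missing input (the p_title case in the
    // question's else-branch) is an empty string, not an undefined variable.
    $title   = trim((string) ($_POST['p_title']   ?? ''));
    $name    = trim((string) ($_POST['p_name']    ?? ''));
    $email   = trim((string) ($_POST['p_email']   ?? ''));
    $enquiry = trim((string) ($_POST['p_enquiry'] ?? ''));

    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        exit('Name and a valid email address are required.');
    }
    try {
        addContact(connect(), $title, $name, $email, $enquiry);
        echo "Entered data successfully\n";
    } catch (PDOException $e) {
        error_log('contacts insert failed: ' . $e->getMessage()); // log the detail, do not echo it
        exit('Could not save your enquiry.');
    }
}
```

The form from the question can stay as it is apart from its action attribute; with prepared statements the addslashes/magic-quotes branch is no longer needed, and the database error text goes to the server log instead of the browser.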