
I am trying to write a little project management web app as a newbie. I do apologise for this, but I could not find anything near...

So I have x types of project which can be selected and loaded through AJAX.

Every type has at least 2-3 steps to complete, so I need more PHP pages.

I have spent lots of time trying to figure it out, but it is time to ask someone who knows the answer.

Question: When the user presses the Submit button I need to check whether all the input boxes are correct, then save to a SQL table and then move to the next page; if any of these fails I have to stop.

code:

<form id="pdf" method="post">
New project name:<input type="text" name="pr-name" placeholder="new project name..."><br/>
New project end date:<input type="text" name="pr-end" placeholder="date..."><br/>

<textarea class="ckeditor" name="pagecontent"  id="pagecontent"></textarea>

<?php
    include_once "ckeditor/ckeditor.php";
    $CKEditor = new CKEditor();
    $CKEditor->basePath = 'ckeditor/';

   // Set global configuration (will be used by all instances of CKEditor).
   $CKEditor->config['width'] = 600;   
    // Change default textarea attributes
   $CKEditor->textareaAttributes = array("cols" => 80, "rows" => 10);

   $CKEditor->replace("pagecontent");


$sbmt_caption = "continue ->";
if ($_POST["submit_name"]==$sbmt_caption)
{ 
  $prname = mysql_real_escape_string ($_POST["pr-name"]);
  $prend = mysql_real_escape_string ($_POST["pr-end"]);
  $prmenu = "pdf";
  $prcontent = mysql_real_escape_string ($_POST["pagecontent"]);
  $sql = "INSERT INTO projects (pr-name,enddate, sel, content) VALUES('$prname','$prend', '$prmenu', '$prcontent')";

  $result = mysql_query($sql);
  if (!$result){
  echo mysql_error();
  }
}
?>

"/>

This code doesn't even work for me with the mysql_query bit, for some reason.

Could anyone give me a hint?

TryHarder
  • 750
  • 1
  • 9
  • 22
  • Use `mysql_error()` to get an error message from mySQL. Possibly helpful: [Reference: What is a perfect code sample using the mysql extension?](http://stackoverflow.com/q/6198104) – Pekka Aug 24 '11 at 07:58
  • You should not use "-" for field names because the "-" sign has a mathematical function. – pdu Aug 24 '11 at 08:00

3 Answers

1

Four tips:

  1. Check whether your query succeeds and output errors, if any, with

    $result = mysql_query($sql);
    if (!$result){
         echo mysql_error();
    }
    
  2. Use prepared statements instead of directly embedding parameters into a query string

    $stmt = $pdo->prepare("INSERT INTO projects (pr-name,enddate, sel, content) VALUES(?,?,?,?)");
    $stmt->execute(array($prname,$prend, $prmenu, $prcontent));
    
  3. Use $_POST instead of $_REQUEST. The $_REQUEST array is built up from cookie, get, post and session according to the variables_order php.ini directive, so you may just get your values overwritten.

  4. Your submit button is not posted at all, so add a name attribute to it and check it in your if statement. Also, don't use just the plain string continue ->; store it in a variable and use it.

    $sbmt_caption = "continue ->";
    if ($_POST["submit_name"]==$sbmt_caption){
        //your processing here
    }
    
    <input id="submitButton" name="submit_name" type="submit" value="<?php echo $sbmt_caption?>"/>
    
J0HN
  • 26,063
  • 5
  • 54
  • 85
  • Thanks John, this is great. I am getting closer to the solution. I have changed it and now I am getting an SQL error message, which is good! So all the data went into the right place; however, this is the message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-name,enddate, sel, content) VALUES('etwtr','2011-09-30', 'pdf', ' \r\n dfhftd' at line 1. Can you have a look at it? – TryHarder Aug 24 '11 at 08:24
  • I have done 1, 3 and 4 from your list. I don't understand No. 2, but I am willing to learn :) – TryHarder Aug 24 '11 at 08:30
  • I think you have to escape `pr-name` column name with backticks: `INSERT INTO projects (\`pr-name\`,enddate, sel, content) VALUES(?,?,?,?)` – J0HN Aug 24 '11 at 08:44
  • As for number 2, [`PHP:PDO`](http://php.net/manual/en/book.pdo.php) is PHP's database abstraction layer, which provides generalized access to almost every modern DB used with PHP, including MySQL. It supports an object-oriented style. Prepared statements themselves are a DB feature that allows executing multiple similar queries with a single planning phase, thus increasing performance. Also, PHP DB drivers automatically perform any escaping/type coercion, so it is considered more secure and robust. There are a lot of questions about prepared statements on SO; try searching for them. – J0HN Aug 24 '11 at 08:49
  • Thanks John, I have changed it in the TABLE as I will use it a lot. :) AND IT IS WORKING NOW!!!!!! Thanks again – TryHarder Aug 24 '11 at 08:53
0

You need to give the submit button a "name" and check the existence of that name in your second code on line 2, not the "value".

rpasing
  • 11
  • 1
  • Thanks for the comment. I have given it a name, but what shall I check here: if($_REQUEST["submit"] == "continue ->")? Could you give me a hint please? – TryHarder Aug 24 '11 at 08:06
  • Use e.g. if(isset($_REQUEST['submit'])) {}. See also php.net/isset. Please also have a look at J0HN's answer ;-) – rpasing Aug 24 '11 at 08:09
0

First you should have client-side validation code in JavaScript to validate whether the inputs entered by the client are valid, and you can stop them without sending a request to the server. This reduces the waiting time of the user.

AmGates
  • 2,127
  • 16
  • 29
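Putting J0HN's four tips, the backtick fix from the comments under his answer, rpasing's `isset()` check and AmGates's validation point together, here is an added example of the validate, insert, move-on step with PDO. It is my code, not code from the question or from any of the answers. It assumes a MySQL table `projects` with the question's columns (`pr-name`, `enddate`, `sel`, `content`), a DSN, username and password that you supply, a next page called `step2.php`, a 100-character limit on the project name, and the mbstring extension; the submit button is named `submit_name` as in J0HN's answer, and the other field names are the ones from the question's form.

```php
<?php
// Added example (not the asker's code): the "validate, then insert, then move on"
// step from the question, done with PDO prepared statements as J0HN suggested.
// Assumptions: table `projects` with the question's columns, your own DSN and
// credentials, a next page step2.php, a 100-char name limit, mbstring available.
declare(strict_types=1);

const SUBMIT_CAPTION = 'continue ->';

/**
 * Validate the posted fields. Returns a list of error messages; empty means OK.
 * This runs on the server regardless of any JavaScript checks in the browser:
 * a request can be sent without the browser, so only this check can be trusted.
 */
function validate_project(array $post): array
{
    $errors = [];

    $name = is_string($post['pr-name'] ?? null) ? trim($post['pr-name']) : '';
    if ($name === '' || mb_strlen($name) > 100) {           // 100 is an assumed limit
        $errors[] = 'Project name must be 1-100 characters.';
    }

    $end = is_string($post['pr-end'] ?? null) ? trim($post['pr-end']) : '';
    $d = DateTime::createFromFormat('!Y-m-d', $end);
    // createFromFormat accepts "2011-02-31" and rolls it over to March;
    // the round-trip comparison rejects such non-existent dates.
    if ($d === false || $d->format('Y-m-d') !== $end) {
        $errors[] = 'End date must be a real date in YYYY-MM-DD form.';
    }

    $content = is_string($post['pagecontent'] ?? null) ? $post['pagecontent'] : '';
    if (strlen($content) > 65535) {                          // TEXT column size, assumed
        $errors[] = 'Content is too long.';
    }

    return $errors;
}

/** Insert one project row; a PDOException propagates so the caller can stop. */
function insert_project(PDO $pdo, string $name, string $end, string $menu, string $content): int
{
    // Column names cannot be bound as parameters, so `pr-name` is backtick-quoted
    // in the SQL text (the fix from the comments); the values are bound, never
    // concatenated, which is what makes this safe against SQL injection.
    $stmt = $pdo->prepare(
        'INSERT INTO projects (`pr-name`, enddate, sel, content) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$name, $end, $menu, $content]);
    return (int)$pdo->lastInsertId();
}

// React only to this form's own submit button (J0HN's tip 4), tested with isset()
// (rpasing's comment) rather than by comparing the button caption.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit_name'])) {
    $errors = validate_project($_POST);

    if ($errors === []) {
        try {
            $pdo = new PDO(
                'mysql:host=localhost;dbname=projects_db;charset=utf8mb4', // assumed DSN
                'app_user', 'app_password',                               // assumed credentials
                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
            );
            $id = insert_project($pdo, trim($_POST['pr-name']), trim($_POST['pr-end']),
                                 'pdf', $_POST['pagecontent']);
            // Everything succeeded: go to the next step and stop executing this page.
            header('Location: step2.php?project=' . $id);
            exit;
        } catch (PDOException $e) {
            // Keep the real error for yourself (mysql_error() equivalent); show the
            // user something generic so schema details are not leaked.
            error_log('project insert failed: ' . $e->getMessage());
            $errors[] = 'Could not save the project. Please try again.';
        }
    }

    // Fall through: nothing was saved, re-render the form with the errors.
    foreach ($errors as $err) {
        echo '<p class="error">' . htmlspecialchars($err, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
?>
<form id="pdf" method="post">
New project name:<input type="text" name="pr-name" placeholder="new project name..." required><br/>
New project end date:<input type="text" name="pr-end" placeholder="YYYY-MM-DD" required><br/>
<textarea class="ckeditor" name="pagecontent" id="pagecontent"></textarea>
<input id="submitButton" name="submit_name" type="submit" value="<?php echo htmlspecialchars(SUBMIT_CAPTION, ENT_QUOTES, 'UTF-8'); ?>"/>
</form>
```

The HTML5 `required` attributes (or JavaScript checks, as AmGates suggests) only save the user a round trip; anyone can post to the page directly, so `validate_project()` on the server is the check that counts. The `header('Location: ...')` followed by `exit` is the "move to the next page" from the question, and it is reached only when validation and the insert both succeeded; on any failure the script falls through, prints the errors and shows the form again, so nothing half-done is carried forward.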