
I have the code below - updated

php code

    if(empty($_POST['formEmail']))
    {
        $errorMessage .= "<li>You forgot to enter your email</li>";
    }

    $varEmail = $_POST['formEmail'];

    if(empty($errorMessage))
    {
        $db = mysql_connect("servername","username","password");
        if(!$db) die("Error connecting to MySQL database.");
        mysql_select_db("tableName" ,$db);

        $sql = "INSERT INTO emails(email) VALUES ('$varEmail')";

        mysql_query($sql);

        echo "Details added";
        $_SESSION['status'] = 'success';
    }

    exit();
    }

    function PrepSQL($value)
    {
        // Stripslashes
        if(get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }

        // Quote
        $value = "'" . mysql_real_escape_string($value) . "'";

        return($value);
    }
    ?>

form code

    <?php
    if(!empty($errorMessage))
    {
        echo("<p>There was an error with your form:</p>\n");
        echo("<ul>" . $errorMessage . "</ul>\n");
    }
    ?>

    <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
    <p>
    <label for='formEmail'>Sign up to be notified when we go live!</label><br/>
    <input type="text" name="formEmail" maxlength="50" value="<?=$varEmail;?>" />
    </p>
    <input type="submit" name="formSubmit" value="Submit" />
    </form>

I'm not getting any errors and as far as I can tell the syntax looks fine, but it's not putting the email information into the database. Anyone have an idea of what's going on? As a side note, I am a newb to all PHP.

hakre
bjstone15
  • never ever inject `$_*` super globals in a query, use `mysql_real_escape_string()` to escape all $vars whether they come from you or the user. Also `get_magic_quotes_gpc()` is broken and should never be used. – Johan Oct 10 '11 at 18:40
  • @Johan, I don't know much about SQL databases so what you said might as well be in Latin. Would you please elaborate? – bjstone15 Oct 10 '11 at 19:07
  • Sure, read this question: http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain and here on why magic quotes are broken: http://php.net/manual/en/security.magicquotes.disabling.php – Johan Oct 10 '11 at 19:10

2 Answers


You've forgotten to run the query! Put

    mysql_query($sql);

straight after

    $sql = "INSERT INTO emails(email) VALUES ('$varEmail')";

Make sure you run the $_POST variable through mysql_real_escape_string as well:

    $varEmail = mysql_real_escape_string($_POST['formEmail']);

This will help protect you from SQL Injection attacks.

EDIT

One more tiny thing, I guess you want to set the session variable success when the form has submitted successfully. To do that you'll need to move

    echo "Details added";
    $_SESSION['status'] = 'success';

within the same if structure as the SQL query is run, otherwise it will never be set.

Clive
  • now I'm getting the error: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to local MySQL server through socket why would adding the mysql_real_escape be causing any problems? – bjstone15 Oct 10 '11 at 19:03
  • @bjstone15, You need to **connect** to the database before using `mysql_real_escape_string()` otherwise it will give you that error. – Johan Oct 10 '11 at 19:11

Try:

    $db = mysql_connect("servername","username","password");
    if(!$db) die("Error connecting to MySQL database.");
    mysql_select_db("tableName" ,$db);


    $sql = sprintf("INSERT INTO emails(email) VALUES ('%s')",mysql_real_escape_string($varEmail));
    $results = mysql_query($sql);

Watermark Studios
  • -1, a db called tablename is just weird and not addressing the SQL-injection hole is dangerous. – Johan Oct 10 '11 at 18:41
  • First of all, it is copied directly from his code. Second of all, he just needs to see that it is working before he addresses security. This is no reason to mark an answer down. I edited my response with a much better approach to dealing with security. – Watermark Studios Oct 10 '11 at 18:44
  • the name 'tableName' is not the name of the table but just something I was using for an example. – bjstone15 Oct 10 '11 at 18:58
  • @bjstone15, I understood what you were doing. I'm not sure why people get so specific about these things that they mark down people who ask legitimate questions and those who give legitimate, next-step, answers. Feel free to mark me up if you find my answer helpful. – Watermark Studios Oct 10 '11 at 19:05
  • %s is a replace string. You can include them in your sprintf statement, but define them after the string. Check out http://php.net/manual/en/function.sprintf.php for more info...but it is just a string-print-format (sprintf) which allows you to define a format and parameters to be formatted. – Watermark Studios Oct 10 '11 at 19:19
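The same INSERT built three ways, as an added example that is not part of the question or of either answer above. It runs against an in-memory SQLite database through PDO so that it works offline without a MySQL server; the table `emails` and column `email` are the ones from the thread, and the hostile form input is constructed for the demonstration. Note that the `mysql_*` functions used throughout this thread were removed in PHP 7 and `get_magic_quotes_gpc()` in PHP 8, so PDO (or mysqli) with prepared statements is what the same form should use today.

```php
<?php
// Added example (not from the question or either answer): the thread's
// INSERT built three ways against an in-memory SQLite database via PDO.
// Table/column names come from the thread; the hostile input is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE emails (email TEXT NOT NULL)');

// Constructed hostile value for $_POST['formEmail']: it closes the quoted
// literal and appends a second row to the VALUES list.
$hostile = "victim@example.com'), ('attacker@example.com";

function countRows(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM emails')->fetchColumn();
}

// 1. Interpolating the raw value, as in the question's code: the input is
//    parsed as SQL, so one submission inserts two rows (other payloads could
//    do far more than add a row).
$db->exec("INSERT INTO emails(email) VALUES ('$hostile')");
printf("interpolated: %d row(s)\n", countRows($db));

$db->exec('DELETE FROM emails');

// 2. Escaping the value, which is what both answers suggest; PDO::quote()
//    plays the role of mysql_real_escape_string() here. The single quote in
//    the input is escaped, so the whole string lands in one row. This only
//    works if every value is escaped on an open connection (the error quoted
//    in the comments above), and it is easy to forget for one variable.
$db->exec('INSERT INTO emails(email) VALUES (' . $db->quote($hostile) . ')');
printf("escaped: %d row(s)\n", countRows($db));

$db->exec('DELETE FROM emails');

// 3. A prepared statement with a bound parameter: the value never becomes
//    part of the SQL text, so there is no escaping step to get wrong.
$stmt = $db->prepare('INSERT INTO emails(email) VALUES (:email)');
$stmt->execute([':email' => $hostile]);
printf("prepared: %d row(s), stored as %s\n",
    countRows($db),
    $db->query('SELECT email FROM emails')->fetchColumn());
```

Run it with `php example.php`. The interpolated variant ends up with two rows from a single submission, the attacker's row included, while the escaped and the prepared variants each store the hostile string as one literal value. Since escaping has to be applied correctly to every value, every time, the bound parameter is the safer default for the form in the question. Separately, the form echoes the submitted value back with `<?=$varEmail;?>` unescaped; wrap it in `htmlspecialchars()` so a submitted value cannot inject HTML into the page.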