php form mysql error to database

Question

I have a form that does not seem to want to write its data to my database. I am somewhat new to php mysql. When I test the script the page reloads with only a "0" displayed. I am not sure what am I missing? Any help is appreciated.

form

<form action="new.php" method="POST">
      <table>
        <tr>
          <td>Season Number: </td>
          <td><input type="text" name="season_sum" size="50" value="<? echo "$season_num";?>"></td>
        </tr>
        <tr>
          <td>Episode Number: </td>
          <td><input type="text" name="eps_num" size="50" value="<? echo "$eps_num";?>"></td>
        </tr>
        <tr>
          <td>Temp Episode Number: </td>
          <td><input type="text" name="temp_eps_num" size="50"></td>
        </tr>
        <tr>
          <td>Title: </td>
          <td><input type="text" name="title" size="50"></td>
        </tr>
        <tr>
          <td>Description: </td>
          <td><textarea type="text" name="descrip" cols="50" rows="7"></textarea></td>
        </tr>
        <tr>
          <td colspan="2"><input type="hidden" name="id">
            <input type="Submit" value="New Item"></td>
        </tr>
      </table>
    </form>

new.php

<?php
require "db.php";

//Test for user input
if (!empty($_POST[season_sum])&&
    !empty($_POST[eps_num])&&
    !empty($_POST[temp_eps_num])&&
    !empty($_POST[title])&&
    !empty($_POST[descrip]))

if ( ! empty($_POST['ID']))
$id = (int)$_POST['ID'];
else $id = 'NULL';

//Insert new entry
$query = "INSERT INTO `season` (`ID`, `season_num`, `temp_eps_num`, `esp_num`, `title`, `descrip`) VALUES ({$id}, '{$season_sum}', '{$eps_num}', '{$temp_eps_num}', '{$title}', '{$descrip}')";

// Send user back to the list once the update is successfully finished
header("Location: form.html");
?>

score 3 · Accepted Answer · answered Mar 02 '12 at 23:50

3

Disable the following line in new.php in the event the PHP code is throwing an error:

//header("Location: form.html")

Then you will need to execute the $query using mysql_query.

$query = "INSERT INTO ... ";

mysql_query($query);

answered Mar 02 '12 at 23:50

Matt Beckman

5,022
4
29
42

I have made your recommended changes but still got a "0" when submitted – webmaster alex l Mar 02 '12 at 23:57
once I got back to the list tho, the data was inputted correctly – webmaster alex l Mar 03 '12 at 00:00

score 1 · Answer 2 · answered Mar 03 '12 at 00:00

1

you are never actually sending the query, just defining the query string. To send it you netted to use mysql_query ($query).

See documentation for more details. http://php.net/manual/en/function.mysql-query.php

answered Mar 03 '12 at 00:00

apatrick

194
2
14

Kai Qing · Answer 3 · 2012-03-03T00:29:26.180

Not sure about the "0" but in general your code looks like you chopped things out for readability. If not...

    if (!empty($_POST[season_sum]) && !empty($_POST[eps_num]) && !empty($_POST[temp_eps_num]) && !empty($_POST[title]) && !empty($_POST[descrip]))
    {

        if ( !empty($_POST['ID']))
            $id = (int)$_POST['ID'];
        else 
            $id = 'NULL';

        // mysql_real_escape_string() example
        $descrip = mysql_real_escape_string($_POST['descrip']);

        //Insert new entry
        $query = mysql_query("INSERT INTO `season` (`ID`, `season_num`, `temp_eps_num`, `esp_num`, `title`, `descrip`) VALUES ({$id}, '{$season_sum}', '{$eps_num}', '{$temp_eps_num}', '{$title}', '$descrip')") or die(mysql_error());

        // Send user back to the list once the update is successfully finished
        header("Location: http://www.yoursite.com/form.html");
        exit;
    }

I didn't put in the escaping since it is easier just to suggest you wrap your db insert strings with mysql_real_escape_string(). Aside that you never actually run a query, and you do not wrap your if statement with curly braces. I don't even know what the page would think to do in this condition.

Try applying these changes and let us know if the error persists.

note - I added exit after your header location. Also, I put a full url path in as somewhere or another I heard this was better practice. I have no backing for that claim though. Just a thing I heard somewhere.

mysql_real_escape_string() explanation: to use it you must have a connection open. This is usually handled in your db class so if you discover it doing nothing, look into mysql_connect(); To use, just call like so:

$sql = mysql_query("SELECT * FROM `table` WHERE `id` = '".mysql_real_escape_string($string_to_escape)."'");

It will not add the single quote wrapper. All it does is help sanitize the string to prevent common sql injection attacks.

looks like I do need to add mysql_real_escape_string() in because some descriptions have quotes in them — webmaster alex l, Mar 03 '12 at 00:12
could you provide a code sample on how I would add the escape string to let my `$descript` contain quotes. — webmaster alex l, Mar 03 '12 at 00:22
do you mean something like the following? `mysql_real_escape_string($query);` — webmaster alex l, Mar 03 '12 at 00:26
updated. By the way you dont appear to be assigning your post variables to their simple form as called in your queries. Look at what I did to $descrip for example. — Kai Qing, Mar 03 '12 at 00:30
I can now add quotes to the `$descrip` string so that solves my problem. Should I add one of these lines to each variable or is there an over arching way to sanitize my entire `$query` string — webmaster alex l, Mar 03 '12 at 00:48
It is best to add this to any variables you include in a query to your database - every time. If you apply it to the entire query string you may end up escaping things you do not want to. The general standard is to escape each variable or use something like PDO to handle it for you . look here: http://stackoverflow.com/questions/1742066/why-is-pdo-better-for-escaping-mysql-queries-querystrings-than-mysql-real-escape for a better explanation on PDO — Kai Qing, Mar 03 '12 at 01:03

php form mysql error to database

3 Answers3