Inspiring

Question

php post name & age to MySql database

Forum|Forum|14 years ago
January 6, 2012
2 replies
1302 views

Back to the basics.

I have a simple form to post in my database.

Can anybody suggest how I make a variable to catch the list selection and text field?

<form action="action.php" method="post">
 <p>Your name: <span id="sprytextfield1">
 <input type="text" name="name" />
 <span class="textfieldRequiredMsg">A value is required.</span></span></p>
 <p>Your age: <select name="age">
   <option value="22">22</option>
   <option>23</option>
   <option>24</option>
   <option>25</option>
 </select></p>
 <p><input type="submit" /></p>
</form>

then below is the action.php file that posts to the page first, and to the db.

It works except I don`t get the input values passed into the db.

I get name & age (no numbers and only the default `name`)

Hi <?php echo htmlspecialchars($_POST['name']); ?>.<br>
You are <?php echo (int)$_POST['age']; ?> years old.
<br><?php mysql_query("INSERT INTO example 
(name, age) VALUES('name', 'age' ) ") 
or die(mysql_error());  
echo "Data Inserted!";?>
<form name="form1" method="get" action="form1.html">
  <input type="submit" name="button" id="button" value="Done">
</form>

Thank you for any help!

Server side applications

This topic has been closed for replies.

W_BellAuthor

Inspiring

I was not aware the post html code hides the code....

Here it is:

<span class="textfieldRequiredMsg">A value is required.</span></span></p>

</select></p>

</form>

then the action.php:

<?php echo htmlspecialchars($_POST['name']); ?>.<br>

You are <?php echo (int)$_POST['age']; ?> years old.

<br><?php mysql_query("INSERT INTO example

(name, age) VALUES('name', 'age' ) ")

or die(mysql_error());

echo "Data Inserted!";?>

B

Ben M

Community Expert

The problem with your query is that you are putting the literal values 'name' and 'age' into the database. The VALUES should be your variable whcih in this case is still the $_POST name and age. So use the $_POST['name'], etc. in that area and you should be good to go. However, if you want to store the htmlspecialchars you will need to assign the $_POST variable to a variable of your choosing or just redefine it. For example:

$name = htmlspecialchars($_POST['name'])

W_BellAuthor

Inspiring

I declared the variables in the php file, and it works now thank you.

<?php $name=$_POST['name'];$age=$_POST['age'];?>

<?php mysql_query("INSERT INTO example

(name, age) VALUES('$name', '$age' ) ")

or die(mysql_error());

echo "Data Inserted!";?>

I have 2 questions about this;

1.) Is this the proper format or does the var declaration go inside the other php code?

2.) how would I add the function to the above code to stop SQL injection?

Here is what I found, just not sure where to put it:

//NOTE: you must be connected to the database to use this function!

// connect to MySQL

$name_bad = "' OR 1'";

$name_bad = mysql_real_escape_string($name_bad);

$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";

$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

$name_evil = mysql_real_escape_string($name_evil);

$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";

echo "Escaped Evil Injection: <br />" . $query_evil;

B

Ben M

Community Expert

It works except I don`t get the input values passed into the db.
I get name & age (no numbers and only the default `name`)

Well let's see what you have so far and go from there. Once you post the code you have, then we can help you out. Hard to say why it's not getting passed without the code.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded