php post name & age to MySql database
Back to the basics.
I have a simple form to post in my database.
Can anybody suggest how I make a variable to catch the list selection and text field?
<form action="action.php" method="post">
<p>Your name: <span id="sprytextfield1">
<input type="text" name="name" />
<span class="textfieldRequiredMsg">A value is required.</span></span></p>
<p>Your age: <select name="age">
<option value="22">22</option>
<option>23</option>
<option>24</option>
<option>25</option>
</select></p>
<p><input type="submit" /></p>
</form>
then below is the action.php file that posts to the page first, and to the db.
It works except I don't get the input values passed into the db.
I get name & age (no numbers and only the default `name`)
Hi <?php echo htmlspecialchars($_POST['name']); ?>.<br>
You are <?php echo (int)$_POST['age']; ?> years old.
<br><?php mysql_query("INSERT INTO example
(name, age) VALUES('name', 'age' ) ")
or die(mysql_error());
echo "Data Inserted!";?>
<form name="form1" method="get" action="form1.html">
<input type="submit" name="button" id="button" value="Done">
</form>
Thank you for any help!
It works except I don't get the input values passed into the db.
I get name & age (no numbers and only the default `name`)
Well let's see what you have so far and go from there. Once you post the code you have, then we can help you out. Hard to say why it's not getting passed without the code.
I was not aware the post html code hides the code....
Here it is:
<form action="action.php" method="post">
<p>Your name: <span id="sprytextfield1">
<input type="text" name="name" />
<span class="textfieldRequiredMsg">A value is required.</span></span></p>
<p>Your age: <select name="age">
<option value="22">22</option>
<option>23</option>
<option>24</option>
<option>25</option>
</select></p>
<p><input type="submit" /></p>
</form>
then the action.php:
<?php echo htmlspecialchars($_POST['name']); ?>.<br>
You are <?php echo (int)$_POST['age']; ?> years old.
<br><?php mysql_query("INSERT INTO example
(name, age) VALUES('name', 'age' ) ")
or die(mysql_error());
echo "Data Inserted!";?>
The problem with your query is that you are putting the literal values 'name' and 'age' into the database. The VALUES should be your variable, which in this case is still the $_POST name and age. So use the $_POST['name'], etc. in that area and you should be good to go. However, if you want to store the htmlspecialchars you will need to assign the $_POST variable to a variable of your choosing or just redefine it. For example:
$name = htmlspecialchars($_POST['name']);
I declared the variables in the php file, and it works now thank you.
<?php $name=$_POST['name'];$age=$_POST['age'];?>
<?php mysql_query("INSERT INTO example
(name, age) VALUES('$name', '$age' ) ")
or die(mysql_error());
echo "Data Inserted!";?>
I have 2 questions about this;
1.) Is this the proper format or does the var declaration go inside the other php code?
2.) how would I add the function to the above code to stop SQL injection?
Here is what I found, just not sure where to put it:
//NOTE: you must be connected to the database to use this function!
// connect to MySQL
$name_bad = "' OR 1'";
$name_bad = mysql_real_escape_string($name_bad);
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
$name_evil = mysql_real_escape_string($name_evil);
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Escaped Evil Injection: <br />" . $query_evil;
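
On the second question above, one way to write the insert so that the submitted values never become part of the SQL text is a prepared statement. This is an added example, not code from any poster in the thread. Assumptions: PDO is used in place of the mysql_* functions (which were removed in PHP 7), an in-memory SQLite database stands in for MySQL so the script runs offline, and saveEntry() is a hypothetical helper name.

```php
<?php
// Added example: the insert from action.php rewritten with a PDO prepared statement.
// Assumption: an in-memory SQLite database stands in for MySQL so the script
// runs offline; with MySQL only the DSN and credentials passed to PDO change.

function saveEntry(PDO $db, array $post): bool
{
    // Text field: require a non-empty string of bounded length.
    $name = isset($post['name']) && is_string($post['name']) ? trim($post['name']) : '';
    if ($name === '' || strlen($name) > 100) {
        return false;
    }
    // Select list: accept only the ages the form offers (22 to 25).
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 22, 'max_range' => 25]]);
    if ($age === false) {
        return false;
    }
    // Placeholders keep the values out of the SQL text, so quotes in $name
    // are stored as data and cannot change the statement.
    $stmt = $db->prepare('INSERT INTO example (name, age) VALUES (:name, :age)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    return $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE example (name TEXT NOT NULL, age INTEGER NOT NULL)');

// Constructed sample submissions; two of them reuse the strings quoted in the thread.
$samples = [
    ['name' => 'Alice', 'age' => '23'],
    ['name' => "' OR 1'", 'age' => '22'],
    ['name' => "'; DELETE FROM customers WHERE 1 or username = '", 'age' => '25'],
    ['name' => 'Bob', 'age' => '99 OR 1=1'],   // rejected: not an offered age
];
foreach ($samples as $post) {
    echo saveEntry($db, $post) ? "stored\n" : "rejected\n";
}

// Escape when printing into HTML, not before storing.
foreach ($db->query('SELECT name, age FROM example') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' (', (int)$row['age'], ")\n";
}
```

The strings containing quotes are stored verbatim as names, and the row whose age is not one of the form's options is rejected before any query runs.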

