Cannot enter record into DB 1

[raydona]

Hi, I’m new to PHP so please bear with me. I’m trying to send user input from a HTML form to a MySQL database. The database has one table with four fields (varchar(15), varchar(15), varchar(10), longtext). The HTML form looks like:

<html> <body>
<form name="index" action="Z.php" method="get">
Type your first name: 
<input type="text" name="1stname"><br><br>
Type your last name: 
<input type="text" name="2ndname"><br><br>

Select type of car:
<select name="kindofcar">
<option value="volvo">Volvo</option>
<option value="saab">Saab</option>
<option value="fiat">Fiat</option>
<option value="audi">Audi</option>
</select><br><br>
Write your comments here:
<TEXTAREA NAME="comments" COLS=40 ROWS=6></TEXTAREA><br><br>
<input type="submit" value="Submit">
</form> 
</body> </html>

Z.php forms looks like:

<html> <body>
<?php
  $con = mysql_connect("mydatabase","username","password");
  if(!$con)
  { die('Could not connect: ' . mysql_error());
  }
  mysql_select_db("nameofdb", $con);
  $sql="INSERT INTO NameofTable(FirstName, LastName,   TypeOfCar,
 Comments)
  VALUES('$_POST[1stname]','$_POST[2ndname]','$_POST[kindofcar]',
'$_POST[comments]')";
  if(!mysql_query($sql,$con))
  { die('Error: ' . mysql_error());
  }
  echo "1 record added";
  mysql_close($con);
  ?>
</body> </html>

Every time I run the above I get the following error:
Parse error: syntax error, unexpected T_STRING, expecting ']' in /…../…../…/…/…/…../html/Z.php on line 12
Nothing is added to the database. How can I rectify this? I would be very grateful for all help.

 

[feherke]

Hi

Start by doing it the right way : use [tt]mysql_real_escape_string()[/tt].

If still not works, come back.

Feherke.

http://rootshell.be/~feherke/

 

[raydona]

Hi Feherke,
Thanks very much for your reply. I followed your suggestion concerning using mysql_real_escape_string(). I got the following code off the internet and made use of it:
<html> <body>
<?php
function check_input($value)
{// Stripslashes
if(get_magic_quotes_gpc())
{ $value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{ $value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
$con = mysql_connect("mydatabase","username","password");
if(!$con)
{ die('Could not connect: ' . mysql_error());
}
mysql_select_db("nameofdb", $con);

$1stname = check_input($_POST['1stname']);
$2ndame = check_input($_POST['2ndame']);
$kindofcar = check_input($_POST['kindofcar']);
$comments = check_input($_POST['comments']);

$sql="INSERT INTO NameofTable(FirstName, LastName, TypeOfCar, Comments)
VALUES($1stname, $2ndame, $kindofcar, $comments)";
if(!mysql_query($sql,$con))
{ die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
</body> </html>

I do not know if I have used the above code correctly or there is a better way of doing things, but I am getting the following error:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator and inform them of the time the error occurred, and anything you might have done that may have caused the error.

I wonder if you could tell me where I am going wrong or point me in the right direction. I would be very grateful.

 

[feherke]

Hi

That PHP code seems correct.

I am afraid, nobody can help you for now. To find out the reason of the failure we must see the error messages provided by PHP. Ask it to display them by adding this at the beginning of your PHP script :

ini_set('display_errors','on');
error_reporting (E_ALL);

Feherke.

http://rootshell.be/~feherke/

 

[jpadie]

@OP
post your code within [ignore]

[/ignore] tags.

 

[tsuji]

Either client-side element's name or server-side php variable name cannot begin with numeric like 1st, 2nd. Client-side: browser will tolerate it until problem surfaces. Server-side: no. Rename those variables.

 

[tsuji]

... and then you have this:
>method="get"
change it to this.
[tt]method="[red]post[/red]"[/tt]

 

[ingresman]

It's a syntax error, I had a play with it and if you swap the single ' for a double and vice-versa.

  $sql='INSERT INTO NameofTable(FirstName, LastName,   TypeOfCar, Comments)
  VALUES("$_POST[1stname]","$_POST[2ndname]","$_POST[kindofcar]","$_POST[comments]")';

Try that but also take into account what other people have said about the code.

 

[jpadie]

@ingresman
your code will not work as variables are not expanded within single quotes. the net effect will be to insert, eg, the actual text $_POST[lstname] rather than the value of that array element.

 

[ingresman]

yep, should have tested it !, could try building up the string e.g.
$sql = "insert....values(" . $_POST[1stname] . "," . $_POST[2ndname] etc
With all the quites needed to satisfy SQL of course

 

[jpadie]

apart from the lack of escaping, the OP's method is fine.
if it were an escaping issue then an error would be returned by MySql (I believe)
the get -vs- post issue that tsuji spotted looks like a killer though.

 

[ingresman]

doh !!

 

[feherke]

Hi

Good catch on that [tt]method[/tt] mismatch, tsuji.

Feherke.

http://rootshell.be/~feherke/

 

[tsuji]

Thanks, feherke! But I must confess spotting $1st $2nd gave myself more cynical satisfaction.

 

[feherke]

Hi

Yep, that is good one too. Hopefully there will be someone to jump in with another sign of appreciation. Maybe the OP...

Feherke.

http://rootshell.be/~feherke/