PHP/MySQL form issues.

[elb98rm]

Hi.

I'm a semi-pro web designer and seeing as I have now got a rather good grasp of HTML and so forth, I'm basically trying to get good at PHP to manipulate a MySQL database.

Now - I'm trying to implement a simple "join our mailing list" for my band...

It's on a server side include that is called on every page.

There is a simple form to gather the details as follows: -

<form name="mailinglist" action="[URL unfurl="true"]http://cgi.headup.plus.com/fourteenten/php/submit.php"[/URL] method="post">

<p><input class="textbox" type="text" name="email" size="12">
<input class="button" type="submit" name="submit" value="Join!">
<input type="hidden" name="id" value="null"></p>
</form>

Now - that's fine (I think).

So - I've got the php to log on and select the correct data base: -

<?php

$db_host = "somewhere";
$username = "blah blah";
$password = "bl4h bl4h";
$DB_name = "the rite db";
$table = "mailinglist";
/* Sets up variables */

echo "<p>Thanks for subscribing!</p>";
/*Some HTML for the return page */

$chan = mysql_connect ($db_host, $username, $password) or die("Unable to log on at all");
@mysql_select_db ($DB_name, $chan) or die("Unable to select to database $DB_name");
/* Connects to Database */

Now I've tried every damn thing under the sun but whatever I do to the next piece of code, I just can't get it to actually pull the email from the form - I just get a blank field in my database, or as below - the couldnt get info report: -

$email = $_POST["email"] or die("couldnt get info");

print $email;

$query = "INSERT INTO $table (email,id) VALUES ('$email','')";
mysql_query($query) or die('Error, insert query failed');
/* Inserts the new email address */

?>

Can anyone help? I just have no clue whatsoever.. I'm sure it's something silly, but at the mo - i'm stumped.

Cheers
Rick

 

[jpadie]

a few thoughts:

unlikely really to be the problem (with an email address) but try cleaning the string (escaping) before submission. use mysql_real_escape_string().

instead of killing the script at the variable assignment stage, do some debugging. add

print_r($_POST)

before the var assignment to check that the incoming variables are ok.

also don't kill the script like you have anyway: i'd advise that you test whether the variable is empty or set before killing (use something like the following:

if(isset($_POST['email'] && !empty($_POST['email']){
  $email = $_POST['email'];
}else{
  die("problem with incoming variable");}

 

[thedaver]

And always santitize your incoming values to prevent CSS and SQL injections... removing "-" ";" characters or encoding them...


Internet Directory

http://dir.surfinbox.com/dir.php/Top

 

[likelylad]

What happens if you change the query to:

$query = "INSERT INTO $table (email,id) VALUES ('$_POST','')";

Also, what version of MySQL are you using.

 

[elb98rm]

Rite.

Thanks for your help everyone. In a random moment of unbelievable weirdness.. I sat down this evening to carry on work and it just suddenly started working.

Now all I have to do is valiate and then protect the thing from any comedy HaX0rez

test whether the variable is empty or set before killing

And always santitize your incoming values to prevent CSS and SQL injections... removing "-" ";" characters or encoding them...

I shall do indeed. Cheers for advice everyone.

 

[elb98rm]

Not feeling being unable to modify posts )

Forgive the lack of quotation skiilz.