Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PHP script

Status
Not open for further replies.

Skippie1

Technical User
May 7, 2012
29
ZA
Good day,

I am trying to insert a form into a table(A) in my database which is working OK but I would also want to add the name of the person and the contact number from another table(B) into the same table. I want to use the session username as reference to get other information from my table called users and add it to another table. Here is the script I am using:

Code:
?
session_start();
?>
<?php 

mysql_connect("localhost", "username", "password") or die(mysql_error()) ; 
 mysql_select_db("table_name") or die(mysql_error()) ; 
 
 $email=$_POST[$_SESSION['MM_Username']];
 $email=mysql_real_escape_string($email);
 
 if($email<>""){
 $check_user_data = mysql_query("SELECT * FROM Users WHERE Username = '$email'") or die(mysql_error());
 if(mysql_num_rows($check_user_data) == 0){
 $row = mysql_fetch_array($check_user_data);$email=$row['Username'];

 $name=$row['Name'];
 $contact=$row['Contact'];
}}
 
 $target = "uploads/"; 
 $target = $target . basename( $_FILES['prodImg']['name']); 
 
 //This gets all the other information from the form 
 $afdeling=$_POST['afdeling']; 
 $kies=$_POST['kies'];  
 $prys=$_POST['prys'];
 $beskrywing=$_POST['beskrywing'];
 $pic=($_FILES['prodImg']['name']); 
 
 
 mysql_connect("localhost", "greytrad_skip", "Divisca123") or die(mysql_error()) ; 
 mysql_select_db("greytrad_oplaai") or die(mysql_error()) ; 
 
 
 //Writes the information to the database 
 mysql_query("INSERT INTO `$afdeling` (`kies`, `prys`, `beskrywing`, `file`, `name`, `contact`) VALUES ('$kies', '$prys', '$beskrywing','$pic','$name', '$contact')") ; 
  
 if(move_uploaded_file($_FILES['prodImg']['tmp_name'], $target)) 
 { 
 
 echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory"; 
 } 
 else { 
 
 echo "Sorry, there was a problem uploading your file."; 
 }
 ?>
 
And what is not working with that script?

Nb you must escape all the post data (and any other data you are adding to the database) before enquoting it and running the insert query. At the moment you do not which leaves you open to failed queries at best and SQL injection attacks at worst.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top