On Mon, 15 Nov 2004 10:26:43 -0800, Max Krone <scoobylee@xxxxxxxxx> wrote:
> When I try to submit, I get no error messages, but no data goes into
> the MySQL table. I have verified that my MySQL User and Password are
> correct and I believe I am actually connecting to the database.
>
> Please look at what I have created and tell me what I am doing wrong,
> what I can do better, why I am an idiot, et .al.
>
> <?php
> if ($_POST[FirstName] == "") {
> $display_block = "<h1>Add an Entry</h1>
> <form method=\"post\" action=\"$_SERVER[PHP_SELF]\">
> <P><strong>First/Last Names:</strong><br>
> <input type=\"text\" name=\"FirstName\" size=30 maxlength=75
> <input type=\"text\" name=\"LastName\" size=30 maxlength=75
It's trivial for a malicious attacker to bypass your maxlength, just
an FYI. You should check with strlen() after the post, or possibly
look into javascript form validation.
> <P><strong>Address:</strong><br>
> <input type=\"text\" name=\"Address\" size=30>
>
> <P><strong>City/State/Zip</strong><br>
> <input type=\"text\" name=\"City\" size=30 maxlength=50>
> <input type=\"text\" name=\"State\" size=5 maxlength=2>
> <input type=\"text\" name=\"Zip\" size=10 maxlength=10>
>
> <P><strong>Telephone Number:</strong><br>
> <input type=\"text\" name=\"phone\" size=30 maxlength=25>
>
> <P><strong>Email Address:</strong><br>
> <input type=\"text\" name=\"email\" size=30 maxlength=150>
>
> <P><input type=\"submit\" name=\"submit\" value=\"Add Entry\"></p>
> </FORM>";
>
> } else if ($_POST[FirstName] != "") {
> //time to add to tables, so check for required fields
> if (($_POST[FirstName] == "") || ($_POST[LastName] == "") ||
> ($_POST[city] == "") ||
> ($_POST[State] == "") || ($_POST[Zip] == "") || ($_POST[phone] == "") ||
> ($_POST[email] == "")) {
> header("Location: addentry.php");
> exit;
> }
>
> //connect to database
> $conn = mysql_connect("localhost", "user", "password")
> or die("Failure to attach to database");
> mysql_select_db("database", $conn) or die("Failure to attach to database");
>
> //add to first and last name
> $add_table = "INSERT into table values (NULL, '$_POST[FirstName]',
> '$_POST[LastName], '$_POST[Address], '$_POST[City], '$_POST[State],
> '$_POST[Zip], '$_POST[phone],'$_POST[email])";
You're missing the closing single quote on most all the $_POST variables.
> mysql_query($add_table) or die(mysql_error());
How about:
or die(mysql_error() . ' query was: ' . $add_table)
so you can see your query as it goes to the database.
>
> }
> ?>
> <HTML>
> <HEAD>
> <TITLE>Add an Entry</TITLE>
> </HEAD>
> <BODY>
> <?php echo $display_block; ?>
> </BODY>
> </HTML>
Also, your code is subject to SQL injection. You might want to
investigate PHP's addslashes() function. And maybe read this too:
http://shiflett.org/php-security.pdf
--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
