PHP form and sql buddy issues

acarder488 · Dec 18, 2012

I am attempting to connect my php form to sql buddy on zymic.com but am having issues please help if you can....

<?php
echo displayform();

function displayForm() {

$r = '';
//build it
$r .='<form action="registration2.php" method="post">';

//table
$r .=displayNiceFormBegin();
$r .=displayRow('First Name:', '<input type="text" name="fname"/>');
$r .=displayRow('Last Name:', '<input type="text" name="lname"/>');
$r .=displayRow('Address:', '<input type="text" name="address"/>');
$r .=displayRow('Phone Number:', '<input type="text" name="phone"/>');
$r .=displayRow('Deparment:', '<input type="text" name="department"/>');

$r .=displayRow('', '<input type="submit" value="Submit Registration"/>');

$r .=displayNiceFormEnd();

$r .='</form>';

return $r;

}

function displayRow($left, $right) {

$r .= '';

//build it
$r .='<tr>';
$r .= '<td>' . $left . '</td>';
$r .= '<td>' . $right . '</td>';
$r .='</tr>';

return $r;

}

function displayNiceFormBegin(){

$r .='';

//build it
$r .= '<table style="background-color: beige; border: 1px dashed #999"><tr><td>';

$r .='<table style="margin:10px">';

return $r;

}

function displayNiceFormENd() {

$r .='';

//build it
$r .='</table>';
$r .='</td></tr><table>';

return $r;

}

?>

<?php
$con = mysql_connect("localhost","*******","********");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("ottawaglandorfems_zzl_ogems.*", $con);

$sql="INSERT INTO * (FirstName, LastName, Address, Phone Number, Department)
VALUES
('$_POST[fname]','$_POST[lname]','$_POST[address]','$_POST[phone]','$_POST[department]')";

$result = mysql_query($sql) or die(mysql_error());

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";

mysql_close($con);
?>

the error i get when i run it is ......
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '* (FirstName, LastName, Address, Phone Number, Department) VALUES ('a','a','a'' at line 1

also having issues with setting up my database on sql buddy if any one has any ideas. Thanks!!!

Kate · Dec 18, 2012

INSERT INTO should be followed by a table name, why do you have * ?

PHP:

$sql="INSERT INTO * (FirstName, LastName, Address, Phone Number, Department)
 VALUES
 ('$_POST[fname]','$_POST[lname]','$_POST[address]','$_POST[phone]','$_POST[department]')";

Also, if you insert POST data without any sanitization, you are vulnerable to SQL injection and hacking. This code doesn't look secure at all.

4pm · Dec 23, 2012

in addition to table name issue sdsinc mentioned

Code:

$result = mysql_query($sql) or die(mysql_error());


if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";

will produce double insert

should be

Code:

$result = mysql_query($sql);


if (!$result)
{
die('Error: ' . mysql_error());
}
echo "1 record added";

imho

CodyDeegan · Apr 18, 2013

Introduce the database's username and password to the code connection and specify what database is going to be accessed.

DU · Apr 18, 2013

One word: Yikes!

---------- Post added at 12:04 AM ---------- Previous post was at 12:04 AM ----------

sdsinc said:
Also, if you insert POST data without any sanitization, you are vulnerable to SQL injection and hacking. This code doesn't look secure at all.

Start here.... not with the insert.

PHP form and sql buddy issues

More options

acarder488

New Member

Kate

Domainosaurus RexTop Member

4pm

userTop Member

CodyDeegan

Established Member

DU

Secret SantaTop Member

Similar threads

We're social

New posts

Auction activity

What non .com extensions have you sold in 2024?

Polls of interest

Popular this week

Community favorite

Popular this month

Blog favorites

Pinned

Appreciation

Agreement