Arringar1

Reputation: 415

Form and PHP function to save form data to mysql in same file

I have been trying to sort this out but so far I haven't been able to get it to work. No errors are thrown, the page refreshes on submit. I am at a loss, but I am not exactly an expert, fairly new to this.

Here is the code (simplified for posting):

<?php
if (!isset($_POST['submit'])) {
    echo "<!-- Form starts here -->
          <form id=\"billing\" action=\"\" method=\"post\">
          <!-- Name -->
          <div class=\"control-group\">
          <label class=\"control-label\"><b>Name</b></label>
          <div class=\"controls\">
          <input type=\"text\" id=\"name\" name=\"name\" placeholder=\"your name\" class=\"input-large\">
          </div>
          </div>
          <!-- Zip -->
          <div class=\"control-group\">
          <label class=\"control-label\"><b>Zip Code</b></label>
          <div class=\"controls\">
          <input type=\"text\" id=\"billingzip\" name=\"billingzip\" placeholder=\"5 digit zip\" class=\"input-large\">
          </div>
          </div>
          <!-- Submit -->
          <div class=\"control-group\">
          <div class=\"controls\">
          <button class=\"button save small_green_button\" type=\"submit\">
          &nbsp;Save&nbsp;
          </button>
          </div>
          </div>
          </form>";
}
else
{
    $host = "localhost";
    $user_name = "user";
    $pwd = "password";
    $database_name = "database";
    $db = mysql_connect($host, $user_name, $pwd) or die(mysql_error());
    $dbsel = mysql_select_db($database_name, $db);

    if (mysql_error() > "") print mysql_error() . "<br>";
    if (mysql_error() > "") print mysql_error() . "<br>";

    $account_id = users::getAttr('Account', 'account_id');
    $zip = mysql_real_escape_string($_POST['billingzip']);
    $name = mysql_real_escape_string($_POST['name']);

    $sql = "INSERT INTO `billing`
            SET `account_id` = '{$account_id}',
                `zip` = '{$billingzip}',
                `name` = '{$name}',
                `updated_at` = NOW()";

    $result = mysql_query($sql, $dbsel)
        or die(mysql_error() . $sql);

    mysql_close($db);
}
?>

Upvotes: 0

Views: 893

Answers (2)

Gerald Schneider

Reputation: 17797

To summarize my comments:

Your form does not have any form element with name="submit", so (!isset($_POST['submit'])) will always be true and your else block will never execute. You can check this by adding var_dump($_POST); to the beginning of your script (before the if clause). var_dump() is one of the best debugging tools you have with PHP. Use it.

$dbsel=mysql_select_db($database_name, $db);

will return either true or false, so $dbsel will always be one of these two values. You don't need to store it, you can just add your or die("cannot select database");.

$account_id = users::getAttr('Account', 'account_id');

You gave no information about what this returns. It matters later whether $account_id contains a numerical id or a string. If it is a string it is okay; if it is a numerical value you should change this to:

`account_id` = {$account_id}

Next:

`zip` = '{$billingzip}',

You stored $_POST['billingzip'] in $zip, so this should be:

`zip` = '{$zip}',

Last, but not least:

$result = mysql_query($sql, $dbsel)

As stated earlier, $dbsel either contains true or false, so it is wrong here, it should be the $db reference. Also, since you don't work with multiple database connections you don't need to reference any at all here.

$result = mysql_query($sql /* , $db */)

And the usual advice concerning mysql questions: if you write new code, don't use the mysql_* functions at all. They are in the process of becoming deprecated and will be removed in future versions of PHP. Learn mysqli_* or PDO right away. Both allow you to use prepared statements, which let you make sure your site is safe from SQL injection without having to bother with escaping user-provided content.

Do yourself a favor, comment the complete block out and rewrite it with PDO or mysqli_*.

Upvotes: 1
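The following is an added example, not code from the original poster or from either answer. It shows the same form-and-insert page rewritten the way the answer above recommends: the submit button gets a name so isset($_POST['submit']) can actually be true, the zip is validated against the "5 digit zip" the form promises, the insert uses a PDO prepared statement with bound parameters (so the quoting question around $account_id disappears, because PDO binds the value rather than interpolating it), and values echoed back into the page are HTML-escaped. Assumptions, not taken from the page: the connection settings (an in-memory SQLite database is used so the file runs without a MySQL server; the poster's MySQL DSN is shown in a comment), the billing table layout inferred from the INSERT in the question, a constant standing in for users::getAttr('Account', 'account_id'), and the helper names validateBilling, saveBilling, renderForm and connect.

```php
<?php
// Added example (not the original poster's code): form + insert in one file,
// rewritten with PDO prepared statements instead of mysql_* and string interpolation.
declare(strict_types=1);

// Assumption: connection settings. For the poster's MySQL setup this would be
// 'mysql:host=localhost;dbname=database;charset=utf8mb4' with user/password.
// SQLite in memory is used here only so the file runs offline without a server.
const DSN     = 'sqlite::memory:';
const DB_USER = null;
const DB_PASS = null;

function connect(): PDO
{
    $pdo = new PDO(DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares where the driver supports them
    ]);
    // Only needed for the SQLite stand-in; the poster's `billing` table already exists in MySQL.
    // Column layout is an assumption inferred from the INSERT in the question.
    $pdo->exec('CREATE TABLE IF NOT EXISTS billing (
        account_id INTEGER NOT NULL, zip TEXT NOT NULL, name TEXT NOT NULL, updated_at TEXT NOT NULL)');
    return $pdo;
}

/** Validate the posted fields. Returns [list of error strings, cleaned values]. */
function validateBilling(array $post): array
{
    $errors = [];
    $name = trim((string) ($post['name'] ?? ''));
    $zip  = trim((string) ($post['billingzip'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (max 100 characters).';
    }
    if (!preg_match('/^\d{5}$/', $zip)) {   // the form promises a 5 digit zip; enforce it server-side
        $errors[] = 'Zip code must be exactly 5 digits.';
    }
    return [$errors, ['name' => $name, 'zip' => $zip]];
}

/** Insert one row with bound parameters; user input never touches the SQL text. */
function saveBilling(PDO $pdo, int $accountId, array $clean): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO billing (account_id, zip, name, updated_at)
         VALUES (:account_id, :zip, :name, :updated_at)'
    );
    $stmt->execute([
        ':account_id' => $accountId,
        ':zip'        => $clean['zip'],
        ':name'       => $clean['name'],
        ':updated_at' => date('Y-m-d H:i:s'), // PHP-side timestamp instead of NOW() so it also runs on SQLite
    ]);
}

/** Render the form, re-filling previous values (HTML-escaped) and listing validation errors. */
function renderForm(array $errors = [], array $old = []): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $out = '';
    foreach ($errors as $e) {
        $out .= '<p class="error">' . $h($e) . '</p>';
    }
    // The submit button now has a name, which is what makes isset($_POST['submit']) meaningful.
    $out .= '<form id="billing" action="" method="post">'
          . '<label for="name"><b>Name</b></label> '
          . '<input type="text" id="name" name="name" placeholder="your name" value="' . $h($old['name'] ?? '') . '"><br>'
          . '<label for="billingzip"><b>Zip Code</b></label> '
          . '<input type="text" id="billingzip" name="billingzip" placeholder="5 digit zip" value="' . $h($old['zip'] ?? '') . '"><br>'
          . '<button type="submit" name="submit" value="1">Save</button>'
          . '</form>';
    return $out;
}

// Assumption: stands in for users::getAttr('Account', 'account_id') from the original code.
$accountId = 42;

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST' || !isset($_POST['submit'])) {
    echo renderForm();
    exit;
}

[$errors, $clean] = validateBilling($_POST);
if ($errors !== []) {
    echo renderForm($errors, $clean);   // show the form again with the errors, nothing is written
    exit;
}
saveBilling(connect(), $accountId, $clean);
echo '<p>Saved.</p>';
```

Run it with the built-in server (php -S localhost:8000 billing.php), submit the form, and try a name such as O'Brien or a zip such as 1'; DROP TABLE billing;-- : the first is stored verbatim because the value is bound, not interpolated, and the second is rejected by the validation before any query runs. Swap DSN, DB_USER and DB_PASS for the MySQL values and drop the CREATE TABLE line to use it against the poster's real database.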

przeqpiciel

Reputation: 328

The first thing I see is

$result = mysql_query($sql, $dbsel) or  die(mysql_error().$sql);

In my opinion you should write:

$result = mysql_query($sql, $db) or  die(mysql_error().$sql);

Upvotes: 1
