Reputation: 17
Issues with my form
I seem to be missing something here. Every single post I find on the Google or StackOverflow, based on what I can see, shows that my code is correct. HOWEVER, every time I hit submit it just clears the page and brings me back to the top. I've tried bring it down to just the basic fields (without the functions) but that didn't change anything.
Here is my form:
<form acction="/php/newcarcode.php" method="post">
<table style="width:575px">
<tr>
<th>Currently Own</th>
<td><input type="checkbox" name="own"></td>
<td></td>
</tr>
<tr>
<th style="width:175px">Year</th>
<td style="width:375px"><input type="text" name="year" style="width:340px"></td>
<td style="width:25px"></td>
</tr>
<tr>
<th>Make</th>
<td><select name="dropdown" style="width:344px"><?php make() ?></select></td>
<td></td>
</tr>
<tr>
<th>Model</th>
<td><select name="dropdown" style="width:344px"><?php model() ?></select></td>
<td></td>
</tr>
<tr>
<th>Trim</th>
<td><input type="text" name="trim" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Purchased</th>
<td><input type="date" name="purchased" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Engine</th>
<td><select name="engine" style="width:344px"><?php engine() ?></select></td>
<td><a href="newengine.php"><img src="/images/addnew.png" width="33px" height="25px"></a></td>
</tr>
<tr>
<th>Drivetrain</th>
<td><select name="drivetrain" style="width:344px"><?php drivetrain() ?></select></td>
<td></td>
</tr>
<tr>
<th>Transmission</th>
<td><select name="trans" style="width:344px"><?php trans() ?></select></td>
<td><a href="newengine.php"><img src="/images/addnew.png" width="33px" height="25px"></a></td>
</tr>
<tr>
<th>Driver</th>
<td><select name="driver" style="width:344px"><?php driver() ?></select></td>
<td><a href="newengine.php"><img src="/images/addnew.png" width="33px" height="25px"></a></td>
</tr>
<tr>
<th>Type</th>
<td><select name="dropdown" style="width:344px"><?php type() ?></select></td>
<td></td>
</tr>
<tr>
<th>Doors</th>
<td><input type="number" name="doors" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Color</th>
<td><input type="text" name="color" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Cost</th>
<td><input type="number" name="cost" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Sale Price</th>
<td><input type="number" name="sale" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Profit</th>
<td><input type="number" name="profit" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Profile Pic</th>
<td><input type="text" name="profile" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Photo Album</th>
<td><input type="text" name="album" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th>Thumbnail Pic</th>
<td><input type="text" name="thumbnail" style="width:340px"></td>
<td></td>
</tr>
<tr>
<th style="height: 75px">Notes</th>
<td><textarea type="text" name="notes" style="width:340px" rows="4"></textarea></td>
<td></td>
</tr>
<tr>
<th style="height: 75px">Mods</th>
<td><textarea type="message" name="mods" style="width:340px" rows="4"></textarea></td>
<td></td>
</tr>
</table>
<br>
<input type="submit" value="Submit">
</form>
And then here is the php page that it's calling:
<?php
$con = mysql_connect("server", "mycaradmin", "SuperSecretPassword") or die(mysql_error());
mysql_select_db("mycars") or die(mysql_error());
$year = $_POST[year];
$make = $_POST[make];
$model = $_POST[model];
$trim = $_POST[trim];
$engine = $_POST[engine];
$trans = $_POST[trans];
$doors = $_POST[doors];
$type = $_POST[type];
$color = $_POST[color];
$drivetrain = $_POST[drivetrain];
$driver = $_POST[driver];
$own = $_POST[own];
$purchase = $_POST[purchase];
$sale = $_POST[sale];
$profit = $_POST[profit];
$profile = $_POST[profile];
$notes = $_POST[notes];
$mods = $_POST[mods];
$album = $_POST[album];
$sql = " INSERT INTO mycars.vehicles (
VYear,
VMakeID,
VModelID,
VTrim,
VEngineID,
VTransID,
VNumDoors,
VTypeID,
VColor,
VDrivetrainID,
PeopleID,
VCurrentlyOwn,
VPurchasePrice,
VSalePrice,
VProfit,
VAttachments,
VNotes,
VModifications,
VAlbum,
VDateOfPurchase
)
VALUES (
'$year',
'$make',
'$model;',
'$trim',
'$engine',
'$trans',
'$doors',
'$type',
'$color',
'$drivetrain',
'$driver',
'$own',
'$purchase',
'$sale',
'$profit',
'$profile',
'$notes',
'$mods',
'$album',
)"
;
if (!mysql_query($con,$sql))
{
die('Error: ' . mysql_error($con));
}
echo "1 record added";
mysql_close($con);
?>
Does not seem to matter what I change, I get the same results. I'm perplexed.
Upvotes: 0
Views: 126
Answers (6)
Reputation: 1702
I know this is extra topical and will likely get scored down... Never use mysql library, but instead use mysqli or PDO. You are also doing no validation of input to precent SQL, JavaScript or HTML injection.
You also have a stray extra semicolon and comma in your insert statement.
Consider changing your lines that look like:
$year = $_POST[year];
To lines that look something like:
$year = filter_var($_POST['year'], FILTER_SANITIZE_INT);
That will ensure that the year is an integer. You could/should also check that it a valid year in the range of the first car released to present day. filter_var can also filter using regex, or for other types of data with known format, using other filters than FILTER_SANITIZE_INT.
And your data base stuff:
$db = new mysqli(server", "mycaradmin", "SuperSecretPassword") or die();
$stmnt = $db->prepare('INSERT INTO mycars.vehicles (
VYear,
VMakeID,
VModelID,
VTrim,
VEngineID,
VTransID,
VNumDoors,
VTypeID,
VColor,
VDrivetrainID,
PeopleID,
VCurrentlyOwn,
VPurchasePrice,
VSalePrice,
VProfit,
VAttachments,
VNotes,
VModifications,
VAlbum,
VDateOfPurchase
)
VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)');
$stmnt->bindparam('ssssssssssssssssssss', '$year',
$make,
$model,
$trim,
$engine,
$trans,
$doors,
$type,
$color,
$drivetrain,
$driver,
$own,
$purchase,
$sale,
$profit,
$profile,
$notes,
$mods,
$album) or die($stmnt->error);
$stmnt->execute()or die($stmnt->error);
$stmnt->close();
$db->close();
This will protect your database from SQL injection, by preparing and compiling the statement before it's use. You should treat any and all input from the user as potentially harmful and dangerous, so if it comes from the user, sanitize it before using it and never pass it unprocessed into a database query.
Upvotes: 0
Reputation: 830
There are few issues in this code:
- You have specified the name property of Make and Model as 'dropdown', which is never used.
- Your code is open to SQL injection and other security problems.
You need to enclose the keys in case of associative arrays in php in either single or double quotes like this:
$year = $_POST["year"];
- You form action is also not correct, most probably its a typo.
Upvotes: 1
Reputation: 1270
also you have an extra comma after the last '$album' in your SQL statement
Upvotes: 1
Reputation: 544
You have no quotes on your $_POST variables:
$_POST[year]; should be $_POST['year'];
Upvotes: 2
Related Questions
- PHP form not working
- Form doesn't working properly
- Trouble with php form handling
- HTML Form doesn't work
- Trouble with my website form
- How to make form work
- Made a form in HTML and PHP but unable to figure out what is wrong
- Form with PHP doesn't work properly
- Need help with php html form
- PHP - problems with simple form not displaying correctly