user3565273

Reputation: 65

HTML form sending to MySQL via PHP

I got a little problem. I am trying to send some data from my page to my database.

HTML Code:

[insert_php]
    $current_user = wp_get_current_user(); //I am using wordpress and I need php on page script.
    echo $current_user->ID; // here it shows "1" because I am admin.
[/insert_php]

<form action="http://mysitee.com/xxx.php" method="post">
    E-mail: <input type="text" name="email">
    Nick: <input type="text" name="user_name">
    Server: <select name="server">
        <option value="1">1</option>
        <option value="2">2</option>
        <option value="3" selected>3</option>
        <option value="4">4</option>
    </select>
    <input type="hidden" name="reward" value="123">
    <input type="hidden" name="user_id" value="[insert_php]echo "$current_user->ID";[/insert_php]">
    <input type="submit" value="Submit">
</form>

And here's the PHP code:

<?php
    $link = mysql_connect('site.com', 'login', 'pass');
    mysql_select_db('mydb');

    // Check connection
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }

    $user_id = mysql_real_escape_string($link, $_POST['user_id']);
    $user_name = mysql_real_escape_string($link, $_POST['user_name']);
    $server = mysql_real_escape_string($link, $_POST['server']);
    $email = mysql_real_escape_string($link, $_POST['email']);
    $nagroda = mysql_real_escape_string($link, $_POST['reward']);

    mysql_query("INSERT INTO winners (user_id, user_name, server, email, reward)
    VALUES ('$user_id', '$user_name', '$server', '$email', '$nagroda')");

    if (!mysql_query($link)) {
        die('Error: ' . mysql_error($link));
    }

    echo "1 record added";

    mysql_close($link);
?> 

After all, I should get user_id 1 in my database table, but I am getting "0" and I am getting no variables in the other columns. Also, when I start this script I am just getting "Error:". Any ideas?

Upvotes: 1

Views: 96

Answers (3)

Funk Forty Niner

Reputation: 74232

Here. You were calling mysql_query() twice as Andrewsi stated, when using mysql_query("INSERT... and if (!mysql_query($link))

Plus, you're using a mysqli-based method, mysql_real_escape_string($link. Get rid of the $link, or better yet, use mysqli_* exclusively.

Modified to read as $query = mysql_query("INSERT... then using the query variable
if (!$query,$link) instead.

<?php
    $link = mysql_connect('site.com', 'login', 'pass');
    mysql_select_db('mydb');

    // Check connection
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }

    $user_id = mysql_real_escape_string($_POST['user_id']);
    $user_name = mysql_real_escape_string($_POST['user_name']);
    $server = mysql_real_escape_string($_POST['server']);
    $email = mysql_real_escape_string($_POST['email']);
    $nagroda = mysql_real_escape_string($_POST['reward']);

    $query = mysql_query("INSERT INTO winners (user_id, user_name, server, email, reward)
    VALUES ('$user_id', '$user_name', '$server', '$email', '$nagroda')");

    if (!$query) {
        die('Error: ' . mysql_error());
    }

    echo "1 record added";

    mysql_close($link);
?> 

Footnotes:

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.


Plus,

Here are a few tutorials on (mysqli) prepared statements that you can study and try:

Here are a few tutorials on PDO:

Upvotes: 5

dkakoti

Reputation: 667

There is a little modification in the code. I think it'll help.

    <?php
        $link = mysql_connect('site.com', 'login', 'pass');
        mysql_select_db('mydb');

        // Check connection
        if (!$link) {
            die('Could not connect: ' . mysql_error());
        }

        // mysql_real_escape_string() takes the string first, then the link
        $user_id = mysql_real_escape_string($_POST['user_id'], $link);
        $user_name = mysql_real_escape_string($_POST['user_name'], $link);
        $server = mysql_real_escape_string($_POST['server'], $link);
        $email = mysql_real_escape_string($_POST['email'], $link);
        $reward = mysql_real_escape_string($_POST['reward'], $link);

        // Use $reward here; $nagroda is never defined in this script
        $sql="INSERT INTO winners (user_id, user_name, server, email, reward)
        VALUES ('$user_id', '$user_name', '$server', '$email', '$reward')";

        if (!mysql_query($sql,$link)) {
            die('Error: ' . mysql_error($link));
        }

        echo "1 record added";

        mysql_close($link);
    ?> 

Upvotes: 0

Parag Tyagi

Reputation: 8970

It's -

mysql_real_escape_string(string, connection)

and you have done the opposite of it. Fix as below -

mysql_real_escape_string($_POST['user_id'], $link)


SUGGESTION: Don't use mysql_* statements as they are deprecated in recent PHP versions. Learn mysqli prepared or PDO.

Upvotes: 0
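
The answers above recommend moving to mysqli prepared statements or PDO; the following is an added example of the same insert done with a PDO prepared statement, not code from any poster in this thread. The `insert_winner()` function is hypothetical, the in-memory SQLite database only lets the demo run offline, and `$userId` is assumed to come from the server-side session rather than the hidden form field, which the client can edit.

```php
<?php
// Added example: table and column names follow the question; everything else
// (function name, validation rules, sample input) is an assumption.

function insert_winner(PDO $pdo, int $userId, array $post): bool
{
    // Validate each field against what the form can legitimately send.
    $email  = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $server = filter_var($post['server'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 4]]);
    $reward = filter_var($post['reward'] ?? '', FILTER_VALIDATE_INT);
    $name   = trim((string)($post['user_name'] ?? ''));

    if ($email === false || $server === false || $reward === false || $name === '') {
        return false; // reject instead of inserting empty or zero values
    }

    // Placeholders keep the data out of the SQL text, so no escaping is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO winners (user_id, user_name, server, email, reward)
         VALUES (:user_id, :user_name, :server, :email, :reward)'
    );
    return $stmt->execute([
        ':user_id'   => $userId, // from the server-side session, not $_POST
        ':user_name' => $name,
        ':server'    => $server,
        ':email'     => $email,
        ':reward'    => $reward,
    ]);
}

// Demo. For MySQL, connect with a DSN such as
// 'mysql:host=site.com;dbname=mydb;charset=utf8mb4' plus login and password.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE winners (user_id INTEGER, user_name TEXT,
            server INTEGER, email TEXT, reward INTEGER)');

// Constructed sample input standing in for $_POST.
$post = ['email' => 'a@example.com', 'user_name' => "O'Brien",
         'server' => '3', 'reward' => '123'];
var_dump(insert_winner($pdo, 1, $post));                     // valid row
var_dump(insert_winner($pdo, 1, ['server' => '9'] + $post)); // server not in 1..4
print_r($pdo->query('SELECT * FROM winners')->fetchAll(PDO::FETCH_ASSOC));
```

With `PDO::ERRMODE_EXCEPTION` set, a failed query throws instead of returning silently, which replaces the manual `if (!$query) die(...)` check from the mysql_* versions.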
