Will Evans

Reputation: 227

MySQL Not Inserting Into Column

I have the code below:

<html><body>
<?php
$con = mysql_connect("localhost","will","blahblah");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("blahblah", $con);

$sql="INSERT INTO links (link, notes, username)
VALUES
('$_POST[link]','$_POST[notes]','$_POST[username]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 link added";

mysql_close($con)
?>
</body></html>

It should insert a link and notes and a username into my database but it doesn't. I am clueless as to why and would appreciate some help with it! It is getting these values from the form below:

<div id="stylized" class="myform">
<form id="form" name="form" method="post" action="user.php">
<label>Username
<span class="small">Enter Your Username</span>
</label>
<input type="text" name="name" id="username" />

<label>Link
<span class="small">Paste Your Link</span>
</label>
<input type="text" name="email" id="link" />

<label>Notes
<span class="small">Add Some Notes</span>
</label>
<input type="text" name="password" id="notes" />

<button type="submit"></button>
<div class="spacer"></div>

</form>
</div>

Thanks!

Upvotes: 0

Views: 419

Answers (5)

Pascal MARTIN

Reputation: 400932

I see at least three problems with your code:

First, when injecting strings into an SQL query, you must escape them, using mysql_real_escape_string():

$link = mysql_real_escape_string($_POST['link']);
$notes = mysql_real_escape_string($_POST['notes']);
$username = mysql_real_escape_string($_POST['username']);

$sql="INSERT INTO links (link, notes, username)
VALUES ('$link','$notes','$username')";


Third, in your PHP code, you must use the name attribute of your input fields -- and not their id attributes.

Considering your HTML code looks like this:

<input type="text" name="name" id="username" />
<input type="text" name="email" id="link" />
<input type="text" name="password" id="notes" />

You should work with:

  • $_POST['name'], and not $_POST['username']
  • $_POST['email'], and not $_POST['link']
  • $_POST['password'], and not $_POST['notes']

Note: using a name and an id that are that different leads to trouble ;-)



So, to summarize, your code should look a bit more like this:

$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);
$name = mysql_real_escape_string($_POST['name']);

$sql="INSERT INTO links (link, notes, username)
VALUES ('$email','$password','$name')";

Note: you should use the same names for the input fields and the fields in the table -- it would make your code easier to understand.

Upvotes: 2

Piotr Salaciak

Reputation: 1663

Replace this:

$sql="INSERT INTO links (link, notes, username)
VALUES
('$_POST[link]','$_POST[notes]','$_POST[username]')";

with:

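// Form field names map to columns as: email -> link, password -> notes, name -> username.
// mysql_real_escape_string() takes the connection charset into account; mysql_escape_string() does not.
$sql="INSERT INTO links (link, notes, username)
VALUES
('". mysql_real_escape_string($_POST['email']) ."','".
     mysql_real_escape_string($_POST['password']) ."','".
     mysql_real_escape_string($_POST['name']) ."')";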

Note that the POST variables you're trying to use in your query are completely different from those on your form.

Upvotes: 1

Bohdan

Reputation: 2027

The items in $_POST are indexed by name attribute, not by id.

Upvotes: 0

Lekensteyn

Reputation: 66405

id attributes are meaningless when submitting the form. You probably want to swap the name and id attributes.

Currently, $_POST['name'], $_POST['email'] and $_POST['password'] are being submitted instead of $_POST['username'], $_POST['link'] and $_POST['notes'].

Your code is also vulnerable to SQL injection.

Upvotes: 0
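The two fixes the answers point to (read $_POST by the form's name attributes, and keep user input out of the SQL text) combined in one place, as an added example that is not part of any answer in this thread. It uses PDO prepared statements instead of the legacy mysql_* functions, which were removed in PHP 7.0. Assumptions: an in-memory SQLite database stands in for the MySQL server so it runs offline, and insertLink and FIELD_TO_COLUMN are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the SQLite
// driver is available; SQLite in memory stands in for MySQL so this runs offline.
// For MySQL only the DSN and credentials passed to new PDO() change.

// Form field name (the name attribute, not the id) => column in the links table.
const FIELD_TO_COLUMN = ['email' => 'link', 'password' => 'notes', 'name' => 'username'];

function insertLink(PDO $db, array $post): int
{
    $params = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        // Reject missing, empty or non-string fields (name[]=x arrives as an array).
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("Missing form field: $field");
        }
        $params[":$column"] = $post[$field];
    }
    // Placeholders keep the values out of the SQL string; they are bound as data.
    $stmt = $db->prepare(
        'INSERT INTO links (link, notes, username) VALUES (:link, :notes, :username)'
    );
    $stmt->execute($params);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (link TEXT, notes TEXT, username TEXT)');

// Constructed sample input, shaped like what the form in the question submits.
$post = ['name' => 'will', 'email' => 'http://example.com/', 'password' => "it's a note"];
echo insertLink($db, $post), " link added\n";

// The apostrophe is stored verbatim instead of ending the string literal.
var_dump($db->query('SELECT notes FROM links')->fetchColumn() === "it's a note");

// Keys taken from the id attributes, as in the question's PHP, are rejected
// instead of being read as empty values.
try {
    insertLink($db, ['username' => 'will', 'link' => 'x', 'notes' => 'y']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```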

hage

Reputation: 6153

The indexes of POST variables must match the names of the form items.

So either write:

<input type="text" name="link" id="link" /> or use $_POST['email']

Adapt for the other variables.

Upvotes: 0
