D. Seckler

Reputation: 23

What's wrong with this php code?

I created a web form to insert data into a mysql database. I thought I had the php to insert the data from the form nailed, but alas, when I hit submit nothing happened. I do have the proper hostname and other db details correct, I just didn't post them here.

I probably have multiple errors in this code. I'm hoping some of the experts can point me in the right direction.

Thanks in advance.

<?php
$con = mysql_connect("hostname","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("dbname", $con);

$sql="INSERT INTO games (game_name, release_date, game_category, game_type, game_console)
VALUES
('$_POST[game_name]','$_POST[release_date]','$_POST[game_category]','$_POST[game_type]','$_POST[game_console]')";

mysql_query($sql);

$sql2 = "INSERT INTO trophy_totals (game_name, bronze_ttl, silver_ttl, gold_ttl, plat_ttl, hidden_ttl, total_points)
VALUES
('$_POST[game_name]','$_POST[bronze_ttl]','$_POST[silver_ttl]','$_POST[gold_ttl]','$_POST[plat_ttl]','$_POST[hidden_ttl]','$_POST[total_points]')";

mysql_query($sql2);
?>

<?php
    foreach($_POST['trophy'] as $trophy) {
        $sql3 = "INSERT INTO trophies (game_name, tr_name, tr_description, tr_color, tr_ach_value) VALUES ('".$_POST['game_name']."', '".$trophy['name']."', '".$trophy['desc']."', '".$trophy['color']."', '".$trophy['tr_ach_value']."')";
        mysql_query($sql3);
    }
echo "Record added";

mysql_close($con)


?>

Is it a problem with my form possibly?

<form action="http://www.yeahthatrocks.com/update.php" method="post">
Game Name:  <input name="game_name" type="text" size="25" maxlength="255" /><br></br>
Release Date:  <input name="release_date" type="text" size="25" /><p></p>

<p>Console:
  <select name="game_console">
    <option value="PS3">PS3</option>
    <option value="Xbox 360">Xbox 360</option>
    <option value="Both">Both</option>
  </select>

  Game Category:  
  <select name="game_category">
    <option value="Retail">Retail</option>
    <option value="PSN">PSN</option>
    <option value="Arcade">Arcade</option>
    <option value="Arcade">DLC</option>
  </select>

  Game Type:  
  <select name="game_type">
    <option value="Action">Action</option>
    <option value="Action RPG">Action RPG</option>
    <option value="Adventure">Adventure</option>
    <option value="Board">Board</option>
    <option value="Card">Card</option>
    <option value="Casino">Casino</option>
    <option value="Educational">Educational</option>
    <option value="Fighting">Fighting</option>
    <option value="Flight">Flight</option>
    <option value="Game Show">Game Show</option>
    <option value="Hunting">Hunting</option>
    <option value="Music">Music</option>
    <option value="Other">Other</option>
    <option value="Pinball">Pinball</option>
    <option value="Platformer">Platformer</option>
    <option value="Puzzle">Puzzle</option>
    <option value="Racing">Racing</option>
    <option value="RPG">RPG</option>
    <option value="Shooter">Shooter</option>
    <option value="Sports">Sports</option>
    <option value="Strategy">Strategy</option>
    <option value="Virtual Pet">Virtual Pet</option>
  </select>



 Trophy Totals:</p> 

 Bronze:  <input name="brinze_ttl" type="text" size="3" maxlength="3" />
 <br/>
Silver:  <input name="Silver Total" type="text" size="3" maxlength="3" /><br/>
Gold:  <input name="Gold Total" type="text" size="3" maxlength="3" /><br/>
Platinum:  <input name="Platinum Total" type="text" size="3" maxlength="3" /><br/>
Hidden:  <input name="Hidden Total" type="text" size="3" maxlength="3" /><br/>
Xbox Pts.:  <input name="Xbox Pts Total" type="text" size="5" maxlength="5" /><br/>



</p>
<p>&nbsp;</p>
<p>Trophies:</p>
Trophy Name:    <input name="tr_name[0]" type="text" size="50" maxlength="255" /><br/>
Descripton:     <input name="tr_desc[0]" type="text" size="50" maxlength="255" /><br/>
Trophy Color:   <select name="tr_color[0]">
  <option value="Bronze">Bronze</option>
  <option value="Silver">Silver</option>
  <option value="Gold">Gold</option>
  <option value="Platinum">Platinum</option>
  <option value="Hidden">Hidden</option>
</select>
Points: <input name="tr_ach_value[0]" type="text" size="4" maxlength="4" /><p></p>

Trophy Name:    <input name="tr_name[1]" type="text" size="50" maxlength="255" /><br/>
Descripton:     <input name="tr_desc[1]" type="text" size="50" maxlength="255" /><br/>
Trophy Color:   <select name="tr_color[1]">
  <option value="Bronze">Bronze</option>
  <option value="Silver">Silver</option>
  <option value="Gold">Gold</option>
  <option value="Platinum">Platinum</option>
  <option value="Hidden">Hidden</option>
</select>
Points: <input name="tr_ach_value[1]" type="text" size="4" maxlength="4" /><p></p>

Trophy Name:    <input name="tr_name[2]" type="text" size="50" maxlength="255" /><br/>
Descripton:     <input name="tr_desc[2]" type="text" size="50" maxlength="255" /><br/>
Trophy Color:   <select name="tr_color[2]">
  <option value="Bronze">Bronze</option>
  <option value="Silver">Silver</option>
  <option value="Gold">Gold</option>
  <option value="Platinum">Platinum</option>
  <option value="Hidden">Hidden</option>
</select>
Points: <input name="tr_ach_value[2]" type="text" size="4" maxlength="4" /><p></p>

Trophy Name:    <input name="tr_name[3]" type="text" size="50" maxlength="255" /><br/>
Descripton:     <input name="tr_desc[3]" type="text" size="50" maxlength="255" /><br/>
Trophy Color:   <select name="tr_color[3]">
  <option value="Bronze">Bronze</option>
  <option value="Silver">Silver</option>
  <option value="Gold">Gold</option>
  <option value="Platinum">Platinum</option>
  <option value="Hidden">Hidden</option>
</select>
Points: <input name="tr_ach_value[3]" type="text" size="4" maxlength="4" /><p></p>

Trophy Name:    <input name="tr_name[4]" type="text" size="50" maxlength="255" /><br/>
Descripton:     <input name="tr_desc[4]" type="text" size="50" maxlength="255" /><br/>
Trophy Color:   <select name="tr_color[4]">
  <option value="Bronze">Bronze</option>
  <option value="Silver">Silver</option>
  <option value="Gold">Gold</option>
  <option value="Platinum">Platinum</option>
  <option value="Hidden">Hidden</option>
</select>
Points: <input name="tr_ach_value[4]" type="text" size="4" maxlength="4" /><p></p>

Trophy Name:    <input name="tr_name[5]" type="text" size="50" maxlength="255" /><br/>
Descripton:     <input name="tr_desc[5]" type="text" size="50" maxlength="255" /><br/>
Trophy Color:   <select name="tr_color[5]">
  <option value="Bronze">Bronze</option>
  <option value="Silver">Silver</option>
  <option value="Gold">Gold</option>
  <option value="Platinum">Platinum</option>
  <option value="Hidden">Hidden</option>
</select>
Points: <input name="tr_ach_value[5]" type="text" size="4" maxlength="4" /><p></p>


<input name="submit" type="button" value="submit" />
</form>

Upvotes: 1

Views: 290

Answers (6)

Ian Burris

Reputation: 6515

Not 100% on this but maybe try swapping your foreach statement out with:

// Walk the six trophy rows (indexes 0-5) that the form posts as parallel arrays
for ($i = 0; $i <= 5; $i++)
{
    $sql3 = "INSERT INTO trophies (game_name, tr_name, tr_description, tr_color, tr_ach_value) VALUES ('".$_POST['game_name']."', '".$_POST['tr_name'][$i]."', '".$_POST['tr_desc'][$i]."', '".$_POST['tr_color'][$i]."', '".$_POST['tr_ach_value'][$i]."')";
    mysql_query($sql3);
}

Upvotes: 0

Jimmy Sawczuk

Reputation: 13614

Try escaping the $_POST parameters in your query in {}'s, like so:

$sql = "INSERT INTO games (game_name, release_date, game_category, game_type, game_console)
VALUES
('{$_POST['game_name']}', '{$_POST['release_date']}', '{$_POST['game_category']}', '{$_POST['game_type']}', '{$_POST['game_console']}')";

What others have said about SQL injection is also true. You should, at the very least, be escaping these strings using mysql_real_escape_string but using PDO or prepared statements is probably a good idea too.

Upvotes: 2

Willian

Reputation: 2445

Enable error reporting (http://php.net/manual/en/function.error-reporting.php) to see what errors there are in your code.

Just to warn you, check for SQL injections: http://en.wikipedia.org/wiki/SQL_injection

Upvotes: 1

Ian Burris

Reputation: 6515

First, it doesn't look like you're actually passing in the right values to the connection. Instead of:

$con = mysql_connect("hostname","username","password");

you should do something like

$con = mysql_connect("localhost","root","some password");

Same thing for your database; you want the actual name of your database instead of dbname unless of course that is really the name of your database.

Also, be careful of how you're doing your INSERTS and such. You're not escaping any of the values so you're susceptible to SQL injection.

Upvotes: -3

SickHippie

Reputation: 1402

SQL trouble? Easy solution - echo $sql and run it in your SQL editor to see if it's valid. I've tracked down more SQL problems that way.

Upvotes: 1

August Karlstrom

Reputation: 11377

Your code is susceptible to SQL injection. You have to escape the parameters, e.g. with mysql_real_escape_string. Also, I can recommend the PDO database interface, which is DBMS independent and has safer methods.

http://www.php.net/manual/en/book.pdo.php

Upvotes: 1
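
An added example, not code from any of the answers above: the PDO prepared statements that Jimmy Sawczuk and August Karlstrom recommend, applied to the question's games and trophies inserts with the form's parallel tr_name[] / tr_desc[] / tr_color[] / tr_ach_value[] arrays. The in-memory SQLite DSN, the trimmed table definitions and the function names open_db and save_game are assumptions made so the script runs offline; against the question's MySQL database the DSN would be a mysql: one and the CREATE TABLE calls would be dropped.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL server (assumption).
function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently like a bare mysql_query().
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE games (game_name TEXT, release_date TEXT,
        game_category TEXT, game_type TEXT, game_console TEXT)');
    $pdo->exec('CREATE TABLE trophies (game_name TEXT, tr_name TEXT,
        tr_description TEXT, tr_color TEXT, tr_ach_value INTEGER)');
    return $pdo;
}

// $post has the shape of $_POST as the question's form sends it:
// tr_name[], tr_desc[], tr_color[] and tr_ach_value[] are parallel arrays.
function save_game(PDO $pdo, array $post): int {
    $pdo->beginTransaction();
    try {
        // Placeholders keep the SQL text fixed; values are bound as data only.
        $game = $pdo->prepare('INSERT INTO games (game_name, release_date,
            game_category, game_type, game_console) VALUES (?, ?, ?, ?, ?)');
        $game->execute([$post['game_name'], $post['release_date'],
            $post['game_category'], $post['game_type'], $post['game_console']]);
        $trophy = $pdo->prepare('INSERT INTO trophies (game_name, tr_name,
            tr_description, tr_color, tr_ach_value) VALUES (?, ?, ?, ?, ?)');
        $saved = 0;
        foreach ($post['tr_name'] as $i => $name) {
            if ($name === '') continue;          // skip trophy rows left blank
            $trophy->execute([$post['game_name'], $name, $post['tr_desc'][$i],
                $post['tr_color'][$i], (int) $post['tr_ach_value'][$i]]);
            $saved++;
        }
        $pdo->commit();
        return $saved;
    } catch (Throwable $e) {
        $pdo->rollBack();                        // never leave a half-written game
        throw $e;
    }
}

// Constructed sample input. The apostrophes would end the string literal early
// in the concatenated queries; as bound parameters they are stored verbatim.
$post = ['game_name' => "Assassin's Creed II", 'release_date' => '2009-11-17',
    'game_category' => 'Retail', 'game_type' => 'Action', 'game_console' => 'Both',
    'tr_name' => ['Welcome', ''], 'tr_desc' => ["It's a start", ''],
    'tr_color' => ['Bronze', 'Bronze'], 'tr_ach_value' => ['20', '']];
$pdo = open_db();
echo save_game($pdo, $post), " trophy row(s) saved\n";
echo $pdo->query('SELECT game_name FROM games')->fetchColumn(), "\n";
```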
