php form mysql error to database

Question

I have a form that does not seem to want to write its data to my database. I am somewhat new to php mysql. When I test the script the page reloads with only a "0" displayed. I am not sure what am I missing? Any help is appreciated.

form

<form action="new.php" method="POST">
      <table>
        <tr>
          <td>Season Number: </td>
          <td><input type="text" name="season_sum" size="50" value="<? echo "$season_num";?>"></td>
        </tr>
        <tr>
          <td>Episode Number: </td>
          <td><input type="text" name="eps_num" size="50" value="<? echo "$eps_num";?>"></td>
        </tr>
        <tr>
          <td>Temp Episode Number: </td>
          <td><input type="text" name="temp_eps_num" size="50"></td>
        </tr>
        <tr>
          <td>Title: </td>
          <td><input type="text" name="title" size="50"></td>
        </tr>
        <tr>
          <td>Description: </td>
          <td><textarea type="text" name="descrip" cols="50" rows="7"></textarea></td>
        </tr>
        <tr>
          <td colspan="2"><input type="hidden" name="id">
            <input type="Submit" value="New Item"></td>
        </tr>
      </table>
    </form>

new.php

<?php
require "db.php";

//Test for user input
if (!empty($_POST[season_sum])&&
    !empty($_POST[eps_num])&&
    !empty($_POST[temp_eps_num])&&
    !empty($_POST[title])&&
    !empty($_POST[descrip]))

if ( ! empty($_POST['ID']))
$id = (int)$_POST['ID'];
else $id = 'NULL';

//Insert new entry
$query = "INSERT INTO `season` (`ID`, `season_num`, `temp_eps_num`, `esp_num`, `title`, `descrip`) VALUES ({$id}, '{$season_sum}', '{$eps_num}', '{$temp_eps_num}', '{$title}', '{$descrip}')";

// Send user back to the list once the update is successfully finished
header("Location: form.html");
?>

Answer 1

Not sure about the "0" but in general your code looks like you chopped things out for readability. If not...

    if (!empty($_POST[season_sum]) && !empty($_POST[eps_num]) && !empty($_POST[temp_eps_num]) && !empty($_POST[title]) && !empty($_POST[descrip]))
    {

        if ( !empty($_POST['ID']))
            $id = (int)$_POST['ID'];
        else 
            $id = 'NULL';

        // mysql_real_escape_string() example
        $descrip = mysql_real_escape_string($_POST['descrip']);

        //Insert new entry
        $query = mysql_query("INSERT INTO `season` (`ID`, `season_num`, `temp_eps_num`, `esp_num`, `title`, `descrip`) VALUES ({$id}, '{$season_sum}', '{$eps_num}', '{$temp_eps_num}', '{$title}', '$descrip')") or die(mysql_error());

        // Send user back to the list once the update is successfully finished
        header("Location: http://www.yoursite.com/form.html");
        exit;
    }

I didn't put in the escaping since it is easier just to suggest you wrap your db insert strings with mysql_real_escape_string(). Aside that you never actually run a query, and you do not wrap your if statement with curly braces. I don't even know what the page would think to do in this condition.

Try applying these changes and let us know if the error persists.

note - I added exit after your header location. Also, I put a full url path in as somewhere or another I heard this was better practice. I have no backing for that claim though. Just a thing I heard somewhere.

mysql_real_escape_string() explanation: to use it you must have a connection open. This is usually handled in your db class so if you discover it doing nothing, look into mysql_connect(); To use, just call like so:

$sql = mysql_query("SELECT * FROM `table` WHERE `id` = '".mysql_real_escape_string($string_to_escape)."'");

It will not add the single quote wrapper. All it does is help sanitize the string to prevent common sql injection attacks.

Answer 2

you are never actually sending the query, just defining the query string. To send it you netted to use mysql_query ($query).

See documentation for more details. http://php.net/manual/en/function.mysql-query.php

Answer 3

Disable the following line in new.php in the event the PHP code is throwing an error:

//header("Location: form.html")

Then you will need to execute the $query using mysql_query.

$query = "INSERT INTO ... ";

mysql_query($query);