Question: Database code problem

  • Thursday, November 05, 2009 1:05 AM, Rahkashi

    Hey, I'm looking for some PHP and MySQL database experts!

    I set up a MySQL database (I would have used SQL, but my book told me how to use MySQL) through my hosting control panel, and I wrote the PHP code needed to populate it. When I insert the variables into the piece that sends it to the database, it doesn't send the form results, it sends the values I put in: $Name, $Email, etc.

    Here is the code:

    <?php
    $Name=$_POST['Name'];
    $email=$_POST['email'];
    $message=$_POST['message'];
    $connection=mysql_connect ("server","username", "password") or die ('I cannot connect to the database.');
    mysql_select_db ("databasename", $connection) or die ("Unable to select database");
    $query = 'INSERT INTO `databasename`.`tablename` (`ID`, `Name`, `email`, `message`) VALUES (\'\', \'$Name\', \'$email\', \'$message\');';
    mysql_query($query);
    mysql_close();
    ?>

    Any ideas as to why it sends the $name, $email, $message instead of the form results?

    ~Rahkashi~

All Replies

  • Thursday, November 05, 2009 1:24 AM, Veign (MVP)

    Because that's what you are telling it to send.  Actually your insert statement is quite messed up.  Is your table really named tablename?

    Change this:
    $query = 'INSERT INTO `databasename`.`tablename` (`ID`, `Name`, `email`, `message`) VALUES (\'\', \'$Name\', \'$email\', \'$message\');';

    to this:
    $query = "INSERT INTO tablename (ID, Name, email, message) VALUES ('', '".$Name."', '".$email."', '".$message."')";

    If ID is an autoincrement Primary Key field then leave it totally off your INSERT statement.

    Also, check out my DB Class for PHP:
    http://www.veign.com/code-view.php?type=web&codeid=70

    My class contains a method (sql_quote) for sanitizing values before they're sent to a database - this is extremely important when dealing with user-submitted data.  As it stands now, your SQL statement is wide open to a SQL Injection attack.
    --
    Chris Hanscom - Microsoft MVP
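
The thread makes two points: PHP only interpolates variables inside double-quoted strings (which is why the single-quoted query sent the literal text $Name), and concatenating raw form input into SQL leaves the statement open to injection. The following is an added example, not code from the thread, Veign's DB class, or the original poster; instead of escaping values with a quote helper like sql_quote it uses a mysqli prepared statement with bound parameters, so the values are never part of the SQL text at all. The mysql_* functions used in the question were removed in PHP 7, so the example is written against mysqli. The host, username, password, database, and the table name "tablename" with an AUTO_INCREMENT ID column are assumed placeholders.

```php
<?php
// Added example, not the thread's own code. Host/user/password/database/table are placeholders.

// 1. Why the original INSERT sent the text "$Name" instead of the form value:
//    only double-quoted strings interpolate variables.
$Name   = 'Alice';
$single = 'Hello $Name';   // stays exactly: Hello $Name
$double = "Hello $Name";   // becomes:       Hello Alice

// 2. Hardened insert: the SQL text contains only placeholders, and the values
//    are bound separately, so quotes or SQL keywords in user input cannot
//    change the statement. ID is assumed AUTO_INCREMENT, so it is omitted.
function insertContact(mysqli $db, string $name, string $email, string $message): int
{
    $stmt = $db->prepare('INSERT INTO tablename (Name, email, message) VALUES (?, ?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sss', $name, $email, $message); // three string parameters
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// 3. Basic input handling: require each field and cap its length so the
//    database column limits (assumed here) are not exceeded silently.
function readField(string $key, int $maxLen): string
{
    $value = isset($_POST[$key]) ? trim((string) $_POST[$key]) : '';
    if ($value === '' || strlen($value) > $maxLen) {
        http_response_code(400);
        exit('Missing or oversized field: ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8'));
    }
    return $value;
}

// Report driver errors as exceptions instead of failing silently like the
// unchecked mysql_query() call in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('server', 'username', 'password', 'databasename'); // placeholders
$db->set_charset('utf8mb4');

$name    = readField('Name', 100);
$email   = readField('email', 254);
$message = readField('message', 5000);

if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address');
}

$newId = insertContact($db, $name, $email, $message);
echo 'Saved record ' . $newId;
$db->close();
```

With bound parameters there is nothing for an escaping routine to miss: a submitted message containing a single quote or a semicolon is stored as ordinary text, and the INSERT always affects exactly one row. The length checks and the email validation are independent of the injection defence; they exist so that bad input is rejected with a 400 rather than truncated or stored unnoticed.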