Writing to database?

[martynball]

I can read the values in my database which I manually added for testing, but I cannot add new values into the database... I am following this tutorial:
http://teamtutorials.com/web-develop...base-using-php

Here is my code (Password removed of course):

PHP Code:

<html>
<head>
<title>Database Test</title>
<?php
// Connect to the database server
mysql_connect('localhost', 'martynba_martynb', 'password') or die('Error connecting to the database, MySQL returned: ' . mysql_error());
// Select the database
mysql_select_db('martynba_comments') or die('Error selecting database, MySQL returned: ' . mysql_error());

//Build query
$query = mysql_query("SELECT * FROM commentTable");

//Display results
    while ($row = mysql_fetch_array($query)) {
    echo "<br /> ID: " .$row['ID']. 
    "<br /> First Name: ".$row['FNAME'].
    "<br /> Last Name: ".$row['LNAME'].
    "<br /> Phone Number: ".$row['PHON'];}
?> 
</head>
<body>
<hr />
<form medthod="post" action="update.php">
First Name:<br />
<input type="text" name="FName" size="30" /><br />
Last Name:<br />
<input type="text" name="LName" size="30" /><br />
Phone Number:<br />
<input type="text" name="PHON" size="12" /><br />
<input type="submit" value="Update Database"/>
</form>
</body>
</html>

update.php:

PHP Code:

<?php
$FNAME = $_POST['FName'];
$LNAME = $_POST['LName'];
$PHON = $_POST['PHON'];

mysql_connect ("localhost", "martynba_martynb", "password") or die ('Error: ' . mysql_error());
mysql_select_db ("martynba_comments");

$query="INSERT INTO commentTable (ID, FNAME, LNAME, PHON)
VALUES ('NULL','".$FName."','".$LName."','".PHON."')";

echo "Database Updated With: " .$FName. " ".$LName." ".$PHON ;
?>

Database Name: martynba_comments
Database User Name: martynba_martynba
Table Name: commentTable
Table Columns: ID, FNAME, LNAME, PHON

[diabolo]

is it displaying any errors when you try to insert information?
also does your db user have the right credentials

[martynball]

Nope, it is just writing "Database Updated With:" but no data at the end.

And credentials?

[Mr. DOS]

• PHP is case-sensitive, so fix the variable names either in the declarations at the top of the script or where you use them.
• Don't insert an ID at all, null or otherwise: providing the column is set up as an autoincrementing primary key, MySQL will figure that out by itself.
• You should have quotation marks around column names in the query.
• Put an or die() on the mysql_select_db() just in case it's failing there.
• Probably not related, but you really, really should be mysql_real_escape_string-ing everything going into that query. Not doing so leaves you potentially vulnerable to SQL injections, and that would be Bad.

Considering the above comments and making some minor formatting changes, your code would come out like this:

PHP Code:

<?php

mysql_connect('localhost', 'martynba_martynb', 'password') or die('Error: ' . mysql_error());
mysql_select_db('martynba_comments') or die('Error: ' . mysql_error());

$FNAME = mysql_real_escape_string($_POST['FName']);
$LNAME = mysql_real_escape_string($_POST['LName']);
$PHON = mysql_real_escape_string($_POST['PHON']);

$query = 'INSERT INTO commentTable(\'FNAME\', \'LNAME\', \'PHON\')
VALUES(\'' . $FNAME . '\', \'' . $LNAME . '\', \'' . PHON . '\')';

echo('Database Updated With: ' . $FNAME . ' ' .$LNAME . ' ' . $PHON);

?>

As a general word of coding advice, I suggest you figure out your code formatting preferences (e.g., single quotes/double quotes, space between function name/no space, spaces around full stops when concatenating/ no spaces, and, possibly most importantly, your indentation style) and stick with them. You may not be OCD, but some of us are, and it'll make your code much more readable for those of us who are when you need help ;)

--- Mr. DOS

[lovewhite]

hi martyn

you have assigned a string to your $query variable to perform the INSERT but you haven't actually sent the query to myql

after this statement in your code

$query="INSERT INTO commentTable (ID, FNAME, LNAME, PHON)
VALUES ('NULL','".$FName."','".$LName."','".PHON."')";

add something like

$result = mysql_query ($query);

then test the value of $result - if its true then your insert was successful if false then you had a problem

[misson]

Don't insert an ID at all, null or otherwise: providing the column is set up as an autoincrementing primary key, MySQL will figure that out by itself.

When a NULL is inserted into an auto-incremented column in MySQL, the NULL will be replaced with the next value in the auto-increment sequence. In short, it won't cause problems, but it's unnecessary.

You should have quotation marks around column names in the query. Put an or die() on the mysql_select_db() just in case it's failing there.

Rather than or die (and another article on the same theme), throw an exception or generate an error. Either is a more graceful way of stopping script execution.

Probably not related, but you really, really should be mysql_real_escape_string-ing everything going into that query. Not doing so leaves you potentially vulnerable to SQL injections, and that would be Bad.

Seconded. The modern route is to use the PDO driver and prepared statements, which aren't vulnerable to SQL injection (though there's still HTML injection/cross site scripting and cross-site request forgery). Some more references:

• PHP manual section on SQL injection
• SQL Injection Attacks by Example
• SQL Injection Walkthrough

As a general word of coding advice, I suggest you figure out your [...] indentation style) and stick with them.

Again, seconded. It will help you catch some very basic typos. If you get a good editor/IDE, it will handle the indenting for you.

[martynball]

Here is my code now, but it still isn't working :/

It is just writing "Database Updated With:" on the screen, but no values, and the database isn't updated.

PHP Code:

<html>
<head>
<title>Database Test</title>
<?php
// Connect to the database server
mysql_connect('localhost', 'martynba_martynb', 'mlb0891sr3dm') or die('Error connecting to the database, MySQL returned: ' . mysql_error());
// Select the database
mysql_select_db('martynba_comments') or die('Error selecting database, MySQL returned: ' . mysql_error());

//Build query
$query = mysql_query("SELECT * FROM commentTable");

//Display results
    while ($row = mysql_fetch_array($query)) {
    echo "<br /> ID: " .$row['ID']. 
    "<br /> First Name: ".$row['FNAME'].
    "<br /> Last Name: ".$row['LNAME'].
    "<br /> Phone Number: ".$row['PHON'];}
?> 
</head>
<body>
<hr />
<form medthod="post" action="update.php">
First Name:<br />
<input type="text" name="FNAME" size="30" /><br />
Last Name:<br />
<input type="text" name="LNAME" size="30" /><br />
Phone Number:<br />
<input type="text" name="PHON" size="12" /><br />
<input type="submit" value="Update Database"/>
</form>
</body>
</html>

update.php:

PHP Code:

<?php

mysql_connect('localhost', 'martynba_martynb', 'mlb0891sr3dm') or die('Error: ' . mysql_error());
mysql_select_db('martynba_comments') or die('Error: ' . mysql_error());

$FNAME = mysql_real_escape_string($_POST['FName']);
$LNAME = mysql_real_escape_string($_POST['LName']);
$PHON = mysql_real_escape_string($_POST['PHON']);

$query = 'INSERT INTO commentTable(\'FNAME\', \'LNAME\', \'PHON\')
VALUES(\'' . $FNAME . '\', \'' . $LNAME . '\', \'' . PHON . '\')';
$result = mysql_query ($query);

echo('Database Updated With: ' . $FNAME . ' ' .$LNAME . ' ' . $PHON);

?>

[descalzo]

<input type="text" name="FNAME" size="30" />

VS

$FNAME = mysql_real_escape_string($_POST['FName']);

CapITaliZATIOn MaTTerS.

[martynball]

Fixed the caps on everything. Also, I have found the reason I have had so much trouble with this, with some help from a friend who does not know code at all.

<form medthod="post" action="update.php">

[drf1229]

I noticed that when I first looked at it. Too bad I didn't see this yesterday