I am working on having data taken from a form submit to a database, however, whenever I submit there are no errors yet my data never appears in my database. Can anyone help me with some information on what I might have done incorrectly? I am using phpMyAdmin to view my table.
Thank You,
Stephen
```php
<?php
$user= $_POST["txtUser"];
$fName= $_POST["txtFname"];
$lName= $_POST["txtLname"];
$email= $_POST["txtEmail"];
$date= date("r");
$dbh=mysql_connect('webdb.uvm.edu','swakita','MYPASSWORD');
if (!$dbh)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("SWAKITA", $dbh);
if (isset($_POST['butSubmit'])) {
    mysql_query("INSERT INTO tblWhere (pk_Username, fldFirstName, fldLastName, fldAdminLevel, fldTotalPosts, fldDateJoined, fldEmail) VALUES (" . $user . "," . $fName . "," . $Lname . ", '4', '0', $date, $email)");
    mysql_close();
    print $user;
}
?>
```
EDIT
This error is thrown:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Here is my code currently:
```php
<?php
$user= $_POST["txtUser"];
$fName= $_POST["txtFname"];
$lName= $_POST["txtLname"];
$email= $_POST["txtEmail"];
$date= date("r");
$dbh=mysql_connect('webdb.uvm.edu','swakita','MYPASSWORD');
if (!$dbh)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db('SWAKITA', $dbh);
if (isset($_POST['butSubmit'])) {
    mysql_query("INSERT INTO tblWhere (pk_Username, fldFirstName, fldLastName, fldAdminLevel, fldTotalPosts, fldDateJoined, fldEmail) VALUES (' mysql_real_escape_string($user)', 'mysql_real_escape_string($fName)', 'mysql_real_escape_string($Lname)', '4', '0', 'mysql_real_escape_string($date)', 'mysql_real_escape_string($email)'");
    if (mysql_errno()) {
        echo $sql . "<br/>\n" . mysql_error();
    }
    mysql_close();
    print $user;
}
?>
```
EDIT EDIT
I was missing a parenthesis after 'mysql_real_escape_string($email)' but now it is posting "mysql_real_escape_string(Example First Name)" instead of just the value. What did I do wrong with my parentheses now?
If you use your fields coming from the POST request directly in the query, you're vulnerable to SQL injection; escape them first.
To see the problem, check the result of mysql_query
I think the problem is that you’re not putting quotes around fields like user.
should be:
or simpler:
If you quote your string with double quotes ", you can use $variable inside the string and they will get evaluated, while if you use a string delimited with single quotes ', it will literally print $variable.
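Added example, not code from the question or the answer above: the same INSERT written with a mysqli prepared statement, which replaces hand-built quoting and mysql_real_escape_string() entirely, plus the single- versus double-quote behaviour the answer describes. Table and column names are the ones from the question; the connection parameters are placeholders, and fldDateJoined is assumed to be a DATETIME column.

```php
<?php
// Added example (not the asker's or answerer's code). Connection details
// below are placeholders; table and column names come from the question.
function insertUser(mysqli $db, array $post): bool
{
    // Only act on the real submit, and never paste request fields into SQL.
    if (!isset($post['butSubmit'])) {
        return false;
    }
    $user  = $post['txtUser']  ?? '';
    $fName = $post['txtFname'] ?? '';
    $lName = $post['txtLname'] ?? '';  // one consistent name ($Lname was undefined in the question)
    $email = $post['txtEmail'] ?? '';
    $date  = date('Y-m-d H:i:s');      // DATETIME format (assumed column type); date("r") is not one

    // Placeholders send the values separately from the SQL text, so an
    // apostrophe in a name cannot change the statement, and no escaping
    // function has to be called (or mistakenly quoted) by hand.
    $sql = 'INSERT INTO tblWhere
              (pk_Username, fldFirstName, fldLastName, fldAdminLevel,
               fldTotalPosts, fldDateJoined, fldEmail)
            VALUES (?, ?, ?, 4, 0, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sssss', $user, $fName, $lName, $date, $email);
    if (!$stmt->execute()) {
        // Surface the failure; the original script ignored mysql_query()'s
        // return value, which is why nothing showed up in phpMyAdmin.
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt->affected_rows === 1;
}

// Quote behaviour the answer describes, with a constructed sample value:
$name   = "O'Brien";
$double = "Hello $name";   // interpolated: Hello O'Brien
$single = 'Hello $name';   // literal:      Hello $name
// A function call is never evaluated inside any string literal, which is why
// 'mysql_real_escape_string($user)' was stored verbatim in the second edit.

$db = new mysqli('db.example.invalid', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
insertUser($db, $_POST);
```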