I have the following form that I am inserting into a database with a primary key called index to give them all a numerical value. What am I doing wrong that it won’t add it? It doesn’t give me an error message at all. Thanks for the assistance!
FORM:
<form action = "addissue.php" METHOD = "POST">
<table>
<tr>
<td>Date Issue Occurred:</td>
<!--http://www.dynamicdrive.com/dynamicindex7/jasoncalendar.htm-->
<td><script>DateInput('orderdate', true, 'DD-MON-YYYY')</script></td>
</tr>
<tr>
<td>Please select the application affected:</td>
<td><select name = "application">
<option value = "default1">1</option>
<option value = "2">2</option>
</select></td>
</tr>
<tr>
<td>Start Time:</td>
<td><input type = "text" name = "start" /></td>
</tr>
<tr>
<td>End Time:</td>
<td><input type = "text" name = "end" /></td>
</tr>
<tr>
<td>Duration:</td>
<td><input type = "text" name = "dur" /></td>
</tr>
<tr>
<td>Service Level Affecting?</td>
<td><input type = "radio" name = "sla" value = "Yes" />Yes
<input type = "radio" name = "sla" value = "No" />No</td>
</tr>
<tr>
<td>System State:</td>
<td><select name = "state">
<option value = "down">Down</option>
<option value = "degradated">Degradated</option>
<option value = "feature">Feature Broken</option>
</select></td>
</tr>
<tr>
<td>Issue Description:</td>
<td><textarea name = "issuedesc" rows = "5" cols = "90">Enter Issue Description Here.</textarea></td>
</tr>
<tr>
<td>Resolution Description:</td>
<td><textarea name = "resdesc" rows = "5" cols = "90">Enter Resolution Description Here.</textarea></td>
</tr>
<tr>
<td>Group Issue Is Assigned To:</td>
<td><select name = "group">
<option value = "default1">1</option>
<option value = "2">2</option>
</select></td>
</tr>
<tr>
<td><input type = "submit" value = "Submit"></td>
</tr>
</table>
</form>
Addissue.php
<?php
include('db_loginreport.php');
$con = mysql_connect($db_host, $db_username, $db_password);
if(!$con)
{
die('Could not connect: ' . mysql_error());
}
$db_select = mysql_select_db($db_database);
if(!$db_select)
{
die("Could not select the database. <br />".mysql_error());
}
$date = $_POST["orderdate"];
$app = $_POST["application"];
$starttime = $_POST["start"];
$endtime = $_POST["end"];
$duration = $_POST["dur"];
$sysstate = $_POST["state"];
$issdesc = $_POST["issuedesc"];
$resdesc = $_POST["resdesc"];
$assigned = $_POST["group"];
$query = "Insert INTO issuetrack (date, app, starttime, endtime, duration, sla, sysstate,issdesc, resdesc, assigned)
VALUES ($date, $app,$starttime,$endtime,$duration,$sysstate,$issdesc,$resdesc,$assigned)";
$result = mysql_query($query);
if(!$result)
{
die("Could not query the database: <br />".mysql_error());
}
?>
db format:
# Column Type
1 index int(11)
2 date varchar(11)
3 app varchar(50)
4 starttime varchar(16)
5 endtime varchar(16)
6 duration varchar(5)
7 sla varchar(3)
8 sysstate varchar(20)
9 issdesc varchar(2048)
10 resdesc varchar(2048)
11 assigned varchar(30)
You have 2 problems. The insert fails because your variables are not enclosed in quotes as in '$date':
Also, note that you are missing an entry for $sla in your query. I have added it above.
Your second problem is that your script is wide open to tampering via SQL injection. At a minimum, you MUST escape all of these variables with mysql_real_escape_string(), even if it is for an internal application only.
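An added example (not part of the original answer, and not the poster's code): the same insert written with PDO prepared statements rather than mysql_real_escape_string(), so every form value, including sla, is bound instead of quoted by hand. The field-to-column map follows the form and table above; the function name insert_issue, the in-memory SQLite table and the sample POST values are constructed so the script runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Assumption: PDO is available;
// an in-memory SQLite table stands in for the MySQL issuetrack table.

// Form field name => issuetrack column, taken from the form and schema above.
const FIELD_TO_COLUMN = [
    'orderdate' => 'date',      'application' => 'app',
    'start'     => 'starttime', 'end'         => 'endtime',
    'dur'       => 'duration',  'sla'         => 'sla',
    'state'     => 'sysstate',  'issuedesc'   => 'issdesc',
    'resdesc'   => 'resdesc',   'group'       => 'assigned',
];

function insert_issue(PDO $pdo, array $post): int
{
    $params = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        // Unchecked radio buttons are absent from $_POST, so default to ''.
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field $field must be a string");
        }
        $params[":$column"] = $value;
    }
    $columns = implode(', ', FIELD_TO_COLUMN);
    $holders = implode(', ', array_keys($params));
    // Column names come from the fixed map above; user data is only ever bound.
    $stmt = $pdo->prepare("INSERT INTO issuetrack ($columns) VALUES ($holders)");
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}

// Constructed demo: SQLite in memory replaces the MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE issuetrack ("index" INTEGER PRIMARY KEY, date TEXT, app TEXT,
    starttime TEXT, endtime TEXT, duration TEXT, sla TEXT, sysstate TEXT,
    issdesc TEXT, resdesc TEXT, assigned TEXT)');

// Constructed POST data; the apostrophe would break a hand-quoted query.
$post = ['orderdate' => '01-JAN-2024', 'application' => '2', 'start' => '09:00',
    'end' => '09:30', 'dur' => '30', 'sla' => 'Yes', 'state' => 'down',
    'issuedesc' => "Users can't log in", 'resdesc' => 'Restarted service',
    'group' => '2'];

$id = insert_issue($pdo, $post);
$row = $pdo->query('SELECT issdesc FROM issuetrack')->fetch(PDO::FETCH_ASSOC);
echo "Inserted row $id: {$row['issdesc']}\n";
```

Against the real database, replace the SQLite DSN with a `mysql:` DSN built from the credentials in db_loginreport.php and pass `$_POST` as the second argument; the function itself is unchanged.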