PHP/MySQL

"Please leave a message at the beep, we will get back to you when your support contract expires."

Moderators: phlip, Prelates, Moderators General

PHP/MySQL

Postby Hemmers » Tue Jan 31, 2012 6:58 pm UTC

So, trying to teach myself HTML, PHP and MySQL all at the same time :shock:

I've got a form, which seems to behave itself and sends data to PHP, which should then write a new row in MySQL.

Code: Select all
<?php
INCLUDE 'conn.php';

$compfore = $_REQUEST["compfore"];
$compsur = $_REQUEST["compsur"];
$sex = $_REQUEST["sex"];
$nation = $_REQUEST["nation"];

$query = "INSERT INTO competitor (forename, surname, sex, nationality)
  VALUES ($compfore, $compsur, $sex, $nation)";

$result = mysql_query($query, $conn) or die(mysql_error());

?>
conn.php:
Code: Select all
<?php
$server = "localhost";
$user = "user";
$pwd = "pwd";
$dbn = "db";

$conn = mysql_connect($server, $user, $pwd) or die(mysql_error());
mysql_select_db($dbn);
?>



I'm getting errors on line 2 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' )' at line 2), which is just confusing because there is no ')' on line 2
I also managed to fix that and get an error down the bottom before I broke the top again :(

Is there something dreadfully wrong with my syntax? Can't work it out, as is abundantly obvious, I'm a total newbie, so it's probably all wrong...

Thanks!
Hemmers
 
Posts: 117
Joined: Mon Nov 22, 2010 3:50 pm UTC

Re: PHP/MySQL

Postby Xanthir » Tue Jan 31, 2012 9:01 pm UTC

Print out the $query string and show it?

Also, you need to learn this early - NEVER EVER put any data that came anywhere *near* a user directly into a sql string. ALWAYS escape it first with mysql_real_escape_string(). (Don't escape values too early, or you'll run into trouble. Escape them right at the moment you splice them into a string.)

Yes, that's a *completely* retarded and long function name. Alias it to something short so it won't kill your fingers every time.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))
User avatar
Xanthir
My HERO!!!
 
Posts: 4325
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: PHP/MySQL

Postby Hemmers » Tue Jan 31, 2012 11:33 pm UTC

Fixed it eventually, missed a few single quotes and there was actually a problem in the HTML form as well.

Thanks for the advice on escaping. I'd come across it but was deliberately ignoring it initially as I was just trying to get data from a form to a table first - I'm that new at this! Will be sure not to escape values too early though.
Hemmers
 
Posts: 117
Joined: Mon Nov 22, 2010 3:50 pm UTC

Re: PHP/MySQL

Postby Steax » Wed Feb 01, 2012 4:16 am UTC

Better option - use PHP prepared statements through PDO. Pretty much regarded as best practice nowadays.

Good luck on your conquest!
In Minecraft, I use the username Rirez.
User avatar
Steax
SecondTalon's Goon Squad
 
Posts: 3037
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: PHP/MySQL

Postby ocb » Fri Mar 02, 2012 4:07 am UTC

Steax wrote:Better option - use PHP prepared statements through PDO. Pretty much regarded as best practice nowadays.


this PDO is getting popular. I might try it

http://www.clothes4u.com.au/
Last edited by ocb on Mon Jul 02, 2012 3:49 am UTC, edited 2 times in total.
ocb
 
Posts: 2
Joined: Fri Mar 02, 2012 4:06 am UTC

Re: PHP/MySQL

Postby Kithplana » Sat Mar 03, 2012 6:38 am UTC

ocb wrote:
Steax wrote:Better option - use PHP prepared statements through PDO. Pretty much regarded as best practice nowadays.


this PDO is getting popular. I might try it

You should. It's awesome and harder to mess up than escaping.
User avatar
Kithplana
 
Posts: 400
Joined: Mon May 14, 2007 11:12 pm UTC


Return to The Help Desk

Who is online

Users browsing this forum: No registered users and 4 guests