Inserting Data into a Database from a form using PHP

  • paviktherin
    New Member
    • Apr 2007
    • 8

    Inserting Data into a Database from a form using PHP

    Okay this should be something fairly easy, but due to my lack of experience I am having a lot of trouble. I am receiving the following error when I submit the information in my form to a page called insert.php

    Error: You have an error in your SQL syntax; check the manual that
    corresponds to your MySQL server version for the right syntax to use
    near 'From, Comments) Values ('','','')' at line 1

    Here is the code I have for the insert.php:

    <?php
    $con = mysql_connect("mysql3.freehostia.com","ammloc_posts","sumner20");
    if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

    mysql_select_db ("ammloc_posts" , $con);

    $sql="insert into two_fridas (Subject, From, Comments)

    Values ('$_post[subject]','$_post[from]','$_post[comments]')";

    if (!mysql_query($sql,$con))
    {
    die('Error: ' . mysql_error());
    }
    echo "Thank you, your comment has been added.";

    mysql_close($con);
    ?>


    You may also see first hand what it looks like at http://humanities1100.freehostia.com/fridas.html and then just fill out the form and submit.

    Any help would be greatly appreciated. Thank you in advance.
  • code green
    Recognized Expert Top Contributor
    • Mar 2007
    • 1726

    #2
    First, never do this: [PHP]Values ('$_post[subject]','$_post[from]','$_post[comments]')";[/PHP] Always validate $_POST data before inserting into a database. The error is SQL based because you are using an SQL reserved word 'FROM' as a field name.

    Comment

    • paviktherin
      New Member
      • Apr 2007
      • 8

      #3
      Originally posted by code green
      First, never do this: [PHP]Values ('$_post[subject]','$_post[from]','$_post[comments]')";[/PHP] Always validate $_POST data before inserting into a database. The error is SQL based because you are using an SQL reserved word 'FROM' as a field name.

      Oh man, thank you so much. So if I just change it to say user instead, that could fix that problem? And thank you, I forgot about the validating.

      Comment

      • Motoma
        Recognized Expert Specialist
        • Jan 2007
        • 3236

        #4
        You may also have to backtick the 'From' column in your insert, as it is a reserved word. Also, you need to refer to the POST array using capital letters. And you need to either concatenate the strings, or escape the variable name, because you cannot directly enclose array elements in a string. And associative arrays need to have strings as their keys, not literals, thus enclose subject, from, and comments in single or double quotes:

        [PHP]
        $sql="insert into two_fridas (Subject, `From`, Comments)
        Values ('{$_POST['subject']}','{$_POST['from']}','{$_POST['comments']}')";
        [/PHP]

        Comment

        • paviktherin
          New Member
          • Apr 2007
          • 8

          #5
          Originally posted by Motoma
          You may also have to backtick the 'From' column in your insert, as it is a reserved word. Also, you need to refer to the POST array using capital letters. And you need to either concatenate the strings, or escape the variable name, because you cannot directly enclose array elements in a string. And associative arrays need to have strings as their keys, not literals, thus enclose subject, from, and comments in single or double quotes:

          [PHP]
          $sql="insert into two_fridas (Subject, `From`, Comments)
          Values ('{$_POST['subject']}','{$_POST['from']}','{$_POST['comments']}')";
          [/PHP]


          Interesting, thanks guys for all your help. Looks like I still have quite a bit to learn. :P Thanks again.

          Comment

          • paviktherin
            New Member
            • Apr 2007
            • 8

            #6
            Okay thanks guys it looks like it is doing something cuz the insert.php page gives me the echo response of thank you, your comment has been added. However on the database it has only added blanks in the columns

            <?php
            $con = mysql_connect("hostname","username","password");
            if (!$con)
            {
            die('Could not connect: ' . mysql_error());
            }

            mysql_select_db ("ammloc_posts" , $con);

            $sql="insert into two_fridas (Subject, Name, Comments)

            Values ('{$_POST['subject']}','{$_POST['name']}','{$_POST['comments']}')";

            if (!mysql_query($sql,$con))
            {
            die('Error: ' . mysql_error());
            }
            echo "Thank you, your comment has been added.";

            mysql_close($con);
            ?>

            So I am not sure what it is that is keeping it from actually receiving and updating the table in the database with the text. My database is set up as varchar (30) for both the subject and name and as blob/text for the comments.

            Thank you for your help.

            Comment

            • Motoma
              Recognized Expert Specialist
              • Jan 2007
              • 3236

              #7
              Echo your SQL statement to get some clues.

              Comment

              • code green
                Recognized Expert Top Contributor
                • Mar 2007
                • 1726

                #8
                Your basics are letting you down. Assuming the SQL is fine now it is inserting blank fields because the POST variable is blank. BUT you will never know this because you are still not validating the POST variables.

                Comment

                • paviktherin
                  New Member
                  • Apr 2007
                  • 8

                  #9
                  Yeah, I know that the validation is killing me; I will have to look into that. Know any good sites that help explain validation? Thanks again guys.

                  Comment

                  • Motoma
                    Recognized Expert Specialist
                    • Jan 2007
                    • 3236

                    #10
                    Originally posted by paviktherin
                    Yeah, I know that the validation is killing me; I will have to look into that. Know any good sites that help explain validation? Thanks again guys.
                    Do a print_r() on your POST and GET arrays to see what they are.

                    Comment

                    • code green
                      Recognized Expert Top Contributor
                      • Mar 2007
                      • 1726

                      #11
                      Checking your $_POST variables
                      [PHP]
                      if (isset($_POST['subject'])) { #to check submitted
                          $subject = $_POST['subject']; #transfer to variable
                          if (!empty($subject)) { #ensure not empty
                              //followed by other specific validation ie.
                              // is_string() is_numeric() strlen() etc
                              //if everything OK then
                              $subject = mysql_escape_string($subject); #prep for DB
                          }
                      }
                      [/PHP]
                      Is the basic testing for a POST variable.
                      I suggest studying the php functions mentioned here.
                      Have fun

                      Comment
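
An added example, not part of any post in this thread: the validation steps from post #11 combined with a PDO prepared statement in place of string interpolation, since the mysql_* functions used above were removed in PHP 7. The helper names validate_comment() and save_comment() are hypothetical, and an in-memory SQLite database is assumed so the script runs without a server.

```php
<?php
// Added example, not from the thread; helper names are hypothetical.

// Each field must be a non-empty string within the column size the poster
// described (varchar(30) for subject and name; 65535 bytes for MySQL TEXT).
function validate_comment(array $post): array
{
    $limits = ['subject' => 30, 'from' => 30, 'comments' => 65535];
    $clean = $errors = [];
    foreach ($limits as $field => $max) {
        $raw = $post[$field] ?? null;
        $value = is_string($raw) ? trim($raw) : '';
        if ($value === '') {
            $errors[$field] = 'missing or empty';
        } elseif (strlen($value) > $max) {
            $errors[$field] = "longer than $max bytes";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Placeholders keep user input out of the SQL text, so an apostrophe in a
// value cannot alter the statement. `From` is backticked: it is reserved.
function save_comment(PDO $db, array $c): void
{
    $stmt = $db->prepare('INSERT INTO two_fridas (Subject, `From`, Comments)
                          VALUES (:subject, :from, :comments)');
    $stmt->execute([':subject' => $c['subject'], ':from' => $c['from'],
                    ':comments' => $c['comments']]);
}

// Assumption: in-memory SQLite so this runs without a server. For MySQL only
// the DSN changes, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE two_fridas (Subject VARCHAR(30), `From` VARCHAR(30), Comments TEXT)');
// Constructed submissions standing in for $_POST.
$samples = [
    ['subject' => "Frida's palette", 'from' => "O'Brien", 'comments' => "It's great"],
    ['subject' => '', 'from' => 'anon', 'comments' => 'sent after the form was cleared'],
];
foreach ($samples as $post) {
    [$clean, $errors] = validate_comment($post);
    if ($errors) { echo 'Rejected: ', json_encode($errors), "\n"; continue; }
    save_comment($db, $clean);
    echo "Stored comment from {$clean['from']}\n";
}
```

The second sample is rejected before any SQL runs, which is the blank-row case from post #6 caught at the validation step.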

                      • paviktherin
                        New Member
                        • Apr 2007
                        • 8

                        #12
                        OK, I figured out that the reason it was sending blanks to the database table is because I had an onclick formReset() in the form so that it would clear the form after they submitted it; unfortunately it was clearing the form and sending that cleared information. So now I have it sending stuff, or at least it echoes what was entered into the form. However, now it is giving me an error of duplicate entry for Key 1, and that will create a problem because I need it to be able to accept duplicates, in case the person comments twice, or the subject is the same. Any ideas?

                        Comment

                        • Motoma
                          Recognized Expert Specialist
                          • Jan 2007
                          • 3236

                          #13
                          You have your User ID field set up as a Primary Key in your table.

                          Comment
