开发者

my php script enters blank info into mysql db!

开发者 https://www.devze.com 2023-01-31 07:25 出处:网络
When I try to enter data from a form I have made it adds a new entry as i can see from phpmyadmin but does not transfer other details across

When I try to enter data from a form I have made it adds a new entry as i can see from phpmyadmin but does not transfer other details across

I am using a simple form that collects 9 fileds post is to update.php. Here is what I have in update.php

<?php
$realname = $_POST['realname'];
$age = $_POST['age'];
$country = $_POST['country'];
$gamename = $_POST['gamename'];
$gamelevel = $_POST['gamelevel'];
$itemlevel = $_POST['itemlevel'];
$class = $_POST['class'];
$played = $_POST['played'];
$support = $_POST['support'];

mysql_connect ("localhost", "mydb_userid", "MYPASSWORD") or die ('Error: ' . mysql_error());
mysql_select_db ("mydb_recruitment");

$query="INSERT INTO applicants (ID, realname, age, country, gamename, gamelevel, itemlevel, class, played, support)VALUES ('NULL','".$realname."','".$age."','".$country."','".$gamename."','".$gamelevel."','".$itemlevel."','".$class."','".$played."','".$support."')";

mysql_query($query) or die ('Error updating DB');

echo "You have sucessfully sent an application. Your details will be reviewed and someone will get back to you";

?>

Hope someone can help, searching the net seems to sugest something about global variables - but i dont know if i have control of that as its an hosted site.

this is the signup form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Candidate Registration</title>
</head>

<body>

<form medthod="post" action="update.php">

Real Name:<br />
<input type="text" name="realname" size="50" /><br />

Age:<br />
<in开发者_开发知识库put type="text" name="age" size="10" /><br />

Country:<br />
<input type="text" name="country" size="20" /><br />

In Game Name:<br />
<input type="text" name="gamename" size="30" /><br />

In Game Level:<br />
<input type="text" name="gamelevel" size="10" /><br />

In Game Item Level:<br />
<input type="text" name="itemlevel" size="10" /><br />

Class Played:<br />
<input type="text" name="class" size="30" /><br />

How long have you played wow?:<br />
<input type="text" name="played" size="10" /><br />

Please enter a brief statement of why you want to join:<br />
<input type="text" name="support" size="5000" /><br />
<br />
<input type="submit" value="Update DB" />

</form>
</body>
</html>

this is the update.php form

<?php
$realname = $_POST['realname'];
$age = $_POST['age'];
$country = $_POST['country'];
$gamename = $_POST['gamename'];
$gamelevel = $_POST['gamelevel'];
$itemlevel = $_POST['itemlevel'];
$class = $_POST['class'];
$played = $_POST['played'];
$support = $_POST['support'];

mysql_connect ("localhost", "mydb_daniel", "mypwd") or die ('Error: ' . mysql_error());
mysql_select_db ("mydb_recruitment");

$query="INSERT INTO applicants (ID, realname, age, country, gamename, gamelevel, itemlevel, class, played, support)VALUES ('NULL','".$realname."','".$age."','".$country."','".$gamename."','".$gamelevel."','".$itemlevel."','".$class."','".$played."','".$support."')";

mysql_query($query) or die ('Error updating DB');

echo "You have sucessfully sent an application. Your details will be reviewed and someone will get back to you";

?>

I understand peoples concerns about sercurity, but please understand this only for me to mess around with and produce a basic signup form for my guild, i wont be requesting credit card details :)


Is your form method set to POST? - unless you have explicitly added this the variables will be within the $_GET superglobal so your variables would be like this:

$realname = $_GET['realname'];

If it is set to POST - please do a var_dump($_POST) at the top of your script and see if any variables are making it to your script.

Something else that i've seen before is caused when people are redirecting in a .htaccess from domain.com to www.domain.com and they post a script explicity to domain.com/script.php and the script then redirects to www.domain.com/script.php and this empties the POST.

EDIT

You have spelt method wrong in your form tag - if you update this then it should work as your misspelling will be causing the variables to be sent as GET vars.

You can fix your security issues in a basic way like this:

$realname = mysql_real_escape_string($_POST['realname']);
$age = mysql_real_escape_string($_POST['age']);
$country = mysql_real_escape_string($_POST['country']);
$gamename = mysql_real_escape_string($_POST['gamename']);
$gamelevel = mysql_real_escape_string($_POST['gamelevel']);
$itemlevel = mysql_real_escape_string($_POST['itemlevel']);
$class = mysql_real_escape_string($_POST['class']);
$played = mysql_real_escape_string($_POST['played']);
$support = mysql_real_escape_string($_POST['support']);


Whoa, slow down. You've not even escaped this data!

$realname = mysql_real_escape_string($_POST['realname']);

Or to escape it all:

$_POST = array_map('mysql_real_escape_string', $_POST);

Note the second solution isn't entirely reliable. Can produce some strange results. It is generally better to run these inputs through a function/class for validation and cleansing.

On your ghost issue, try this and note response after form submit (put right at top):

var_dump($_POST);
exit;

You spelled method attribute wrong in your query, that is why it isn't working.

0

精彩评论

暂无评论...
验证码 换一张
取 消