1

When I try to enter data from a form I have made, it adds a new entry, as I can see from phpMyAdmin, but does not transfer the other details across.

I am using a simple form that collects 9 fields; it posts to update.php. Here is what I have in update.php:

<?php
$realname = $_POST['realname'];
$age = $_POST['age'];
$country = $_POST['country'];
$gamename = $_POST['gamename'];
$gamelevel = $_POST['gamelevel'];
$itemlevel = $_POST['itemlevel'];
$class = $_POST['class'];
$played = $_POST['played'];
$support = $_POST['support'];

mysql_connect ("localhost", "mydb_userid", "MYPASSWORD") or die ('Error: ' . mysql_error());
mysql_select_db ("mydb_recruitment");

$query="INSERT INTO applicants (ID, realname, age, country, gamename, gamelevel, itemlevel, class, played, support)VALUES ('NULL','".$realname."','".$age."','".$country."','".$gamename."','".$gamelevel."','".$itemlevel."','".$class."','".$played."','".$support."')";

mysql_query($query) or die ('Error updating DB');

echo "You have sucessfully sent an application. Your details will be reviewed and someone will get back to you";

?>

Hope someone can help. Searching the net seems to suggest something about global variables, but I don't know if I have control of that as it's a hosted site.

This is the signup form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Candidate Registration</title>
</head>

<body>

<form medthod="post" action="update.php">

Real Name:<br />
<input type="text" name="realname" size="50" /><br />

Age:<br />
<input type="text" name="age" size="10" /><br />

Country:<br />
<input type="text" name="country" size="20" /><br />

In Game Name:<br />
<input type="text" name="gamename" size="30" /><br />

In Game Level:<br />
<input type="text" name="gamelevel" size="10" /><br />

In Game Item Level:<br />
<input type="text" name="itemlevel" size="10" /><br />

Class Played:<br />
<input type="text" name="class" size="30" /><br />

How long have you played wow?:<br />
<input type="text" name="played" size="10" /><br />

Please enter a brief statement of why you want to join:<br />
<input type="text" name="support" size="5000" /><br />
<br />
<input type="submit" value="Update DB" />

</form>
</body>
</html>

This is the update.php form:

<?php
$realname = $_POST['realname'];
$age = $_POST['age'];
$country = $_POST['country'];
$gamename = $_POST['gamename'];
$gamelevel = $_POST['gamelevel'];
$itemlevel = $_POST['itemlevel'];
$class = $_POST['class'];
$played = $_POST['played'];
$support = $_POST['support'];

mysql_connect ("localhost", "mydb_daniel", "mypwd") or die ('Error: ' . mysql_error());
mysql_select_db ("mydb_recruitment");

$query="INSERT INTO applicants (ID, realname, age, country, gamename, gamelevel, itemlevel, class, played, support)VALUES ('NULL','".$realname."','".$age."','".$country."','".$gamename."','".$gamelevel."','".$itemlevel."','".$class."','".$played."','".$support."')";

mysql_query($query) or die ('Error updating DB');

echo "You have sucessfully sent an application. Your details will be reviewed and someone will get back to you";

?>

I understand people's concerns about security, but please understand this is only for me to mess around with and produce a basic signup form for my guild. I won't be requesting credit card details :)

2
  • Have you specified the name attributes of the html form elements, e.g. <input type="text" name="realname" /> Commented Dec 20, 2010 at 23:11
  • You spelt method wrong, please update and try again Commented Dec 20, 2010 at 23:19

2 Answers

1

Is your form method set to POST? - unless you have explicitly added this the variables will be within the $_GET superglobal so your variables would be like this:

$realname = $_GET['realname'];

If it is set to POST - please do a var_dump($_POST) at the top of your script and see if any variables are making it to your script.

Something else that I've seen before is caused when people are redirecting in a .htaccess from domain.com to www.domain.com and they post a script explicitly to domain.com/script.php and the script then redirects to www.domain.com/script.php and this empties the POST.

EDIT

You have spelt method wrong in your form tag - if you update this then it should work as your misspelling will be causing the variables to be sent as GET vars.

You can fix your security issues in a basic way like this:

$realname = mysql_real_escape_string($_POST['realname']);
$age = mysql_real_escape_string($_POST['age']);
$country = mysql_real_escape_string($_POST['country']);
$gamename = mysql_real_escape_string($_POST['gamename']);
$gamelevel = mysql_real_escape_string($_POST['gamelevel']);
$itemlevel = mysql_real_escape_string($_POST['itemlevel']);
$class = mysql_real_escape_string($_POST['class']);
$played = mysql_real_escape_string($_POST['played']);
$support = mysql_real_escape_string($_POST['support']);

5 Comments

Christ, way to hog points. Edit your answer to include the answer, edit to include my suggestion, actually ASK the asker to select your answer. Really? Where's your integrity man? Note, I asked in the comments to mine after you out of absolute frustration.
@Zenph haha. I edited my answer to include the answer to the question that I answered. I added the mysql_real_escape_string to answer his further question about security, I wasn't aware you invented this technique! I'm not trying to hog points at all but it's frustrating when new posters don't understand that they need to accept an answer. I would have been happy for you to have the accepted answer had you actually answered the question he asked which - if you remember - was not actually about security but about why his form wasn't working
@Daniel move your mysql_connect and mysql_select_db to the top of your script after the opening php tag
I'm not even bothered about whose answer was selected. I actually up-voted your answer after it was selected because the security info was in there. I just feel a bit 'dirty' after your complete lack of attention to security turned into an edited answer about it.
@Zenph Dude, come on. "Complete lack of attention to security" is taking it a bit far. I'll drop you an upvote as I agree with much of what you've said, now move on.
1

Whoa, slow down. You've not even escaped this data!

$realname = mysql_real_escape_string($_POST['realname']);

Or to escape it all:

$_POST = array_map('mysql_real_escape_string', $_POST);

Note the second solution isn't entirely reliable. Can produce some strange results. It is generally better to run these inputs through a function/class for validation and cleansing.

On your ghost issue, try this and note response after form submit (put right at top):

var_dump($_POST);
exit;

You spelled method attribute wrong in your query, that is why it isn't working.

29 Comments

True, but one thing at a time :)
Not at all, should be done at the same time! This kind of thing should be required. Developers are only going to shift their thinking when people they listen to (like you) keep repeating to them: security first!
I agree with you - the array_map suggestion is not a good start though as it really neglects fundamentals and should only be considered when you're in a position to understand the positive and negative issues it will cause.
array(0) { } You have sucessfully sent an application. Your details will be reviewed and someone will get back to you
@Daniel - are you doing any redirection in a .htaccess like I mentioned in my post?
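
An added example, not part of either answer or the asker's code: the two points raised above (an empty $_POST when the form does not really submit with POST, and unescaped input in the INSERT) handled in one place, using PDO bound parameters in place of mysql_real_escape_string. The function name save_applicant, the in-memory SQLite database, the whole-number check on three fields and the sample row are assumptions made so the script runs from the PHP CLI.

```php
<?php
// Added example. Column names come from the question; save_applicant(), the
// in-memory SQLite database and the sample row are assumptions for the demo.
const FIELDS = ['realname', 'age', 'country', 'gamename', 'gamelevel',
                'itemlevel', 'class', 'played', 'support'];

function save_applicant(PDO $db, string $method, array $post): int
{
    // A misspelled method attribute makes the browser submit with GET, leaving
    // $_POST empty; refuse the request instead of inserting a blank row.
    if ($method !== 'POST') {
        throw new RuntimeException('form must be submitted with POST');
    }
    $row = [];
    foreach (FIELDS as $f) {
        $value = $post[$f] ?? null;
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("missing field: $f");
        }
        $row[":$f"] = trim($value);
    }
    foreach (['age', 'gamelevel', 'itemlevel'] as $f) {
        if (!ctype_digit($row[":$f"])) {
            throw new InvalidArgumentException("$f must be a whole number");
        }
    }
    // Only the fixed column names are concatenated; user values travel as bound
    // parameters. ID is omitted so the database assigns it.
    $sql = 'INSERT INTO applicants (' . implode(', ', FIELDS) . ') VALUES ('
         . implode(', ', array_keys($row)) . ')';
    $db->prepare($sql)->execute($row);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE applicants (ID INTEGER PRIMARY KEY, '
        . implode(' TEXT, ', FIELDS) . ' TEXT)');

// Constructed sample submission; the apostrophes would break the concatenated query.
$sample = array_combine(FIELDS, ["Dan O'Neil", '30', 'UK', 'Danno', '85',
                                 '359', 'Mage', '2 years', "I'd like to join"]);
try {
    save_applicant($db, 'GET', []);      // what the misspelled form produces
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
$id = save_applicant($db, 'POST', $sample);
echo "stored row $id: ", $db->query('SELECT realname FROM applicants')->fetchColumn(), "\n";
```

In update.php the call would be save_applicant($pdo, $_SERVER['REQUEST_METHOD'], $_POST), with $pdo connected to the MySQL database instead of SQLite.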