Hi, I have written a script to add data to the database, but it can't add data to the "user" table, and no error message is showing. Please help me...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Adding data to the database</title>
</head>
<body>
<?php
if (isset($user_name) && isset($password) && isset($prefix) && isset($first_name)
    && isset($last_name) && isset($email) && isset($address1) && isset($address2)
    && isset($city) && isset($state) && isset($code) && isset($country) && isset($phone))
{
    $dberror="";
    $ret=add_to_database($user_name,$password,$prefix,$first_name,$last_name,$email,$address1,$address2,$city,$state,$code,$country,$phone,$dberror);
    if(!$ret)
    {
        print "Error:$dberror<br/>\n";
    }
    else
    {
        print "Thank you very much!!";
    }
}
else
{
    write_form();
}

function add_to_database($user_name,$password,$prefix,$first_name,$last_name,$email,$address1,$address2,$city,$state,$code,$country,$phone,&$dberror)
{
    $database="bluebell";
    $username="root";
    $password="";
    $connect=mysql_pconnect("localhost",$username,$password);
    if(!$connect)
    {
        $dberror="Couldn't connect to the MySql Server..";
        return false;
    }
    if(!mysql_select_db($database,$connect))
    {
        $dberror=mysql_error();
        return false;
    }
    $query="INSERT INTO user (user_name,password,prefix,first_name,last_name,email,address1,address2,city,state,code,country,phone) values ('$user_name','$password','$prefix','$first_name','$last_name','$email','$address1','$address2','$city','$state','$code','$country','$phone')";
    if(!mysql_query($query,$connect))
    {
        $dberror=mysql_error();
        return false;
    }
    return true;
}

function write_form()
{
    global $PHP_SELF;
    print "<form action=\"$PHP_SELF\" method=\"post\"> \n";
    print "<input type='text' name='user_name'>Your User Name:\n";
    print "<p><input type='password' name='password'>Your Password:</p>";
    print "<p><select name='prefix'>";
    print "<option value='Mr.'>Mr</option>";
    print "<option value='Mrs.'>mrs</option>";
    print "<option value='Dr.'>Dr</option>";
    print "</select></p>";
    print "<p><input type='text' name='first_name'>Your First Name:</p>";
    print "<p><input type='text' name='last_name'>Your Last Name:</p>";
    print "<p><input type='text' name='email'>Your Email Id:</p>";
    print "<p><input type='text' name='address1'>Your Address Line1:</p>";
    print "<p><input type='text' name='address2'>Your Address Line2:</p>";
    print "<p><input type='text' name='city'>Your City:</p>";
    print "<p><input type='text' name='state'>Your State:</p>";
    print "<p><input type='text' name='code'>Your Postal Code:</p>";
    print "<p><input type='text' name='country'>Your Country:</p>";
    print "<p><input type='text' name='phone'>Your Phone Number:</p>";
    print "<p><input type='submit' value='Submit'></p></form>";
}
?>
</body>
</html>

It is better to post the error that you see, which will help us dig out the exact problem. Secondly, the values are enclosed in single quotes; it is quite possible that the data also has single quotes, which will make the query fail, and secondly, most important, you are letting the hacker attempt SQL injection. The function you call, add_to_database, must be called after adding slashes to the existing variable values, for example

Another thing might be that super globals might be set off; then you cannot receive get/post/request fields in the form of simple variables, and you will have to call such as:

regards

I recommend you disable register globals and use the super global arrays (as Vooler has recommended) to retrieve the variables. Also, you should run mysql_real_escape_string on all data (it's better than addslashes, because it fully escapes any SQL query with a few exceptions). Here's a line for you to use if you think magic quotes might be on.

$_POST = (function_exists('get_magic_quotes_gpc') and get_magic_quotes_gpc()) ? array_map('stripslashes', $_POST) : $_POST;
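
The advice in the replies above, carried one step further as an added example that is not part of any post in this thread: the fields are read from an array standing in for $_POST, and the insert uses PDO placeholders instead of addslashes or mysql_real_escape_string (the mysql_* functions were removed in PHP 7). It assumes the pdo_sqlite extension so that it runs offline against an in-memory table; the FIELDS constant, the sample input and the password_hash step are this example's own choices.

```php
<?php
// Added example with constructed input; in-memory SQLite keeps it offline.
// The connection is passed in, so no DB credential variable inside the
// function can overwrite the submitted 'password' field.
const FIELDS = ['user_name', 'password', 'prefix', 'first_name', 'last_name',
    'email', 'address1', 'address2', 'city', 'state', 'code', 'country', 'phone'];

function add_to_database(PDO $db, array $input, &$dberror)
{
    // Take only the expected keys from the request array (no register_globals).
    $row = [];
    foreach (FIELDS as $f) {
        if (!isset($input[$f]) || !is_string($input[$f])) {
            $dberror = "Missing field: $f";
            return false;
        }
        $row[$f] = $input[$f];
    }
    // Store a hash instead of the submitted password.
    $row['password'] = password_hash($row['password'], PASSWORD_DEFAULT);

    // Placeholders keep the data out of the SQL text, so a quote in a value
    // can neither break the statement nor change its meaning.
    $sql = 'INSERT INTO user (' . implode(',', FIELDS) . ') VALUES (:'
         . implode(',:', FIELDS) . ')';
    try {
        $db->prepare($sql)->execute($row);
        return true;
    } catch (PDOException $e) {
        $dberror = $e->getMessage();
        return false;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (' . implode(' TEXT,', FIELDS) . ' TEXT)');

// Constructed stand-in for $_POST; two values contain single quotes.
$post = array_fill_keys(FIELDS, 'x');
$post['last_name'] = "O'Brien";
$post['address1'] = "12 St. John's Rd";

$err = '';
var_dump(add_to_database($db, $post, $err));
var_dump($db->query('SELECT last_name, address1 FROM user')->fetch(PDO::FETCH_NUM));
unset($post['email']);                       // simulate an incomplete form
$ok = add_to_database($db, $post, $err);
var_dump($ok, $err);
```

For MySQL, only the DSN and credentials passed to new PDO change; the function itself stays the same.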