php form is not displaying in browser, help please!

[phish]

Hi everyone, i'm a php*MySQL beginner but i'm sure (due to some testing) that i've configured everything (Installed Apache2Triad w mySQL 5.0) correctly.

I'm basically trying to test loading MySql database data (text) into my browser through a php script, so in other words i'm stuck on a tutorial

i've been running tests to see whether it had something to do with php scripts not being read correctly or at all, but it seems that when i tested with simpler scripts such as

<?php
echo "hello!"
?>
or
<?php
phpinfo();
?>
it works fine...and diplays the targeted script in the browser window.

Following is the php script configured to my user and with my password in "***"-format, connected through localhost...when (my php-file) http://localhost/jokes.php is selected, a blank screen is the result not even an error message

<?php
// If the user wants to add a joke
if (isset($addjoke)):
?>
<form action="<?php echo($PHP_SELF); ?>" method="POST">
<p>Type your joke herebr />
<textarea name="joketext" rows="10" cols="40" wrap"WRAP">
</textarea><br />
<input type="submit" name="submitjoke" value="SUBMIT" />
</p>
</form>
<?php
else:

// Connect to the database server
$dbcnx = @mysql_connect(
"localhost", "****", "********");
if (!$dbcnx) {
echo( "<P>Unable to connect to the " .
"database server at this time.</P>" );
exit();
}

// Select the jokes database
if (! @mysql_select_db("joke") ) {
echo( "<P>Unable to locate the joke " .
"database at this time.</P>" );
exit();
}

// If a joke has been submitted,
// add it to the database.
if ("SUBMIT" == $submitjoke) {
$sql = "INSERT INTO Jokes SET " .
"JokeText='$joketext', " .
"Date=CURDATE()";
if (mysql_query($sql)) {
echo("<P>Your joke has been added.</P>");
} else {
echo("<P>Error adding submitted joke: " .
mysql_error() . "</P>");
}
}

// If a joke has been deleted,
// remove it from the database.
if (isset($deletejoke)) {
$sql = "DELETE FROM Joke" .
"WHERE ID=$deletejoke";
if (mysql_query($sql)) {
echo("<P>The joke has been deleted.</P>");
} else {
echo("<P>Error deleting joke: " .
mysql_error() . "</P>");
}
}

echo("<P> Here are all the jokes " .
"in our database: </P>");

// Request the ID and text of all the jokes
$result = mysql_query(
"SELECT ID, JokeText FROM Joke");
if (!$result) {
echo("<P>Error performing query: " .
mysql_error() . "</P>");
exit();
}

// Display the text of each joke in a paragraph
// with a "Delete this Joke" link next to each.
while ( $row = mysql_fetch_array($result) ) {
$jokeid = $row["ID"];
$joketext = $row["JokeText"];
echo("<P>$joketext " .
"<A HREF='$PHP_SELF?deletejoke=$jokeid'>" .
"Delete this Joke</A></P>");
}

// When clicked, this link will load this page
// with the joke submission form displayed.
echo("<P><A HREF='$PHP_SELF?addjoke=1'>" .
"Add a Joke!</A></P>");

endif;
?>

What am i missing!? i'd be really happy to finally get to work on the actual work and not be stuck on this tut. to be stuck or not to be stuck, that's the question

[thr]

You can begin by posting in the correct forum...

[galen]

get rid of the @ in front of mysql_connect and you might get your error. For future reference put these questions in the php forum not the application design forum.

[phish]

Sorry for posting this in the wrong section, just added to the correct one.

i'm about to try the @ sign removal, atleast then i should get an error? YESSSSS

[matthijsA]

One problem I see is that the script relies on register globals being on. So for example, change:

PHP Code:

<?php
// If the user wants to add a joke
if (isset($addjoke)):
?>

to

PHP Code:

if(isset($_GET['addjoke']) {
// .... 
} 


Second, the use of $PHP_SELF. What is probably meant there is $_SERVER['PHP_SELF']. However, to use that is not save. PHP_SELF is tainted.

Furthermore,

PHP Code:

if ("SUBMIT" == $submitjoke) { 


should be

PHP Code:

if (isset($_POST['submitjoke']) { 


ok well, these are just a few things. There is much more, but I think it would be wise to read a bit more about the usage of variables, and the superglobals $_GET and $_POST, to get an understanding of all this.

Then, I strongly advise to read more about input validation of data and escaping output. This is probably just a script developed locally (with no security risks) but it doesn't harm to learn about security.