Add data to mysql database

Hi

I am having some hopefully small issue regarding saving data to mysql database

I have a form that adds data to a mysql database and it saves three of the fields to the database table but not the other 5, have gone through the coding and just can’t see what the issue is

It adds the ref and role and active/inactive field to the database but not the division, location, salary, description and added by fields

I have pasted the pastebin link below with the new.php coding in

Thank you in advance

Ian

The problem is in this line.


if ($ref == '' || $role == '' || $division = '' || $location = '' || $salary = '' ||
 $description = '' || $addedby = '' || $active = '' )

The single = sets $location to empty etc…, they should all be == (doubles)


<?php
error_reporting(-1);
ini_set('display_errors', 'On');
?>

<?php
    session_start();
    if(empty($_SESSION['loggedin']))
    {
        header('Location: http://' . $_SERVER['HTTP_HOST'] . '/sites/sgr/admin/login.php');
        exit;
    }
 
    echo 'You will only see this if you are logged in.';
    
    ?>


<?php
/* 
 NEW.PHP
 Allows user to create a new entry in the database
*/
 
 // creates the new record form
 // since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $ref, $role, $division, $location, $salary, $description, $addedby, 
$active, $error)
 {
 ?>
 
 <?php 

include ( 'includes/header.php' );

?>
<title>Admin Add Job Page</title>
</head>
 <body>
 <div id="container">
 <?php 
 // if there are any errors, display them
 if ($error != '')
 {
 echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
 }
 ?> 
 
 <form action="" method="post">
 <div>
 <strong>Ref: *</strong> <input type="text" name="ref" value="<?php echo $ref; ?>" />
 <br/><br>
 <strong>Role: *</strong> <input type="text" name="role" value="<?php echo $role; ?>" />
 <br/><br>
 <strong>Division: *</strong> <input type="text" name="division" value="<?php echo $division; ?>" />
 <br /><br>
 <strong>Location: *</strong> <input type="text" name="location" value="<?php echo $location; ?>" />
 <br /><br>
 <strong>Salary: *</strong> <input type="text" name="salary" value="<?php echo $salary; ?>" />
 <br /><br>
 <strong>Description: *</strong> <textarea name="description" value="<?php echo $description; ?>" cols="30" rows="6" /></textarea>
 <br /><br>
 <strong>Added By: *</strong> <input type="text" name="addedby" value="<?php echo $addedby; ?>" />
 <br>
 <label style="color: #FFFFFF;"><input type="radio" name="active" value="1" <?php if($active == 1) echo 'checked="checked"'; ?> > Active</label>
<br>
<label style="color: #FFFFFF;"><input type="radio" name="active" value="0" <?php if($active == 0) echo 'checked="checked"'; ?> > Inactive</label>
<br>
 <input type="submit" name="submit" value="Submit">
 </div>
 </form> 
 </div>
 </body>
 </html>
 <?php 
 }

 // connect to the database
 //include('connect-db.php');
 $con = mysqli_connect("","","","");
 
 // check if the form has been submitted. If it has, start to process the form and save it to the database
 if (isset($_POST['submit']))
 { 
 // get form data, making sure it is valid
 $id = $_POST['id'];
 $ref = mysql_real_escape_string(htmlspecialchars($_POST['ref']));
 $role = mysql_real_escape_string(htmlspecialchars($_POST['role']));
 $division = mysql_real_escape_string(htmlspecialchars($_POST['division']));
 $location = mysql_real_escape_string(htmlspecialchars($_POST['location']));
 $salary = mysql_real_escape_string(htmlspecialchars($_POST['salary']));
 $description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
 $addedby = mysql_real_escape_string(htmlspecialchars($_POST['addedby']));
 $active = (int)$_POST['active'];
 
 // check to make sure all fields are entered
 if ($ref == '' || $role == '' || $division = '' || $location = '' || $salary = '' || 
 $description = '' || $addedby = '' || $active = '' )
 {
 // generate error message
 $error = 'ERROR: Please fill in all required fields!';
 
 // if either field is blank, display the form again
 renderForm($id, $ref, $role, $division, $location, $salary, $description, $addedby, $active, $error);
 }
 else
 {
 // save the data to the database
 mysqli_query($con, "INSERT INTO jobs (ref,role,division,location,salary,description,addedby,active) VALUES('$ref','$role','$division','$location','$salary','$description','$addedby','$active')")
 or die(mysql_error());
 
 // once saved, redirect back to the view page
 header("Location: view.php"); 
 }
 }
 else
 // if the form hasn't been submitted, display the form
 {
 renderForm('','','','','','','','','','');
 }
?>

You’re mixing up functions from the mysql_* extension and the mysqli_* extension. Please be aware that the mysql_* extension is now deprecated as of the current version of PHP and will very likely be removed from the next 5.x version and will likely not be in PHP 6.x (when it eventually is released). You should migrate over to either the mysqli_* extension or to PDO. PDO is a better choice as it doesn’t tie you down so much to a particular database server software.

Once you have migrated you should use Prepared Statements to prevent SQL Injection attacks. Have a read of this article from the PHP manual, it shows how to use prepared statements with PDO and also explains the principle.
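The two fixes suggested in this thread (comparison instead of assignment in the required-field check, and a PDO prepared statement instead of escaped strings spliced into the query), combined in one added example that is not code from any poster. The helper names `validateJob` and `insertJob`, the in-memory SQLite DSN and the sample submission are assumptions made so it runs offline; the `jobs` columns are the ones from new.php.

```php
<?php
// Added example: strict required-field check, then an INSERT through a PDO prepared statement.
const FIELDS = ['ref', 'role', 'division', 'location', 'salary', 'description', 'addedby'];

/** Returns [row, errors]. Values are stored raw; apply htmlspecialchars() when echoing them. */
function validateJob(array $post): array
{
    $row = $errors = [];
    foreach (FIELDS as $f) {
        $row[$f] = trim((string)($post[$f] ?? ''));
        if ($row[$f] === '') {            // === compares; a single = would overwrite the value
            $errors[] = "$f is required";
        }
    }
    // Inactive is 0, and before PHP 8 (int)0 == '' is true, so check membership instead.
    $active = (string)($post['active'] ?? '');
    if (!in_array($active, ['0', '1'], true)) {
        $errors[] = 'active must be 0 or 1';
    }
    $row['active'] = (int)$active;
    return [$row, $errors];
}

function insertJob(PDO $pdo, array $row): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO jobs (ref, role, division, location, salary, description, addedby, active)
         VALUES (:ref, :role, :division, :location, :salary, :description, :addedby, :active)'
    );
    $stmt->execute($row);   // values are bound as parameters, never concatenated into the SQL
}

// Assumption: in-memory SQLite so the demo runs offline. For MySQL the DSN would look like
// 'mysql:host=HOST;dbname=DB;charset=utf8mb4' plus your own user name and password.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, ref TEXT, role TEXT, division TEXT,
            location TEXT, salary TEXT, description TEXT, addedby TEXT, active INTEGER)');

// Constructed sample submission standing in for $_POST; note the quote in addedby.
$post = ['ref' => 'J-001', 'role' => 'Driver', 'division' => 'Logistics',
         'location' => 'Leeds', 'salary' => '25000', 'description' => 'Local deliveries',
         'addedby' => "O'Brien", 'active' => '0'];
[$row, $errors] = validateJob($post);
if ($errors) {
    echo implode("\n", $errors), "\n";
} else {
    insertJob($pdo, $row);
    echo 'Rows stored: ', $pdo->query('SELECT COUNT(*) FROM jobs')->fetchColumn(), "\n";
}
```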