INSERT INTO an SQL Database

Hi all,

I am trying to store data entered into a form on a webpage in an SQL Database. I am using PHP to send the data to the database - The same script also handles the sending of an email to a specified person. I have included the entire script below, as I’m not sure where exactly the error is. The email is working fine and I’m not getting any error messages either on screen or on my server’s error log. But for some reason, the data is just not making its way on to the database. When I view the database, it’s still empty. I have checked all of the database details (username, password, name, host etc…) and it is all correct.

I’m hoping somebody can point me in the right direction. Here is the script (I have blanked out the database details but they are present and are correct in the actual script).


<?php

if (isset($_POST['youremail']))
{

$url = "http://ivegotkids.com/aries";
$email = $_POST['email'];
$youremail = $_POST['youremail'];
$igkmail = 'noreply@ivegotkids.com' ;
$sender = $_POST['yourname'];
$recipient = $_POST['friendname'];
$subject = 'I thought you might like this.';
$comment = $_POST['message'];
$message = "<img src='http://ivegotkids.com/wp-content/themes/thepink/images/logo.png'><br /><br />Hi <strong>". $recipient . ".</strong> Your friend <strong>" . $sender . "</strong> saw this horoscope on ivegotkids.com and thought you might find it interesting. Visit the page here: (" . $url . ") <br /><br />
<strong>". $sender ."</strong> included this message: <i>" . $comment . "</i><br /><br /><font size='1'>This is not spam. You have received this email because your friend " . $sender . " (" . $youremail . ") entered your details into our system. We may contact you again in the future with details of services we feel you may be interested in. If you do not want this then please email information@ivegotkids.com and we will remove your email address from our database.</font>";
$from = "" . $sender . " <" . $youremail . ">";
$headers = "From: " . $from . "\r\n";
$headers .= "Reply-To: ". strip_tags($_POST['youremail']) . "\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

mail($email, $subject, stripslashes($message), $headers);

echo "Thank you! Your mail has been sent.";

$con = mysql_connect('xx.xx.xx.xx','xxxxxxxx','xxxxxxxx');
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db('xxxxxxx', $con);

mysql_query("INSERT INTO emails (Name, Email) VALUES ('". $sender .", ". $youremail ."')");
mysql_query("INSERT INTO emails (Name, Email) VALUES ('". $recipient .", ". $email ."')");

mysql_close($con);


}
else
{
echo 
'
<img src="http://ivegotkids.com/wp-content/themes/thepink/images/logo.png">
<br /><br />
<span class="formtitle">Send "<span class="pagetitle">I\'ve Got Kids!: Aries"</span> to a friend by e-mail.</span>
<br />
Fill out the form below and click on submit to send this to your friend.
<br /><br />
<form method="post">
Your Name: <input type="text" name="yourname" length="40"/> <br />
Your Email: <input type="text" name="youremail" length="50"/> <br /><br>
Friend\'s Name: <input type="text" name="friendname" length="40" /><br>
Friend\'s E-Mail: <input type="text" name="email" length="50" /><br /><br />
Include a message from you:<br />
<textarea rows="4" cols="50" name="message"> </textarea><br /><br />
<input type="submit" value="Send To Friend">
</form><br /><br />
<span class="font-small">All data entered into this form will be collected and stored by ivegotkids.com (mEazy LTd.) in line with our Privacy Policy.</span>';
}

?>

I would also like to make the form safe from SQL Injection but have not succeeded. I need some pointers on how to do this.

Try putting “or die(mysql_error());” at the end of your mysql_query. Maybe your queries aren’t working properly. You can also put this:

ini_set('display_errors', 1);
ini_set('log_errors', 1);
ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
error_reporting(E_ALL);

At the top of your php page and it will print out any errors, if you are having any. Hopefully this will help you debug it.

Hi there,

Thank you for that suggestion. I managed to figure out through the errors displayed that I had forgotten to quote each value so it was taking it all as one value going into two columns. I have now fixed this.

So how about my second question on how to prevent SQL Injections? Any ideas on the best way to do this? I know it’s bad to input form data directly into a database so I want to check the form data first.

Got it covered. You can ignore the second question :)
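For the second question, an added example that is not part of the thread: the script's two INSERTs rewritten with a PDO prepared statement (the mysql_* functions used above were removed in PHP 7), with the posted values validated before they reach SQL or a mail header. The table name, columns and placeholder credentials are taken from the original script; the function names are my own.

```php
<?php
// Added example, not code from the thread: the script's two INSERTs as a
// prepared statement with the form values validated first. Assumes a table
// `emails` (Name, Email), the pdo_mysql driver, and placeholder credentials.

// Open a PDO connection that throws on failure, so a broken INSERT cannot fail
// silently the way mysql_query() did in the original script.
function connectDb(): PDO
{
    $dsn = 'mysql:host=xx.xx.xx.xx;dbname=xxxxxxx;charset=utf8mb4';
    return new PDO($dsn, 'xxxxxxxx', 'xxxxxxxx', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepares
    ]);
}

// Validate one name/email pair from $_POST. Returns null if either value is
// unusable, so nothing malformed reaches the database or a mail header.
function cleanContact(string $name, string $email): ?array
{
    $name  = trim($name);
    $email = trim($email);
    if ($name === '' || strlen($name) > 80 || preg_match('/[\r\n]/', $name)) {
        return null; // empty, oversized, or carries CR/LF (mail header injection)
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['name' => $name, 'email' => $email];
}
// Insert with bound parameters: the values travel separately from the SQL
// text, so quoting is the driver's job and a "'" in the input is stored
// literally instead of ending the string and altering the query.
function storeContact(PDO $db, array $contact): void
{
    $stmt = $db->prepare('INSERT INTO emails (Name, Email) VALUES (:name, :email)');
    $stmt->execute([':name' => $contact['name'], ':email' => $contact['email']]);
}

if (isset($_POST['youremail'])) {
    $db = connectDb();
    $pairs = [[$_POST['yourname'] ?? '', $_POST['youremail']],
              [$_POST['friendname'] ?? '', $_POST['email'] ?? '']];
    foreach ($pairs as [$n, $e]) {
        $c = cleanContact($n, $e);
        if ($c !== null) {
            storeContact($db, $c);
        }
    }
}
```

With ERRMODE_EXCEPTION a failed INSERT surfaces as a PDOException, which is what the or die(mysql_error()) suggestion above was approximating by hand.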