PHP contact form - saving data (my first one)

Greetings,

I have a php contact form where I can echo the form values to the screen
but the data won’t save to the database. I get the “empty query message”.
Here is my addcontact.php file:
Thanks for any suggestions.


<?php

// testing functions
echo 'filename : '.basename($_SERVER['SCRIPT_NAME']);
// New line
echo "<br><br>";
echo 'path : '.$_SERVER['SCRIPT_NAME'];
echo "<br><br>";
echo "<br><br>";
echo 'THANK YOU '.$firstname;
echo "<br><br>";
echo 'A new contact will be added to our database with the following information :';
echo "<br><br>";
echo 'Company : '.$company;
echo "<br><br>";
echo 'Last name : '.$lastname;
echo "<br><br>";
echo 'First name: '.$firstname;
echo "<br><br>";
echo 'Middle name: '.$middlename;
echo "<br><br>";
echo 'Email: '.$email;
echo "<br><br>";
echo 'Comments: '.$notes;

include ("db_connect.php");

mysql_query("INSERT INTO dealers (company, lastname, firstname, middlename, email, notes) VALUES ($company,$lastname,$firstname, $middlename, $email, $notes)");

if (!mysql_query($sql,$conn))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($conn);

?>

You are calling mysql_query() without passing it a SQL statement.

Change to something like this:


include 'db_connect.php';

$sql = "INSERT INTO `dealers` (`company`, `lastname`, `firstname`, `middlename`, `email`, `notes`) VALUES ({$company}, {$lastname}, {$firstname}, {$middlename}, {$email}, {$notes})";

if ( ! mysql_query($sql, $conn))
{
   die('Error: '.mysql_error());
}
else
{
   echo '<p>'.mysql_affected_rows($conn).' record(s) added.</p>';
}
mysql_close($conn);

It looks like you have register_globals enabled in your PHP configuration. You should disable it as it is very insecure.

If not already done, you should escape the variables that you are inserting e.g. with mysql_real_escape_string().

Alternatively, look into using MySQL Improved (mysqli) and bound parameters (http://www.php.net/manual/en/mysqli-stmt.bind-param.php) to prevent SQL injection.

Instead of using multiple echo statements, it would be better to use heredoc syntax instead.


mysql_query("INSERT INTO dealers 
(company, lastname, firstname, middlename, email, notes) 
VALUES ($company,$lastname,$firstname, $middlename, $email, $notes)");

When VALUES are strings you must quote them, e.g.


... VALUES (... '$email', '$notes')");

If your sql statement is double quoted, as in your case, then use single quotes to do this. (and vice versa).

Generally though it is a good idea to do something like this:



// put your query into a variable 
$sql = "INSERT INTO dealers 
(company, lastname, firstname, middlename, email, notes) 
VALUES ($company,$lastname,$firstname, $middlename, $email, $notes)";

// EDIT like hurrakan says above, pass in the connection :)
mysql_query( $sql, $connection);


This means that in order to preserve your sanity you can now do this:


// temporary line of debug which you can comment in/out
echo $sql;

Pick that output up, copy and paste it into your database directly and then you'll know a) whether your PHP is bad, b) whether your SQL statement is badly formed or not, and c) whether you are actually matching data (in the case of selects).
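As an added example (not code from the thread or from any of its posters), here is the form handler rewritten to follow the advice in the replies above: the fields are read explicitly from $_POST instead of relying on register_globals, the values go to MySQL as bound parameters through mysqli so quoting and escaping are no longer something the script has to get right, and on failure the fixed query text and the parameter values are written to the server log, which is the prepared-statement counterpart of the "echo $sql" debugging tip. The `dealers` table and its column names come from the thread; the connection credentials, the helper function names and the length limit on comments are assumptions.

```php
<?php
// Added example, not the original addcontact.php: a hardened version of the
// insert that applies the replies' advice. Assumptions: the `dealers` table and
// its six columns are as named in the thread; connection credentials and the
// helper function names are placeholders chosen for this example.
declare(strict_types=1);

// 1. register_globals is off: every form field is read explicitly from $_POST,
//    so a missing field is an empty string rather than an undefined variable.
function read_contact_fields(array $post): array
{
    $fields = ['company', 'lastname', 'firstname', 'middlename', 'email', 'notes'];
    $out = [];
    foreach ($fields as $name) {
        $out[$name] = isset($post[$name]) ? trim((string) $post[$name]) : '';
    }
    return $out;
}

// 2. Minimal validation before anything touches the database.
function validate_contact(array $c): array
{
    $errors = [];
    if ($c['lastname'] === '' || $c['firstname'] === '') {
        $errors[] = 'First and last name are required.';
    }
    if (filter_var($c['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    if (strlen($c['notes']) > 2000) {          // assumed limit for this example
        $errors[] = 'Comments are too long.';
    }
    return $errors;
}

// 3. Insert with a prepared statement. The values never become part of the SQL
//    text, so an apostrophe in a name or a quote in a comment cannot change the
//    statement, and no manual quoting or escaping is needed. Returns rows inserted.
function insert_dealer(mysqli $conn, array $c): int
{
    $sql = 'INSERT INTO dealers (company, lastname, firstname, middlename, email, notes)
            VALUES (?, ?, ?, ?, ?, ?)';
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        // The query text is constant, so logging it is safe; this replaces
        // "echo $sql" as the way to see exactly what was sent to MySQL.
        error_log('prepare failed: ' . $conn->error . ' -- SQL: ' . $sql);
        throw new RuntimeException('Could not prepare insert.');
    }
    $stmt->bind_param('ssssss', $c['company'], $c['lastname'], $c['firstname'],
                      $c['middlename'], $c['email'], $c['notes']);
    if (!$stmt->execute()) {
        // Parameter values are logged separately from the SQL text.
        error_log('execute failed: ' . $stmt->error . ' -- params: ' . json_encode($c));
        $stmt->close();
        throw new RuntimeException('Could not save contact.');
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Request handling. Connection parameters below are placeholders.
mysqli_report(MYSQLI_REPORT_OFF);
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($conn->connect_error) {
    error_log('connect failed: ' . $conn->connect_error);
    http_response_code(500);
    exit('Database unavailable.');
}
$conn->set_charset('utf8mb4');

$contact = read_contact_fields($_POST);
$errors = validate_contact($contact);
if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}

try {
    $rows = insert_dealer($conn, $contact);
    // Echoed values are HTML-escaped so markup typed into the form is shown, not rendered.
    echo '<p>THANK YOU ' . htmlspecialchars($contact['firstname'], ENT_QUOTES, 'UTF-8') . '</p>';
    echo '<p>' . $rows . ' record(s) added.</p>';
} catch (RuntimeException $e) {
    // The detailed MySQL error went to the server log; the visitor gets a generic message.
    http_response_code(500);
    echo '<p>Sorry, your contact could not be saved.</p>';
}
$conn->close();
```

The `die('Error: ' . mysql_error())` pattern from the thread is replaced by logging plus a generic message, because the raw MySQL error text reveals table and column names to whoever submitted the form. The "echo $sql then paste it into the database" check still works here: the SQL template is constant, so it can be pasted into a MySQL client with literal test values to confirm the statement itself is well formed, independent of the PHP.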