Radio Button - MYSQL

Hi All,

I’m trying to get some radio button values to insert into a database… now they are part of the group, and this is represented in the form… Everything else works fine apart from the MYSQL statement that handles the INSERT command.

The code for the HTML is shown below:


								<td><input type="radio" name="choice" value="watch"/> I want to watch</td>
							</tr>
							<tr>
								<td></td>
								<td><input type="radio" name="choice" value="work"/> I want to work</td>

Here is the PHP Script:


<?php

	// Start the session
	session_start();
	
	// Fetch the configuration file for MYSQL connection
	require_once('config.php');
	
	// Array to store errors
	$errmsg_arr = array();
	
	// Validation error flag
	$errflag = false;
	
	// Connect to mysql server
	$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
		if (!$con) {
			
			die ('Error connecting to server ' . mysql_error());
		}
	
	// Select database
	$db = mysql_select_db(DB_DATABASE);
		if(!$db) {
			die ('Cannot select database');
		}
		
	
	// Prevent SQL Injection
	function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
	// Clean the POST values from the form
	$name = clean($_POST['name']);
	$email = clean($_POST['email']);
	$option = $_POST['choice'];
	$day = clean($_POST['day']);
	$month = clean($_POST['month']);
	$year  = clean($_POST['year']);
	
	// Input validations
	if($name == '') {
		$errmsg_arr[] = 'Name is missing';
		$errflag = true;
	}
	if($email == '') {
		$errmsg_arr[] = 'E-mail address is missing';
		$errflag = true;
	}
	if($option == '') {
		$errmsg_arr[] = 'Please select watch or work';
		$errflag = true;
	}
	if($day == 'DD') {
		$errmsg_arr[] = 'Please choose a day from 1-31';
		$errflag = true;
	}
	if($month == 'MM') {
		$errmsg_arr[] = 'Please choose a month from 1-12';
		$errflag = true;
	}
	if($year == 'YYYY') {
		$errmsg_arr[] = 'Please choose a year from 1936-1994';
		$errflag = true;
	}
	
	// Check for duplicate e-mail address
	if($email != '') {
		$qry = "SELECT * FROM members WHERE email_address='$email'";
		$result = mysql_query($qry) or die ('error' . mysql_error());
		if($result) {
			if(mysql_num_rows($result) > 0) {
				$errmsg_arr[] = 'E-mail address already registered';
				$errflag = true;
			}
			@mysql_free_result($result);
		}
		else {
			die("Query Failed");
		}
	}
	
	// If there are input errors send it back to the registration form
	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: index.php");
		exit();
	}
	
		
	// Create the SQL Query
	$insrt_query = "INSERT INTO members (name, email_address, option, day, month, year) VALUES ('$name','$email','$_POST[choice]','$day','$month','$year')";
	$result_qry = mysql_query($insrt_query) or die ('Error' . mysql_error());
	
	// Create and Send an e-mail address
	
?>

I’ve got a feeling I need to perform an IF statement but unsure…

Any ideas please reply…

Thanks

     
         
// Create the SQL Query

// typo? insrt?

$insrt_query = "INSERT INTO members 
        (name, email_address, option, day, month, year) 
VALUES ('$name','$email','". $_POST['choice'] ."','$day','$month','$year')";

PHP does not expand arrays inside a double quoted string.

Use the . character to join up (concatenate) parts of the string.

Watch your quoting very carefully.

Also, inserting data into your database without filtering or escaping it will permit SQL injection attacks.

If you are missing an if clause it would be to check that the choice being sent was one of the permitted ones.


$allowed = array('work', 'watch');

if(isset($_POST['choice']) && in_array($_POST['choice'], $allowed) ) {

// go ahead and add the operation

}

As things stand you also have to handle the case where neither of the radio buttons is checked. Unless you have a pressing need, add the HTML attribute selected=selected to the most likely radio option.
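Added example, not part of the original thread: the allowlist check from the answer above combined with a prepared statement, so the radio value and the other fields never get concatenated into the SQL string. It assumes PDO; the in-memory SQLite database stands in for the MySQL connection, the helper names `validated_choice` and `insert_member` and the sample submissions are constructed, and the other fields are assumed to have passed the form's own validation.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// post; the in-memory SQLite DSN and the sample submissions are constructed.
const ALLOWED_CHOICES = ['work', 'watch'];

// Returns the submitted choice only if it is a string on the allowlist.
// Covers: no radio checked, a tampered value, and an array (choice[]=x).
function validated_choice(array $post): ?string
{
    $choice = $post['choice'] ?? null;
    $ok = is_string($choice) && in_array($choice, ALLOWED_CHOICES, true);
    return $ok ? $choice : null;
}

// Inserts one row using bound parameters; false means the choice was rejected.
function insert_member(PDO $pdo, array $post): bool
{
    $choice = validated_choice($post);
    if ($choice === null) {
        return false;
    }
    // `option` is backtick-quoted because OPTION is a reserved word in MySQL.
    $stmt = $pdo->prepare(
        'INSERT INTO members (name, email_address, `option`, day, month, year)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    return $stmt->execute([
        $post['name'], $post['email'], $choice,
        $post['day'], $post['month'], $post['year'],
    ]);
}

$pdo = new PDO('sqlite::memory:'); // stand-in; use your mysql: DSN in practice
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (name TEXT, email_address TEXT,
    `option` TEXT, day TEXT, month TEXT, year TEXT)');

$base = ['name' => "Pat O'Neil", 'email' => 'pat@example.test',
         'day' => '12', 'month' => '6', 'year' => '1980'];
$submissions = [
    'valid choice'     => $base + ['choice' => 'watch'],
    'no radio checked' => $base,
    'tampered value'   => $base + ['choice' => "watch' OR '1'='1"],
    'array value'      => $base + ['choice' => ['work']],
];
foreach ($submissions as $label => $post) {
    printf("%-17s %s\n", $label, insert_member($pdo, $post) ? 'inserted' : 'rejected');
}
$row = $pdo->query('SELECT name, `option` FROM members')->fetch(PDO::FETCH_ASSOC);
printf("stored: %s / %s\n", $row['name'], $row['option']);
```

The apostrophe in the constructed name is stored as-is because the value is bound, not spliced into the query text.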

Hey Cups,

Thanks for the advice…

Problem resolved :smiley: thanks again…