By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,302 Members | 1,812 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,302 IT Pros & Developers. It's quick & easy.

FORM METHOD=post ACTION='*.php' only sends empty spaces to mysql ?

P: n/a
Hi,
i'am running a debian sarge with the delivered apache2 mysql and php4.
The file "mitarbeiter_eingabe.php" gets the data over a html <FORM>
and send it to
"mysql_mitarbeiter_daten_hinzufuegen.php" to write it in an mysql
database.
These already worked on php3 and mysql-3 and now on php4 and mysql4 it
doesn't work. I can't found any changes between php3 and php4, mysql3
and mysql4 that explained the fact that only empty spaces are given to
the mysql database.
mitarbeiter_eingabe.php -> mysql_mitarbeiter_daten_hinzufuegen.php ->
mysql-database

if i replace a %s in mysql_mitarbeiter_daten_hinzufuegen.php with a
real value like "Armin" he write it in the mysql-database ?

What did i miss or didn't see ?
Greetings
Armin Irger
----------
mitarbeiter_eingabe.php :
----------
<? // mitarbeiter_eingabe.php
require("globals.php");
require("common.php");
GenerateHTMLHeader('Enter a new employee');
echo "<FORM METHOD=post
ACTION='mysql_mitarbeiter_daten_hinzufuegen.php'>< PRE>";
printf ("Title: <INPUT TYPE=text SIZE=35 NAME=titel
VALUE=\"%s\">
<BR>\n", ($formValues) ? $formValues["titel"] : "");
printf ("First name: <INPUT TYPE=text SIZE=35 NAME=vorname
VALUE=\"%s\">
<BR>\n", ($formValues) ? $formValues["vorname"] : "");
printf ("Last name: <INPUT TYPE=text SIZE=35 NAME=nachname
VALUE=\"%s
\">
<BR>\n", ($formValues) ? $formValues["nachname"] : "");
printf ("eMail: <INPUT TYPE=text SIZE=35 NAME=email
VALUE=\"%s\">
<BR>\n", ($formValues) ? $formValues["email"] : "");
printf ("Phone (at work): <INPUT TYPE=text SIZE=35
NAME=telefon_dienstlich
VALUE=\"%s\">
<BR>\n", ($formValues) ? $formValues["telefon_dienstlich"] :
"");
printf ("Initials: <INPUT TYPE=text SIZE=35 NAME=kürzel
VALUE=\"%s\"

<BR>\n", ($formValues) ? $formValues["kürzel"] : "");
echo "<BR><BR>";
echo "<INPUT TYPE=submit VALUE='Save'>";
echo "</PRE></FORM>";

generateHTMLFooter();


----------
mysql_mitarbeiter_daten_hinzufuegen.php :
----------

<? // mysql_mitarbeiter_daten_hinzufuegen.php
require("globals.php");
require("common.php");

$sql_query = "INSERT into $table_mit(TITEL, VORNAME, NACHNAME,
EMAIL, TELEFON_DIENSTLICH, KUERZEL)
values ('%s','%s','%s','%s','%s','%s')";
// Serververbindung testen

if (!($link=mysql_pconnect($host,$user,$passwd))) {
DisplayErrMsg(sprintf("Fehler bei Verbindungsaufbau zu Server
%s, unter Benutzer %s",$host,$user));
exit();
}

// Datenbankverbindung testen
if (!mysql_select_db($database, $link)) {
DisplayErrMsg(sprintf("Fehler bei Auswahl der Datenbank %s",
$database));
DisplayErrMsg(sprintf("Fehler: %d %s",mysql_errno($link),
mysql_error($link)));
exit();
}

// SQL Query Ausführen
if (!mysql_query(sprintf($sql_query,$titel,$vorname,$ nachname,
$email,$telefon_dienstlich,$kürzel),
$link)) {
DisplayErrMsg(sprintf("Fehler beim Ausführen der SQL-Abfrage %s",
$sql_query));
DisplayErrMsg(sprintf("Fehler: %d %s",mysql_errno($link),
mysql_error($link)));
exit();
}

GenerateHTMLHeader('Data saved sucessfully!');
generateHTMLFooter();
?>

----------
mysql.log
----------

050222 17:13:19 21 Connect active@localhost on
21 Init DB ACTIVE
21 Query INSERT into MITARBEITER(TITEL,
VORNAME, NACHNAME,
EMAIL, TELEFON_DIENSTLICH, KUERZEL)
values ('','','','','','')
Jul 17 '05 #1
Share this Question
Share on Google+
3 Replies


P: n/a
ir*********@web.de (Armin Irger) wrote in
news:e9**************************@posting.google.c om:
Hi,
i'am running a debian sarge with the delivered apache2 mysql and php4.
The file "mitarbeiter_eingabe.php" gets the data over a html <FORM>
and send it to
"mysql_mitarbeiter_daten_hinzufuegen.php" to write it in an mysql
database.
These already worked on php3 and mysql-3 and now on php4 and mysql4 it
doesn't work. I can't found any changes between php3 and php4, mysql3
and mysql4 that explained the fact that only empty spaces are given to
the mysql database.
mitarbeiter_eingabe.php -> mysql_mitarbeiter_daten_hinzufuegen.php ->
mysql-database

if i replace a %s in mysql_mitarbeiter_daten_hinzufuegen.php with a
real value like "Armin" he write it in the mysql-database ?

What did i miss or didn't see ?
Greetings
Armin Irger

<snip>

Your form variables are not properly set in the script that writes to the
database.

Check the register_globals setting in php.ini (should be ON for the way
you're doing it here) or get the variables from the $_POST system
variable.
Example:

Change:

if (!mysql_query(sprintf($sql_query,$titel,$vorname,$ nachname,
$email,$telefon_dienstlich,$kürzel),
$link)) {

To:

if( !mysql_query(sprintf($sql_query,
$_POST['titel'],
$_POST['vorname'] .... etc...
By the way, these values should be escaped here (see mysql_escape_string
function ) depending on the magic_quotes_gpc config setting.
Jul 17 '05 #2

P: n/a
.oO(Armin Irger)
i'am running a debian sarge with the delivered apache2 mysql and php4.
The file "mitarbeiter_eingabe.php" gets the data over a html <FORM>
and send it to
"mysql_mitarbeiter_daten_hinzufuegen.php" to write it in an mysql
database.
These already worked on php3 and mysql-3 and now on php4 and mysql4 it
doesn't work.


Make sure error_reporting is set to E_ALL in your php.ini, you should
receive some notices. It's most likely a register_globals issue, the
default setting changed to Off in recent PHP versions for security
reasons. Use the superglobal array $_POST (or $_GET) to access the
submitted values, so instead of $vorname use $_POST['vorname'].

11.20. Warum funktionieren meine Formulare nicht?
http://www.php-faq.de/q/q-formular-r...r-globals.html

Some other things:

* Use <?php instead of the short open tag <?, it's more portable.
* Consider to use label and fieldset elements to improve your form's
usability.
* HTML allows single quotes around attribute values, this avoids ugly
escaping of double quotes inside a double quoted string.
* Do a search on Google for 'SQL Injection', your code is vulnerable.

16.18. Wie kann ich bösartigen Code in SQL-Abfragen unterbinden?
http://www.php-faq.de/q/q-sql-injection.html

Micha
Jul 17 '05 #3

P: n/a
Michael Fesser <ne*****@gmx.net> wrote in message news:<ii********************************@4ax.com>. ..
.oO(Armin Irger)
i'am running a debian sarge with the delivered apache2 mysql and php4.
The file "mitarbeiter_eingabe.php" gets the data over a html <FORM>
and send it to
"mysql_mitarbeiter_daten_hinzufuegen.php" to write it in an mysql
database.
These already worked on php3 and mysql-3 and now on php4 and mysql4 it
doesn't work.


Make sure error_reporting is set to E_ALL in your php.ini, you should
receive some notices. It's most likely a register_globals issue, the
default setting changed to Off in recent PHP versions for security
reasons. Use the superglobal array $_POST (or $_GET) to access the
submitted values, so instead of $vorname use $_POST['vorname'].

11.20. Warum funktionieren meine Formulare nicht?
http://www.php-faq.de/q/q-formular-r...r-globals.html

Some other things:

* Use <?php instead of the short open tag <?, it's more portable.
* Consider to use label and fieldset elements to improve your form's
usability.
* HTML allows single quotes around attribute values, this avoids ugly
escaping of double quotes inside a double quoted string.
* Do a search on Google for 'SQL Injection', your code is vulnerable.

16.18. Wie kann ich bösartigen Code in SQL-Abfragen unterbinden?
http://www.php-faq.de/q/q-sql-injection.html

Micha


Thanks.
It works.

Greetings
Armin Irger
Jul 17 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.