Bytes IT Community

Help posting to guestbook

Thekid
100+
Hi, I'm using xampplite and I'm trying to make a guestbook and a form page where you can post to the guestbook with PHP & MySQL. I got the code from a website but it wasn't working, so I tinkered with it a little and it's closer but not quite right. I made a database named 'guestbook' with a table named 'visitors'. In it are the following fields:
TimeStamp
Name
Last
email
comment

Here is the code for the guestbook (guestbook.php), followed by the form page (insertguest.php) and finally the script that should add the entry to the database (add2tbl.php).

guestbook.php (which seems to work ok?)
```php
<html>
<head><title>Guest book - display the info</title>
</head>

<body bgcolor=#ffffff>

<?php
// The mysql_* functions used throughout this thread were deprecated in PHP 5.5
// and removed in PHP 7; they run only on the PHP 5 bundled with xampplite.

// The original expected register_globals to turn ?srt= and the hidden form
// fields into $srt and $offset. Read them explicitly, and accept only values
// that are safe to interpolate into ORDER BY and LIMIT: a known column name
// and a non-negative integer.
$columns = array('TimeStamp', 'Name', 'Last', 'email', 'comment');
$srt = (isset($_REQUEST['srt']) && in_array($_REQUEST['srt'], $columns, true))
    ? $_REQUEST['srt'] : 'TimeStamp';
$offset = isset($_REQUEST['offset']) ? max(0, (int) $_REQUEST['offset']) : 0;

echo '<h2>Entries from the guest book sorted by ' . $srt . '</h2>';

mysql_connect('localhost', 'root', 'passwordhere') or die('Problem connecting to DataBase');
$query = "SELECT * FROM visitors ORDER BY `$srt` LIMIT $offset,10";
$result = mysql_db_query('guestbook', $query);

if ($result) { // Print results in table
    echo "<table width=90% align=center border=1><tr>
    <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=TimeStamp\">Visit time and date</a></td>
    <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=Name\">Name</a></td>
    <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=Last\">Last Name</a></td>
    <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=email\">Email</a></td>
    <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=comment\">Comment</a></td>
    </tr>";

    while ($r = mysql_fetch_array($result)) {
        $TimeStamp = $r['TimeStamp'];
        $Name = $r['Name'];
        $Last = $r['Last'];
        $email = $r['email'];
        $comment = $r['comment'];
        // Stored values are echoed as raw HTML here: whatever a visitor typed,
        // script tags included, is rendered for every later reader unless it is
        // escaped at this point (htmlspecialchars) or encoded before storage.
        echo "<tr>
        <td>$TimeStamp</td>
        <td>$Name</td>
        <td>$Last</td>
        <td>$email</td></tr>
        <tr> <td colspan=4 bgcolor=\"#ffffa0\">$comment</td>
        </tr>";
    } // End while loop
    echo "</table>";
    mysql_free_result($result);
} // End if true
else { // Begin if false
    echo "error.";
} // end if false

$next = $offset + 10; // View next or previous entries
$prev = $offset - 10;

// Total number of rows, used to decide whether a "Next" button is needed
$res = mysql_db_query('guestbook', 'SELECT * FROM visitors');
$num = mysql_num_rows($res);

echo "<table align=center><tr>";

if ($prev >= 0) {
    echo "<form method='post'>";
    echo "<input type=hidden name=offset value=$prev>";
    echo "<input type=hidden name=srt value=$srt>";
    echo "<td align=center><input type=submit value='Previous Entries'></td>";
    echo "</form>";
}

// Strictly greater: with exactly $next rows there is nothing left to show
if ($num > $next) {
    echo "<form method='post'>";
    echo "<input type=hidden name=offset value=$next>";
    echo "<input type=hidden name=srt value=$srt>";
    echo "<td align=center><input type=submit value='Next Entries'></td>";
    echo "</form>";
}

echo "</tr></table>";
?>

</body>
</html>
```
insertguest.php (comes up as a form and will display the text from add2tbl.php)
```php
<html>
<head><title>Adding entry to guest book</title>
</head>

<body bgcolor=#ffffff>

<h1>Add an entry</h1>

<form method="post" action="add2tbl.php">
<table width=90% align=center>
<tr><td>First Name:</td><td><input type=text name='Name' size=40 maxlength=100></td></tr>
<tr><td>Last Name:</td><td><input type=text name='Last' size=40 maxlength=100></td></tr>
<tr><td>email:</td><td><input type=text name='email' size=40 maxlength=100></td></tr>
<tr><td>Your Comment:</td><td><textarea name=comment rows=4 cols=60></textarea></td></tr>
<tr><td></td><td><input type=submit></td></tr>
</table>
<!-- The field name must match the key add2tbl.php reads: $_POST keys are
     case-sensitive, so a field named 'timestamp' is never seen as 'TimeStamp'.
     A hidden field is still client-controlled (the visitor can submit any value),
     so the insert script should really take the time from the server clock. -->
<input type=hidden name='TimeStamp' <?php $dte = date("d/m/Y H:i:s"); echo "value='$dte'"; ?>><br>
</form>
</body>
</html>
```
add2tbl.php - for some reason the VALUES won't add properly. If left as is below, it works, but it adds the values as the text, i.e. TimeStamp, Name. I've tried changing them to variables like VALUES ('$TimeStamp', '$Name', '$Last', etc., but that doesn't work either. I need the VALUES to reflect the input from insertguest.php. Thank you!
```php
<?php
echo '<b><p>Thank you for your input!</p></b>';
mysql_connect('localhost', 'root', 'passwordhere') or die('Problem connecting to DataBase');
// This is the version the question is about: the VALUES list holds the literal
// strings 'TimeStamp', 'Name', ... rather than the submitted form fields, so
// every row stores the column names as its data.
$query = "INSERT INTO `guestbook`.`visitors` (`TimeStamp`, `Name`, `Last`, `email`, `comment`)
VALUES ('TimeStamp', 'Name', 'Last', 'email', 'comment')";
$result = mysql_db_query('guestbook', $query);
?>
```
Mar 26 '09 #1
5 Replies


numberwhun
Expert Mod 2.5K+
@Thekid
Hopefully one of the experts will correct me if I am wrong, but I don't think you can just reference the values as you have. When you hit submit on the form, the names as you have them above are actually values, but they are part of the $_REQUEST array. So, you can reference them with:

```php
$_REQUEST['TimeStamp']
```
I only used the TimeStamp variable above just to give you an idea of what I am talking about. Try replacing the names in the VALUES section as shown above for each one and then see if it works.

Just to rule out any questions, here is what I am talking about:

```php
<?php
echo '<b><p>Thank you for your input!</p></b>';
mysql_connect('localhost', 'root', 'passwordhere') or die('Problem connecting to DataBase');
// Inside a double-quoted string an array element with a quoted key has to be
// wrapped in braces, and each value needs quotes to be a SQL string literal.
// The submitted values still go into the SQL text unescaped; see the later replies.
$query = "INSERT INTO `guestbook`.`visitors` (`TimeStamp`, `Name`, `Last`, `email`, `comment`)
VALUES ('{$_REQUEST['TimeStamp']}', '{$_REQUEST['Name']}', '{$_REQUEST['Last']}', '{$_REQUEST['email']}', '{$_REQUEST['comment']}')";
$result = mysql_db_query('guestbook', $query);
?>
```
Regards,

Jeff
Mar 27 '09 #2

TheServant
Expert 100+
The PHP $_REQUEST variable contains the contents of $_GET, $_POST, and $_COOKIE. I suggest just using one, so more than likely for a form (and what is already there - method="post") use $_POST. $_REQUEST will work, but searching the $_GET and $_COOKIE variables is not required if all your data is in the $_POST array. Hope that made sense.
Confirming numberwhun's comment that they cannot be referenced as values like that, but need to be variables as suggested. I might also take this time to make sure that some data checking is going on. DO NOT EVER just trust user input and try to put $_POST['variable_name'] into your database without checking and cleaning it! Any input should be checked and sanitized so that SQL injection cannot happen. You should have something like:
```php
<?php
// sanitize() is left to the reader in the post; this placeholder escapes the
// value for use inside a quoted SQL string literal (needs an open connection).
function sanitize($value) {
    return mysql_real_escape_string(trim($value));
}
mysql_connect('localhost', 'root', 'passwordhere') or die('Problem connecting to DataBase');
mysql_select_db('guestbook');
$TimeStamp = sanitize($_POST['TimeStamp']);
$Name = sanitize($_POST['Last'] === null ? '' : $_POST['Name']);
$Last = sanitize($_POST['Last']);
$email = sanitize($_POST['email']);
$comment = sanitize($_POST['comment']);
// The escaped values must still be quoted inside the statement.
$result = mysql_query("INSERT INTO visitors (TimeStamp, Name, Last, email, comment) VALUES ('$TimeStamp', '$Name', '$Last', '$email', '$comment')");
?>
```
Where sanitize() is your own function. As already said, you should check the data entered in the form and reject it if it does not match what you expected it to look like (checking that number fields are numbers, that names don't have special characters, etc.).
Mar 27 '09 #3

Markus
Expert 5K+
Further reading:
Mar 27 '09 #4

Thekid
100+
Thank you guys for your replies. This is what I ended up with and it works:

```php
<?php
echo '<b><p>Thank you for your input!</p></b>';
mysql_connect('localhost', 'root', 'passwordhere') or die('Problem connecting to DataBase');
// htmlentities() encodes characters for HTML output, not for SQL. With the
// default flags of the PHP 5 in use here (ENT_COMPAT) it leaves the single
// quote untouched, so a value such as O'Brien still ends the string literal
// in the query below. See the next reply.
$TimeStamp = htmlentities($_POST['TimeStamp']);
$Name = htmlentities($_POST['Name']);
$Last = htmlentities($_POST['Last']);
$email = htmlentities($_POST['email']);
$comment = htmlentities($_POST['comment']);
$query = "INSERT INTO `guestbook`.`visitors` (`TimeStamp`, `Name`, `Last`, `email`, `comment`)
VALUES ('$TimeStamp', '$Name', '$Last', '$email', '$comment')";
$result = mysql_db_query('guestbook', $query);
?>
```
Mar 27 '09 #5

Markus
Expert 5K+
Note: you're not preventing yourself from SQL Injection here.
Mar 27 '09 #6
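TheServant's reply (validate and keep input out of the query text) and Markus's note (htmlentities() does not do that) are two sides of the same point. The block below is an added example, not code from the thread, of an insert script and a listing query written that way with PDO. It assumes the `guestbook`.`visitors` table from the question, the pdo_mysql extension, a dedicated MySQL account `guestbook_user` with a placeholder password (the thread connects as root), and a 2000-byte comment limit; `validate_entry`, `insert_entry` and `list_entries` are names chosen here.

```php
<?php
// Added example, not from the thread. Assumes the guestbook.visitors table of the
// original post; the account name and password below are placeholders.

// Why htmlentities() is not an SQL defence: before PHP 8.1 its default flags
// (ENT_COMPAT) leave the single quote alone, so htmlentities("O'Brien") is still
// "O'Brien" and still terminates a quoted SQL literal. ENT_QUOTES turns it into
// &#039;, which stores mangled data and does nothing for a value used unquoted
// or as a column name. The fix is to keep data out of the SQL text entirely.

// Validate, and reject what does not fit, instead of trying to "clean" it.
function validate_entry(array $post)
{
    $fields = array();
    foreach (array('Name', 'Last', 'email', 'comment') as $f) {
        $fields[$f] = isset($post[$f]) ? trim((string) $post[$f]) : '';
    }
    if ($fields['Name'] === '' || strlen($fields['Name']) > 100 || strlen($fields['Last']) > 100) {
        throw new InvalidArgumentException('name fields are required and limited to 100 bytes');
    }
    if ($fields['email'] !== '' && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email address is not valid');
    }
    if ($fields['comment'] === '' || strlen($fields['comment']) > 2000) {
        throw new InvalidArgumentException('comment is required and limited to 2000 bytes');
    }
    // The timestamp comes from the server clock, not from the hidden form field.
    $fields['TimeStamp'] = date('Y-m-d H:i:s');
    return $fields;
}

// Bound parameters keep the data out of the SQL text, whatever it contains.
function insert_entry(PDO $db, array $row)
{
    $stmt = $db->prepare(
        'INSERT INTO visitors (TimeStamp, Name, Last, email, comment)
         VALUES (:ts, :name, :last, :email, :comment)'
    );
    $stmt->execute(array(
        ':ts'      => $row['TimeStamp'],
        ':name'    => $row['Name'],
        ':last'    => $row['Last'],
        ':email'   => $row['email'],
        ':comment' => $row['comment'],
    ));
}

// Placeholders cannot carry identifiers, so the sort column (the ?srt= value
// in guestbook.php) is checked against a fixed list; the offset is bound as an integer.
function list_entries(PDO $db, $srt, $offset)
{
    $columns = array('TimeStamp', 'Name', 'Last', 'email', 'comment');
    if (!in_array($srt, $columns, true)) {
        $srt = 'TimeStamp';
    }
    $stmt = $db->prepare("SELECT * FROM visitors ORDER BY `$srt` LIMIT :off, 10");
    $stmt->bindValue(':off', max(0, (int) $offset), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=localhost;dbname=guestbook;charset=utf8mb4', 'guestbook_user', 'passwordhere', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares; also what lets LIMIT :off work
));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        insert_entry($db, validate_entry($_POST));
        echo '<p>Thank you for your input!</p>';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
    }
}

// Escape once, at output time, for the context the value lands in (HTML here).
$srt = isset($_GET['srt']) ? $_GET['srt'] : 'TimeStamp';
$offset = isset($_GET['offset']) ? $_GET['offset'] : 0;
foreach (list_entries($db, $srt, $offset) as $row) {
    echo '<p>' . htmlspecialchars($row['Name'] . ' ' . $row['Last'], ENT_QUOTES, 'UTF-8') . ': '
       . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```

With this split, the stored data is the text the visitor typed, and HTML encoding happens only when it is printed, so the guestbook page cannot be used to plant script for later readers and the insert cannot be used to change the query. The whitelist on the sort column matters because a prepared statement cannot parameterise an ORDER BY target, which is the one part of guestbook.php that escaping of any kind would not have protected.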
