Insert mysql from form and exteral variable

ismailctg · April 2, 2011, 5:01am

A mysql table with 8 field, which 4 value i want to take from a form and other 4 value from initializing variable. My code is here…

1st field is auto increment, all value is inserting in table except initialized variable $cat and $subcat…

[I]
<?php

$cat = "aits";
$subcat = "asdf";

if (isset($_POST[‘name’]) && isset($_POST[‘body’])) {
$ret = add_to_database();
if (!$ret) {
print “”;
} else {
print “Thank you for submission”;
}
} else {
write_form();
}

//functions
function write_form() {
$self =$_SERVER[‘PHP_SELF’];
echo <<<EOT
<form action=“$self” method=“POST”>
<table>
<tr>
<td width=“50”>Cell 1</td>
<td width=“350”><input type=“text” name=“name” style=“width:100%”/></td>
</tr>
<tr>
<td>Cell 3</td>
<td><textarea name=“body” cols=“41” rows=“5” name=“des”>
</textarea></td>
</tr>
<tr>
<td>Cell 3</td>
<td><input type=“text” name=“url” style=“width:100%”/></td>
</tr>
<tr>
<td>Cell 3</td>
<td><input type=“text” name=“email” style=“width:100%”/></td>
</tr>
</table>

</br>
<input type=“submit” style=“margin-left:200px” value=“submit”/>

</form>
EOT;
}
echo “$cat”;
echo “</br>”;
echo “$subcat”;

function add_to_database() {
$name = trim($_POST[‘name’]);
$body = trim($_POST[‘body’]);
$url = trim($_POST[‘url’]);
$email = trim($_POST[‘email’]);

echo “$cat”;
echo “</br>”;
echo “$subcat”;

	$date=date("Y-m-d");

mysql_connect("localhost","root", "mdismail") or die("Couldn't connect to server");
mysql_select_db("test");


$sql = "INSERT INTO submit VALUES (' ','$name','$body','$url','$email','$cat','$subcat','$date')";

mysql_query($sql);

mysql_close();
return true;

}
echo “$cat”;
?>[/I]

please give me a solution

Cups · April 2, 2011, 12:22pm

If you posted the entire code and you wrote it then I should tell you what you are doing is totally insecure.

If you posted the entire code and if someone else wrote that then you should both be sacked, you for buying it and them for writing it.

That said, if this WAS working before, and has suddenly stopped working this may have been caused by a little known feature of Mysql.

In Mysql 4 you were able to do this:


$sql = "INSERT INTO submit VALUES (' ','$name','$body' // etc

Which exploited a failure in Mysql’s integer handling for auto-increment fields - we were allowed to enter an empty string.

In Mysql 5, you must use either leave the field out completely


$sql = "INSERT INTO submit VALUES ( '$name','$body' // etc

OR Enter a 0.


$sql = "INSERT INTO submit VALUES (0 , '$name','$body' // etc

So it was not a bug in Mysql 5 but a bug in Mysql 4 which permitted us to make such an error.