I have been writing a script in PHP to take values from a form and store them in a MySQL table I created in the code, like this:
mysql_query("CREATE TABLE `userdetails` ( userid VARCHAR(10), field1 CHAR(33), field2 CHAR(33), field3 VARCHAR(34)");
This only executes once, as I don't have access to the site's cPanel or phpMyAdmin, just the FTP server details. I collect strings from three text boxes, and then delete the current contents.
mysql_query("DELETE FROM `userdetails` WHERE userid=$userid");
Next, I upload the strings to the MySQL server like this:
mysql_query("INSERT INTO `userdetails` (`userid`, `field1`, `field2`, `field3`) VALUES ($userid, $field1, $field2, $field3)")
With this script, I can get numbers to go on the database fine, but whenever I use a letter in the text box, it doesn't upload and the database field returns to NULL, I think.
From a little debugging, I can tell that the strings are storing the text box data fine, I can echo them and they display, with letters. It just doesn't upload. I have tried making a new table and trying again, that didn't work.
You are vulnerable to SQL injection attacks, and are building an incorrect query.
Consider:
$userid = 'foo';
produces
mysql_query("DELETE .... WHERE user=foo");
You probably don't have a field named foo in your database, so the query fails. Since you obviously lack ANY kind of error handling, you'll never see the database spit your query back out at you with the syntax error highlighted.
At bare minimum, you need
mysql_query("DELETE ... WHERE user='$userid'"); // note the quotes
and some error handling
$result = mysql_query(...) or die(mysql_error());
And you really should go read http://bobby-tables.com before someone pwns your server via your badly written scripts.