I have a form that submits user inputs to the following php script (i've excluded the lines which define the mysql info):
if (isset($_POST['ttname'])); {
$dbc = @mysql_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME) OR die('No DB connection');
$ttarray = array(1=> $_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
$_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
$_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);
$name = $_POST['ttname'];
$tt = implode(',', $ttarray);
$query = "INSERT INTO Timetable ('NAME','TIMETABLE')
VALUES ($name,$tt)";
$result = mysql_query($query,$dbc) or die('Query Failed');
}
However, whenever i try to to submit data to the form the query fails to execute.
I would be greatful to anybody who could help explain to me why this is happening.
At least something like that:
$tt = mysql_real_escape_string(implode(',', $ttarray));
$query = "INSERT INTO Timetable ('NAME','TIMETABLE') VALUES ('$name','$tt')";
1) $tt was not escaped at all
2) You've tired to insert more values than fields available. By changing $tt to '$tt' you will make number of fields the same.
You're passing 4 params to mysql_connect, AFAIK the DB must not be one of them.
resource mysql_connect ([ string $server = ini_get("mysql.default_host") [, string $username = ini_get("mysql.default_user") [, string $password = ini_get("mysql.default_password") [, bool $new_link = false [, int $client_flags = 0 ]]]]] )
At the VERY LEAST rewrite your code like this (quite verbose):
if (isset($_POST['ttname']));
{
$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASS) OR die('No DB connection');
mysql_select_db(DB_NAME);
$ttarray = array($_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
$_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
$_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);
$sanitized = array();
foreach($ttarray as $value)
{
$sanitized[] = mysql_real_escape_string($value);
}
$name = mysql_real_escape_string($_POST['ttname']);
$tt = implode(',', $sanitized);
$query = "INSERT INTO Timetable ('name','timetable') VALUES ('".$name."', '".$tt."')";
$result = mysql_query($query, $dbc) or die('Query Failed');
}
But I strongly suggest you using PDO and prepared statements in the future to prevent high-flawed queries like that. mysql_real_escape_string is a great function but it's not 100% accurate and doesn't make your queries injection-proof.