#1 Contributing User, Devshed Newbie (0 - 499 posts), joined Aug 2002, Ormond Beach, Florida, 162 posts

Help with a simple insert statement

    I've been out of coding for several years and my old scripts don't seem to work with my new hosting ISP. Any ideas where this is wrong?
    The only thing that gets entered into the db is the Date_Added variable. Error reporting says "Notice: Undefined variable: k_name in /home/content/75/7090875/html/other/leviathan/webs/locator/add_krewe.php on line 43" for the other three variables.
[php]
<?php
error_reporting(E_ALL);
if (isset($_POST['submit'])) {
    // process form
    $Date_Added = date("Y-m-d");
    $k_name = $k_name;
    echo $k_name;
    $sql = "INSERT INTO krewes (k_name, k_city, k_state, k_url, Date_Added) values('$k_name', '$k_city', '$k_state', '$k_url', '$Date_Added')";

    $result = mysql_query($sql);

    // Display successful submit
    if ($result) {
        echo "
<table align='center' width='80%'>
<tr>
<td class='body2'>
<br>
<center>
Thank you, the krewe of $k_name information has been entered into the database at $Date_Added.<br>
<a href='step4.php'><img src='next.jpg'></a>
</center>
</td>
</tr>
</table>
\n";
    }
} else {
    // display html and form
?>
<center>
<table width='550' bgcolor="4D71A6">
<tr>
<td><p align="center" class="bmain"><font size="2" face="arial" color="D6E1F6">Congratulations! Step two is complete.<br>In this step, we will enter your krewe's contact information.</font></p></td>
</tr>
<tr>
<td><p align="center"><font face="arial" size="2" color="D6E1F6"><b>NOTE: All fields are required.</b></font></p></td>
</tr>
</table>

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table border="0" width="550" bgcolor="4D71A6">
<tr>
<td width="205"><font face="arial" size="2" color="D6E1F6">krewe Name:</font></td>
<td width="263"><input type="Text" name="k_name" size="20"></td>
</tr>
<tr>
<td width="205"><font face="arial" size="2" color="D6E1F6">City:</font></td>
<td width="263"><input type="Text" name="k_city" size="20"></td>
</tr>
<tr>
<td width="205"><font face="arial" size="2" color="D6E1F6">State:</font></td>
<td width="263">
<?php
// Populate dropdown from DB
$link = mysql_connect($hostname, $username, $password) OR DIE ('Unable to connect to database! Please try again later.');
mysql_select_db($dbname);

$query = "SELECT state FROM states";
$result = mysql_query($query);
print "<SELECT name=k_state>";
// mysql_fetch_assoc() returns each row once, keyed by column name, so every
// state produces exactly one complete <OPTION> element
while ($line = mysql_fetch_assoc($result)) {
    $value = $line['state'];
    print "<OPTION value='$value'>$value</OPTION>";
}
mysql_close($link);
print "</SELECT>";
?>
</td>
</tr>
<tr>
<td width="205"><font face="arial" size="2" color="D6E1F6">Website: <font color="#FF0000">*</font></font></td>
<td width="263"><input type="Text" name="k_url" size="20"></td>
</tr>
</table>
<p align="center">
<input type="Submit" name="submit" value="Submit Information">
<input type="Reset" name="reset" value="Reset Form">
</p>
</form>
</center>
<?php
}
?>
[/php]
    Thanks for any help. I'm sure it's something simple due to lack of any coding in 7 years.
    Last edited by Scurvy; October 16th, 2012 at 10:38 PM.
#2 Banned, Devshed Newbie (0 - 499 posts), joined Oct 2012, 57 posts

    Hi,

    First of all, you should fix the PHP forum tags and delete your database authentication data (and change them on your server, of course).

    I'm also confused about the line numbers, because they don't fit the error message at all. Is there something above the code you gave us? And what is
    PHP Code:
$k_name = $k_name;
    supposed to do?

    Anyway, your old code seems to rely on the infamous register_globals "feature" that would directly inject POST, GET etc. parameters into your code (causing massive security problems). This is now obsolete and deactivated on your new host, so you have to actually pull the data from the $_POST array:
    PHP Code:
$k_name = $_POST['k_name'];
$k_city = $_POST['k_city'];
...
    Apart from that, you definitely need to work on the security of your scripts. Currently they are completely unsecured, allowing everybody to manipulate the database queries and inject any JavaScript code. See

    http://en.wikipedia.org/wiki/SQL_injection
    http://en.wikipedia.org/wiki/Cross-site_scripting

    The general rule is: Never insert any user input without escaping it first with the proper function to prevent it from being interpreted as code.

    For example, the database values must be escaped with mysql_real_escape_string(), and the HTML input must be escaped with htmlentities(). There are also more modern approaches, but that's a different story ...
#3 Contributing User, Devshed Newbie (0 - 499 posts), joined Aug 2002, Ormond Beach, Florida, 162 posts

Jacques3, first of all, thank you for the security info. I'd been changing things and adding/deleting code all night, so that extra bit with the access info was certainly not meant to stay there. Same with the k_name=k_name; that was a test in one form or another. I'll clean it up and repost it. As for your other comments, I'll do some reading. I need a refresher and needed somewhere to start.
The line numbers are right based on the full script, which includes HTML before the PHP. It's the 'Insert into....' line that is in question.
    Thanks again for the info and suggestions. Most appreciated.
#4 I haz teh codez!, Devshed Frequenter (2500 - 2999 posts), joined Dec 2003, 2,556 posts

    If this worked on your old system, it's probably because register_globals was set to true, which is a security issue and is no longer enabled in newer versions of PHP. Use the $_POST superglobal (go read the manual).

    Also go read up on SQL Injection, as you're wide open to being attacked through it. You should also be moving away from the deprecated mysql_* functions, going to mysqli or PDO; doing so, and using Prepared Statements in the process, will remove the potential SQL injection.
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
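Putting the two replies' advice together (read the fields from $_POST instead of relying on register_globals, use a prepared statement instead of string-built SQL, and escape on output), here is an added example that is not code from the thread: the OP's INSERT rewritten for modern PHP (7 or later) with PDO. It assumes an in-memory SQLite database standing in for the MySQL one so it runs offline; the table and column names are the ones from the original query.

```php
<?php
// Added example, not the thread's own code: the OP's INSERT done the way the
// replies recommend (fields read from $_POST, a PDO prepared statement, and
// htmlspecialchars() on the way back out to the browser). Assumption: an
// in-memory SQLite database stands in for MySQL so this runs offline.

function saveKrewe(PDO $db, array $post): array {
    // Read each field explicitly; nothing lands in the symbol table the way
    // register_globals used to put it there.
    $row = [
        'k_name'     => trim($post['k_name'] ?? ''),
        'k_city'     => trim($post['k_city'] ?? ''),
        'k_state'    => trim($post['k_state'] ?? ''),
        'k_url'      => trim($post['k_url'] ?? ''),
        'Date_Added' => date('Y-m-d'),
    ];
    foreach (['k_name', 'k_city', 'k_state', 'k_url'] as $field) {
        if ($row[$field] === '') {
            throw new InvalidArgumentException("$field is required");
        }
    }
    // Named placeholders keep the values out of the SQL text, so a quote in
    // the krewe name is stored as data instead of ending the string literal.
    $stmt = $db->prepare('INSERT INTO krewes (k_name, k_city, k_state, k_url, Date_Added)
                          VALUES (:k_name, :k_city, :k_state, :k_url, :Date_Added)');
    $stmt->execute($row);
    return $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE krewes (k_name TEXT, k_city TEXT, k_state TEXT, k_url TEXT, Date_Added TEXT)');

// Constructed form submission: the apostrophe would break the original
// string-built query, and the tag would run in the original unescaped echo.
$submitted = [
    'k_name'  => "Krewe of O'Malley <script>alert(1)</script>",
    'k_city'  => 'Ormond Beach',
    'k_state' => 'FL',
    'k_url'   => 'http://example.com/',
];
$saved = saveKrewe($db, $submitted);
echo 'Thank you, the krewe of ' . htmlspecialchars($saved['k_name'], ENT_QUOTES, 'UTF-8')
   . ' has been entered into the database at ' . $saved['Date_Added'] . "\n";

// Read it back with a placeholder too: the stored name matches the raw input.
$check = $db->prepare('SELECT COUNT(*) FROM krewes WHERE k_name = ?');
$check->execute([$submitted['k_name']]);
echo 'Rows matching the submitted name: ' . $check->fetchColumn() . "\n";
```

Run with `php example.php` on a build that has pdo_sqlite; the count printed is 1, and the echoed name shows the tag as literal text rather than executing it.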
#5 Banned, Devshed Newbie (0 - 499 posts), joined Oct 2012, 57 posts

    @ptr2void: Already said all that.

    Comments on this post

    • ptr2void agrees : Ugh, you're right....long day ;)
