Dev Shed PHP Development forum thread
Posts: 162
Help with a simple insert statement
I've been out of coding for several years and my old scripts don't seem to work with my new hosting ISP. Any ideas where this is wrong?
The only thing that gets entered into the db is the Date_Added variable. Error reporting says "Notice: Undefined variable: k_name in /home/content/75/7090875/html/other/leviathan/webs/locator/add_krewe.php on line 43" for the other three variables.
```php
<?php
error_reporting(E_ALL);
if (isset($_POST['submit'])) {
    // process form
    $Date_Added = date("Y-m-d");
    $k_name = $k_name;   // self-assignment: $k_name has not been set anywhere in this script
    echo $k_name;
    // $k_city, $k_state and $k_url are never assigned here either; the script
    // assumes they already exist as plain variables (see the replies about register_globals)
    $sql = "INSERT INTO krewes (k_name, k_city, k_state, k_url, Date_Added) values('$k_name', '$k_city', '$k_state', '$k_url', '$Date_Added')";
    $result = mysql_query($sql);
    // Display successful submit
    if ($result) {
        echo "
        <table align='center' width='80%'>
        <tr>
        <td class='body2'>
        <br>
        <center>
        Thank you, the krewe of $k_name information has been entered into the database at $Date_Added.<br>
        <center><a href='step4.php'><img src='next.jpg'></a>.
        </center>
        </td>
        </tr>
        </table>
        \n";
    }
} else {
    // display html and form
?>
<center>
<table width='550' bgcolor="4D71A6">
<tr>
<td><p align="center" class="bmain"><font size="2" face="arial" color="D6E1F6">Congratulations! Step two is complete.<br>In this step, we will enter your krewe's contact information.</font></p></td>
</tr>
<tr>
<td>
<p align="center"><font face="arial" size="2" color="D6E1F6"><b>NOTE: All fields are required.</b></font></p>
</td>
</tr>
</table>
```
Posts: 57
Hi,
First of all, you should fix the PHP forum tags and delete your database authentication data (and change them on your server, of course).
I'm also confused about the line numbers, because they don't fit the error message at all. Is there something above the code you gave us? And what is

```php
$k_name = $k_name;
```

supposed to do?
Anyway, your old code seems to rely on the infamous register_globals "feature" that would directly inject POST, GET etc. parameters into your code (causing massive security problems). This is now obsolete and deactivated on your new host, so you have to actually pull the data from the $_POST array:
Apart from that, you definitely need to work on the security of your scripts. Currently they are completely unsecured, allowing everybody to manipulate the database queries and inject any JavaScript code. See
The general rule is: Never insert any user input without escaping it first with the proper function to prevent it from being interpreted as code.
For example, the database values must be escaped with mysql_real_escape_string(), and the HTML input must be escaped with htmlentities(). There are also more modern approaches, but that's a different story ...
Posts: 162
Jacques3, first of all, thank you for the security info. I'd been changing things and adding/deleting code all night, so that extra bit with the access info was certainly not meant to stay there. Same with the k_name=k_name; that was a test in one form or another. I'll clean it up and repost it. As for your other comments, I'll do some reading. I need a refresher and needed somewhere to start.
The line numbers are right based on the full script that includes html before the php. It's the 'Insert into....' that is the line in question.
Thanks again for the info and suggestions. Most appreciated.
Posts: 2,476
If this worked on your old system, it's probably because register_globals was set to true, which is a security issue and is no longer enabled in newer versions of PHP. Use the $_POST superglobal (go read the manual).
Also go read up on SQL Injection, as you're wide open to being attacked through it. You should also be moving away from the deprecated mysql_* functions, going to mysqli or PDO; doing so, and using Prepared Statements in the process, will remove the potential SQL injection.
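The two replies above make the same three points: pull the fields from $_POST explicitly instead of relying on register_globals, never build the query from raw input, and escape what you echo back. The script below is an added example, not the original poster's code or anything from the thread, that rewrites the INSERT with PDO and a prepared statement, validates the four fields, escapes the "thank you" output, and runs the string-built version beside it with a constructed payload to show what the unsafe form lets through. The table and column names (krewes, k_name, k_city, k_state, k_url, Date_Added) come from the thread; the admins table, its row, the payload and the SQLite in-memory database are assumptions made so the demo runs offline. The URL and state checks are illustrative rules, not something the thread specified.

```php
<?php
// Added example (not the original poster's script). Uses SQLite in memory so it
// runs offline; for the poster's MySQL host the DSN would be something like
// 'mysql:host=localhost;dbname=locator;charset=utf8mb4' (assumed names).
// The "admins" table, its row and the payload are constructed for the demo.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE krewes (id INTEGER PRIMARY KEY, k_name TEXT, k_city TEXT,
                k_state TEXT, k_url TEXT, Date_Added TEXT)');
    // A second table standing in for anything else the web user can read.
    $pdo->exec('CREATE TABLE admins (login TEXT, pw_hash TEXT)');
    $pdo->exec("INSERT INTO admins VALUES ('admin', 'constructed-demo-hash')");
    return $pdo;
}

// The thread's original pattern: values interpolated straight into the SQL text.
function insertUnsafe(PDO $pdo, array $in): void
{
    $today = date('Y-m-d');
    $sql = "INSERT INTO krewes (k_name, k_city, k_state, k_url, Date_Added)
            VALUES ('{$in['k_name']}', '{$in['k_city']}', '{$in['k_state']}', '{$in['k_url']}', '$today')";
    $pdo->exec($sql);
}

// Hardened: read each field explicitly from the request array (no register_globals),
// validate it, and let the driver bind the values so they can never become SQL.
function insertSafe(PDO $pdo, array $post): int
{
    $row = [];
    foreach (['k_name', 'k_city', 'k_state', 'k_url'] as $f) {
        $v = isset($post[$f]) ? trim((string) $post[$f]) : '';
        if ($v === '' || strlen($v) > 255) {
            throw new InvalidArgumentException("$f is required (max 255 chars)");
        }
        $row[$f] = $v;
    }
    if (!preg_match('/^[A-Z]{2}$/', $row['k_state'])) {          // assumed rule: two-letter state code
        throw new InvalidArgumentException('k_state must be a two-letter code');
    }
    if (filter_var($row['k_url'], FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($row['k_url'], PHP_URL_SCHEME), ['http', 'https'], true)) {
        throw new InvalidArgumentException('k_url must be an http(s) URL');
    }
    $stmt = $pdo->prepare('INSERT INTO krewes (k_name, k_city, k_state, k_url, Date_Added)
                           VALUES (:name, :city, :state, :url, :added)');
    $stmt->execute([
        ':name'  => $row['k_name'],  ':city' => $row['k_city'], ':state' => $row['k_state'],
        ':url'   => $row['k_url'],   ':added' => date('Y-m-d'),
    ]);
    return (int) $pdo->lastInsertId();
}

// Output side: the original page echoed $k_name raw inside HTML, so a name
// containing <script> would run in every visitor's browser. Escape at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function thankYouHtml(string $name, string $added): string
{
    return 'Thank you, the krewe of ' . h($name)
         . ' information has been entered into the database at ' . h($added) . '.';
}

// Constructed payload: closes the k_name quote, supplies its own five values
// (one of them a subquery against another table) and comments out the rest.
$payload = [
    'k_name'  => "x', (SELECT pw_hash FROM admins LIMIT 1), 'LA', 'http://attacker.example', '1970-01-01')-- ",
    'k_city'  => 'New Orleans',
    'k_state' => 'LA',
    'k_url'   => 'http://example.com/krewe',
];

$pdo = connect();
insertUnsafe($pdo, $payload);
$row = $pdo->query('SELECT k_city, Date_Added FROM krewes')->fetch(PDO::FETCH_ASSOC);
printf("unsafe: k_city=%s Date_Added=%s\n", $row['k_city'], $row['Date_Added']);
// the admin hash lands in k_city and the attacker picked the date

$pdo = connect();
insertSafe($pdo, $payload);
$row = $pdo->query('SELECT k_name, k_city FROM krewes')->fetch(PDO::FETCH_ASSOC);
printf("safe:   k_name stored literally (%d chars), k_city=%s\n", strlen($row['k_name']), $row['k_city']);

echo thankYouHtml('Rex <script>alert(1)</script>', date('Y-m-d')), "\n";
// the tag is rendered as text, not executed
```

Run it with `php add_krewe_demo.php`. Two details worth keeping in mind when porting this to the poster's setup: with the MySQL driver, set PDO::ATTR_EMULATE_PREPARES to false so binding happens server-side, and keep the validation rules (state code, URL scheme) in the script rather than in JavaScript on the form, because the form is not the only thing that can POST to add_krewe.php.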