-1

I am trying to submit some data to my MySQL database, however nothing is appearing. Could someone help me figure out what I am doing wrong?

PHP File after Submitting Form:

$db_name="database";
$tbl_name="messages";

session_start();
$from= $_SESSION['username'];


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// get data that sent from form 
$to=$_POST['to'];
$subject=$_POST['subject'];
$message=$_POST['message'];
$date = date('m/d/Y');

$sql="INSERT INTO $tbl_name(to, from, message, subject, date,read)VALUES('$to', '$from',                  $message', '$subject', '$date',0)";
$result=mysql_query($sql); 

Note: Server is working. Database Name: database Table Name: messages

user3496349

2 Answers

2

to and from are reserved words which must be wrapped in backticks.

(`to`, `from`, message, subject, date,read)

It's best to not choose those words if at all possible.

Plus, a missing quote in $message' change to '$message'

('$to', '$from', '$message', '$subject', '$date',0)

Also remove the quotes in:

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

to:

mysql_connect($host, $username, $password)or die("cannot connect"); 
mysql_select_db($db_name)or die("cannot select DB");

Using error reporting.

Plus, your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO


Footnotes:

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.


Passwords

I also noticed that you are storing passwords in plain text. This is not recommended.

Use one of the following:

Other links:

Funk Forty Niner
  • 1
    so...many...corrections :) Take all the suggestions in this user3496349. You need to read up more on PHP+MySQL security practices. – Devon Apr 09 '14 at 02:47
  • 1
    I keep these extra notes handy for such an occasion @Devon It saves from retyping it all over again; there are so many who use plain text passwords, it's mind-boggling. – Funk Forty Niner Apr 09 '14 at 02:49
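
The prepared-statement approach recommended in the answer above, as an added example that is not part of the original question or answers. The in-memory SQLite DSN, the `saveMessage` helper, the table definition and the sample input are assumptions made so the block runs without a server.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: an in-memory SQLite database through PDO, so this runs without a
// server. For MySQL only the DSN and credentials passed to new PDO() change.
$db = new PDO('sqlite::memory:');
// Raise exceptions on SQL errors instead of failing silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema matching the column list in the question.
$db->exec('CREATE TABLE messages (
    `to` TEXT, `from` TEXT, message TEXT, subject TEXT, `date` TEXT, `read` INTEGER
)');

// Hypothetical helper: values travel as bound parameters, so quotes in user
// input can neither break the statement nor change its structure.
function saveMessage(PDO $db, string $from, array $post): int
{
    // Reject missing or non-string fields (for example message[]=x arrays).
    foreach (['to', 'subject', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
    }
    // Column names are fixed literals; backticks avoid reserved-word clashes.
    $stmt = $db->prepare(
        'INSERT INTO messages (`to`, `from`, message, subject, `date`, `read`)
         VALUES (:to, :from, :message, :subject, :date, 0)'
    );
    $stmt->execute([
        ':to'      => $post['to'],
        ':from'    => $from,
        ':message' => $post['message'],
        ':subject' => $post['subject'],
        ':date'    => date('m/d/Y'),
    ]);
    return (int) $db->lastInsertId();
}

// Constructed input standing in for $_POST and $_SESSION['username'].
$post = ['to' => 'bob', 'subject' => "it's here", 'message' => "x', 'y'); -- "];
$id = saveMessage($db, 'alice', $post);

// The stored text must equal the input byte for byte.
$row = $db->query('SELECT message, subject FROM messages')->fetch(PDO::FETCH_ASSOC);
if ($row['message'] !== $post['message'] || $row['subject'] !== $post['subject']) {
    throw new RuntimeException('stored values differ from input');
}
echo "row $id stored with quotes intact\n";
```

On MySQL, use a DSN of the form `mysql:host=...;dbname=...;charset=utf8mb4` and set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared on the server.
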
0

echoing your query by adding this:

$sql="INSERT INTO $tbl_name(to, from, message, subject, date,read)VALUES('$to', '$from',                  $message', '$subject', '$date',0)";
die($sql);

gives me this:

INSERT INTO messages(to, from, message, subject, date,read)VALUES('', '', ', '', '04/08/2014',0)

there's a quote missing there from 'message'... change this line:

$sql="INSERT INTO $tbl_name(to, from, message, subject, date,read)VALUES('$to', '$from',                  '$message', '$subject', '$date',0)";
patrick
  • Thanks. Also, why is that from colored blue? Does this have a reference to a command in mysql? Communicating with my other databases works fine, however I don't use the word "to" or "from" – user3496349 Apr 09 '14 at 02:38
  • They're reserved words. SO must do something to that, I didn't make it blue... Also, filter your code before you use it at least ($subject=filter_input(INPUT_POST,"subject",FILTER_SANITIZE_STRING)) to prevent code from being inserted in your MySQL DB (as per @Fred's remark). The code you have there is highly vulnerable to infections! – patrick Apr 09 '14 at 02:41
  • Most definitely! Since I'm running on a local WAMP server it shouldn't be a problem but when posting live I definitely will need to revise my communications and prevent sql injections. – user3496349 Apr 09 '14 at 02:47