0

The form submits correctly and it sends me an email. No error is reported and the SQL it creates works fine, I tested it at phpMyAdmin. mysql_error() raises nothing, it just doesn't add a row. Can anyone see what's going on?

<?PHP 

$to = "[email protected]";
$subject = "New Lead"; 
$date = date ("l, F jS, Y"); 
$time = date ("h:i A");
$mysql = mysql_connect("db.perfora.net:3306","db","password");

if(!$mysql)
{
    die("Could Not Connect: ".mysql_error());
}

mysql_select_db("db",$mysql);



if ($_SERVER['REQUEST_METHOD'] == "POST") { 
    $name = $_POST['firstname']." ".$_POST['lastname'];
    $email = $_POST['email'];
    $phone = "(".$_POST['areacode'].") ".$_POST['firstthree']."-".$_POST['lastfour'];
    $area = $_POST['area'];
    $lookdate = $_POST['lmm']."/".$_POST['ldd']."/".$_POST['lyyyy'];
    $lookdatedb = date("{$_POST['lmm']}.{$_POST['ldd']}.{$_POST['lyyyy']}");
    $movedate = $_POST['mmm']."/".$_POST['mdd']."/".$_POST['myyyy'];
    $movedatedb = date("{$_POST['mmm']}.{$_POST['mdd']}.{$_POST['myyyy']}");
    $loft = $_POST['loft'] ? "loft" : "";
    $highrise = $_POST['highrise'] ? "highrise" : "";
    $traditional = $_POST['traditional'] ? "traditional" : "";
    $price = $_POST['price'];
    $comments = $_POST['comments'];

$sql = "INSERT INTO Leads 
            (Name, Email, Phone, Area, LookDate, MoveDate, Loft, HighRise, Traditional, Price, Comments) 
            VALUES 
            ('$name', '$email', '$phone', '$area', '$lookdatedb', '$movedatedb', '{$_POST['loft']}', '{$_POST['highrise']}', '{$_POST['traditional']}', '$price', '$comments')";

if (mysql_query($sql,$con))
{
  echo "Row added.";
}
else
{
  echo "Error adding row: " . mysql_error();
  echo("\n\n".$sql);
}


$msg = "
    New Lead Submitted On $date at $time.\n\n

    Name: $name\n
    Email: $email\n
    Phone: $phone\n
    Area: $area\n
    Look Date: $lookdate\n
    Move Date: $movedate\n
    Type: $loft $highrise $traditional \n
    Price: $price\n
    Comments: $comments\n


";  

}
mysql_close($mysql);
mail($to, $subject, $msg, "From:$email"); 
if ($forward == 1) { 
    header ("Location:$location"); 
} 
else { 
    echo "Thank you for submitting our form. We will get back to you as soon as possible."; 
} 

?>

Response:

Thank you for submitting our form. We will get back to you as soon as possible.

Generated SQL:

INSERT INTO Leads (Name, Email, Phone, Area, LookDate, MoveDate, Loft, HighRise, Traditional, Price, Comments) VALUES ('work work', '[email protected]', '(214) 131-4131', 'dallas', '02.18.2010', '02.25.2010', '', '1', '1', '$333333333333333333', '33fdsdfsdfsd')

Database Structure:

http://imgur.com/iQHRk.jpg

7
  • 3
    You could at least state some question (just in order to be polite). Commented Feb 4, 2010 at 2:00
  • Man ... Using THAT many embedded variables in strings is really annoying, and probably bound to cause errors in the future. Commented Feb 4, 2010 at 2:03
  • Where is $forward defined at, besides the if ($forward == 1)? Am I blind? Commented Feb 4, 2010 at 2:04
  • @Anthony Forloney: No you are not, it is not defined, but it is not part of the problem. Commented Feb 4, 2010 at 2:07
  • 1
    You, my friend, are asking for SQL injection. Commented Feb 4, 2010 at 2:14

3 Answers

2

Let's see, your DB connection handle is obviously referenced by $mysql, but you've done this:

if (mysql_query($sql,$con))

Your DB handler is wrong.


0
mysql_query($sql,$con);

should return something; why don't you take a look at that?

i.e.

$result = mysql_query('SELECT * WHERE 1=1');
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

It's a best practice to check for errors when you can.

Also to be noted, you are not escaping any of the user input, so your code is vulnerable to SQL injections. Please use mysql_real_escape_string.

5 Comments

I did that, I have the wrong code up. mysql_error() raises no error, it just says: "Invalid query: ".
@unknown (google): So maybe your query is wrong? it just says, come on this is your problem. What does print_r($sql) give you? And please put this into your question.
Output the SQL with echo or var_dump and try it in phpMyAdmin or the mysql query tool.
I tried the sql using echo and it worked fine and inserted a row in phpMyAdmin, but from my form it does nothing and mysql_error() raises nothing.
Please add to your question the DESC of your table + an example of the outputted SQL.
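
The points raised above (one connection handle, checked errors, no user input pasted into the SQL string), as an added example that is not part of the original thread. It uses PDO prepared statements rather than the mysql_* functions and mysql_real_escape_string suggested in the answer (the mysql_* extension was removed in PHP 7); the in-memory SQLite database, the reduced column list, the insertLead() helper and the sample input are assumptions made so it runs stand-alone.

```php
<?php
// Assumption: in-memory SQLite stands in for the MySQL server so this runs offline;
// against MySQL only the DSN changes ('mysql:host=...;dbname=...').
$pdo = new PDO('sqlite::memory:');
// Throw an exception on any SQL failure instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: a subset of the question's columns (the real table is only linked as an image).
$pdo->exec('CREATE TABLE Leads (Name TEXT, Email TEXT, Area TEXT, Price TEXT, Comments TEXT)');

// Constructed sample input standing in for $_POST. The apostrophes and the "'); --"
// fragment would terminate the string literal early in the concatenated query.
$post = [
    'firstname' => 'Pat',
    'lastname'  => "O'Neil",
    'email'     => 'pat@example.com',
    'area'      => 'dallas',
    'price'     => '$1200',
    'comments'  => "can't do weekdays'); --",
];

function insertLead(PDO $pdo, array $post): int
{
    // Placeholders keep the values out of the SQL text; they are bound as data, not SQL syntax.
    $stmt = $pdo->prepare(
        'INSERT INTO Leads (Name, Email, Area, Price, Comments)
         VALUES (:name, :email, :area, :price, :comments)'
    );
    $stmt->execute([
        ':name'     => $post['firstname'] . ' ' . $post['lastname'],
        ':email'    => $post['email'],
        ':area'     => $post['area'],
        ':price'    => $post['price'],
        ':comments' => $post['comments'],
    ]);
    return $stmt->rowCount(); // rows actually written, so "no row added" is visible
}

try {
    echo 'Rows added: ', insertLead($pdo, $post), "\n";
    // The quoted text is stored verbatim as data and the table is intact.
    foreach ($pdo->query('SELECT Name, Comments FROM Leads') as $row) {
        echo $row['Name'], ' | ', $row['Comments'], "\n";
    }
} catch (PDOException $e) {
    // Log the detail server-side; do not echo the SQL or driver error to the visitor.
    error_log('Lead insert failed: ' . $e->getMessage());
    echo "Sorry, we could not save your request.\n";
}
```
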
0

Take the POST variable into another variable and then pass it to the insert query; I think it will work like this:

$sql = "INSERT INTO Leads (Name, Email, Phone, Area, LookDate, MoveDate, Loft, HighRise, Traditional, Price, Comments) VALUES ('$name', '$email', '$phone', '$area', '$lookdatedb', '$movedatedb', '$loft', '$highrise', '$traditional', '$price', '$comments')";

mysql_query($sql);
