管理面板：PHP表单不会将数据发送到MySQL

Question

I have a simple code to add banners from admin panel to the index of the site. But the add function doesnt work correctly here is the form to add banner

                            <h2>Add Banner</h2>                            
<?php include ("../engine/config/config.php"); ?>
                                <form method="post" action="">
        Clicks
        <input type="text" name="click" value="0" style="width: 200px;" /> <div class="hr"></div>        
        Impressions
        <input type="text" name="imp" value="0" style="width: 200px;" /> <div class="hr"></div>                     
        LINK
        <input type="text" name="url" value="http://" style="width: 200px;" /> <div class="hr"></div>
        Size
      <select name="razmer">
<option value='468x60'>468x60</option>
<option value='88x31'>88x31</option>
</select>
<div class="hr"></div>
        Banner<br />
        <input type="text" name="picurl" value="http://" style="width: 200px;" /><div class="hr"></div>
        <input type="submit" name="submit" value="Submit"> <br  />
        </form>

<?
if($_POST['submit']) {
$click = $_POST['click'];
$imp = $_POST['imp'];
$url = $_POST['url'];
$razmer = $_POST['razmer'];
$picurl = $_POST['picurl'];
    $sql = "INSERT INTO `banneradd` (click, imp, url, razmer, picurl, username) VALUES ('$click', '$imp', '$url', '$razmer', '$picurl', '')";
    $result = mysql_query($sql);
    echo "<div class='hr'>The Banner has been added, please go back to the index: <a href='view_reklama.php'> Index </a></div>";
    }
    ?>

So it say it was added but when I go back ITS NOT. There is no error or anything, can someone help? Thanks in advance :)

Answer 1

Okay, there are way too many things wrong with your code, so if you're learning from a particular site or person... find a different source.

1. Don't open PHP with <? . This is the shorthand style. It is disabled on many if not most web servers, and for good reason -- because XML introduces its encoding using the same opening <? and it causes conflict. Always open your PHP with <?php . http://www.php.net/manual/en/ini.core.php#ini.short-open-tag

2. Don't use if($_POST['submit']) , use if (isset($_POST['submit'])) . Your current script should generate an error, but it's probably being masked because PHP defaults to not showing very many errors. It does trigger a warning, though, because you're checking if the variable (or rather array value) $_POST['submit'] is equal to true . In fact, that variable is undefined. Use isset() to check if a variable exists. http://php.net/manual/en/function.isset.php

3. Sanitize your user's input. If somebody typed a ' into any of your fields, your query would break. Why? Because in your query, you're placing your stringed values in single quotes, and any instance of another single quotation mark would break out of that. There is such a thing as magic quotes in PHP (which automatically escapes POST values), but it's absolutely awful, so please disable it. http://php.net/manual/en/security.magicquotes.php The best way to escape user input is with real escape functions (more on that later).

4. mysql_ functions are deprecated. Use PDO or MySQLi. If you're getting used to the mysql_ functions, it is easier to transition to MySQLi. For simplicity, I'll use the procedural style, but it's much better to go with the OOP style....

5. If you want to debug MySQL commands with PHP, you should format your queries carefully, print the error, and also print the computed query, because sometimes you need to look at the actual resulted query in order to see what is wrong with it.

That said, here's what I suggest:

<?php
error_reporting(E_ALL);
    // Turn on all error reporting. Honestly, do this every time you write a script,
    // or, better yet, change the PHP configuration.

$connection = mysqli_connect('host', 'username', 'password', 'database');
    // Somewhere in your config file, I assume you're calling mysql_connect.
    // This is a pretty similar syntax, although you won't need mysql_select_db.

if (isset($_POST['submit'])) {
    $click = mysqli_real_escape_string($connection, $_POST['click']);
        // This will escape the contents of $_POST['click'], e.g.
        // if the user inputted: Hello, 'world'! then this will produce:
        // Hello, \'world\'!
    $imp = mysqli_real_escape_string($connection, $_POST['imp']);
    $url = mysqli_real_escape_string($connection, $_POST['url']);
    $razmer = mysqli_real_escape_string($connection, $_POST['razmer']);
    $picurl = mysqli_real_escape_string($connection, $_POST['picurl']);

    $query = "
INSERT INTO `banneradd` (
    `click`,
    `imp`,
    `url`,
    `razmer`,
    `picurl`,
    `username`
)
VALUES
    (
        '$click',
        '$imp',
        '$url',
        '$razmer',
        '$picurl',
        ''
    );
";
    // Format your query nicely on multiple lines. MySQL will tell you what line
    // the error occurred on, but it's not helpful if everything's on the same line.
    $result = mysqli_query($connection, $query);
    $error = mysqli_error($connection);
    if ($error) {
        echo "A MySQL error occurred: $error<br>";
        echo "<pre>$query</pre>";
            // If an error occurred, print the error and the original query
            // so you can have a good look at it.
        die;
            // Stop executing the PHP.
    }

    echo '<div class="hr">The Banner has been added, please go back to the index: <a href="view_reklama.php"> Index </a></div>';
}
?>

See if that helps. Chances are, the MySQL error will be helpful with diagnosing the problem. You might have just misspelled a column name or table name.