Re: FORM METHOD=post ACTION='*.php' only sends empty spaces to mysql ?

From: Ehtor (nomail_at_nomail.com)
Date: 02/22/05 

Date: Tue, 22 Feb 2005 16:39:11 GMT

irger.armin@web.de (Armin Irger) wrote in
news:e9a6097d.0502220826.4eabd3a7@posting.google.com:

> Hi,
> i'am running a debian sarge with the delivered apache2 mysql and php4.
> The file "mitarbeiter_eingabe.php" gets the data over a html <FORM>
> and send it to
> "mysql_mitarbeiter_daten_hinzufuegen.php" to write it in an mysql
> database.
> These already worked on php3 and mysql-3 and now on php4 and mysql4 it
> doesn't work. I can't found any changes between php3 and php4, mysql3
> and mysql4 that explained the fact that only empty spaces are given to
> the mysql database.
>
>
> mitarbeiter_eingabe.php -> mysql_mitarbeiter_daten_hinzufuegen.php ->
> mysql-database
>
> if i replace a %s in mysql_mitarbeiter_daten_hinzufuegen.php with a
> real value like "Armin" he write it in the mysql-database ?
>
> What did i miss or didn't see ?
>
>
> Greetings
> Armin Irger
>
> <snip>

Your form variables are not properly set in the script that writes to the
database.

Check the register_globals setting in php.ini (should be ON for the way
you're doing it here) or get the variables from the $_POST system
variable.

Example:

Change:

if (!mysql_query(sprintf($sql_query,$titel,$vorname,$nachname,
                         $email,$telefon_dienstlich,$kürzel),
                         $link)) {

To:

if( !mysql_query(sprintf($sql_query,
                                                $_POST['titel'],
                                                $_POST['vorname'] .... etc...

By the way, these values should be escaped here (see mysql_escape_string
function ) depending on the magic_quotes_gpc config setting.