
Thread: PHP Form Isn't Inserting into Database

  #1 keelerz

    I have written this PHP script but it is not working. I also do not know how to record the date and time of the form's submission. Any ideas? I have to insert the date & time into the 'signups' table with the attribute name 'reg_submit_date'.

    Code:
    <?php
    
    $host="localhost"; // Host name
    $username="******"; // Mysql username
    $password="******"; // Mysql password
    $db_name="database_test"; // Database name
    $tbl_name="signups"; // Table name
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // Get values from form
    $firstname=$_POST['firstname'];
    $lastname=$_POST['lastname'];
    $total_payable=$_POST['total_payable'];
    
    // Insert data into mysql
    $sql="INSERT INTO $tbl_name(firstname, lastname, total_payable)VALUES('$firstname', '$lastname', '$total_payable')";
    $result=mysql_query($sql);
    
    // If the insert succeeded, display "Successful"; otherwise report an error.
    if($result){
    echo "Successful!";
    echo "<BR>";
    }
    
    else {
    echo "Error occurred";
    }
    
    // close connection
    mysql_close();
    ?>
    Last edited by djr33; 04-29-2011 at 06:51 AM. Reason: removed passwords

  #2 traq

    Don't post usernames/passwords in your code; replace them with **** for your own security.

    Some notes included:
    PHP Code:
    <?php

    $host="********"; // Host name
    $username="********"; // Mysql username
    $password="********"; // Mysql password
    $db_name="database_test"; // Database name
    $tbl_name="signups"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    //  THIS IS VERY UNSAFE!!
    /*
    // Get values from form
    $firstname=$_POST['firstname'];
    $lastname=$_POST['lastname'];
    $total_payable=$_POST['total_payable'];
    */
    //  ALWAYS SANITIZE USER-SUBMITTED DATA BEFORE INSERTING IT INTO YOUR DATABASE!
    //  You might want to actually validate the submitted data
    //  (make sure it _is_ the data you want, is correctly formatted, etc.),
    //  but at the very least, you need to make sure you are not injecting malicious code.

    // Get values from form and sanitize for database insertion
    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname = mysql_real_escape_string($_POST['lastname']);
    $total_payable = mysql_real_escape_string($_POST['total_payable']);

    // note time of submission
    $reg_submit_date = time();
    // (this creates a Unix Timestamp.
    //  it's the quickest, most reliable way to store the time of submission,
    //  but will need to be formatted (e.g., using the date() function)
    //  to be made human-readable.)

    // Insert data into mysql
    //  It's good practice to `backtick` your mysql table and column names
    //  no, `backticks` are _not_ 'quotes'
    $sql="INSERT INTO `$tbl_name`(`firstname`, `lastname`, `total_payable`, `reg_submit_date`)VALUES('$firstname', '$lastname', '$total_payable', '$reg_submit_date')";
    $result=mysql_query($sql);

    // If the insert succeeded, display "Successful"; otherwise report an error.
    if($result){
    echo "Successful!";
    echo "<BR>";
    }

    else {
    echo "Error occurred";
    }

    // close connection
    mysql_close();
    ?>
    Last edited by traq; 04-29-2011 at 01:41 AM.
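An added example, not part of the thread: the same insert done with a PDO prepared statement, which is the approach that replaced mysql_real_escape_string once the mysql_* extension was removed in PHP 7. It also shows what the original script actually sends to the server when a field carries a quote. It runs against an in-memory SQLite database so no MySQL server is needed; the table and column names follow the original post, and the form input is constructed for the demonstration.

```php
<?php
// Added example: parameterised insert beside the string-built SQL from the thread.
// Uses SQLite in memory (pdo_sqlite) so it runs stand-alone; change the DSN to
// 'mysql:host=localhost;dbname=database_test' (plus user/password) to hit the real table.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE signups (
    id INTEGER PRIMARY KEY,
    firstname TEXT NOT NULL,
    lastname TEXT NOT NULL,
    total_payable TEXT NOT NULL,
    reg_submit_date INTEGER NOT NULL
)');

// Constructed "form" input standing in for $_POST. The last name carries a
// classic injection payload, which is exactly what a client can send when
// validation only happens in the browser.
$post = [
    'firstname'     => 'Jane',
    'lastname'      => "O'Neil', '0', 0); DROP TABLE signups; --",
    'total_payable' => '19.99',
];

// 1) What the original script builds: the payload becomes part of the SQL text.
$unsafe = "INSERT INTO signups(firstname, lastname, total_payable, reg_submit_date) "
        . "VALUES('{$post['firstname']}', '{$post['lastname']}', '{$post['total_payable']}', " . time() . ")";
echo "Unsafe SQL the original script would send:\n$unsafe\n\n";

// 2) Prepared statement: values are bound separately and never spliced into the
//    SQL, so the payload is stored as an ordinary string. reg_submit_date is set
//    server-side with time(); it is never taken from the form.
$stmt = $pdo->prepare(
    'INSERT INTO signups (firstname, lastname, total_payable, reg_submit_date)
     VALUES (:firstname, :lastname, :total_payable, :reg_submit_date)'
);
$stmt->execute([
    ':firstname'       => $post['firstname'],
    ':lastname'        => $post['lastname'],
    ':total_payable'   => $post['total_payable'],
    ':reg_submit_date' => time(),
]);

// Show that the table survived and the payload is inert data.
$row = $pdo->query('SELECT lastname, reg_submit_date FROM signups')->fetch(PDO::FETCH_ASSOC);
printf("Stored lastname: %s\nSubmitted at (UTC): %s\n",
    $row['lastname'], gmdate('Y-m-d H:i:s', (int)$row['reg_submit_date']));
```

Escaping with mysql_real_escape_string, as in the post above, defends the quoted-string case it was designed for; binding parameters removes the need to get the quoting right at all, which is why it is the default recommendation today.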

  #3 keelerz

    Hey traq,
    Thanks for the heads up! I have done the validation of the form with Javascript before submitting clean data into the Database.
    I very much appreciate your guidance with the notes you have provided.

    You mentioned that the $reg_submit_date = time(); creates a Unix Timestamp and that I need to format it to become human readable.

    Does that mean I should do this?

    Code:
    $reg_submit_date = gmdate (date("Y-m-d H:i:s"));

  #4 traq

    Quote Originally Posted by keelerz:
    Hey traq,
    Thanks for the heads up! I have done the validation of the form with Javascript before submitting clean data into the Database.
    Javascript is a great convenience for the user; it is completely useless for security. It operates on the user's computer, so it's completely out of your control. The (malicious) user could create their own script, with whatever information they like, and submit it to your url. They could simply turn javascript off.

    At the end of the day, validation and sanitization must be done server-side.

    Quote Originally Posted by keelerz:
    You mentioned that the $reg_submit_date = time(); creates a Unix Timestamp and that I need to format it to become human readable.

    Does that mean I should do this?

    Code:
    $reg_submit_date = gmdate (date("Y-m-d H:i:s"));
    PHP Code:
    // I think you mean either
    $reg_submit_date = gmdate("Y-m-d H:i:s");
    //or
    $reg_submit_date = date("Y-m-d H:i:s");
    // ?
    if you want to store it that way, sure, that's fine.

    Personally, I prefer storing the timestamp, and only formatting it when it's ready to be displayed. The timestamp is much easier to store and manipulate than a human-readable date - i.e., if you save the timestamp, you can format it any way you like (display only the date, add l [<--that's a lowercase L], or switch it up like D, M. dS, Y \a\t H:i:s). You can also use the timestamp in scripting, e.g., to compare dates and return something like "You submitted this ten days ago.". In contrast, if you save Y-m-d H:i:s, it will always read Y-m-d H:i:s.

    Quote Originally Posted by keelerz:
    I very much appreciate your guidance with the notes you have provided.
    no problem; you're very welcome.
    Last edited by traq; 04-29-2011 at 03:52 AM.
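An added example, not from either poster: server-side validation of the three form fields (the check that still runs when the browser's JavaScript is bypassed or disabled), and the "store the timestamp, format it on display" approach described above, including the date-arithmetic case. Field names follow the original post; the accepted formats (name characters, money as a decimal with two places) and the sample inputs are assumptions made for the demonstration.

```php
<?php
// Added example: server-side validation plus Unix-timestamp handling.
// Field names come from the thread; the accepted formats are assumptions.

function validate_signup(array $post): array
{
    $errors = [];
    $clean  = [];

    foreach (['firstname', 'lastname'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        // Letters (any script), spaces, apostrophes and hyphens, 1-50 characters.
        if ($value === '' || !preg_match('/^[\p{L}\' -]{1,50}\z/u', $value)) {
            $errors[$field] = 'must be 1-50 letters, spaces, apostrophes or hyphens';
        } else {
            $clean[$field] = $value;
        }
    }

    $amount = (string)($post['total_payable'] ?? '');
    // Money arrives as text; accept digits with an optional two-place fraction and
    // keep it as a string so it can be bound to a DECIMAL column without float drift.
    if (!preg_match('/^(0|[1-9]\d{0,7})(\.\d{2})?\z/', $amount)) {
        $errors['total_payable'] = 'must be an amount like 19.99';
    } else {
        $clean['total_payable'] = $amount;
    }

    // The submission time is always taken from the server clock, never from the client.
    $clean['reg_submit_date'] = time();

    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $clean];
}

// Formatting and arithmetic on a stored Unix timestamp, done only at display time.
function describe_submission(int $submitted, int $now): string
{
    $days = intdiv($now - $submitted, 86400);
    $when = date('D, M. dS, Y \a\t H:i:s', $submitted);   // the format string quoted in the post
    if ($days === 0) {
        return "You submitted this today ($when).";
    }
    return "You submitted this $days day" . ($days === 1 ? '' : 's') . " ago ($when).";
}

// Constructed inputs: one honest submission and one sent straight to the URL,
// bypassing any browser-side checks.
$good = ['firstname' => 'Jane', 'lastname' => "O'Neil", 'total_payable' => '19.99'];
$bad  = ['firstname' => '<script>alert(1)</script>', 'lastname' => '', 'total_payable' => '19.999'];

foreach ([$good, $bad] as $input) {
    $result = validate_signup($input);
    echo $result['ok']
        ? "accepted: " . json_encode($result['values']) . "\n"
        : "rejected: " . json_encode($result['errors']) . "\n";
}

// Ten days after a stored timestamp the same integer yields the relative wording.
echo describe_submission(time() - 10 * 86400, time()), "\n";
```

The validated values are what go into the insert (with a prepared statement or, on the old extension, after escaping); the rejected request never reaches the database at all, which is the guarantee client-side JavaScript cannot give.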
