tags:

views:

57

answers:

4

hello,

am trying to fetch some data from a form, but i cant for some reason. here are some lines of my code.

cellphone: <input type = "text" name = "cellphone"><br />
username : <input type = "text" name = "username"><br />

    $cellphone = $_GET["cellphone"];
    //$cellphone = int() $cellphone;
    $username= $_GET["username"];

$link = mysql_connect('myhost', 'myuser', 'mypass') or die("could not connect to database");
    mysql_select_db ('hunter',$link) or die ("could not find database");
    echo "fetced database";
    //injecting user info into database
    mysql_query("INSERT INTO player values ('','$firstname','$lastname','$location','$cellphone','$username','$email','$password')")or die("could not inject into database.");

but i can not get the cell number to get into my database for some reason. please help me :D

+1  A: 
Jacco
mysql_real_escape_string() don't do the job. mysql_real_escape_string() **plus** quotes does. and it shouldn't be only "input validation", but query building rule
Col. Shrapnel
@Col. Shrapnel, True; if it is a string, you need quotes. And yes, escaping strings should be part of your query building process. This however is an answer to a beginners question, so I try persuade the OP to a) read more and learn, and b) use a proven library with prepared statements and let it handle a lot of the complex work for them.
Jacco
A: 
  • Replace die("msg") with die(mysql_error()) in order to debug the reason of the failure
  • Don't insert user provided data directly into the DB, use mysql_real_escape_string() or similar to sanitize the data and protect against SQL injections
  • if the problem is that you phone field is declared as int into the DB, then assure it is an integer before performing the insert. You can try to cast to int, but I think you should perform some more accurate sanitization on the data, checking the expected "admitted" format and type for each field and returning a per field error to the user in case of mis-insertion

By the way, if you store a phone number as an integer you cant handle very well the international prefix (+39 or 0039 for Italy for example), as "+" is not a number, and "00" would be lost in the cast to integer ....

AlberT
mysql_real_escape_string() **do not sanitize anything!**
Col. Shrapnel
A: 

this may be that your mysql column only accepts INT but input is alphanumeric. in this case, you may use $cellphone = filter_var($_GET['cellphone'], FILTER_SANITIZE_NUMBER_INT);if you are expecting an integer-only input

Ygam
+1  A: 
  1. make your form POST method, not GET. GET is for requestig data and POST for storing.
  2. Consider to use varchar type field for the phone number.
  3. Though it would be a very good idea to normalize a phone number before insert, by stripping all non-numeric characters from it.
Col. Shrapnel