WhiteDragon - 6 months ago
PHP Question

The result of PHP code is wrong?

When I tried to write some simple PHP code, I had a problem: the result showed some things which weren't expected, such as "' . "\n"; echo' ". Where is my code wrong?

Here is my code:

<html>
<head>
<title>Putting Data in the DB</title>
</head>
<body>
<?php
/*insert students into DB*/
if(isset($_POST["submit"])) {
$db = mysql_connect("mysql", "martin");
mysql_select_db("martin");
$date=date("Y-m-d"); /* Get the current date in the right SQL format */
$sql="INSERT INTO students VALUES(NULL,'" . $_POST["f_name"] . "','" .
$_POST["l_name"] . "'," . $_POST["student_id"] . ",'" . $_POST["email"] .
"','" . $date . "'," . $_POST["gr"] . ")"; /* construct the query */
mysql_query($sql); /* execute the query */
mysql_close();
echo"<h3>Thank you. The data has been entered.</h3> \n";
echo'<p><a href="data_in.php">Back to registration</a></p>' . "\n";
echo'<p><a href="data_out.php">View the student lists</a></p>' ."\n";
}
else {
?>
<h3>Enter your items into the database</h3>
<form action="data_in.php" method="post">
First Name: <input type="text" name="f_name" /> <br/>
Last Name: <input type="text" name="l_name" /> <br/>
ID: <input type="text" name="student_id" /> <br/>
email: <input type="text" name="email" /> <br/>
Group: <select name="gr">
<option value ="1">1</option>
<option value ="2">2</option>
<option value ="3">3</option>
</select><br/><br/>
<input type="submit" name="submit" /> <input type="reset" />
</form>
<?php
} /* end of "else" block */
?>
</body>
</html>


Result is here:


Thank you. The data has been entered. \n"; echo' Back to registration

' . "\n"; echo' View the student lists

' ."\n"; } else { ?> Enter your items into the database

Answer

Correct code:

<html>
<head>
    <title>Putting Data in the DB</title>
</head>
<body>
<?php if (isset($_POST["submit"])): ?>
    <?php
        /*insert students into DB*/
        $db = mysql_connect("mysql", "martin");
        mysql_select_db("martin");
        $date = date("Y-m-d");  /* Get the current date in the right SQL format */
        $sql = "INSERT INTO students  VALUES(NULL,'" . $_POST["f_name"] . "','" .
            $_POST["l_name"] . "'," . $_POST["student_id"] . ",'" . $_POST["email"] .
            "','" . $date . "'," . $_POST["gr"] . ")";  /* construct the query */
        mysql_query($sql);  /* execute the query */
        mysql_close();
    ?>
    <h3>Thank you. The data has been entered.</h3>
    <p><a href="data_in.php">Back to registration</a></p>
    <p><a href="data_out.php">View the student lists</a></p>
<?php else: ?>
    <h3>Enter your items into the database</h3>
    <form action="data_in.php" method="post">
        First Name: <input type="text" name="f_name"/> <br/>
        Last Name: <input type="text" name="l_name"/> <br/>
        ID: <input type="text" name="student_id"/> <br/>
        email: <input type="text" name="email"/> <br/>
        Group: <select name="gr">
            <option value="1">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
        </select><br/><br/>
        <input type="submit" name="submit"/> <input type="reset"/>
    </form>
<?php endif ?>
</body>
</html>

By the way, please try to use PDO
http://www.w3schools.com/php/php_mysql_prepared_statements.asp
Otherwise somebody can enter "); TRUNCATE table students; -- and clear all your data.

It's classic - https://xkcd.com/327/
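
The prepared-statement approach recommended in the answer, shown as an added example that is not part of the original answer. The column names, the `open_db` and `insert_student` helpers, and the SQLite in-memory database are assumptions chosen so the script runs offline; the form field names come from the page.

```php
<?php
// Added example. Column names and the SQLite in-memory database are
// assumptions so the script runs offline; for MySQL use a DSN such as
// "mysql:host=mysql;dbname=martin;charset=utf8mb4" and set
// PDO::ATTR_EMULATE_PREPARES to false.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, f_name TEXT,
        l_name TEXT, student_id INTEGER, email TEXT, created TEXT, gr INTEGER)');
    return $db;
}

// Validate the form fields, then insert them with bound parameters.
// Returns false when a field fails validation.
function insert_student(PDO $db, array $post): bool {
    $id = filter_var($post['student_id'] ?? null, FILTER_VALIDATE_INT);
    $gr = filter_var($post['gr'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 3]]);
    $email = filter_var($post['email'] ?? null, FILTER_VALIDATE_EMAIL);
    $f = trim((string)($post['f_name'] ?? ''));
    $l = trim((string)($post['l_name'] ?? ''));
    if ($id === false || $gr === false || $email === false || $f === '' || $l === '') {
        return false;
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO students VALUES (NULL, ?, ?, ?, ?, ?, ?)');
    return $stmt->execute([$f, $l, $id, $email, date('Y-m-d'), $gr]);
}

$db = open_db();
// Constructed input: the string from the answer, submitted as a first name.
$ok = insert_student($db, [
    'f_name' => '"); TRUNCATE table students; --', 'l_name' => 'Test',
    'student_id' => '42', 'email' => 'a@example.com', 'gr' => '2',
]);
// Constructed input: a non-numeric ID, which the original code would have
// concatenated unquoted into the query.
$bad = insert_student($db, [
    'f_name' => 'A', 'l_name' => 'B',
    'student_id' => '12abc', 'email' => 'a@example.com', 'gr' => '2',
]);
var_dump($ok, $bad);
// The stored first name is the literal string, not executed SQL.
echo $db->query('SELECT f_name FROM students')->fetchColumn(), "\n";
```

When the stored names are later printed on a page such as data_out.php, pass them through `htmlspecialchars()` so that markup in a name is displayed rather than interpreted.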