can someone please check my code?

05-20-2008, 03:38 PM
The code below should submit new values into the database from a form, but it doesn't work?!

$Assessor = mysql_real_escape_string(stripslashes($_POST['Assessor']));
$page = mysql_real_escape_string(stripslashes($_POST['page']));
$Dateadded = mysql_real_escape_string(stripslashes($_POST['Dateadded']));
$Assessment = mysql_real_escape_string(stripslashes($_POST['Assessment']));
$assignedto = mysql_real_escape_string(stripslashes($_POST['assignedto']));
$section = mysql_real_escape_string(stripslashes($_POST['section']));
$grade = mysql_real_escape_string(stripslashes($_POST['grade']));
$action = mysql_real_escape_string(stripslashes($_POST['action']));
$priority = mysql_real_escape_string(stripslashes($_POST['priority']));
$sql = "INSERT INTO assessment (Assessor,Page,Assessment,assignedto,section,grade,action,priority)
Values ('$Assessor', '$page', '$Assessment','$assignedto','$section','$grade','$action','$priority')";
$result = mysql_query($sql,$link) or die('Error: ' . mysql_error() . '<br>SQL: ' . $sql);
header("Location: display.php");

05-20-2008, 03:45 PM
Replace in $sql, after "values (", for each variable:




See if it works and post feedback if not.


05-20-2008, 03:48 PM
I have fixed it!

05-20-2008, 03:52 PM
Define "doesn't work". What does it do / not do that you otherwise expect? Does any of the data make it into the database? Does it throw an error? Does it just show a blank page and sit there? Please be as specific as possible.

Comment out the call to header(), and display the value of the $sql statement string to the page, see what it shows.

Does the form actually POST to the script? At the top of the script, do this:


I do notice that you expect and escape 9 strings coming from POST, but only insert 8. Your column / data count is correct and as far as I can tell, the SQL statement is fine.

Something else I notice, you're using a variation of uppercase and lowercase column and variable names. You need to keep these consistent. Having consistency when it comes to variable naming and assignment conventions will really pay off in the long run.

Something else I should point out, you can eliminate all that reassignment code with a simple loop, e.g.

// check to see if the form was POSTed
// ( note the submit button counts for one element)
if ( sizeof($_POST) > 1 ) {
    // undo magic_quotes in one fell swoop
    $POSTDATA = array_map('stripslashes', $_POST);
    foreach( $POSTDATA AS $k => $v ) {
        // reassign the index name to the value, escaping as we go
        $$k = mysql_real_escape_string($v);
    }
    // submit to database
} else {
    // form wasn't POSTed
}

That's it. A couple of simple lines of code, nice and neat.
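
The `$$k` loop above creates a script variable for every key the client sends, so a POST key named `link` would replace the script's own `$link`. The following is an added example, not code from the thread: the same single-loop idea restricted to an allowlist, with PDO bound parameters in place of escaping. The function names, the SQLite in-memory database and the sample request are assumptions made so it runs offline, and form field names are assumed to match the column names of the INSERT in the first post.

```php
<?php
// Accepted form fields. Column names in the SQL come from this constant
// list, never from the request. (Assumed to match the form's field names.)
const FIELDS = ['Assessor', 'Page', 'Assessment', 'assignedto',
                'section', 'grade', 'action', 'priority'];

// Copy only allowlisted fields into an array. No $$k, so a request key
// named "link" cannot overwrite a variable the script relies on.
function collect_fields(array $post, array $allowed): array
{
    $row = [];
    foreach ($allowed as $name) {
        // A missing field or an array value (field[]=x) is rejected outright.
        if (!isset($post[$name]) || !is_string($post[$name])) {
            throw new InvalidArgumentException("missing or invalid field: $name");
        }
        $row[$name] = $post[$name];
    }
    return $row;
}

function insert_assessment(PDO $pdo, array $row): void
{
    $cols  = implode(', ', array_keys($row));
    $marks = implode(', ', array_map(fn($c) => ":$c", array_keys($row)));
    // Values are bound as parameters: no stripslashes or manual escaping.
    $stmt = $pdo->prepare("INSERT INTO assessment ($cols) VALUES ($marks)");
    $stmt->execute($row);
}

// Constructed demo database (in-memory SQLite stands in for MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE assessment (' . implode(' TEXT, ', FIELDS) . ' TEXT)');

// Constructed request: every expected field plus keys the form never sends.
$post = array_fill_keys(FIELDS, "O'Brien") + ['link' => 'x', 'submit' => 'Save'];

insert_assessment($pdo, collect_fields($post, FIELDS));
print_r($pdo->query('SELECT * FROM assessment')->fetch(PDO::FETCH_ASSOC));
```

The extra `link` and `submit` keys never reach the query, and the apostrophe in the sample value is stored as sent.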