Posted by Jerim79 on 11/08/06 23:26

Carl wrote:
> Reply Inline...
>
> Jerim79 wrote:
> >
> > Okay, I found something that works. It probably isn't the best way, but
> > it works. At the beginning of the script I set each variable to a local
> > variable. Such as:
> > $FName=$_POST["FName"];
> >
> > That may not be the best way to do it, but it works. The email script
> > is working great now. Which just leaves the MySQL connection. Here is
> > the code:
> >
> > $username='username';
> > $password='password';
> > $hostname='localhost';
> > $databasename='database';
> > //Here is where the database connection is actually made
> > $conection = mysql_connect($hostname, $username, $password);
> > mysql_select_db($databasename) or die ("Cannot connect to
> > database" . msyql_error());
> > //This sets the query to a variable for easy calling
> > $query='INSERT INTO table() VALUES($FName,
> > $LName, $Company, $Title, $Address, $Apt, $City, $State, $Zip,
> > $Phone,
> > $Fax, $Email, $Var1, $Var2, $Var3, $Var4, $Var5)'
> > //With the database connection open, I insert the data using
> > $query
> > $result = mysql_query($query) or die ('Query failed: ' .
> > mysql_error());
> > //After reading the information into the table, we close the
> > database connection
> > mysql_close();
> >
> > The error message I get:
> >
> > Query failed: Unknown column '$FName' in 'field list'
>
> If you want the variables in your SQL statement to be parsed by the php
> interpreter, your SQL statement string needs to be in double quotes.
> This behaviour is described here:
>
> http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing
>
> Note that you will still be left with an error as the string values
> should themselves be enclosed in single quotes (you're using mysql,
> right?). Numeric values do not need to be enclosed in single quotes,
> but you must remember to ensure that they are infact numeric values or
> cast them explicitly.
>
> $query = "INSERT INTO table() VALUES('$FName', '$LName'...
>
> Alternatively, you can kill two birds with one stone and sanitize the
> input while building the SQL statement.
>
> $query = sprintf("INSERT INTO table() VALUES('%s', '$s'...
> mysql_real_escape_string($FName),
> mysql_real_escape_string($LName),...
>
> >
> > If I enclose the variables inside the VALUES() part with quotations,
> > such as "$FName", "$LName","$Title" that data does get put into the
> > table with no error. Which is to say that $FName gets written to the
> > table, and not the data that $FName represents.
>
> As stated above, this is due to the fact that php wil not expand the
> value of a variable inside of single quotes. '$var' literally means
> '$var'. With "$var", the php interpreter will attempt to resolve to the
> value for the variable $var.
>
>
> Hope that helps,
> Carl.
>
> >So I know the database
> > connection is working and it is able to write. I tried defining the
> > columns in table() such as table(FNAME, LNAME, TITLE) with the same
> > error as above. I tried using $_POST[FName] in the VALUES() function
> > but it just returns a syntax error and tells me to check the manual for
> > my version of MySQL for the correct version. I am running 4.0.1 by the
> > way.

Thanks so much for the help. Once I get it working, I am going to go
back and clean everything up.

[Back to original message]