How to combine Query and Variable in PHP?

HelloWorld · #1 (**permalink**) 08-06-2007, 09:18 PM

Here's my current code, I want to send query to MySQL to add the username and password that's just created:

PHP Code:

 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>MyCMS Installer</title>
</head>

<body>
<?php
include 'config.php';
print 'Table has been created.'.'<br/>';
print 'Installation succeeded.';
?>
<form action="<?php echo ($_SERVER['PHP_SELF']); ?>?p=submitted" method="POST">
Admin Username: <input type="text" name="adminuser" accesskey="u" /><br />
Admin Password: <input type="text" name="adminpass" accesskey="p" />
</form>

<?php
if (isset($_GET['p']) && $_GET['p'] == 'submitted') {
    $adminUserName = $_POST['adminuser'];
    $adminPassword = $_POST['adminpass'];
}
$query = 'INSERT INTO `mycms` VALUES('; // please help here
?>
</body>
</html>

Any comments on my implementations are welcomed...

TeraTask · #2 (**permalink**) 08-06-2007, 10:04 PM

I'd write:

PHP Code:

  <?php
if ($_GET['p'] == 'submitted') {
    $adminUserName = mysql_real_escape_string(stripslashes($_POST['adminuser']));
    $adminPassword = mysql_real_escape_string(stripslashes($_POST['adminpass']));
    $query = "INSERT INTO `mycms` set adminuser='$adminUserName', adminpass='$adminPassword'"; 
    if (mysql_query($query)) {
        //Insert successful
    } else {
        //Insert failed.
        echo "Unable to add admin.  MySQL reported &quot;".mysql_error()."&quot;<br />";
    }
}
?>

Please note that everything I changed was for a specific reason.  Let me know if you have any specific questions.

HelloWorld · #3 (**permalink**) 08-06-2007, 10:23 PM

Thanx a lot TeraTask,
Btw, all of the sudden.. I'm kind of confused to when should I use:

PHP Code:

  $_GET['p']

over

PHP Code:

  $_POST['p']

When do I have to use one over the other? I was thinking that either one of them is going to parse the string of the specified on the equal sign from the web browser... but when should I use one over the other?

TeraTask · #4 (**permalink**) 08-07-2007, 06:24 AM

$_GET is for when the variable is in the URL.
$_POST is for when the variable is posted.

Had you done

PHP Code:

 
<form action="<?php echo ($_SERVER['PHP_SELF']); ?>" method="POST">
<input type="hidden" name="p" value="submitted" />
Admin Username: <input type="text" name="adminuser" accesskey="u" /><br />
Admin Password: <input type="text" name="adminpass" accesskey="p" />
</form>

You would have had to use $_POST

Note also that had you done

PHP Code:

 
<form action="<?php echo ($_SERVER['PHP_SELF']); ?>" method="GET">
<input type="hidden" name="p" value="submitted" />
Admin Username: <input type="text" name="adminuser" accesskey="u" /><br />
Admin Password: <input type="text" name="adminpass" accesskey="p" />
</form>

That all variables would be in the URL when the form was submitted and subsequently they'd all be available via $_GET (not too bright for a username/password, but I am trying to give an example)

BTW: It doesn't hurt to give people a submit button.

Few will realize that they can just hit enter.