Form submits blank fields and creates 2 records? 3

[frainbreeze]

hello

Ok this is completely puzzling me, maybe i've been staring at it for too long and need another perspective (cue: tek-tips to the rescuuuuuee)

pretty straight forward survey form submitting to a mysql db with radio buttons/text boxes. has this in the form:

<tr>
 <td>(i) Network-to-Network learning</td>
 <td align="center">
 <? $QNUM = "Q1A"?>
 <input name="<? echo $QNUM; ?>" type="radio" value="Poor"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Below Average"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Average"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Good"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Excellent"></td>
</tr>
<tr>
 <td>(ii) Network development</td>
 <td align="center">
 <? $QNUM = "Q1B"?>
 <input name="<? echo $QNUM; ?>" type="radio" value="Poor"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Below Average"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Average"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Good"></td>
 <td align="center"><input name="<? echo $QNUM; ?>" type="radio" value="Excellent"></td>
</tr>

which is fine and dandy, spits out propertly in html. i've got this for the insert statement:

$sql = "INSERT INTO onlineform (Q1A, Q1B) VALUES ('$Q1A', '$Q1B')";
#sql statement shortened due to about 50 questions, but all are in the same format as above

mysql_query($sql) or die ("Found a mistake:".mysql_error());
$result = mysql_query($sql);

echo "sent";
echo $sql;

and when it runs it inserts not 1 but 2 rows of blank data. this is what shows up on the screen after submitting:



sentINSERT INTO onlineform (Q1A, Q1B) VALUES ('', '')



and so on and so forth(about 40 some odd blank entries edited out).

what the frick? if my radio buttons are called Q1A/Q1B shouldnt php pick up the $Q1A/$Q1B values and insert em? I dont think its isolated to just radios, as my text fields dont seem to show up in the query either. and why in the world of waldo is it inserting 2 records with only 1 insert statement?!

the <form> action and method(POST) are set, the <form> tag encompasses the submit button (another brilliant oversight i've made before), the submit button has a name="submit" and i have the whole thing in a giant all-encompassing

if (isset ($HTTP_POST_VARS['submit']) )

my brain hurts. its most likely a typo or some other moronic thing on my part, but i cant for the life of me seem to find where it is..

any help is (as usual) much appreciated

frainbreeze

 

[sleipnir214]

The problem of your values not showing up is probably because your PHP installation has register_globals turned off. The PHP online manual recommends that you leave it that way.

What's in $_POST['Q1A']?



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[frainbreeze]

slepnir:

$_POST['Q1A'] has the value of whatever the radiobutton value is for that question (the right value)

er, so does this mean it IS grabbing the values? if so, then where are they going..!

thanks

frainbreeze

 

[sleipnir214]

They're going exactly where they should -- into $_POST.

When you submit data to PHP, PHP puts the data into $_POST or $_GET as appropriate. This always happens. If and only if the runtime configuration directive register_globals is set to "on" will it then instantiate single variables for the values.

But, as this page in the PHP online manual indicates, running PHP with register_globals set to "on" has a number of security problems.

This realization that register_globals can affect security is a relatively recent one -- it was in version 4.2.0 that the default for this value became "off". And a lot of books on PHP were written with example code requiring it to be set to "on".

I recommend that you leave register_globals set to "off" and modify your code to reference the elements of $_POST.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[kenrbnsn]

They're not going anyplace. They are being deposited into the super global array $_POST. Use them from there. When 'register_globals' is turned off, PHP doesn't automatically populate the variables generated from a form.

If you want, you can do

if (!emtpy($_POST)) extract($_POST)

which will generate the variables you're using now.

Read about 'register_globals' and super global arrays in the PHP manual.

Ken

 

[sleipnir214]

I strongly recommend against using extract(). Use of this function can duplicate the "variable poisoning" point mentioned in the link I posted.

The way I look at it, in addition to being more secure, referencing the elements not only improves the security of your application, but adds an element of automatic documentation. I may not remember six months from now how the value got into $foo, but $_POST['foo'] is pretty obvious.




Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[skiflyer]

mysql_query($sql) or die ("Found a mistake:".mysql_error());
$result = mysql_query($sql);

And for your followup question about why it happens twice, it's right there. You call mysql_query($sql) twice.

You can combine those two to

$result=mysql_query($sql) or die(mysql_error());

 

[kenrbnsn]

I only mentioned the extract command so the original poster could get his code working as is. Then he can go and changes all of the references to $_POST['var'].

That's what I did when register_globals went from a default of 'on' to 'off' a few years ago. To make sure that all of the code I had written would continue to work, I put the extract statement in my code. Then I went back and modified the code to use $_POST.

Of course, using $_POST['var'] without doing any checking for what it contains can be just a dangerous as the old way of doing things.

Ken

 

[frainbreeze]

hello again

it seems to be working without me having to manually change all the variables to accommodate $_POST with this:

foreach (array_keys($_GET) as $key) $$key=$_GET[$key];

that i found on php.net after looking up register globals so im well chuffed! and im sure u guys all knew this but useful as php.net is, sometimes its hard to find an explanation for something you dont know the name of.. (i.e. typing in POST doesnt help)

cheers my dears, stars all round

frainbreeze

 

[skiflyer]

Your code chunk is identical to

extract($_GET);

The positives and negatives of which are discussed above.