FORM METHOD=post ACTION='*.php' only sends empty spaces to mysql ?
Hi,
I'm running Debian sarge with the delivered apache2, mysql and php4.
The file "mitarbeiter_eingabe.php" gets the data over an HTML <FORM> and sends it to "mysql_mitarbeiter_daten_hinzufuegen.php" to write it into a mysql database.
This already worked on php3 and mysql-3, and now on php4 and mysql4 it doesn't work. I can't find any changes between php3 and php4, mysql3 and mysql4 that explain the fact that only empty spaces are given to the mysql database.

mitarbeiter_eingabe.php -> mysql_mitarbeiter_daten_hinzufuegen.php -> mysql-database

If I replace a %s in mysql_mitarbeiter_daten_hinzufuegen.php with a real value like "Armin", it writes it to the mysql database?

What did I miss or not see?

Greetings
Armin Irger

---------- mitarbeiter_eingabe.php : ----------
<?
// mitarbeiter_eingabe.php
require("globals.php");
require("common.php");

GenerateHTMLHeader('Enter a new employee');

echo "<FORM METHOD=post ACTION='mysql_mitarbeiter_daten_hinzufuegen.php'><PRE>";
printf ("Title: <INPUT TYPE=text SIZE=35 NAME=titel VALUE=\"%s\"> <BR>\n",
    ($formValues) ? $formValues["titel"] : "");
printf ("First name: <INPUT TYPE=text SIZE=35 NAME=vorname VALUE=\"%s\"> <BR>\n",
    ($formValues) ? $formValues["vorname"] : "");
printf ("Last name: <INPUT TYPE=text SIZE=35 NAME=nachname VALUE=\"%s\"> <BR>\n",
    ($formValues) ? $formValues["nachname"] : "");
printf ("eMail: <INPUT TYPE=text SIZE=35 NAME=email VALUE=\"%s\"> <BR>\n",
    ($formValues) ? $formValues["email"] : "");
printf ("Phone (at work): <INPUT TYPE=text SIZE=35 NAME=telefon_dienstlich VALUE=\"%s\"> <BR>\n",
    ($formValues) ? $formValues["telefon_dienstlich"] : "");
printf ("Initials: <INPUT TYPE=text SIZE=35 NAME=kürzel VALUE=\"%s\"> <BR>\n",
    ($formValues) ? $formValues["kürzel"] : "");
echo "<BR><BR>";
echo "<INPUT TYPE=submit VALUE='Save'>";
echo "</PRE></FORM>";

generateHTMLFooter();

---------- mysql_mitarbeiter_daten_hinzufuegen.php : ----------
<?
// mysql_mitarbeiter_daten_hinzufuegen.php
require("globals.php");
require("common.php");

$sql_query = "INSERT into $table_mit(TITEL, VORNAME, NACHNAME, EMAIL, TELEFON_DIENSTLICH, KUERZEL) values ('%s','%s','%s','%s','%s','%s')";

// Test the server connection
if (!($link=mysql_pconnect($host,$user,$passwd))) {
    DisplayErrMsg(sprintf("Fehler bei Verbindungsaufbau zu Server %s, unter Benutzer %s",$host,$user));
    exit();
}

// Test the database connection
if (!mysql_select_db($database, $link)) {
    DisplayErrMsg(sprintf("Fehler bei Auswahl der Datenbank %s", $database));
    DisplayErrMsg(sprintf("Fehler: %d %s",mysql_errno($link), mysql_error($link)));
    exit();
}

// Execute the SQL query
if (!mysql_query(sprintf($sql_query,$titel,$vorname,$nachname,
    $email,$telefon_dienstlich,$kürzel), $link)) {
    DisplayErrMsg(sprintf("Fehler beim Ausführen der SQL-Abfrage %s", $sql_query));
    DisplayErrMsg(sprintf("Fehler: %d %s",mysql_errno($link), mysql_error($link)));
    exit();
}

GenerateHTMLHeader('Data saved sucessfully!');
generateHTMLFooter();
?>

---------- mysql.log ----------
050222 17:13:19      21 Connect     active@localhost on
                     21 Init DB     ACTIVE
                     21 Query       INSERT into MITARBEITER(TITEL, VORNAME, NACHNAME, EMAIL, TELEFON_DIENSTLICH, KUERZEL) values ('','','','','','')

irger.armin@web.de (Armin Irger) wrote in
news:e9a6097d.0502220826.4eabd3a7@posting.google.com:

> Hi,
> I'm running Debian sarge with the delivered apache2, mysql and php4.
> The file "mitarbeiter_eingabe.php" gets the data over an HTML <FORM>
> and sends it to
> "mysql_mitarbeiter_daten_hinzufuegen.php" to write it into a mysql
> database.
> This already worked on php3 and mysql-3, and now on php4 and mysql4 it
> doesn't work. I can't find any changes between php3 and php4, mysql3
> and mysql4 that explain the fact that only empty spaces are given to
> the mysql database.
>
>
> mitarbeiter_eingabe.php -> mysql_mitarbeiter_daten_hinzufuegen.php ->
> mysql-database
>
> If I replace a %s in mysql_mitarbeiter_daten_hinzufuegen.php with a
> real value like "Armin", it writes it to the mysql database?
>
> What did I miss or not see?
>
>
> Greetings
> Armin Irger
>
>

<snip>

Your form variables are not properly set in the script that writes to the database. Check the register_globals setting in php.ini (should be ON for the way you're doing it here) or get the variables from the $_POST system variable.

Example:

Change:

if (!mysql_query(sprintf($sql_query,$titel,$vorname,$nachname,
    $email,$telefon_dienstlich,$kürzel), $link)) {

To:

if( !mysql_query(sprintf($sql_query, $_POST['titel'], $_POST['vorname'] .... etc...

By the way, these values should be escaped here (see mysql_escape_string function) depending on the magic_quotes_gpc config setting.

.oO(Armin Irger)

>I'm running Debian sarge with the delivered apache2, mysql and php4.
>The file "mitarbeiter_eingabe.php" gets the data over an HTML <FORM>
>and sends it to
>"mysql_mitarbeiter_daten_hinzufuegen.php" to write it into a mysql
>database.
>This already worked on php3 and mysql-3, and now on php4 and mysql4 it
>doesn't work.

Make sure error_reporting is set to E_ALL in your php.ini, you should receive some notices. It's most likely a register_globals issue, the default setting changed to Off in recent PHP versions for security reasons. Use the superglobal array $_POST (or $_GET) to access the submitted values, so instead of $vorname use $_POST['vorname'].

11.20. Why don't my forms work?
http://www.php-faq.de/q/q-formular-r...r-globals.html

Some other things:

* Use <?php instead of the short open tag <?, it's more portable.
* Consider using label and fieldset elements to improve your form's usability.
* HTML allows single quotes around attribute values, this avoids ugly escaping of double quotes inside a double quoted string.
* Do a search on Google for 'SQL Injection', your code is vulnerable.

16.18. How can I prevent malicious code in SQL queries?
http://www.php-faq.de/q/q-sql-injection.html

Micha
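Both replies above point to the same fix: read the submitted values from $_POST, and keep them from being parsed as part of the SQL string. A sketch of such a handler follows as an added example, not code from the thread; it uses bound parameters in place of the mysql_escape_string call mentioned above. Assumptions: PHP 7.1 or later, an in-memory SQLite database through PDO as a stand-in for the poster's MySQL server, and a hypothetical insertMitarbeiter function with constructed sample input.

```php
<?php
// Added example, not from the thread. PDO's sqlite driver stands in for the
// poster's MySQL server so this runs offline; names are from the first post.

// Form field name => table column, as in mitarbeiter_eingabe.php.
const FIELDS = [
    'titel'              => 'TITEL',
    'vorname'            => 'VORNAME',
    'nachname'           => 'NACHNAME',
    'email'              => 'EMAIL',
    'telefon_dienstlich' => 'TELEFON_DIENSTLICH',
    'kürzel'             => 'KUERZEL',
];

function insertMitarbeiter(PDO $db, array $post): void
{
    $row = [];
    foreach (FIELDS as $field => $column) {
        // Read the request array explicitly: with register_globals Off,
        // $titel, $vorname, ... are undefined and the INSERT gets ''.
        $value = $post[$field] ?? '';
        if (!is_string($value)) {   // e.g. titel[]=x arrives as an array
            throw new InvalidArgumentException("bad value for $field");
        }
        $row[$column] = trim($value);
    }
    // Column names come from the fixed list above, never from the request.
    $sql = sprintf(
        'INSERT INTO MITARBEITER (%s) VALUES (%s)',
        implode(', ', array_keys($row)),
        implode(', ', array_fill(0, count($row), '?'))
    );
    // Values are bound parameters, so they are never parsed as SQL.
    $db->prepare($sql)->execute(array_values($row));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE MITARBEITER (TITEL, VORNAME, NACHNAME, EMAIL, '
    . 'TELEFON_DIENSTLICH, KUERZEL)');

// Constructed sample input standing in for $_POST; the surname has a quote.
$post = ['titel' => 'Dr.', 'vorname' => 'Armin', 'nachname' => "O'Brien",
    'email' => 'armin@example.org', 'telefon_dienstlich' => '0123',
    'kürzel' => 'AO'];
insertMitarbeiter($db, $post);

$stored = $db->query('SELECT NACHNAME FROM MITARBEITER')->fetchColumn();
var_dump($stored === "O'Brien"); // compares the stored value with the input
```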

Michael Fesser <netizen@gmx.net> wrote in message news:<iipm11hg8mehlbjbotgbksuq41noca7bnj@4ax.com>...

> .oO(Armin Irger)
>
> >I'm running Debian sarge with the delivered apache2, mysql and php4.
> >The file "mitarbeiter_eingabe.php" gets the data over an HTML <FORM>
> >and sends it to
> >"mysql_mitarbeiter_daten_hinzufuegen.php" to write it into a mysql
> >database.
> >This already worked on php3 and mysql-3, and now on php4 and mysql4 it
> >doesn't work.
>
> Make sure error_reporting is set to E_ALL in your php.ini, you should
> receive some notices. It's most likely a register_globals issue, the
> default setting changed to Off in recent PHP versions for security
> reasons. Use the superglobal array $_POST (or $_GET) to access the
> submitted values, so instead of $vorname use $_POST['vorname'].
>
> 11.20. Why don't my forms work?
> http://www.php-faq.de/q/q-formular-r...r-globals.html
>
> Some other things:
>
> * Use <?php instead of the short open tag <?, it's more portable.
> * Consider using label and fieldset elements to improve your form's
> usability.
> * HTML allows single quotes around attribute values, this avoids ugly
> escaping of double quotes inside a double quoted string.
> * Do a search on Google for 'SQL Injection', your code is vulnerable.
>
> 16.18. How can I prevent malicious code in SQL queries?
> http://www.php-faq.de/q/q-sql-injection.html
>
> Micha

Thanks. It works.

Greetings
Armin Irger