
Thread: Error in simple INSERT INTO statement

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Feb 2009
    Posts
    313

    Error in simple INSERT INTO statement

    Code:
    <html>
    <head></head>
    <body>
    
    <?php
    
    if (!$_POST['submit'])
    {
    
    // form has not been submitted
    
    ?>
    
    <form action="<?=$_SERVER['PHP_SELF')?>" method="post">
    
    Ime i Prezime: <input type="text" name="Ime_Prezime">
    Datum: <input type="text" name="Datum">
    E-Mail: <input type="text" name="e_mail">
    Komentar: <input type="text" name="Komentar">
    <input type="submit" name="Posalji">
    </form>
    
    <?php
    }
    
    else
    
    {
    
    // get the data from the form
    
    $ime_prezime = (trim($_POST['Ime_Prezime']) == '') ?
    die ('GRESKA: Unesi ime i prezime') : mysql_real_escape_string($_POST['Ime_Prezime']);
    $e_mail = mysql_real_escape_string($_POST['e_mail']);
    $komentar= mysql_real_escape_string($_POST['Komentar']);
    
    // open the database connection
    
    $konekcija = mysql_connect('localhost','root')
    or die ('Povezivanje sa bazom nije uspjelo!');
    
    // select the database
    
    mysql_select_db('Komentari') or die ('Odabir baze nije uspio!');
    
    // build the query
    
    $upit = INSERT INTO podaci_o_komentaru (Ime_Prezime,e_mail,Komentar) VALUES ('$ime_prezime','$e_mail','$komentar')";  <--- this is where the error is
    
    // execute the query
    
    $rezultat = mysql_query($upit)
    or die ("Greska u upitu: $upit. " . mysql_error());
    
    // close the connection
    
    mysql_close($konekcija);
    
    }
    
    ?>
    
    </body>
    </html>
    It says: Parse error: parse error in D:\wamp\www\TestSite2\ubacivanje_podataka.php on line 48

    Can't figure it out really

  2. #2

    Thread Starter
    Hyperactive Member
    Join Date
    Feb 2009
    Posts
    313

    Re: Error in simple INSERT INTO statement

    I was missing " in my $upit. Now, when I run it, it displays my form, but there is a line saying
    Notice: Undefined index: submit in D:\wamp\www\TestSite2\ubacivanje_podataka.php on line 7. If I try running the insert statement it says Forbidden You don't have permission to access /TestSite2/< on this server.

    So that's all very confusing at the moment!

  3. #3
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: Error in simple INSERT INTO statement

    you have a regular bracket instead of a curved bracket on PHP_SELF. and you're also using short tags, and you shouldn't be.

    PHP Code:
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    to check whether or not the form has been submitted, you should be checking the REQUEST_METHOD and not trying to see if $_POST['submit'] is set. this is also why you're getting a notice about an undefined index. do this instead:

    PHP Code:
    if($_SERVER['REQUEST_METHOD'] == "POST"){

      //form was submitted

    }else{

      //form was not submitted

    }



  4. #4

    Thread Starter
    Hyperactive Member
    Join Date
    Feb 2009
    Posts
    313

    Re: Error in simple INSERT INTO statement

    Any idea why I get Forbidden msg when I submit my form?

  5. #5
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: Error in simple INSERT INTO statement

    you most likely didn't change the <form> tag's "action" from using short tags (like I had mentioned above). if short tags are not enabled by your host, then you will be submitting a form to: "\TestSite2\<", which is an invalid URL. it wouldn't include the rest of the short tags because the question mark signifies the start of the query string, and Apache would have treated it as such.

    if this isn't the case, then you must be doing something drastically wrong and you'll need to post your updated code.

  6. #6
    Fanatic Member
    Join Date
    Sep 2005
    Posts
    540

    Re: Error in simple INSERT INTO statement

    Just a nitpick here.

    PHP Code:
    <?php echo $_SERVER['PHP_SELF']; ?>
    This is not secure. Check This Out for more information.

    A quick way to fix it though would be to:
    PHP Code:
    <?php echo htmlentities($_SERVER['PHP_SELF']); ?>

  7. #7
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: Error in simple INSERT INTO statement

    Good catch Slyke.

    I'd go one step further and recommend never including anything from $_GET, $_POST, $_COOKIE, or $_SERVER anywhere in output. If you need those values to appear, validate or sanitise them first and put them into another variable. This makes it easy to spot potential vulnerabilities in your code: anything like the above should throw up a red flag straight away.
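
The advice in posts #6 and #7, as an added example that is not part of the original thread: request values are copied into validated variables first, and everything is escaped at the point of output. The function names, the length limits, the required e-mail check and the use of SCRIPT_NAME in place of PHP_SELF are assumptions of this example; the sample request data is constructed.

```php
<?php
// Added example, not code from the thread. Function names and limits are assumptions.

// Escape a value for HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SCRIPT_NAME omits any extra path a client appends after the script name;
// PHP_SELF includes it, which is why it has to be escaped before output.
function form_action(array $server): string
{
    return h($server['SCRIPT_NAME'] ?? '');
}

// Copy the thread's form fields into new, validated variables.
// Returns [clean values, names of fields that failed validation].
function clean_comment(array $post): array
{
    $field = function (string $key) use ($post): string {
        $v = $post[$key] ?? '';
        return is_string($v) ? trim($v) : ''; // array-valued input counts as empty
    };
    $clean = [
        'name'    => $field('Ime_Prezime'),
        'email'   => $field('e_mail'),
        'comment' => $field('Komentar'),
    ];
    $errors = [];
    if ($clean['name'] === '' || strlen($clean['name']) > 100) { $errors[] = 'Ime_Prezime'; }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'e_mail'; }
    if (strlen($clean['comment']) > 2000) { $errors[] = 'Komentar'; }
    return [$clean, $errors];
}

// Constructed sample request data (not real traffic).
$server = ['PHP_SELF'    => '/TestSite2/ubacivanje_podataka.php/"><b>x',
           'SCRIPT_NAME' => '/TestSite2/ubacivanje_podataka.php'];
$post = ['Ime_Prezime' => ' <i>Ana</i> ', 'e_mail' => 'ana@example.com', 'Komentar' => ['x']];

[$clean, $errors] = clean_comment($post);
echo '<form action="', form_action($server), '" method="post">', "\n";
echo '<input type="text" name="Ime_Prezime" value="', h($clean['name']), '">', "\n";
echo '</form>', "\n", 'Escaped PHP_SELF: ', h($server['PHP_SELF']), "\n";
echo 'Invalid fields: ', implode(', ', $errors), "\n";
```

Because only `$clean` and the output of `h()` ever reach an `echo`, any line that prints `$_POST`, `$_GET`, `$_COOKIE` or `$_SERVER` directly stands out in review.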
