Adding records to MySQL using PHP and page security

Question

This is an effort to create a PHP page to add data to a table. I am getting a parsing error on line 79 so I have been fiddling with it for a while:

Parse error: syntax error, unexpected T_STRING in /home/sharah19/dev.rahmaninet.org/new.php on line 79

Also I have another question: Whats the easiest way to make this page secure? So only users who are authenticated through the login page can add a record?

The contents of new.php:

<?php
/* 
NEW.PHP
Allows user to create a new entry in the database
*/

  // creates the new record form
 // since this form is used multiple times in this file, I have made it a function that     is easily reusable
function renderForm($first, $last,$email, $error)
{

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"    "http://www.w3.org/TR/html4/strict.dtd">
 <html>
 <head>
 <title>Add a New Record</title>
 <link href="rahmani.css" rel="stylesheet">
 </head>
 <body>
 <div id="main">
<h1>RahmaniNET CRM System</h1>
<?php include("header.php"); ?>
<?php 
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?> 

<form action="" method="post">
<div>
<strong>First Name: *</strong> <input type="text" name="first_name" value="<?php echo   $first_name; ?>" /><br/>
<strong>Last Name: *</strong> <input type="text" name="last_name" value="<?php echo   $last_name; ?>" /><br/>
<strong>email: *</strong> <input type="text" name="email" value="<?php echo $email; ?>"   /><br/>
<p>* required</p>
 <input type="submit" name="submit" value="Submit">


 </div>
</div>
</form> 
</body>
</html>
<?php 
}




// connect to the database
include('connect-db.php');


// check if the form has been submitted. If it has, start to process the form and save      it to the database
if (isset($_POST['submit']))
{ 
// get form data, making sure it is valid
$first_name = mysql_real_escape_string(htmlspecialchars($_POST['first_name']));
$last_name = mysql_real_escape_string(htmlspecialchars($_POST['last_name']));
$email = mysql_real_escape_string(htmlspecialchars($_POST['email']));

// check to make sure both fields are entered
if ($first_name == '' || $last_name == ''|| $email == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';

// if either field is blank, display the form again
renderForm($first_name, $last_name, $email, $error);
}
else
{
// save the data to the database
mysql_query("INSERT contacts SET first_name='$first_name', last_name='$last_name',email   ='$email' )
or die(mysql_error()); 

// once saved, redirect back to the view page
header("Location: view.php"); 
}
}
else
// if the form hasn't been submitted, display the form
{
renderForm('$first', '$last','$email', $error);
}
?>

Answer 1

The error comes from the lack of a closing quote on your MySQL query:

mysql_query("INSERT contacts SET first_name='$first_name', last_name='$last_name',email   ='$email') or die(mysql_error());

It should be:

mysql_query("INSERT contacts SET first_name='$first_name', last_name='$last_name',email   ='$email'") or die(mysql_error());

Also you ask:

Also I have another question: Whats the easiest way to make this page secure? So only users who are authenticated through the login page can add a record?

If you are using Apache then you should you use Apache AuthType Basic. More details are here. Details under “Getting it working.”

Answer 2

You are missing a double quote in your sql string:

mysql_query("INSERT contacts SET first_name='$first_name', last_name='$last_name',email   ='$email' )