seeking cause for err: "Duplicate entry '' for key 2"

[jswebdev]

i've created a very simple data collection form. the MySQL db table has 6 fields. an auto_incrementing int for the primary key, then 3 varchars for first, last name, and e-mail, an INT for phone number, and a TEXT for comments.
the form has 5 fields, each appropriate for the datatype (including a <textarea> for the comments). the form is on index.php and its action goes to a file named thanks.php so i can confirm to the user that their info was in fact entered into the db by echoing back the $_POST data submitted by the form action.
i also have an IF statement set to check for existence of $_POST data sent from the form in a required field, Email-- since it's the critical bit of data, if it's empty, the index.php page is loaded again.
however, all of this is not working, and my error is "Duplicate entry '' for key 2"
here's the code from the thanks.php page, where most of the parsing takes place. the only thing on the other page is the form, and i always make it successfully to the thanks.php page.

PHP: Select all

<?php 

$conn = mysql_connect("localhost", "private", "private");

mysql_select_db("seminar", $conn) or die(mysql_error());

if ($_POST['EMAIL'] = "") {

$url = "index.php";

header("Location: $url");

exit;

} else {

$inquery = "INSERT into interest values ('', '$_POST[F_NAME]', '$_POST[L_NAME]', '$_POST[email]', 

'$_POST[PHONE]', '$_POST[REMARK]')";

mysql_query($inquery, $conn) or die(mysql_error());

$htmlblock = "<h3>the following was recorded by your entry:</h3>

<p>First Name: '$_POST[F_NAME]'</p>

<p>Last Name: '$_POST[L_NAME]'</p>

<p>e-Mail: '$_POST[email]'</p>

<p>Phone: '$_POST[PHONE]'</p>

<p>Remarks: '$_POST[REMARK]'</p>";

}

?>

<p>

<?php 

echo $htmlblock;

?>

</p>

i posted a similar thread in another php forum-- although it brought to my attention something about "addslashes" (which isn't represented here cause i wanted you to see my original code) but their solution didn't solve the problem anyway-- so i'm still stumped.
thanks for reading!!.

[grahame]

Use the longer form of insert that names the fields, and don't try to fiddle the auto_increment field:

Code: Select all

insert into interest (forename, surname, email, phone, comment) 
values ('$_POST[F_NAME]', '$_POST[L_NAME]', '$_POST[email]', 
'$_POST[PHONE]', '$_POST[REMARK]')

Not only is that clearer and more robust, but it will mean that your code will not break if you add a later (optionally supplied) column to the table later on.
Aside - your comment about addslashes noted. If your PHP is configured with magic quotes on (it is that way by default) the you don't want to add slashes as you put things into the database. If it's configured with magic quotes off, it's important to add slashes and to do so before you release your page to the world or you'll be exposed to an injection attack.

[jswebdev]

Quote:

Originally Posted by grahame

it's important to add slashes and to do so before you release your page to the world or you'll be exposed to an injection attack.

hey, thanks for the reply! if you have time, please do elaborate a bit about how the slashes help to preven [MySQL] injection. i never heard it put that way before, but i don't doubt your accurate.

if i recall correctly, the error above was actually caused by this line

PHP: Select all

if ($_POST['EMAIL'] = "") 

, as you can see, it should have been

PHP: Select all

if ($_POST['email'] == "") ... 

btw, grahame, i never did get that 'heredoc' thing to work right, but i think i know why-- cause i didn't have it as the first column (the rule about it must be in the first column of the line). i'll try again some day for sure! that's one of my favorite tidbits i've 'learned' from a forum-- i put that in quotes cause i haven't got it right yet, but i'll get there! haven't really spent much time w/ it, to be honest.