Well, I might as well start of with the codes and such.

This is the form (index.php)
<?php
if (!isset($_POST['submit'])) {
?>
<form action="" method="post">
Valikorlia Username: <input type="text" name="username"><br><br>
Type of Approval: <select name="type">
<option value="magic">Magic</option>
<option value="weapon">Weapon/Artifact</option>
<option value="race">Race</option>
<option value="guild">Guild/Faction</option>
<option value="other">Other</option>
</select><br><br>
Approval Content (be descriptive): <textarea name="content" cols=40 rows=20></textarea><br><br>
<input type="submit" name="submit" value="Submit!">
</form>
<?php
} else {
$username = $_POST['username'];
$type = $_POST['type'];
$content = $_POST['content'];
mysql_query("INSERT INTO `pending` (username, type, content) VALUES ('$username', '$type', '$content')");
echo "Your approval has been sent to the RPAs! Please allow the RPAs to look over your request. To see your request's status, please click <a href=status.php>here</a> ";
}
?>

This is the file that displays the data inside the database (status.php)
<?php
$sql = "SELECT * FROM pending";
$query = mysql_query($sql);
while($row = mysql_fetch_array($query)) {
echo "<tr>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['type']."</td>";
echo "<td>".$row['content']."</td>";
echo "</tr>";
}
?>

And this is how my database is set up:

CREATE TABLE `pending` (
`username` varchar(255) NOT NULL,
`type` varchar(255) NOT NULL,
`content` longtext NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;


What's happening is that the "type" and "content" variables are being inserted in to the database, but the "username" field is not.

It all seems fine but could you put some echos to test it like :

$username = $_POST['username'];
$type = $_POST['type'];
$content = $_POST['content'];

echo 'Username : '.$username.'<br>';

You're getting a sql error because you have a column named "type" which is a reserved word. Put quotes around it and it'll work (`type`).

To extend verifications, you can always

replace this line:


if (!isset($_POST['submit'])) {

for:


$username = $_POST['username'];
$type = $_POST['type'];
$content = $_POST['content'];

$username = (isset($_POST['username'])) ? (stripslashes(trim($_POST['username']))) : NULL;
$type = (isset($_POST['type'])) ? (stripslashes(trim($_POST['type']))) : NULL;
$content = (isset($_POST['content'])) ? nl2br(stripslashes($_POST['content'])) : NULL;

if (is_null($user_name) || is_null($type) || is_null($content)) {
?>
<form action="" method="post">
Valikorlia Username: <input type="text" name="username"><br><br>
Type of Approval: <select name="type">
<option value="magic">Magic</option>
<option value="weapon">Weapon/Artifact</option>
<option value="race">Race</option>
<option value="guild">Guild/Faction</option>
<option value="other">Other</option>
</select><br><br>
Approval Content (be descriptive): <textarea name="content" cols=40 rows=20></textarea><br><br>
<input type="submit" name="submit" value="Submit!">
</form>
<?php

} else {

mysql_query("INSERT INTO `pending` (username, type, content) VALUES ('".$username."', '".$type."', '".$content."')");
echo "Your approval has been sent to the RPAs! Please allow the RPAs to look over your request.\n\n To see your request's status, please click <a href=\"status.php\">here</a> ";
}

;)

There are few flaws in this script:

1) User input is not checked and cleaned (in horizon's post, he also didn't sanitize users input). That leaves your script open to sql injection attacks.

2) There's no flood control. Someone can submit once, and then hit refresh million times, filling your database with duplicate records.

3) There's no error reporting in case sql query goes wrong (as it is, that's why the insert isn't working).

So to sum it up:


<?php

session_start();

if(isset($_POST['submit']))
{
if(isset($_SESSION['flood_protect']))
die("We're sorry for inconvenience, but it seems your request has already been submitted");

$username = mysql_escape_string(trim($_POST['username']));
$type = mysql_escape_string($_POST['type']);
$content = mysql_escape_string($_POST['content']); // you perform nl2br and similar functions when you pull the text out of the db, not when you insert it

if(empty($username))
$errors[] = 'Username was left blank, please fill it in';

if(empty($type))
$errors[] = 'Type field was left blank, please fill it in'; // this is supposed to be non-empty always but we're checking it

if(empty($content))
$errors[] = 'Approval Content was left blank, please fill it in';

if(!is_array($errors))
{
mysql_query("INSERT INTO `pending` (`username`, `type`, `content`) VALUES ('$username', '$type', '$content')") or die('An error occured: '. mysql_error());
echo "Your approval has been sent to the RPAs! Please allow the RPAs to look over your request. To see your request's status, please click <a href=status.php>here</a> ";

$_SESSION['flood_protect'] = 1;
}
else
{
echo '<p>Errors occured:</p>';

foreach($errors as $error_message)
{
echo "<p>$error_message</p>";
}
}
}
else
{
?>
<form action="" method="post">
Valikorlia Username: <input type="text" name="username"><br><br>
Type of Approval: <select name="type">
<option value="magic">Magic</option>
<option value="weapon">Weapon/Artifact</option>
<option value="race">Race</option>
<option value="guild">Guild/Faction</option>
<option value="other">Other</option>
</select><br><br>
Approval Content (be descriptive): <textarea name="content" cols=40 rows=20></textarea><br><br>
<input type="submit" name="submit" value="Submit!">
</form>
<?php
}
?>

Thanks, guys!

I should probably read up even more on MySQL.