You need to check the return value of the mysql_query() call.
http://php.net/manual/en/function.mysql-query.php
$result = mysql_query($query);
if (!$result) {
die('Invalid query: ' . mysql_error());
}
Right now, you'll never actually hit the error condition and won't actually see what (if any) error that MySQL is sending back to you.
Also, you probably want to escape the values you are plugging into the query instead of just doing normal string concatentation. If you don't, your app could be vulnerable to a SQL injection attack. Here is how to generate the query safely:
$query = sprintf("INSERT INTO staff (name, lastname, username, password, position, department, birthmonth, birthday, birthyear, location, phone, email, street, city, state, country, zip, tags, photo) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($name),
mysql_real_escape_string($lastname),
mysql_real_escape_string($username),
mysql_real_escape_string($password),
mysql_real_escape_string($position),
mysql_real_escape_string($department),
mysql_real_escape_string($birthmonth),
mysql_real_escape_string($birthday),
mysql_real_escape_string($birthyear),
mysql_real_escape_string($location),
mysql_real_escape_string($phone),
mysql_real_escape_string($email),
mysql_real_escape_string($street),
mysql_real_escape_string($city),
mysql_real_escape_string($state),
mysql_real_escape_string($country),
mysql_real_escape_string($zip),
mysql_real_escape_string($tags),
mysql_real_escape_string($photo));
EDIT: Just saw your comment to another answer. If you are already doing the escaping like:
$birthday = mysql_real_escape_string(trim($_POST['birthday']));
then you don't need to escape it when generating the query. It's probably better practice to do the escaping at the time you generate the query so it is clear that you aren't missing anything.
EDIT2: According to the docs, mysql_connect() should take the host, user, and password and then you need to do a mysql_select_db() call afterwards to pick the correct database.
http://www.php.net/manual/en/function.mysql-select-db.php
$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if (!$dbc) {
die('Could not connect: ' . mysql_error());
}
// make foo the current db
$db_selected = mysql_select_db(DB_NAME, $dbc);
if (!$db_selected) {
die ('Could not select database: ' . mysql_error());
}
(BTW, you should edit your question and put back the original text so it might be useful to others finding this topic later!)
