I have been using HTML_QuickForm as part of the build for my CMS system. I currently have it set up like this, and it works fine:
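<?php
// Build the category <select> options from the webcategory table.
// Initialise first so an empty result set does not leave $web_categories undefined.
$web_categories = array();
$sqlCat = mysql_query("SELECT id, name FROM webcategory WHERE display = 'Yes'");
if ($sqlCat === false) {
    // mysql_query() returns false on failure; record the driver error instead of iterating over false.
    error_log('webcategory SELECT failed: ' . mysql_error());
} else {
    while ($row = mysql_fetch_array($sqlCat)) {
        $web_categories[$row[0]] = $row[1];
    }
}
require_once "HTML/QuickForm.php";
// SCRIPT_NAME is set by the server; PHP_SELF can carry request-supplied PATH_INFO into the action attribute.
// NOTE(review): QUERY_STRING is also request-controlled — confirm HTML_QuickForm escapes attribute
// values when rendering; if it does not, pass it through htmlspecialchars() here.
$form = new HTML_QuickForm('add', 'post', $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING']);
$form->addElement('text', 'name', 'Title :', 'style="width: 470px;" class=warn');
$form->addElement('select', 'category', 'Category : ', $web_categories);
$form->addElement('textarea', 'text', 'Content :', 'style="width: 470px;" rows="20" class=warn');
$form->addElement('advcheckbox', 'display', 'Display:', 'Display this page', null, 'Yes');
$form->addElement('submit', 'Submit', 'Add Webpage', 'button');
// 'Yes' must be a quoted string: a bare Yes is an undefined constant (a notice on older PHP, an Error on PHP 8).
$form->setDefaults(array('display' => 'Yes'));
$form->addRule('name', 'A name is required', 'required');
$form->addRule('text', 'Some text is required', 'required');
$form->applyFilter('text', 'trim');
if ($form->validate()) {
    // freeze() only changes how the form is rendered (static values instead of inputs).
    $form->freeze();
}
$form->display();
echo $back ; ?>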
<?
// display add form
}
elseif(!$_POST['name']) {
echo "<p class=\"errorMessage\">You must enter a title into the input field...<a href=\"".$_SERVER['PHP_SELF']."\">try again.</a> !</p>";
}
else { //add form is being sent
//Insert the values into the correct database with the right fields
$result=MYSQL_QUERY("INSERT INTO `webpages` (`name`, `text`, `display`, `category`)".
"VALUES ('".strip_tags($_POST['name'])."', '".strip_tags($_POST['text'])."', '".strip_tags($_POST['display'])."', '".strip_tags($_POST['category'])."')");
echo "<p class=\"add\">You successfully added a $page...<a href=\"".$_SERVER['PHP_SELF']."\">go back to the list.</a>";// in php you escape " characters with the backslash,
}
}
However, I have been told that it would be more secure if I put my INSERT and UPDATE statements after the form freeze, as in the example below. This version doesn't insert the values into the database.
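<?php
// Build the category <select> options from the webcategory table.
// Initialise first so an empty result set does not leave $web_categories undefined.
$web_categories = array();
$sqlCat = mysql_query("SELECT id, name FROM webcategory WHERE display = 'Yes'");
if ($sqlCat === false) {
    // mysql_query() returns false on failure; record the driver error instead of iterating over false.
    error_log('webcategory SELECT failed: ' . mysql_error());
} else {
    while ($row = mysql_fetch_array($sqlCat)) {
        $web_categories[$row[0]] = $row[1];
    }
}
require_once "HTML/QuickForm.php";
// SCRIPT_NAME is set by the server; PHP_SELF can carry request-supplied PATH_INFO into the action attribute.
// NOTE(review): QUERY_STRING is also request-controlled — confirm HTML_QuickForm escapes attribute
// values when rendering; if it does not, pass it through htmlspecialchars() here.
$form = new HTML_QuickForm('add', 'post', $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING']);
$form->addElement('text', 'name', 'Title :', 'style="width: 470px;" class=warn');
$form->addElement('select', 'category', 'Category : ', $web_categories);
$form->addElement('textarea', 'text', 'Content :', 'style="width: 470px;" rows="20" class=warn');
$form->addElement('advcheckbox', 'display', 'Display:', 'Display this page', null, 'Yes');
$form->addElement('submit', 'Submit', 'Add Webpage', 'button');
// 'Yes' must be a quoted string: a bare Yes is an undefined constant (a notice on older PHP, an Error on PHP 8).
$form->setDefaults(array('display' => 'Yes'));
$form->addRule('name', 'A name is required', 'required');
$form->addRule('text', 'Some text is required', 'required');
// Kept from the first version of this form, which trimmed the content before validation.
$form->applyFilter('text', 'trim');
if ($form->validate()) {
    // freeze() only changes how the form is rendered; the protection here comes from validate()
    // gating the INSERT and from escaping the values below, not from the ordering itself.
    $form->freeze();
    // NOTE(review): if this block sits in the "display add form" branch of a surrounding
    // if/elseif/else on $_POST['name'], a submitted form never reaches it — confirm the outer control flow.
    // Read the values from the validated form rather than raw $_POST so rules and filters apply.
    $values = $form->exportValues();
    // strip_tags() removes markup but does not escape SQL metacharacters (quotes, backslashes);
    // every value interpolated into the statement must go through the driver's escaping.
    $name     = mysql_real_escape_string(strip_tags($values['name']));
    $text     = mysql_real_escape_string(strip_tags($values['text']));
    $display  = mysql_real_escape_string(strip_tags($values['display']));
    $category = mysql_real_escape_string(strip_tags($values['category']));
    $result = mysql_query("INSERT INTO `webpages` (`name`, `text`, `display`, `category`) "
        . "VALUES ('$name', '$text', '$display', '$category')");
    if ($result === false) {
        // The original never checked the return value, so a failed INSERT looked the same as success.
        // Log the driver error server-side; show the user only a generic message.
        error_log('webpages INSERT failed: ' . mysql_error());
        echo '<p class="errorMessage">The page could not be saved.</p>';
    }
}
$form->display();
echo $back ; ?>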
Can anyone tell me what I am doing wrong, please?