Inserting form values with spaces into mysql 4.1

I'm trying to insert form data into a MySQL 4.1 DB. The problem I'm having is form fields that include spaces get truncated before insertion. The POST variables are complete, spaces and all. Just being cut off somewhere. For instance, "South Lake Tahoe" is inserted simply as "South". Zip codes and telephone numbers with dashes are also fine. The site I'm working on is hosted by Yahoo Small Business, and they're still using MySQL 4.1. I don't know if that is the problem, but I do know I never had issues doing this with MySQL 5+. The user fills out a form to add a new member. Upon Submit, the form data is POSTED to another page for processing:

$k = array();
$v = array();
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];

$result = mysql_query("SELECT * FROM members WHERE first_name='$first_name' AND last_name='$last_name'");
if(mysql_num_rows($result)>0){
    mysql_free_result($result);
    exit("Duplicate User in Database");
}
mysql_free_result($result);

array_pop($_POST);//Don't need the Submit val开发者_运维技巧ue

foreach($_POST as $key=>$value){
array_push($k, "$key");
array_push($v, "$value");
}

$fields = implode(", ", $k);
$values = array();
foreach($v as $key=>$value){
    array_push($values, '"'.$value.'"');
}
$values_string = implode(", ", $values);

$result = mysql_query("INSERT INTO members($fields) VALUES($values_string)");

I'm sure there are better ways of doing this, but I'm still on the way up the learning curve. Please point out any obvious flaws in my thinking. Any suggestions are greatly appreciated.

EDIT: The field types in MySQL are correct and long enough. For example, the field for City is set as VARCHAR(30).

Thanks much, Mark

This code is horrifically insecure - you're taking user-supplied values and plopping them directly into your SQL statements without any sanitization. You should call http://php.net/manual/en/function.mysql-real-escape-string.php on anything you insert into a query this way (parameterized queries with PDO are even better).

You also make some assumptions, such as $_POST always being ordered a certain way (is that guaranteed?) and that you have exactly as many elements in your form as you have fields in your table, and that they're named identically. The code as it's written is the kind of thing a lot of beginning programmers do - it feels efficient, right? But in the end it's a bad idea. Just be explicit and list out the fields - e.g.

$field1 = $_POST['field1'];
$field2 = $_POST['field2'];
$sql = "insert into mytable (field1, field2) values ('" . mysql_real_escape_string($field1) . "', '" . mysql_real_escape_string(field2) . "')";
mysql_query($sql);

I haven't touched on why stuff would cut off at the first space, as this would imply that your code as you have it presented is salvageable. It's not. I get the feeling that reworking it as I described above might make that problem go away.

<?php

// Remember to always escape user input before you use them in queries.
$first_name = mysql_real_escape_string($_POST['first_name']);
$last_name = mysql_real_escape_string($_POST['last_name']);

$result = mysql_query("SELECT * FROM members WHERE first_name='$first_name' AND last_name='$last_name'");
if (mysql_num_rows($result) > 0) {
    mysql_free_result($result);
    exit("Duplicate User in Database");
}
mysql_free_result($result);

// I removed your loop around $_POST as it was a security risk,
// and could also become non-working. (What would happen if the order
// of the $_POST keys were changed?)
// Also the code become clearer this way.

$result = mysql_query("INSERT INTO members(first_name, last_name) VALUES('$first_name', '$last_name')");