why is null inserted in database?

Question

I am trying to create a form that user is choosing an option let's say that he will choose his name i used ajax to call another page , in this page i create the connection and inserting the answer the problem it's inserting null Code index.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>MyDataBase </title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.1/jquery.min.js">   </script>

 $(document).ready(function(){
$("#mysubmit").click( function (){
    $.ajax({
        url:"Final.php",
        type:"POST",
        success: function(success_array)
        {   
            alert(" Well Done ");
        },
        error: function(xhr, ajaxOptions, thrownError)
        {
            alert( " Didn't work ! ");
        }
    });
 });
   });

 </script>  
  </head>
  <form method="post" id = "myform">
  <input type="radio" name="kname" value="X1" />X1<br  />
  <input type="radio" name="kname" value="Y1" />Y1<br  />
  <input type="radio" name="kname" value="A1" />A1<br  />
  <input type="radio" name="kname" value="G1" />G1<br  />
  <input type="submit" onclick="save()"  id="mysubmit"/>
  </form>
  <body>
  </body>
  </html>

Final.php

            <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
        <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Thanks</title>
        </head>

        <body>
        <?php
        $con = mysqli_connect("localhost","root","xyz","test");
        mysqli_query($con,"INSERT INTO name values ('$_POST[kname]')");
        ?>
        </body>
        </html>

**warning** your code is vulnerable to sql injection attacks! — Daniel A. White, Jul 15 '13 at 22:37
@DanielA.White , it's nothing compared with the [question I just visited](http://stackoverflow.com/q/17664993/). Still this is vulnerable to SQL injection and should be fixed. — Francisco Presencia, Jul 15 '13 at 22:39
You have SQL injection vulnerability. So what debugging have you done to try to narrow this down? Have you considered trying to handle MySQL errors to see what the problem may be? — Mike Brant, Jul 15 '13 at 22:39

score 0 · Answer 1 · answered Jul 15 '13 at 22:37

0

You have to reference the kname via $_POST['kname'].

But please! always escape your values!

answered Jul 15 '13 at 22:37

Tobias Golbs

4,586
3
28
49

What do u mean by "reference the kname" sorry i am still new bie in this – Moustafa Ghoniem Jul 15 '13 at 23:02
You have to use quotes around `kname` because elsewise the compiler would consider `kname` a constant. – Tobias Golbs Jul 16 '13 at 06:14

Sean · Answer 2 · 2013-07-15T23:11:38.207

0

When submitting/posting via ajax you need to add your data. simplest is with serialize().

 var form = $('#myform');
 $.ajax({
    url:"Final.php",
    type:"POST",
    data: form.serialize(),
    ...

or you could get a single field -

   data: {kname: $('#id_of_your_radio').val()},

just make sure to sanitize the userdata before inserting into your db.

edited Jul 15 '13 at 23:11

answered Jul 15 '13 at 23:03

Sean

12,443
3
29
47

have you checked firebug (firefox) or developer console (chrome, etc) to see what is being posted for `kname`? – Sean Jul 15 '13 at 23:18
you have `onclick="save()"` in your submit button. Where is `save()` defined? I assume this is unneccessary as you are binding the `$("#mysubmit").click( function (){...});`. Try removing the `onclick="save()"`. – Sean Jul 16 '13 at 13:51

why is null inserted in database?

2 Answers2