3

I am looking to insert the data from the PHP form into the MySQL database via the PHP code located on the same page.

<?php
if (isset($_POST['submit'])){
$con=mysqli_connect("localhost","root","********","*********");
$sql="INSERT INTO drafts (id, title, description, post, author, category, declined)
VALUES
('','$_POST[title]',$_POST[description],$_POST[post],$_POST[author],$_POST[category],0)";
echo "Droplet Successfully Added!";}
?>

<form action="create-post.php" method="post">
  Title: <br /><input type="text" name="title"><br /><br />
  Description: <br /><textarea name="description"></textarea><br /><br />
  Post: <br /><textarea name="post"></textarea><br /><br />
  Author: <br /><input type="text" name="author"><br /><br />
  Category: <br /><input type="text" name="category"><br /><br />
  <input class="btn btn-info" type="submit" value="Submit for review">
</form>
Andy G
TheGiantBaboon
    This will not work, as single quotes do not evaluate variables. Make sure to use string concatenation or double quotes (but *please*, scrub your data and use PDO/prepared statements instead). – Kevin Ji Sep 08 '13 at 18:29

2 Answers

-2

Currently, when a user fills out the form above and clicks the submit button, the form data is sent for processing to a PHP file named create-post.php.

Now, if you leave the action attribute empty, the form will submit to itself:

<?php
// Runs only after the form below has been submitted (the submit button is named "submit").
if (isset($_POST['submit'])) {

    $con=mysqli_connect("localhost","root","********","*********");
    // User input is interpolated directly into the query (see the note on SQL injection below).
    $sql="INSERT INTO drafts (id, title, description, post, author, category, declined)
    VALUES
    ('','$_POST[title]','$_POST[description]','$_POST[post]','$_POST[author]','$_POST[category]',0)";
    // Send the query to the database; building the string alone inserts nothing.
    if (mysqli_query($con, $sql)) {
        echo "Droplet Successfully Added!";
    }

}
?>

<form action="" method="post">
    Title: <br /><input type="text" name="title"><br /><br />
    Description: <br /><textarea name="description"></textarea><br /><br />
    Post: <br /><textarea name="post"></textarea><br /><br />
    Author: <br /><input type="text" name="author"><br /><br />
    Category: <br /><input type="text" name="category"><br /><br />
    <input class="btn btn-info" type="submit" name="submit" value="Submit for review">
</form>

When a user visits the page, $_POST['submit'] won't be set, so the statements inside the if block won't get executed and the form will be displayed. Once the form is filled out and the user clicks the submit button, the $_POST super-global array will be populated with the form inputs, the if condition will evaluate to TRUE, and thus the statements will get executed.

Unrelated note: you're currently accepting user inputs and directly inserting them into your query. It's vulnerable to SQL injection. Never ever trust user inputs. See bobby-tables to understand more about SQL injection and how to prevent it.

Community
-2
  1. Change <form action="create-post.php" method="post"> to <form action="" method="post"> for same page insert.

  2. Correct the query like $sql="INSERT INTO drafts (title,description,post,author,category,declined) VALUES ('$_POST[title]', '$_POST[description]', '$_POST[post]', '$_POST[author]', '$_POST[category]', 0)";

  3. Add this line $query = mysqli_query($con,$sql);

These three changes will do the work, but it's not the best practice; you are accepting direct input from the user, so it is vulnerable to SQL injection.

Atiqur
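
Both answers and the comment on the question point out that the posted query is open to SQL injection and recommend prepared statements. The same-page handler written that way, as an added example that is not code from the question or from either answer: the `app_user` account, the placeholder password and database name, and the assumption that `drafts.id` is an AUTO_INCREMENT column are illustrative, not taken from the page.

```php
<?php
// Added example: same-page form handler using a mysqli prepared statement.
// Assumptions: placeholder credentials, a low-privilege app_user account,
// and an AUTO_INCREMENT id column (so id is omitted from the INSERT).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$fields  = ['title', 'description', 'post', 'author', 'category'];
$message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Collect each expected field as a trimmed string; arrays and blanks are rejected.
    $values = [];
    foreach ($fields as $f) {
        $v = $_POST[$f] ?? '';
        $values[$f] = is_string($v) ? trim($v) : '';
    }
    if (in_array('', $values, true)) {
        $message = 'All fields are required.';
    } else {
        try {
            $con = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'PLACEHOLDER_DB');
            $con->set_charset('utf8mb4');
            // The ? placeholders keep user input out of the SQL text entirely.
            $stmt = $con->prepare(
                'INSERT INTO drafts (title, description, post, author, category, declined)
                 VALUES (?, ?, ?, ?, ?, 0)'
            );
            $stmt->bind_param('sssss', $values['title'], $values['description'],
                $values['post'], $values['author'], $values['category']);
            $stmt->execute();
            $message = 'Droplet Successfully Added!';
        } catch (mysqli_sql_exception $e) {
            error_log($e->getMessage()); // details go to the server log only
            $message = 'Could not save the draft.';
        }
    }
}
?>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<form action="" method="post">
  Title: <br /><input type="text" name="title"><br /><br />
  Description: <br /><textarea name="description"></textarea><br /><br />
  Post: <br /><textarea name="post"></textarea><br /><br />
  Author: <br /><input type="text" name="author"><br /><br />
  Category: <br /><input type="text" name="category"><br /><br />
  <input class="btn btn-info" type="submit" name="submit" value="Submit for review">
</form>
```

Input such as `O'Reilly` or `x', 0); --` is stored verbatim as data here, whereas in the interpolated query it would change the statement itself.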