3

I have a page called service.php that uses a modal window to open a form. The action on the form was service.php.

```php
<div class="modal hide fade" id="myServiceModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
   <div class="modal-header">
      <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
      <h3 id="myModalLabel">Service Failure Form</h3>
   </div>
   <div class="modal-body">
   <p>
     <form class="well-small" action="service.php" method="POST" id="serviceModalForm" name="serviceModalForm">
        <label>Container Selected</label>
        <input type="text" name="containerNumber" id="containerNumber" />
        <label>Bol Selected</label>
        <input type="text" name="bolNumber" id="bolNumber" />
        <input type="submit" id="modal-form-submit" name="submit" class="btn btn-success btn-small" href="#" value="Save" />

<?php

$bol = $_POST['bolNumber'];
$container = $_POST['containerNumber'];

if(isset($_POST['submit'])){
     // The POST values are interpolated directly into the SQL string
     // (the injection risk raised in the comments below).
     $sql_query_string = 
           "INSERT INTO import_view_svc_fail (bol, container_num) VALUES 
                                             ('$bol', '$container');";
     if(mysql_query($sql_query_string)){
        echo ("<script language='javascript'>
                window.alert('Added New Service Failure')
                </script>");
     }
}
?>
      </form>
```

This form worked, and it saved to the appropriate table.

Here is my problem: I had to move that form to another page, called dispatch.php. All I did was copy the code, and put it on dispatch.php.

I changed the action of the form to dispatch.php, and that's where I think the problem starts. When I change the action back to service.php, it works for whatever reason.

When I remove the form completely from service.php, the form on dispatch.php no longer works.

I've tried everything to make this work. I removed all of the code from service.php. I even removed the whole file from the folder.

Any insight would be helpful.

HoodCoderMan
  • you should take a minute to read about [sql injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1)... – gloomy.penguin Nov 04 '13 at 17:24
  • You should look into either MySQLi or PDO with prepared statements to help prevent mysql injection. Do you have the code from the dispatch version? –  Nov 04 '13 at 17:26
  • Be aware of sql injections, sir.. Anyway: how could this work? your sql string is just a string, you're not querying it... Are you actually doing the query somewhere else or what? – briosheje Nov 04 '13 at 17:27
  • You have `action="service.php"` and your query on the same page. Shouldn't you be doing `action=""` ? You should be separating your form and MySQL. What do you have for code inside `service.php` ? – Funk Forty Niner Nov 04 '13 at 17:27
  • Added the querying code. – HoodCoderMan Nov 04 '13 at 17:33
  • remove the semicolon in your query that is inside the quotes – Jim Nov 04 '13 at 17:33
  • @JohnBeasley Is your posted code in two separate files? Your code is all in one bundle and no indication is given if they are. – Funk Forty Niner Nov 04 '13 at 17:36
  • Plus as Jim pointed out, I was going to say the same thing. Change `('$bol', '$container');";` to `('$bol', '$container')";` – Funk Forty Niner Nov 04 '13 at 17:36
  • The code for the serviceForm was on 2 pages, but I've since removed the code from service.php. Now it's only dispatch.php that has the code. – HoodCoderMan Nov 04 '13 at 17:37
  • I've removed the extra ; – HoodCoderMan Nov 04 '13 at 17:37
  • @Fred - the code on the dispatch.php is exactly the same. – HoodCoderMan Nov 04 '13 at 17:39
  • @JohnBeasley I'm confused as to why you have your action pointing to `service.php` and you have your PHP wrapped inside `
    ` it doesn't make sense.
    – Funk Forty Niner Nov 04 '13 at 17:39
  • @Fred - in the dispatch.php, should I just take the action out? – HoodCoderMan Nov 04 '13 at 17:41
  • @Fred - Oh shnap!!! When I removed the action from the form on the dispatch.php, it worked! – HoodCoderMan Nov 04 '13 at 17:43
  • @JohnBeasley To tell you the truth, I'm not entirely sure, because of the modal. If it works for you, then leave it the way it is. If not, you can set your action to `action=""`; this has the same effect as using `self` – Funk Forty Niner Nov 04 '13 at 17:44
  • @JohnBeasley I had a feeling about that. Glad it worked out. But why did you accept the other answer? Was that a problem also? – Funk Forty Niner Nov 04 '13 at 17:45
  • @Fred-ii- I was wondering that, too. I thought the issue was about submitting the form to the right place and grabbing `$_POST` values... I am surprised a question about forgetting to actually run the query or connect to the database received so many upvotes. – gloomy.penguin Nov 04 '13 at 18:59
  • @gloomy.penguin I thought the same thing, why so many upvotes. – Funk Forty Niner Nov 04 '13 at 19:05

2 Answers

0

You tell the script what to do but you don't tell it to do it.

In order to execute your SQL query you have to use mysql_query($sql_query_string);

You will also want to connect to your database. Take a look at http://php.net/manual/de/function.mysql-connect.php for more information.

Christine
0

so.. you change the action in service.php:

```php
<form class="well-small" action="dispatch.php" method="POST" id="serviceModalForm" name="serviceModalForm">
```

Move to dispatch.php

```php
<?php

if(isset($_POST['submit'])) 
{
     $bol = (isset($_POST['bolNumber'])) ? $_POST['bolNumber'] : ''; 

     $container = (isset($_POST['containerNumber'])) ? $_POST['containerNumber'] : '';         

     if (!empty($bol) && !empty($container))
     {
         $sql_query_string = 
               "INSERT INTO import_view_svc_fail (bol, container_num) VALUES 
                                                ('$bol', '$container');";
         // run the query here

         print "<br/><br/>".$sql_query_string."<br/><br/>";
     }
     else { print "<br/><br/>empty values;<br/>"; } 
}
else { print "<br/><br/>\$_POST info not received;<br/>"; }  

?>
```

prints (after submit):

INSERT INTO import_view_svc_fail (bol, container_num) VALUES ('input one value', 'input two value');

you probably should check and make sure you got all your post values inside the if(isset($_POST['submit'])) statement, too. or re-work the logic as a whole... it depends if you want to allow blank values, too.

Also, read up on sql injection and why you should learn to use mysqli_ or pdo.

gloomy.penguin
  • Yes, thank you. I have taken steps to prevent sql injections. For instance: mysql_real_escape_string(stripslashes($container)); – HoodCoderMan Nov 04 '13 at 17:48
  • oh, no... that's not really enough, though – gloomy.penguin Nov 04 '13 at 17:48
  • [read this](http://stackoverflow.com/questions/2353666/php-is-mysql-real-escape-string-sufficient-for-cleaning-user-input) or [this](http://stackoverflow.com/a/110576/623952).. even the [php documentation for mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php) says that it isn't enough... – gloomy.penguin Nov 04 '13 at 17:49
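
An added example, not part of the original thread or either answer: the insert from the question rewritten with a PDO prepared statement, as the comments and the second answer recommend. The function name `save_service_failure`, the in-memory SQLite database standing in for MySQL, and the sample input are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database stands
// in for the MySQL one so the script runs offline; for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE import_view_svc_fail (bol TEXT, container_num TEXT)');

// Hypothetical helper: validates the two form fields and inserts them with
// bound parameters, so the values never become part of the SQL text.
function save_service_failure(PDO $pdo, array $post): bool
{
    if (!isset($post['submit'])) {
        return false;                       // form was not submitted
    }
    $bol = trim($post['bolNumber'] ?? '');
    $container = trim($post['containerNumber'] ?? '');
    if ($bol === '' || $container === '') {
        return false;                       // reject blank values, as in the answer
    }
    $stmt = $pdo->prepare(
        'INSERT INTO import_view_svc_fail (bol, container_num) VALUES (:bol, :container)'
    );
    return $stmt->execute([':bol' => $bol, ':container' => $container]);
}

// Constructed input: the container value contains a quote and SQL syntax that
// would break out of the quoted literal in the string-built query.
$post = [
    'submit' => 'Save',
    'bolNumber' => 'BOL-1001',
    'containerNumber' => "X'); DROP TABLE import_view_svc_fail; --",
];
var_dump(save_service_failure($pdo, $post));

// The table still exists and holds the value verbatim, as data.
foreach ($pdo->query('SELECT bol, container_num FROM import_view_svc_fail') as $row) {
    // Escape on output as well: stored values are still untrusted in HTML.
    echo htmlspecialchars($row['bol'], ENT_QUOTES, 'UTF-8'), ' | ',
         htmlspecialchars($row['container_num'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

With the MySQL driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` and declare the charset in the DSN so the server, not the client library, handles the parameter binding.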