-1

Why am I unable to enter data in to db?

<?php include('./includes/header.php');
$error = "";
if (@$_POST['send']) {
    $name    = mysql_real_escape_string(strip_tags($_POST['name']));
    $email   = mysql_real_escape_string(strip_tags($_POST['email']));
    $message = mysql_real_escape_string(strip_tags($_POST['message']));
    if ($name == "") {
        $error = "Name cannot be left empty.";
    }
    else if ($email == "") {
        $error = "Enter valid email id";
    }
    else if ($message == "") {
        $error = "Message cannot be left empty.";
    }
    else {
        //send message
        $sendmessage = mysql_query("INSERT INTO contact VALUES('','$name','$email','$message')", $db1) or die(mysql_error());
        $error = "Message sent!!";
    }
}
?>
<meta property="og:title" content="Contact Us" />
<meta property="og:description" content="For any help, drop us a mail" />
<meta property="og:image" content="http://studyfoyer.org/images/contactus.jpg" />

<title>Contact Us</title>
</head>
<?php include('includes/navigation.php');?>


    <div class="container">   
        <div class="row">

            <form class="log-page" action="contact.php" method="POST">

                <h2 class="form-signin-heading">Get in touch</h2>   
                <div class="input-prepend">
                    <label for="InputUsername">Name</label>
                    <input type="text" class="form-control" name='name' placeholder="Name" required autofocus>
                </div>
                <div class="input-prepend">
                    <label for="InputEmail">Email</label>
                    <input type="email" class="form-control" name='email' placeholder="Email address" required>
                </div>
                <div class="input-prepend">
                    <label for="InputMessage">Message</label>
                    <textarea class="form-control" rows="3" name="message" placeholder="Your message" required></textarea>
                </div>
                <div class="controls form-inline">
                    <button class="btn btn-primary" name='send' type="submit">Send</button>
                </div>

                    <?php echo $error; ?>
                </div>
            </form>

        </div>
    </div>

The DB connection is done through header.php. I've two websites (both on localhost) using the same db for contact info. Can this affect it? The code seems to run fine on the other one.

Siddharth Patel
  • What error are you getting and is `$db1` properly initiated? Have you made sure the code makes it to the `else` condition? Furthermore, what have you already tried? Provide us with some more information. – pbond Nov 23 '13 at 19:15
  • There are no errors. `$_POST` is not working. I've used the code previously, and it worked well. – Siddharth Patel Nov 23 '13 at 19:20
  • What do you mean exactly by '`$_POST` is not working'? You mean the entire `if`-block doesn't execute in the first place because `$_POST` isn't set? If `$_POST` isn't set, make sure a form uses the `$_POST` method to pass data to this PHP script. PS: why are you suppressing errors with `@`? Just use `isset` or `empty`. – pbond Nov 23 '13 at 19:22

1 Answer

0

It should be `if (isset($_POST['send']))` instead of `if (@$_POST['send'])`. The `isset` function will return true if `$_POST['send']` is "set". Sharing the same files for the db connection will not affect anything.

Your code is vulnerable to SQL injection. You must use prepared statements to safely sanitize user's input.

Shivam
  • Thanks, but how come it worked previously? Can you explain in a bit more detail? – Siddharth Patel Nov 23 '13 at 19:23
  • Can you throw some light on how to enter it more safely? – Siddharth Patel Nov 23 '13 at 19:24
  • Siddharth, for sanitizing the user's input to safely store it in database you need to use prepared statements and parameterized queries. Refer to [this](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/) and [this](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers) link. If some answer helps you don't forget to upvote it :) – Shivam Nov 23 '13 at 19:30
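The following is an added example, not code from the asker or the answerer, showing the two fixes the answer recommends together: testing the submit button with `isset()` and inserting the row with a PDO prepared statement instead of string-building a query for `mysql_query()` (the `mysql_*` functions were removed in PHP 7). It assumes a PDO connection with placeholder credentials (the real page connects in `includes/header.php`) and that the question's `contact` table has columns `name`, `email` and `message` besides an auto-increment id; both are assumptions. The `isset()` point matters here because a `<button type="submit" name="send">` with no `value` attribute posts `send` as an empty string, so `if (@$_POST['send'])` is false even though the form was submitted, while `isset($_POST['send'])` is true.

```php
<?php
// Added example; not the asker's or answerer's code.
declare(strict_types=1);

// Hypothetical connection details; on the original page the connection
// lives in includes/header.php. Exceptions on errors, real server-side
// prepares (no client-side emulation).
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'example_user',      // placeholder
    'example_password',  // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Validate the contact form fields. Returns an error message, or null
 * when the input is acceptable. Trimming keeps a message of only spaces
 * from passing the "not empty" check.
 */
function validateContact(array $post): ?string
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');

    if ($name === '') {
        return 'Name cannot be left empty.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Enter valid email id';
    }
    if ($message === '') {
        return 'Message cannot be left empty.';
    }
    return null;
}

/**
 * Insert one contact row with a prepared statement. The values are sent
 * to MySQL as bound parameters, never spliced into the SQL text, so a
 * quote or comment sequence inside the message cannot alter the query.
 * Column names are assumed (the question's INSERT lists no columns).
 */
function saveContact(PDO $pdo, string $name, string $email, string $message): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO contact (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([
        ':name'    => $name,
        ':email'   => $email,
        ':message' => $message,
    ]);
    return (int) $pdo->lastInsertId();
}

$error = '';
// isset() is true even when the submit button posts an empty string,
// which is exactly the case the @-suppressed truthiness test misses.
if (isset($_POST['send'])) {
    $error = validateContact($_POST);
    if ($error === null) {
        try {
            saveContact(
                $pdo,
                trim($_POST['name']),
                trim($_POST['email']),
                trim($_POST['message'])
            );
            $error = 'Message sent!!';
        } catch (PDOException $e) {
            // Database details go to the server log, not to the visitor.
            error_log('contact insert failed: ' . $e->getMessage());
            $error = 'Sorry, your message could not be saved.';
        }
    }
}

// Escape on output so stored text cannot inject markup into the page.
echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
```

Two design choices differ from the original handler. Input is stored as typed and escaped with `htmlspecialchars()` where it is printed, rather than mangled with `strip_tags()` on the way in; escaping belongs at the output boundary, and the prepared statement already takes care of the database boundary. And `or die(mysql_error())` is replaced by a caught `PDOException` that logs the real error and shows the visitor a generic message, so table and column names do not leak to the browser when the insert fails.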