
I know there are lots of questions like this on stackoverflow but none have solved my problem.

I am working on an events calendar and I am currently building an add event page. When the page is submitted no error is shown but the form information is not uploaded to the database and I'm not sure why as I've checked the syntax and can't see any errors in it.

*Added loginform.php and core.php on request to show where $_SESSION['user_id'] comes from.*

Code:

loginform.php

<?php
    $con = mysql_connect("localhost","pytsuemg_brodie","brodie");
    $db = mysql_select_db("pytsuemg_brodie");

    if (isset($_POST['username'])&&isset($_POST['password'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $password_hash =md5($password);

        if (!empty($username)&&!empty($password)) {
            $query="SELECT `AccountID` FROM `Parent` WHERE `Username`='$username' AND `Password`='$password_hash'";

            if ($query_run = mysql_query($query)) {
                $query_num_rows = mysql_num_rows($query_run);

                if ($query_num_rows==0) {
                    echo 'Invalid username/password combination';
                } else
                if ($query_num_rows==1) {
                    $user_id = mysql_result($query_run,0,'AccountID');
                    $_SESSION['user_id']=$user_id;

                    header('Location: profilepage.php');
                }

            }

        } else {
            echo 'You must supply a username and password.';
        }

    }

    ?>
<form action="login.php" method="POST">
Username: <input type="text" name="username">
Password: <input type="password" name="password">
<input type="submit" value="Log In">
</form>

core.php

<?php
    ob_start();
    session_start();
    $current_file = $_SERVER['SCRIPT_NAME'];
    function loggedin() {

        if (isset($_SESSION['user_id'])&&!empty($_SESSION['user_id'])) {
            return true;
        } else {
            return false;
        }

    }


    ?>

addevent.php

<?php
    require 'core.php';
    $con=mysqli_connect("localhost","pytsuemg_brodie","brodie","pytsuemg_brodie");
    if (isset($_POST['DateStart'])&&isset($_POST['DateEnd'])&&isset($_POST['TimeStart'])&&isset($_POST['TimeEnd'])&&isset($_POST['EventType'])&&isset($_POST['Description'])&&isset($_POST['Children'])&&isset($_POST['Location'])&&isset($_POST['MealsGiven'])){

    $DateStart = $_POST['DateStart'];
    $DateEnd = $_POST['DateEnd'];
    $TimeStart = $_POST['TimeStart'];
    $TimeEnd = $_POST['TimeEnd'];
    $EventType = $_POST['EventType'];
    $Description = $_POST['Description'];
    $Children = $_POST['Children'];
    $Location = $_POST['Location'];
    $MealsGiven = $_POST['MealsGiven'];

    if (!empty($DateStart)&&!empty($DateEnd)&&!empty($TimeStart)&&!empty($TimeEnd)&&!empty($EventType)&&!empty($Description)&&!empty($Children)&&!empty($Location)&&!empty($MealsGiven)){



    $sql = "INSERT INTO Events (DateStart, DateEnd, TimeStart, TimeEnd, Location, EventType, MealsGiven, description,Children, AccountID) VALUES(
     '$DateStart','$DateEnd','$TimeStart','$TimeEnd','$Location','$EventType','$MealsGiven','$Description','$Children','".$_SESSION['user_id']."')";

     mysqli_query($con, $sql);

     /* commit transaction */
    if (!mysqli_commit($con)) {
        print("Transaction commit failed\n");
        exit();
    }
    } else {
                    echo'All fields are required';
                }
    }
    /* close connection */

    mysqli_close($con);
    ?>
    <br>

    <form action="addevent.php" method="post">
     <p> Date:<label for="from"> From</label>
    <input type="text" id="from" name="DateStart">
    <label for="to">to</label>
    <input type="text" id="to" name="DateEnd"></p>
      <p>Start Time:<input type="text" name="TimeStart" /></p>
      <p>End Time:<input type="text" name="TimeEnd" /></p>
      <p>Event Type :
        <select name="EventType">
    <option value="Change over">Changeover</option>
    <option value="Parents Evening">Parents Evening</option>
    <option value="After School Activity">After School Activity</option>
    <option value="Weekend Activity">Weekend Activity</option>
    <option value="Holiday">Holiday</option>
        </select> </p>

    <p>Description (max 100 Characters) <br><textarea rows="2" cols="50" maxlength="100" name="Description"></textarea></p>
    <p>Children Involved: <br><textarea rows="1" cols="50" maxlength="32" name="children"></textarea></p>
      <p>Location: <input type="text" name="Location" /></p> 
      <p>Meals Given: <select name="MealsGiven">
    <option value="Yes">Yes</option>
    <option value="No">No</option>
    </select></p>



        <p><input type="submit" value="Submit"/></p>
    </form>
  • I don't see a reference to `$_SESSION['user_id']` nor is `session_start();` shown in your code. If the reference is empty, your whole query will fail. Either make a reference to it, or remove it. – Funk Forty Niner Mar 07 '14 at 16:22
  • it's in core.php. I use that $_SESSION['user_id'] in other pages and it works fine – user3393477 Mar 07 '14 at 16:23
  • What exactly is in `core.php`? – Funk Forty Niner Mar 07 '14 at 16:23
  • Please do a google search of "sql injection" to see why what you're doing is very very bad. – Patrick Q Mar 07 '14 at 16:23
  • This `name="children"` and `$_POST['Children']` are not the same. That is "one" mistake I found. You need to change it to `name="Children"` --- POST variables are case-sensitive. Therefore, go over your entire code to verify that letter-case is respected. That alone will break your query. Same thing goes for `description` and the references to it; there are probably more, yet I've given you the "right time of day" *as it were*. ;-) – Funk Forty Niner Mar 07 '14 at 16:26
  • You are **wide open** to SQL injection attacks, and **you will be hacked** if you haven't been already. Use prepared/parameterized queries with PDO or similar to avoid this problem entirely. – Brad Mar 07 '14 at 16:28
  • I'd sure love to post an answer, but I'll let either you fix it (from my said comments), (you learn more when you fix your own errors) or wait for answers to pop up. – Funk Forty Niner Mar 07 '14 at 16:29
  • oh god the mistake was just in children not being a capital letter sorry for the question I thought I had checked it all before posting – user3393477 Mar 07 '14 at 16:30
  • Ah great, glad to hear it :) @user3393477 – Funk Forty Niner Mar 07 '14 at 16:30
  • Let's close this question and click the White checkmark till it turns Green and read what I posted in the answer given below. @user3393477 There's some important information that you need to be aware of. – Funk Forty Niner Mar 07 '14 at 16:42

1 Answer

This `name="children"` and `$_POST['Children']` are not the same.

You need to change it to `name="Children"`

POST variables are case-sensitive.

Do look into Brad's comment (to be taken very seriously); it's well worth the effort.

This article is a good read.

I noticed that you are storing passwords with `md5()` (as per your loginform.php file) which is considered "too fast". This is no longer considered safe to use. Consider using some of the latest in password storage technology such as PHP's `password_hash()` function (if on PHP 5.5) or `crypt()`.

Your loginform.php file uses `mysql_*` functions, while your addevent.php is using `mysqli_*` functions. I suggest that you use the same SQL functions for all your files, being `mysqli_*` with prepared statements or PDO.

Community
Funk Forty Niner
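The two recommendations in the answer and comments above (parameterized queries, and `password_hash()` in place of `md5()`), as an added example that is not part of the original question or answer. It assumes PDO with an in-memory SQLite database standing in for the MySQL server, a shortened `Events` table, and constructed sample data; the `login()` and `addEvent()` helper names are hypothetical.

```php
<?php
// Added example, not the asker's code. An in-memory SQLite database stands in
// for MySQL so the script runs offline; table and column names follow the
// post (Events is shortened to three columns), the sample rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw instead of passing silently
$pdo->exec('CREATE TABLE Parent (AccountID INTEGER PRIMARY KEY, Username TEXT UNIQUE, Password TEXT)');
$pdo->exec('CREATE TABLE Events (EventID INTEGER PRIMARY KEY, Description TEXT, Children TEXT, AccountID INTEGER)');

// Registration: store a salted, deliberately slow hash instead of md5().
$stmt = $pdo->prepare('INSERT INTO Parent (Username, Password) VALUES (?, ?)');
$stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login: fetch the row by username only, then verify the hash in PHP.
function login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT AccountID, Password FROM Parent WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null; // unknown user or wrong password
    }
    return (int) $row['AccountID'];
}

// Add event: values are bound as parameters, never concatenated into the SQL.
function addEvent(PDO $pdo, int $accountId, array $post): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO Events (Description, Children, AccountID) VALUES (:description, :children, :account)'
    );
    $stmt->execute([
        ':description' => $post['Description'],
        ':children'    => $post['Children'],
        ':account'     => $accountId,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed input: a quote-laden username is bound as plain data, so it
// matches no row; apostrophes in event fields are stored without breaking the SQL.
var_dump(login($pdo, "' OR '1'='1", 'anything'));
$id = login($pdo, 'alice', 'correct horse');
addEvent($pdo, $id, ['Description' => "Parents' evening", 'Children' => "O'Brien twins"]);
var_dump($pdo->query('SELECT COUNT(*) FROM Events')->fetchColumn());
```

With a MySQL DSN in the `PDO` constructor the same prepared statements apply unchanged; the exception error mode is what turns a failed insert into a visible error rather than a silent no-op.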