
Hi, so I have to make a blog and I'm having a bit of a problem showing my entries on the webpage.

```html
<?xml version = "1.0" encoding = "utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns = "http://www.w3.org/1999/xhtml">
<head> <title> Add entry </title>
</head>
<body>

<form action = "text1.php" method = "post">

Title: <input type = "text" name = "title"><br>
Body:
<textarea rows="10" cols="100" name="textblock"></textarea>
<input type = "submit" value = "Add Entry" />
</body>
</html>
```

And my PHP code:

```php
<?php
$title = $_POST['title'];
$textblock = $_POST['textblock'];
$host   =   "xxxxxx"  ;
$user   =   "xxx"  ;
$pass   =   "xxx"  ;
$db   =   "xxx"  ;


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db")or die(mysql_error());

$query = "INSERT INTO yourMySQLTable (title, textblock) VALUES ('$title','$textblock')";

mysql_query($query) or die('Error, insert query failed');

?>
```

I want to display each entry, consisting of the title and the textblock on another webpage but for some reason the values are not going into the table. How do I input the values into the table and how do I display them on another webpage called viewblog.php?

  • Is this part of your actual code? `here$textblock = $_POST['textblock']; enter code here $host = "xxxxxx" ;` and is this your actual table's name `yourMySQLTable`? – Funk Forty Niner Mar 22 '14 at 21:46
  • No, sorry, new to this forum and accidentally left the enter code here part in, have fixed it now. – user3439272 Mar 22 '14 at 22:05
  • Your `yourMySQLTable` is the name of your table and both `title, textblock` columns exist? Plus, which version of PHP are you using and are you doing this on a hosted site or your own computer? – Funk Forty Niner Mar 22 '14 at 22:07
  • [`Click here`](http://stackoverflow.com/a/22584326/) to consult the answer I've given you. That should get you started and using `mysqli_*` functions, along with a few tutorial sites you can visit which are well-written. Let me know how it goes. – Funk Forty Niner Mar 22 '14 at 22:53

4 Answers


Use the following:

```php
$host = "xxxxxx";
$user = "xxx";
$pass = "xxx";
$db   = "xxx";

// Connect to server and select database.
// Pass the variables defined above ($user and $pass).
mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

// Escape the submitted values before placing them in the query string.
$title = mysql_real_escape_string($_POST['title']);
$textblock = mysql_real_escape_string($_POST['textblock']);

$query = "INSERT INTO tableName (title, textblock) VALUES ('$title','$textblock')";

mysql_query($query) or die(mysql_error());
```

To display them:

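```php
$query = "SELECT * FROM tableName";
$res = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_assoc($res)) {
    // Encode stored values for HTML so entry text cannot inject markup into the page.
    echo htmlspecialchars($row['title']) . ' - ' . htmlspecialchars($row['textblock']) . '<br />';
}
```
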
  1. Note how I am not using "" when using variables, that is not needed.
  2. Note how I am using mysql_real_escape_string which will make it safe to insert to the DB.
  3. Replaced all error messages with mysql_error() to show the actual errors if any.
  4. Make sure you update tableName to the name of the table
Aziz Saleh

You should be using PDO for database interactions; mysql_* functions are deprecated and unsafe. PDO will sanitize your variables to prevent SQL injection attacks.

http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059

Lee Salminen
  • we have been instructed to use mysql by the lecturer :) – user3439272 Mar 22 '14 at 20:54
  • While this may be a good point, it actually doesn't provide answer to the question. – aksu Mar 22 '14 at 20:54
  • you seem to have some typos in your code posted above. For example, you have the word "here" next to $textblock. You also have "enter code here`" before $host. If you insist on using a mysql_* function (you should show off to your instructor by using PDO), then escape your variables with mysql_real_escape_string($title) so that it is safe to insert into the database. If you clean up your code above a bit, and provide us with syntax-free PHP, I'll be happy to help. – Lee Salminen Mar 22 '14 at 21:35
  • I don't want to sound like a dick, but your instructor's knowledge of PHP is very outdated if he's saying to use a mysql_* function. PDO is just a way of interacting with a MySQL database in programming. – Lee Salminen Mar 22 '14 at 21:37
  • @LeeSalminen I think he meant mysql and not mysql_* functions. Either way using mysql_ methods is not unsafe, but deprecated. PDO/MySQLI are just as unsafe as mysql_ methods if not used correctly. – Aziz Saleh Mar 22 '14 at 22:04
  • Hi, so how would I print all the entries? Would I use a loop to display all the entries on the webpage? – user3439272 Mar 22 '14 at 22:07
  • @user3439272 I updated the answer. Relevant questions should be asked on that answer. – Aziz Saleh Mar 22 '14 at 22:09

You have a "here" attached to your variable: here$textblock = $_POST['textblock'];

Also try this: $query = "INSERT INTO yourMySQLTable (title, textblock) VALUES ('" . $title . "','" . $textblock . "')";


Since other answers have been given in order to help you with your INSERT, I won't repeat it in this answer.

Edit: An INSERT method has been added below, using mysqli_* functions.

Mine consists of your second part:

"I want to display each entry, consisting of the title and the textblock on another webpage"

If you wish to show data from a DB table, you need to use a loop.

Here is a mysqli_* based version and a very basic method.

```php
<?php

// $db = new mysqli("host", "user", "pw", "db");

// CONNECT TO THE DATABASE

$DB_HOST = "xxx";
$DB_NAME = "xxx";
$DB_PASS = "xxx";
$DB_USER = "xxx";

$db = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if ($db->connect_errno > 0) {
    die('Connection failed [' . $db->connect_error . ']');
}

$result = $db->query("SELECT * FROM `yourMySQLTable`");
if ($result === false) {
    die('Query failed [' . $db->error . ']');
}

while ($row = $result->fetch_assoc()) {
    // Encode stored values for HTML before echoing them.
    echo "<b>Title:</b> " . htmlspecialchars($row['title'])
       . " <b>Text:</b> " . htmlspecialchars($row['textblock']) . "<br>";
}

$db->close();

?>
```

Here is an mysqli_* based and basic version to INSERT values into a DB.

```php
<?php

define('DB_USER', 'xxx');
define('DB_PASSWORD', 'xxx');
define('DB_HOST', 'xxx');
define('DB_NAME', 'xxx');

$dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)
    or die("could not connect");

// Escape the submitted values for use inside the quoted SQL strings.
$title = mysqli_real_escape_string($dbc, $_POST['title']);
$textblock = mysqli_real_escape_string($dbc, $_POST['textblock']);

$query = "INSERT INTO `yourMySQLTable` (`title`, `textblock`)
VALUES ('$title','$textblock')";

// Test the return value of mysqli_query(); $query itself is a non-empty
// string and would always be truthy.
$result = mysqli_query($dbc, $query);

if ($result) {
    echo "SUCCESS!";
} else {
    echo "Sorry!";
}

?>
```

Sidenote: Your present code is open to SQL injection. Use mysqli_* functions. (which I recommend you use and with prepared statements, or PDO)

mysql_* functions are deprecated and will be removed from future PHP releases.

Here are a few tutorials on prepared statements that you can study and try:

Here are a few tutorials on PDO:

Footnotes:

You don't need the extra tags:

```html
<?xml version = "1.0" encoding = "utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns = "http://www.w3.org/1999/xhtml">
```

Changing it to the following will suffice:

```html
<!DOCTYPE html>
```
Funk Forty Niner
  • My 2 cents: the above code is just as bad as using mysql_* functions. If you are going to leave mysql_* functions for mysqli/PDO, do it correctly (using prepared statements). – Aziz Saleh Mar 22 '14 at 23:21
  • @AzizSaleh Your 2 cents is appreciated and noted. However, I suggest you put in your own answer then if you feel this is just as bad as using `mysql_*` functions. Whoever **+1** [`the answer`](http://stackoverflow.com/a/22584176/) using `mysql_*` functions, ought to have another +1 on your part then. This is a basic method using `mysqli_real_escape_string()`, and have put in enough additional information. I'm not paid per hour or per job on helping someone out. Now, if that isn't enough, then I'll just go back being a motorcycle mechanic ;-) – Funk Forty Niner Mar 22 '14 at 23:28
  • @AzizSaleh To add; if the OP doesn't understand how to do a simple INSERT using basic SQL, how can we expect him/her to understand how prepared statements and PDO work? It's like throwing a baby to the sharks and expect it to swim for its life and learn how to fight them off. A basic understanding of how functions work will eventually lead to higher learning. SQL is SQL, anything added after that, requires special attention. You know, and I know, but this doesn't necessarily mean the OP will know it in a matter of seconds. Think about it ;-) – Funk Forty Niner Mar 22 '14 at 23:35
  • @AzizSaleh Silly me, you put in that answer. Now, ain't that the pot calling the kettle black. That's an expression by the way, which means "practice what you preach". Next time you tell somebody to use prepared statements instead of `mysql_*` which is NOT what I used for your information, then don't put an answer using just that; `mysql_*` – Funk Forty Niner Mar 22 '14 at 23:51
  • I am totally fine with people using mysql_* functionality, if done correctly it is just as secure as PDO/MySQLi. To me the above code is pretty much the same as using mysql_* functionality because it does not add any value to it. Yes you posted tutorials and links, but I doubt that this new coder who can't write a simple retrieval function will read or even understand. We had a couple of major releases and many minor ones since the deprecation of these functions. I doubt that it will be removed any time soon. Plus there are libraries out there when it does to cover it. – Aziz Saleh Mar 23 '14 at 00:06
  • @AzizSaleh I agree, *however* when the time comes, and **it will** at some point or another, or the OP switches to another host (if hosted) and running PHP 5.5, then the `mysql_*` functions will have been deleted & rendered useless, in turn having to completely rewrite. I for one wouldn't want to go that route; not with the amount of websites I have to maintain. Most of the people on SO agree that using and pawning deprecated functions is bad and not recommended. If you don't want to hear it from me, then wait for the guys with **50K** rep points. They know more than many, that's for sure. ;-) – Funk Forty Niner Mar 23 '14 at 00:12
  • The current version of PHP is 5.5.9 which still has mysql_* functionality. I do agree that using mysql_* functions is not a good idea, not because it is deprecated but because of many other internal reasons, for example the dropped support for LOAD DATA LOCAL INFILE handlers when using libmysql which was known for stability problems. My estimate is at least 5 years until mysql_* functionality is dropped. Even so you won't have to recode anything but use a PDO/MySQLI wrapper for mysql_* functions which I am pretty sure will grow in numbers. – Aziz Saleh Mar 23 '14 at 00:20
  • Your PHP has `mysql_*` functionality? I can't understand how that could be, what with PHP.net stating that those functions are to be deleted. @AzizSaleh Unless there's something I'm not grasping, plus it would prove beneficial for all if they gave us an actual timeframe. – Funk Forty Niner Mar 23 '14 at 02:05
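
The prepared-statement approach recommended in the answers and comments above, combined with output encoding for the viewblog.php side, as an added example that is not code from any of the posters. It uses PDO with an in-memory SQLite database so it runs without a server; the table name `entries`, the function names and the sample input are assumptions, and for MySQL only the arguments to `new PDO(...)` change.

```php
<?php
// Added example. Assumptions: table "entries", in-memory SQLite so no server is needed.
// For MySQL, use a DSN such as "mysql:host=HOST;dbname=DB;charset=utf8mb4"
// plus a user name and password as the second and third arguments.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, textblock TEXT)');

// text1.php side: bind the submitted values instead of building SQL from them.
function addEntry(PDO $pdo, string $title, string $textblock): void
{
    $stmt = $pdo->prepare('INSERT INTO entries (title, textblock) VALUES (:title, :textblock)');
    $stmt->execute([':title' => $title, ':textblock' => $textblock]);
}

// viewblog.php side: encode every stored value for the HTML context on output.
function renderEntries(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT title, textblock FROM entries ORDER BY id') as $row) {
        $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
        $body  = nl2br(htmlspecialchars($row['textblock'], ENT_QUOTES, 'UTF-8'));
        $html .= "<h2>{$title}</h2>\n<p>{$body}</p>\n";
    }
    return $html;
}

// Constructed sample input standing in for $_POST['title'] and $_POST['textblock'].
// The apostrophe would end the string literal early in the concatenated query
// from the question; as a bound parameter it is plain data.
$post = [
    'title'     => "Tom's first post",
    'textblock' => "Line one\n<b>markup</b> & <script>alert(1)</script>",
];
addEntry($pdo, $post['title'], $post['textblock']);

// The row is stored verbatim; the markup is neutralised only when rendered.
echo $pdo->query('SELECT COUNT(*) FROM entries')->fetchColumn(), " row(s)\n";
echo renderEntries($pdo);
```

Binding handles the SQL context and `htmlspecialchars()` handles the HTML context; neither substitutes for the other, which is why the stored text is left unmodified and encoded at display time.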