-1

I have a simple form that send data to a server via POST message. However, i am getting the error of "Unable to execute query" whenever i click the submit button. Here is my implementation:

sample.html

<!DOCTYPE html>
<html>
<head>
<script>
        function pullMore(){
            var xmlhttp;
            if (window.XMLHttpRequest){ // code for IE7+, Firefox, Chrome,etc.
                xmlhttp = new XMLHttpRequest();
            }else{ // code for IE6, IE5
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
            }
            xmlhttp.onreadystatechange = function() {
                if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                    document.getElementById("news_mesgs").innerHTML = xmlhttp.responseText;
                }
            }

            var name = document.getElementById("name");
            var email = document.getElementById("email");
            var comments = document.getElementById("comment");
            var parameters="name"+name.value+"&email="+email.value+"&comments="+comments.value;

            xmlhttp.open("POST", "reviews.php", true);
            xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
            xmlhttp.send(parameters);
        }
</script>
</head>
<body style="background-color : #e9e9e9;">
<div> Hello there </div>
<form>
    Name: <input type="text" id="name" name="name">
    Comment: <input type="text" id="comment" name="comment">
    Email: <input type="text" id="email" name="email">
    <input type="button" value="Submit" onclick="pullMore()">
</form>


<div id="news_mesgs"> come here </div>
</body>
</html>

reviews.php

mysql_connect($host,$username,$password);
mysql_select_db($database) or die( "Unable to select database");


$query = 'INSERT INTO Reviews (Name, Email, Review) VALUES ('.$_POST['name'].','.$_POST['email'].','.$_POST['comments'].');';
$result = mysql_query($query) or die( "Unable to execute query");

Update: For some reason $_POST["name"] is appearing empty. I tried to print var_dump($_POST); for some sample data and this is what i got: array(2) { ["email"]=> string(11) "abc@abc.com" ["comments"]=> string(5) "hello" } Unable to execute query

user3760741
  • 163
  • 1
  • 1
  • 10
  • Your query failed for some reason. But why it failed depends on what was posted for the value of `name`. Check your database logs. After you figure this out, clean up that gaping security hole. Someone could post a name of `Robert');drop table Reviews;--` and you would be sad. – Ray Toal Jun 22 '14 at 05:51
  • i tried to echo $_POST['name'] but it returns empty and then the usual error message (Unable to execute query) – user3760741 Jun 22 '14 at 06:01
  • your codes is vulnerable, **SQL INJECTION** – frogatto Jun 22 '14 at 06:44
  • You have an error in `var parameters`. You forgot to add `=` to `"name"+name.value`. It should be `"name="+name.value`. – Gil Jun 22 '14 at 06:46

1 Answers1

1

You are missing assignment operator. You are not sending name properly and thats why query fails.

Try using

var parameters="name="+name.value+"&email="+email.value+"&comments="+comments.value;

You are also missing quotes. Use

$query = 'INSERT INTO Reviews (Name, Email, Review) VALUES ("'.$_POST['name'].'","'.$_POST['email'].'","'.$_POST['comments'].'");';

Or a little bit better

$query = 'INSERT INTO Reviews (Name, Email, Review) VALUES ("'.mysql_escape_string($_POST['name']).'","'.mysql_escape_string($_POST['email']).'","'.mysql_escape_string($_POST['comments']).'");';

And don't just insert post variables into query. It's straight way to SQL injection.

Check How can I prevent SQL-injection in PHP?

Community
  • 1
  • 1
mleko
  • 11,650
  • 6
  • 50
  • 71
  • even after i change the javascript i am still getting unable to execute query – user3760741 Jun 22 '14 at 06:54
  • Try to `die(mysql_error())` instead of `die( "Unable to execute query")` and post result – mleko Jun 22 '14 at 06:56
  • this is the response when i entered Samplename in name field: Unknown column 'Samplename' in 'field list' – user3760741 Jun 22 '14 at 07:00
  • My Table Structure: CREATE TABLE IF NOT EXISTS `Reviews` ( `Name` varchar(30) NOT NULL, `Email` varchar(30) NOT NULL, `Review` text NOT NULL, PRIMARY KEY (`Email`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1; – user3760741 Jun 22 '14 at 07:01