
I'm trying to make a very basic form that inserts into my database. I've worked through countless hours working on this. I feel I understand each line of code. I can't imagine what the problem is. I'm not receiving any errors, although I haven't set up error checks in my code yet. Hopefully my problem is simple and obvious.

Here is my connect.php file. $con is my connection to a new mysqli. talk is my database.

<?php
$con= new mysqli("localhost","root","","talk");

if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>

Here is the relevant form part of my html. title and content are the two pieces of information I'm trying to insert into my database. I include the connect.php. The textarea should be linked to the form through the form="talkform". This form uses action="process.php", which I'll cover next.

<?php
include 'connect.php';
?>

<center>
<h1>/talk/</h1>

<form method="post" action="process.php" id="talkform">
    <input type="text" name="title"/><br><br>
    <textarea form="talkform" rows="10" cols="80" name="content"></textarea><br>
    <input type="submit" value="talk" />
 </form>

And here is my process.php. I included connect.php in this file as well. Not sure if that's redundant and causing problems, but I don't think so. I also used this $_SERVER['REQUEST_METHOD'] bit you see, which I picked up from a tutorial. Not sure if there's a better way of accomplishing that. I put everything into variables. When I was working through errors, it was all on the mysqli_query line. I have the strongest suspicion that's the culprit.

<?php

include 'connect.php';

if($_SERVER['REQUEST_METHOD'] = 'POST')
{
    $title = $_POST['title'];
    $content = $_POST['content'];
    $operation = "INSERT INTO
                    main(title, content)
                VALUES($title, $content);";

    $result = mysqli_query($con, $operation);
}
?>

I hope that I didn't leave anything out. I've been struggling with getting a database working for over a week. It's been a painful process, and although I'm learning a lot, I'm not getting anything to work. Please help, and thank you.

Goose
  • Change your query to `"INSERT INTO main (title, content) VALUES('". $title ."', '". $content . "');"` – Think Different Jul 07 '14 at 08:49
  • `if($_SERVER['REQUEST_METHOD'] = 'POST')` assigns "POST" to the variable, change it to use the comparison `==` – Tom Walters Jul 07 '14 at 08:50
  • Think Different got it perfectly right. God I am filled with joy. I did spend a lot of time fiddling with those quotation marks and periods, but couldn't get it right. Could someone explain how those work and how to use them? – Goose Jul 07 '14 at 08:56

3 Answers


Use the == operator to compare:

 if($_SERVER['REQUEST_METHOD'] == 'POST')

and quote your query variables:

$operation = "INSERT INTO main(title, content) VALUES('$title', '$content');";

so the code looks like this with escaping (mysqli_real_escape_string needs the connection as its first argument):

if($_SERVER['REQUEST_METHOD'] == 'POST') {
    $title = mysqli_real_escape_string($con, $_POST['title']);
    $content = mysqli_real_escape_string($con, $_POST['content']);
    $operation = "INSERT INTO main(title, content) VALUES('$title', '$content');";
    $result = mysqli_query($con, $operation);
}

Also, it is better to check whether the POST values exist with empty() or isset().

Rakesh Sharma


Line 4: if($_SERVER['REQUEST_METHOD'] == 'POST')

Better is to check directly whether the form was sent, using if (isset($_POST['title'])).

When you call mysqli_error() you'll find out that you try to insert strings without quotes (and you don't escape inputs; look up SQL injection).

$operation = "INSERT INTO main(title, content) VALUES('" . mysqli_real_escape_string($con, $title) . "', '" . mysqli_real_escape_string($con, $content) . "')";
pavel

  1. You're not checking for errors after your mysqli_query call, of course you won't see any.
  2. You're vulnerable to SQL injection. Use mysqli's prepared query syntax to avoid that. See How can I prevent SQL injection in PHP?.
  3. Your immediate problem is that your query reads ... VALUES(foobar, baz), which is invalid. You're missing quotes around the values. However, if you properly use prepared statements, that will become a non-issue, so ignore that.
deceze
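As an added example (not code from the question or from any of the answers above), here is process.php rewritten along the lines of the last answer: a mysqli prepared statement instead of interpolated values, exceptions enabled so a failed query can no longer pass silently, the `=`/`==` mix-up removed, and the POST fields checked before use. It assumes the question's setup, i.e. connect.php defines $con against the talk database and the main table has title and content columns; the HTTP status codes and response messages are my own choices.

```php
<?php
// Added example: process.php with a prepared statement and error handling.
// Assumes the question's connect.php ($con, database "talk") and a table
// "main" with columns title and content.

// Make mysqli throw mysqli_sql_exception instead of returning false, so a
// broken query (or a failed connection) is impossible to overlook.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Comparison (==/!==), not assignment (=): the original code always took the
// branch because the assignment evaluated to the non-empty string 'POST'.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// Check that the form actually sent both fields before touching the database.
if (!isset($_POST['title'], $_POST['content'])) {
    http_response_code(400);
    exit('title and content are required');
}

$title   = $_POST['title'];
$content = $_POST['content'];

try {
    // With MYSQLI_REPORT_STRICT set above, a failed "new mysqli" in
    // connect.php now throws and lands in the catch block below.
    include 'connect.php';

    // Placeholders: the statement text is sent to the server separately from
    // the data, so quotes or SQL inside $title or $content can never change
    // the query. This removes both the missing-quotes syntax error and the
    // SQL injection at once; no escaping step is needed.
    $stmt = $con->prepare('INSERT INTO main (title, content) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $content);
    $stmt->execute();
    $inserted = $stmt->affected_rows;
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side and send the user a generic message;
    // echoing $e->getMessage() to the browser would leak schema details.
    error_log('talk insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('could not save your post');
}

echo "Inserted $inserted row.";
```

Two points worth keeping in mind when comparing this with the fixes in the comments and answers: wrapping the values in single quotes, as the first comment suggests, only cures the syntax error, since a title containing a quote still breaks out of the string and reaches the SQL parser, whereas bound parameters never do. Separately, connect.php connects as root with an empty password; a dedicated MySQL account that can only INSERT and SELECT on talk.main limits what a future mistake in this script could do.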