-1

I have my index code, which is basically the page that appears; if a user is public they can see the CD database but not modify it. If they want to modify it, they have to register, or log in if they already have an account. My problem is in my send code, where the new details for the CD are not being inserted into the table although I am already logged in to my account (the user table is created and the details for the users are inserted the way they have to be). It's like it doesn't get the username and the artist I post. When I echo the variables to see their values I get undefined variable errors. Any help would be extremely appreciated.

index

```php
<?php
include 'header.php';

if ( isset( $_SESSION[ 'username' ] ) ) {
    ?>
    <h2>New cd</h2>
    <form action="send.php" method="post">
        <div class="text">
            Artist <br/>
             <textarea name="artist"></textarea>
        <br/>
            Title <br/>
            <textarea name="title"></textarea>
        </div>
        <input type="submit" value="OK" class='submit' />
    </form>
    <?php
}
else {
?>
    <p>
        To modify the database, <a href="login.php">login</a>.
    </p>
    <p>
        To create a new account, <a href="register.php">register</a>.
    </p>
    <?php
}

?>
```

For some reason I can't upload the rest of this file, but basically it shows the table with the details of the CDs; if the user is logged in they can see the usernames column too, and if they are public they can see only the CD artist and title columns.

send code

```php
<?php
include 'prelude.php';

if ( isset( $_SESSION[ 'username' ] ) && isset( $_POST[ 'cdartist' ] )) {
    $cdartist = $_POST[ 'cdartist' ];
    $cdtitle= $_POST['cdtitle'];
    $userid=$_SESSION['userid'];

    $res=mysql_query(
        " SELECT * 
        FROM cds 
        WHERE cdartist='".$cdartist."' AND cdtitle='".$cdtitle."';"
    );
    if (mysql_num_rows($res)!=0){
        mysql_query(
            "DELETE FROM cds
            WHERE cdartist='".$cdartist."' AND cdtitle='".$cdtitle."' AND userid='".$userid."';");
        header  ('Location: index.php');
    }
    else{
        mysql_query(
            "INSERT INTO cds
            SET
                cdartist = '" . $cdartist . "',
                cdtitle = '". $cdtitle . "',
                userid = '" . $userid . "';"

        );
    }
    header( 'Location: index.php' );
}
else {
    ?> To have this right you need to login. <?php
}

?>
```

natan
  • 1
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Aug 31 '14 at 09:57
  • 1
    I'm new to this, so thanks for the advice – natan Aug 31 '14 at 10:02

1 Answer

2
```html
<textarea name="title"></textarea>
```

should be:

```html
<textarea name="cdtitle"></textarea>
```

Likewise, the other textarea should be named `cdartist` and not only `artist`.

The `name` attribute in `<input>` and `<textarea>` defines what name the field has. The data of the fields is then sent to the server with the corresponding name. So if you send data with `name="title"` but reference `$_POST['cdtitle']` in PHP, the data won't be found because it's in `$_POST['title']`.

ljacqu
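
The field-name check from the answer and the parameterized queries the comment recommends, combined in one added example (not code from the question or the answer). It assumes PDO with an in-memory SQLite database in place of the poster's MySQL server, the `cds` columns from the question, and a hypothetical helper `toggle_cd()`; unlike the posted code, the lookup is scoped to the current user's own rows.

```php
<?php
// Added example, not the poster's code. Assumes pdo_sqlite; in-memory SQLite
// stands in for MySQL. toggle_cd() is a hypothetical helper name.
function toggle_cd(PDO $db, array $session, array $post): string
{
    if (!isset($session['userid'])) {
        return 'login required';
    }
    // Keys must match the form's name="..." attributes exactly.
    foreach (['cdartist', 'cdtitle'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return "missing field: $field";
        }
    }
    $params = [
        ':artist' => trim($post['cdartist']),
        ':title'  => trim($post['cdtitle']),
        ':userid' => $session['userid'],
    ];
    // Scoped to the caller's own rows (the posted SELECT matched any user's row).
    $where = 'cdartist = :artist AND cdtitle = :title AND userid = :userid';

    // Values are bound separately from the SQL text, so quotes in them stay data.
    $find = $db->prepare("SELECT COUNT(*) FROM cds WHERE $where");
    $find->execute($params);
    if ((int) $find->fetchColumn() > 0) {
        $db->prepare("DELETE FROM cds WHERE $where")->execute($params);
        return 'deleted';
    }
    $db->prepare(
        'INSERT INTO cds (cdartist, cdtitle, userid) VALUES (:artist, :title, :userid)'
    )->execute($params);
    return 'inserted';
}

// Constructed demo: table layout follows the question, rows are made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cds (cdartist TEXT, cdtitle TEXT, userid INTEGER)');
$session = ['username' => 'demo', 'userid' => 1];
$cd = ['cdartist' => "Guns N' Roses", 'cdtitle' => 'Appetite for Destruction'];

// Field names from the question's form ("artist"/"title") are rejected.
echo toggle_cd($db, $session, ['artist' => 'Nirvana', 'title' => 'Nevermind']), "\n";
echo toggle_cd($db, $session, $cd), "\n"; // first submit stores the row
echo toggle_cd($db, $session, $cd), "\n"; // same submit again removes it
echo toggle_cd($db, [], $cd), "\n";       // no session: nothing is touched
```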