0

I'm facing a problem inserting an HTML label into the database and have found no way to do so. My code is as under:

    <html>
    <body>
    <form name = "myForm" >
    <label name = 'q1'>Question 01: what Jorge do according to the story</label>
    </form>
    <?php
    require "connection.php";
    $qst = $_POST['q1'];
    mysql_query("insert into xxx values('$qst')") or die(mysql_error);
    ?>

Any help will be appreciated, please.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • 2
    `` that isn't the way it's done. You need to use `input` and use a method, the right one. – Funk Forty Niner Oct 21 '14 at 14:39
  • 1
    Plus, you've tagged this as `javascript` and `ajax`, I see nothing of that here; removing. Edit: removed. See notes in revisions. – Funk Forty Niner Oct 21 '14 at 14:40
  • 1
    use mysql_real_escape_string() if you insist on using a deprecated driver.. or better, just switch to PDO.. what you're doing is not safe. – I wrestled a bear once. Oct 21 '14 at 14:41
  • 2
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Oct 21 '14 at 14:42
  • Looks like you need to read up on the basic mechanics of form posting in HTML/PHP. Then you need to read about SQL injection. Then you need to read the big red message at the top of every page in the PHP manual about using `mysql_*` functions. Then you need to read about `mysqli` and/or `PDO`. – Mike Brant Oct 21 '14 at 14:43
  • Labels are designed to describe, to the user, what they should put into a form control. Your usage of the element doesn't make any sense, you don't have a form control and there isn't any reason to put data you put into the form in the first place into the database from the form. – Quentin Oct 21 '14 at 14:43
  • 1
    FYI, default form submit method is `GET` unless otherwise specified. `$_POST` will be empty (i.e. `array()`)... – War10ck Oct 21 '14 at 14:47

3 Answers

4

You have a slew of problems here. First let's talk about the things that are actually preventing this from working.

First, you need to set the method property of the <form> element to POST to have the form perform a POST action upon submittal instead of the default GET action.

    <form name="myForm" method="post">

Note that it is usually considered good form to also specify the action property of the form, though in this case the default behavior of posting to the current URI just happens to work for you.

Second, you need to actually create an input field in the form. This is where the data that is posted is input:

    <label for="q1">Question 01: what Jorge do according to the story?</label>
    <input type="text" name="q1" />

Third, you need a submit button to actually make the form POST:

    <input name="submit" type="submit" value="submit" />

Now, let's talk about the stuff that should be fixed that doesn't actually prevent this from working, but just represents good programming practice.

First, you should not be using mysql_* functions. They are deprecated. I would suggest mysqli or PDO as widely used alternatives.

Second, you have a significant vulnerability to SQL injection. You should NEVER use user input data without validating and sanitizing it. This means you should probably check to see if a value was even POSTed (not an empty string) before trying to do the insert and then you need to escape the value before using it in SQL, or better yet, learn how to use parametrized prepared statements which prevents the need for input escaping.

Third, I would recommend getting in the habit of putting your code logic at the beginning of your script (before HTML output). In your case this means moving the logic where you read in the POST content and perform the database insert before the HTML. Why? Because this allows you to do things like conditionally print out error messages if the user did not provide input or to otherwise change the page in response to the POST. This also helps build a good habit in that, when you start doing more complex things in PHP, you might need to do things like redirect users from one page to another, or totally separate out the logic from the display into separate files. This is not possible with code stuck at the end of the HTML output.

Mike Brant
  • 70,514
  • 10
  • 99
  • 103
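
The fixes and recommendations in the answer above, combined into one page as an added example (not the answer author's code): request handling before any HTML, validation of the posted value, and a PDO prepared statement for the insert. Assumptions: an in-memory SQLite database stands in for the MySQL connection, the page's table `xxx` has one hypothetical column `answer`, and the 500-byte limit is chosen for illustration.

```php
<?php
// Added example, not code from the answer. Assumptions: SQLite in memory stands
// in for the MySQL connection (use a mysql: DSN in practice; an in-memory
// database is empty on every request), and xxx has one hypothetical column, answer.

/** Validate one submitted value and store it. Returns an error message or null. */
function saveAnswer(PDO $pdo, $raw): ?string
{
    if (!is_string($raw)) {            // field missing, or sent as q1[]=... (array)
        return 'Please answer the question.';
    }
    $answer = trim($raw);
    if ($answer === '' || strlen($answer) > 500) {   // 500 is an assumed limit
        return 'Answer must be 1 to 500 bytes long.';
    }
    // The value is bound as a parameter, never concatenated into the SQL text,
    // so quotes in the input cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO xxx (answer) VALUES (:answer)');
    $stmt->execute([':answer' => $answer]);
    return null;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE xxx (answer TEXT NOT NULL)');

// Logic runs before any HTML so the page can react to the result.
$error = null;
$saved = false;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $error = saveAnswer($pdo, $_POST['q1'] ?? null);
    $saved = ($error === null);
}
?>
<html>
<body>
<?php if ($error !== null): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php elseif ($saved): ?>
<p>Answer saved.</p>
<?php endif; ?>
<form name="myForm" method="post">
<label for="q1">Question 01: what Jorge do according to the story?</label>
<input type="text" name="q1" id="q1" />
<input name="submit" type="submit" value="submit" />
</form>
</body>
</html>
```

Any text that originated from a request is passed through `htmlspecialchars()` before it is echoed into the page; the same habit applies if a stored answer is later displayed.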
1

$_POST variables do not correspond to label elements, they correspond to input elements. The key to your post array is the name of your input element.

    <input type="text" name="mytext" />

After post will be $_POST['mytext']

However, you're vulnerable to SQL Injection. You should not be using mysql_query() but rather PDO or Mysqli with prepared statements, but if you insist on using it, escape it first with mysql_real_escape_string()

    // Escape the value before it is interpolated into the SQL string
    $qst = mysql_real_escape_string($_POST['q1']);
    mysql_query("insert into xxx values('$qst')") or die(mysql_error());

Fred made a good point in the comments though. This bit of code is going to execute the first time you load the page before the form is submitted and throw an error (or warning) because $_POST['q1'] doesn't exist yet. You'll want to make sure it does exist before doing things with it.

    // Only run the insert once the form has been posted with a non-empty value
    if(!empty($_POST['q1'])){
        $qst = mysql_real_escape_string($_POST['q1']);
        mysql_query("insert into xxx values('$qst')") or die(mysql_error());
    }

Further, you need to tell the form where to submit to and what method to use:

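    <!-- PHP_SELF reflects the requested path, so encode it before echoing it into the attribute -->
    <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
    <!-- the label's "for" must match the input's id -->
    <label for='q1'>Question 01: what Jorge do according to the story</label>
    <input type='text' name='q1' id='q1' value='' />
    </form>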

BTW, label does not have a name attribute, it has a "for" attribute.

Also, <form> elements use "GET" by default and submit to the current page if an action is not set, so it's technically not necessary to even have the action set in this case, but it's good practice.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
I wrestled a bear once.
  • 22,983
  • 19
  • 69
  • 116
  • *"and what method to use"* - [`otherwise, form...`](http://stackoverflow.com/questions/26489378/how-can-i-insert-html-label-in-databse-using-php#comment41613094_26489378) ;) – Funk Forty Niner Oct 21 '14 at 14:49
  • *"you need to tell the form where to submit"* - Only if it's an external process, otherwise, form defaults to self if action is omitted. – Funk Forty Niner Oct 21 '14 at 14:51
  • I know Fred, tryin to help the noob. – I wrestled a bear once. Oct 21 '14 at 14:53
  • 1
    I know. It's usually best to include that extra information, should War10ck's comment be deleted etc. plus, I fixed a typo for your input. – Funk Forty Niner Oct 21 '14 at 14:55
  • I'll give you an added tip. If OP's error reporting is set/on, and code is run from inside the same file, it will throw an `Undefined index` warning on initial page load. **Why** you ask? Ah, that my friend is because there would need to have a named submit button `name="submit"` (*which is missing, btw*) and using an `isset()` around the PHP and using a conditional statement. I did +1 already, but in doing that, you stand at getting more. Oh, plus checking if input is set and not empty helps too. – Funk Forty Niner Oct 21 '14 at 15:00
0

You need to add an input field to your form and change the form submit method. By default it's "GET", so you can't have the input value in $_POST.

Or you can get input value from $_GET.

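    <html>
    <body>
    <form name="myForm" method="post">
    <label for='inp'>Question 01: what Jorge do according to the story</label>
    <input type="text" name="q1" id="inp" />
    <input type="submit" value="Submit">
    </form>
    <?php
    require "connection.php";
    // Only run the insert once the form has been posted with a non-empty value
    if (!empty($_POST['q1'])) {
        // Escape the value before it is interpolated into the SQL string
        $qst = mysql_real_escape_string($_POST['q1']);
        mysql_query("insert into xxx values('$qst')") or die(mysql_error());
    }
    ?>
    </body>
    </html>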

And also you need to have a submit input field to submit the form, or you can submit it with JS or on keyup of the Enter key.

    <input type="submit" value="Submit">
Felix
  • 351
  • 1
  • 9