
So, I'm trying to push a comment to my database (icposts, below), and I'm not getting any results. I can pull and display the comments I directly insert into the database table fine, but when I try to send a comment from the html form, it doesn't seem to work at all.

<?php

$connect=mysqli_connect("localhost","root","");
$database=mysqli_select_db("icposts");


$username=$_POST['poster'];
$title=$_POST['postTitle'];
$body=$_POST['postText'];
$date=$_POST['currentDate'];
$submit=$_POST['submit'];

if($submit)
{
        $query=mysql_query("INSERT INTO 'posts'('id', 'username', 'title', 'body', 'date') VALUES ('','$username','$title','$body','$date')");

}
?>

Here's the form's html, for reference:

<form name="input" action="comments.php" method="POST">
 Username: <input id="poster" type="text" name="poster" value="Guest" /><br>
 Title: <input id="postTitle" type="text" name="postTitle" /><br>
 Comment: <br> <textarea id="postText" name="postText" rows="4" cols="50"></textarea>
 <input id="submit" name="submit" type="submit" value="Submit" />
 <input id="currentDate" name="currentDate" type="hidden" value="" />
</form>
I've been looking at various examples, and I don't see anything wrong with what I've got there, when I compare it to what other people have posted online.
Grice

2 Answers

First, you need to pass the connection to $database=mysqli_select_db("icposts");.

Then you're starting to mix MySQL APIs with mysql_query. They just don't intermix.

$database=mysqli_select_db($connect,"icposts");

Then you're using the wrong identifiers for your table and columns, being quotes.

Either use ticks, or remove them (quotes) and also pass the connection to the query:

$query=mysqli_query($connect,"INSERT INTO `posts` (`id`, `username`, `title`, `body`, `date`)
 VALUES ('','$username','$title','$body','$date')");

Also add or die(mysqli_error($connect)) to mysqli_query() to check for DB errors, which is the reason why you are not getting errors; you're not checking for them. Error reporting is another thing you should look into.

Example:

if (!mysqli_query($connect,"INSERT INTO `posts` (`id`, `username`, `title`, `body`, `date`)
     VALUES ('','$username','$title','$body','$date')"))
{
    echo("Error description: " . mysqli_error($connect));
}
else {
    echo "Success!";
}

You can also use all 4 parameters instead:

$connect=mysqli_connect("localhost", "root", "", "icposts");

You may also want to replace if($submit) with

if(isset($_POST['submit']))

You can then get rid of $submit=$_POST['submit'];. It's best to use isset().

Note: You will need to make sure that your currentDate column allows for blank data, otherwise you will need to give it some form of value.

Another note about the "id" column. If it is an auto_increment, you can just omit it from the query.

The database will increase on its own.


Sidenote:

Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements, they're much safer.

In the meantime till you get into using prepared statements, change your code using:

$username = stripslashes($_POST['poster']);
$username = mysqli_real_escape_string($connect, $username);

and do the same for all your variables.


Here is a prepared statements primer:

<?php
$link = new mysqli('localhost', 'root', '', 'database');
if ($link->connect_errno) {
    throw new Exception($link->connect_error, $link->connect_errno);
}

// Check that the expected value has been provided via a POST request
if (!isset($_POST['input1'])) {
    throw new Exception('Missing POST request parameter [input1]');
}

// now prepare an INSERT statement
if (!$stmt = $link->prepare('INSERT INTO `your_table` (`name`) VALUES (?)')) {
    throw new Exception($link->error, $link->errno);
}

// bind parameters
$stmt->bind_param('s', $_POST['input1']);

if (!$stmt->execute()) {
    throw new Exception($stmt->error, $stmt->errno);
}
Funk Forty Niner
  • Thanks for the help! I'm doing this for an assignment, and it doesn't require that the pages be secure, but I'll keep in mind SQL injection in my future projects. – Shane Allen Dec 03 '14 at 21:09
  • You're welcome Shane, glad to have helped. Remember to mark it as solved, *cheers* – Funk Forty Niner Dec 03 '14 at 21:11
$connect=mysqli_connect("localhost","root","");

Should be (the select db can simply be removed)

$connect=mysqli_connect("localhost","root","", "icposts");

And

$query=mysql_query("INSERT INTO 'posts'('id', 'username', 'title', 'body', 'date') VALUES ('','$username','$title','$body','$date')");

Should be

$query=mysqli_query($connect, "INSERT INTO `posts` (`id`, `username`, `title`, `body`, `date`) VALUES ('','$username','$title','$body','$date')");

Please do keep in mind that this is a really bad approach. Also, looking at your query, it seems like the id is an auto-incremented column. If that's the case, you don't even have to write it in the query itself.

You might want to look further into parameterizing queries. This is a nice post for that: How can I prevent SQL injection in PHP?

Jordy
  • Thanks for the help, I'll keep security in mind for my future projects, but for now, this doesn't have to be secure for me at the moment. – Shane Allen Dec 03 '14 at 21:11
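Both answers point at the same problem in the question's INSERT: the form values are glued into the SQL text, and errors are never checked. As an added example that is not part of the question or either answer, the snippet below runs the question's interpolated INSERT next to a prepared statement, on an in-memory SQLite database through PDO so it executes offline with no MySQL server. The table layout, the attacker-supplied "poster" value and the function names are assumptions made for the demo; the same input behaves the same way against MySQL, whose "-- " comment syntax needs the trailing space. A mysqli version of the safe insert for comments.php is included to match the page's API but is not called here, since it needs a live connection.

```php
<?php
// Added example, not code from the question or the answers.
// Runs the interpolated INSERT from the question and a prepared statement
// side by side on an in-memory SQLite database (PDO) so it works offline.
// Table layout, sample values and function names are assumptions for the demo.

function open_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on any SQL error instead of failing silently, which is the
    // question's symptom: the query fails and nobody looks at the result.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL,
        title TEXT NOT NULL,
        body TEXT NOT NULL,
        date TEXT NOT NULL)');
    return $pdo;
}

// Same construction as the question: form values interpolated into the SQL text.
function insert_post_unsafe(PDO $pdo, string $username, string $title, string $body, string $date): void {
    $sql = "INSERT INTO posts (username, title, body, date)
            VALUES ('$username','$title','$body','$date')";
    $pdo->exec($sql);
}

// Hardened form: the SQL text is fixed, the values travel separately as parameters.
function insert_post_safe(PDO $pdo, string $username, string $title, string $body, string $date): void {
    $stmt = $pdo->prepare('INSERT INTO posts (username, title, body, date) VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, $title, $body, $date]);
}

// The mysqli equivalent for comments.php in the question. Not called in this
// offline demo: it needs a live MySQL server and a $connect from mysqli_connect().
function insert_post_mysqli(mysqli $connect, string $username, string $title, string $body, string $date): void {
    // Make mysqli throw on errors rather than returning false quietly.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $stmt = $connect->prepare('INSERT INTO `posts` (`username`, `title`, `body`, `date`) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $username, $title, $body, $date);
    $stmt->execute();
    $stmt->close();
}

function all_posts(PDO $pdo): array {
    return $pdo->query('SELECT username, title, body FROM posts ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input for the "poster" field: it closes the VALUES list
// early with its own title and body, then comments out the rest of the query.
$attacker = "Guest','pwned title','attacker-written body','2014-12-03') -- ";
$title = 'Hello';
$body  = 'A normal comment';
$date  = '2014-12-03';

$pdo = open_demo_db();
insert_post_unsafe($pdo, $attacker, $title, $body, $date);
insert_post_safe($pdo, $attacker, $title, $body, $date);

foreach (all_posts($pdo) as $row) {
    printf("username=%s | title=%s | body=%s\n", $row['username'], $row['title'], $row['body']);
}

// A plain apostrophe in the unsafe path is a SQL syntax error; with error
// reporting on it surfaces as an exception instead of a silently missing row.
try {
    insert_post_unsafe($pdo, "O'Brien", $title, $body, $date);
} catch (PDOException $e) {
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}
// The prepared statement stores the apostrophe as data.
insert_post_safe($pdo, "O'Brien", $title, $body, $date);
```

Run it with php on a build that has pdo_sqlite. In the unsafe row the attacker's payload chooses the title and body, whatever the form sent; in the prepared-statement row the entire payload lands in the username column as a literal string and the real title and body are kept. Escaping with mysqli_real_escape_string, as the first answer suggests as a stopgap, would also neutralise these two inputs, but it has to be applied to every value on every query and is easy to miss once; binding parameters removes that class of mistake entirely.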