3

Updated

This is the whole code. Still, I do not have a value in the text field "user", but I have values in all the others. I print the values before adding them to the db (I already deleted that from the original code; I have all values except the one in the user field).

This is a testing environment. What I have issues with is the following:

The field "user" is a field containing text, and for some reason $_POST does not contain it. All the other variables from the number fields are carried in $_POST[field_name], but not the text field.

Do you have any idea how to fix this? I tried using html special char, but still no results.

Thanks in advance for the help!

This is the HTML:

```html
<html><head><title>MySQL Table Viewer</title></head><body>

<form action="submit.php" method="POST">

Day: <input type="number" name="day"/> Month: <input type="number" name="mont"/> Year: <input type="number" name="year"/>
<br> <br>
Start Hour:<br>
<input type="number" name="shour"/>
<br>
End Hour:<br>
<input type="number" name="ehour"/>

Agent: <input type="text" name="user" value=""/>

<input type="submit" class="button" name="submit" value="submit" />
</form>
</body></html>
```

This is the PHP:

```php
<html>
<body>
<?php

$day = mysql_real_escape_string($_POST['day']);
$mont = mysql_real_escape_string($_POST['mont']);
$year = mysql_real_escape_string($_POST['year']);
$shour = mysql_real_escape_string($_POST['shour']);
$ehour = mysql_real_escape_string($_POST['ehour']);
$user = mysql_real_escape_string($_POST['user']);

$con = mysql_connect("localhost","root","samokow");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("reservations", $con);

$sql="INSERT INTO reservations (day, mont, year, shour, ehour, user)
VALUES ('$day', '$mont','$year', '$shour','$ehour','$user')";

if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "Booking done." ;

mysql_close($con);
?>

</body>
</html>
```
Eva
  • 31
  • 3
  • 1
    Try `print_r($_POST)` and check what variables have been posted – krishna Dec 16 '14 at 12:44
  • Using that code you are highly vulnerable to SQL injection attacks. You should never ever place user inputs into a query without proper escaping. Please read about prepared statements and your problem will be gone. – feeela Dec 16 '14 at 12:46
  • Always use braces around variables like `'{$_POST[day]}'`. You are using mysql_*, which is deprecated; use mysqli_* or PDO. You are also using posted data directly in the query, which is highly dangerous; try prepared statements. – bansi Dec 16 '14 at 12:46
  • @bansi This is not necessary. Only if you use variable variable-names. (e.g. `$this->{$_POST['day']}`) – feeela Dec 16 '14 at 12:47
  • @feeela It is not necessary, but it can save you from hours of hair-pulling debug sessions later. – bansi Dec 16 '14 at 12:49
  • My earlier comment had a bug; it should be `'{$_POST['day']}'` – bansi Dec 16 '14 at 12:52
  • 1
    Can you post the whole PHP code and HTML code? It seems you have made a mistake somewhere that is not shown in this code – krishna Dec 16 '14 at 13:32
  • Also post the result of `print_r($_POST)` to check whether all variables are passed correctly – krishna Dec 16 '14 at 15:12

5 Answers

1

You're quoting your $_POST[]; you should do it like this:

```php
// Concatenate each escaped POST value into the INSERT (values are left unquoted, as this answer proposes).
$sql="INSERT INTO reservations (day, mont, year, shour, ehour, user) VALUES (".mysql_real_escape_string($_POST['day']).", ".mysql_real_escape_string($_POST['mont']).",".mysql_real_escape_string($_POST['year']).", ".mysql_real_escape_string($_POST['shour']).",".mysql_real_escape_string($_POST['ehour']).",".mysql_real_escape_string($_POST['user']).")";
```

This should work.

You don't have to quote variables such as post in your query but instead use mysql_real_escape_string

EDIT:

Your year tag is invalid: you end it with a $, and in your query you're getting shour 2 times.

`Year: <input type="number" name"year"$`

Should be: `Year: <input type="number" name="year">`

`$_POST[day]', '$_POST[mont]','$_POST[year]', '$_POST[shour]','$_POST[shour]'`

Shouldn't the second shour be ehour?

krishna
  • 4,069
  • 2
  • 29
  • 56
Stijn Bernards
  • 1,091
  • 11
  • 29
  • This does not solve the issue. Also, you don't advise to use outdated functions – krishna Dec 16 '14 at 13:00
  • @krishna How does this not solve the issue? The quoting of $_POST is definitely the issue. And could you explain why I NEED to advise to use other functions? If OP wants to use mysql, that's fine with me. I don't need to say what others are already saying. OP is using the mysql_ functions so I will not advise him to change his whole code based on my answer. – Stijn Bernards Dec 16 '14 at 13:02
  • The SQL query that he wrote will work fine when all variables are posted correctly. The error that he had is not due to a quoting issue. FYI, if there is an error in the quotes it will not post any values. For the OP, some values have been displayed. And regarding the mysql_ functions, they are deprecated; once you move on you cannot find servers supporting old functions. So you have to update yourself with time – krishna Dec 16 '14 at 13:07
  • @krishna Ah, I didn't read that. Still, you can't disapprove of someone's answer because the functions are deprecated. Answers are meant to fit the question. – Stijn Bernards Dec 16 '14 at 13:10
  • I will support it if it mentions it was good practice irrespective of the functions being deprecated. I would help in correcting it. The reason why I disapprove is that it was mentioned that quoting was the problem (which it is not) – krishna Dec 16 '14 at 13:12
  • 2
    You have an error; it should be `name="user"` and not `name"user"` – krishna Dec 16 '14 at 13:16
  • 1
    The OP quoted his MySQL values; that is something this answer lacks. Maybe they store their values as varchars and not numbers, and I am not sure if MySQL will make the conversion... Also, you repeated shour in your SQL (replace one with ehour) – Logan Murphy Dec 16 '14 at 13:19
  • Hi, thanks for the notes. Those were typos, fixed, but that does not solve the issue. Also, I echo the text field variable that I cannot see and it is empty before trying to insert it into the db. – Eva Dec 16 '14 at 13:27
  • @Eva Did you echo it like this: $_POST['user']? If so, it's really strange that you got null as a response. Try var_dump($_POST); and see if the user does exist – Stijn Bernards Dec 16 '14 at 13:30
1

I hope this code is for testing purposes only?

Paste all of this in the same page!

```html
<form method="POST">
    Day: <input type="number" name="day" />
    Month: <input type="number" name="mont" />
    Year: <input type="number" name="year" />
    Start Hour: <input type="number" name="shour" />
    End Hour: <input type="number" name="ehour" />
    Agent: <input type="text" name="user" />
    <input type="submit" class="button" name="submit" value="submit" />
</form>
```

Before including the $_POST values in your database, you should use mysql_real_escape_string(), just like the others said.

ALSO, you will have to use mysqli or PDO because mysql_query() is deprecated.

```php
// Only build the query when the form was actually submitted.
if(isset($_POST['submit'])){
    // Escape every posted value before it goes into the SQL string.
    $day = mysql_real_escape_string($_POST['day']);
    $mont = mysql_real_escape_string($_POST['mont']);
    $year = mysql_real_escape_string($_POST['year']);
    $shour = mysql_real_escape_string($_POST['shour']);
    $ehour = mysql_real_escape_string($_POST['ehour']);
    $user = mysql_real_escape_string($_POST['user']);

    $sql="INSERT INTO reservations (`day`, `mont`, `year`, `shour`, `ehour`, `user`) VALUES ('$day', '$mont','$year', '$shour','$ehour','$user')";
}
```
Refilon
  • 3,334
  • 1
  • 27
  • 51
  • Hi, thanks! As stated, it is indeed for testing purposes, and I wrote it in order to avoid all the comments that I received anyway for how this is a complete security violation and so on. Anyway, this did not help; I still do not have a value in the text field variable, but I have in the numerical ones. – Eva Dec 16 '14 at 13:21
  • The year one was fixed long ago. I get the POST values on the submit page. The script is on the submit page. Everything is working, except the user field. – Eva Dec 16 '14 at 13:32
  • You are still missing `=` in `name="year"`... but if this code doesn't work for you (which it does in PHP Fiddle), then there is something the OP is not telling us, or the error they think they are having is not the error they actually are having – Logan Murphy Dec 16 '14 at 13:46
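
Added example, not part of any answer in this thread: the comments under the question recommend prepared statements and the answer above points to mysqli or PDO, so this shows the reservations insert done with PDO bound parameters, rejecting a missing field by name instead of inserting an empty value. It assumes the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the MySQL one; `int_field`, `add_reservation`, the value ranges and the sample POST data are hypothetical.

```php
<?php
// Hypothetical helper: validate one integer field; null means missing or out of range.
function int_field(array $post, string $name, int $min, int $max): ?int
{
    $v = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Hypothetical helper: insert one reservation with bound parameters, return its id.
function add_reservation(PDO $db, array $post): int
{
    $user = $post['user'] ?? null;
    $row = [
        'day'   => int_field($post, 'day', 1, 31),      // ranges are assumptions
        'mont'  => int_field($post, 'mont', 1, 12),
        'year'  => int_field($post, 'year', 2000, 2100),
        'shour' => int_field($post, 'shour', 0, 23),
        'ehour' => int_field($post, 'ehour', 0, 23),
        'user'  => is_string($user) && trim($user) !== '' ? trim($user) : null,
    ];
    foreach ($row as $key => $value) {
        if ($value === null) {  // name the bad field instead of inserting an empty value
            throw new InvalidArgumentException("missing or invalid field: $key");
        }
    }
    $stmt = $db->prepare('INSERT INTO reservations (day, mont, year, shour, ehour, user)
                          VALUES (:day, :mont, :year, :shour, :ehour, :user)');
    $stmt->execute($row);   // values travel as parameters, never as SQL text
    return (int) $db->lastInsertId();
}

// Constructed demo: in-memory SQLite stands in for the MySQL "reservations" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reservations (id INTEGER PRIMARY KEY, day INT, mont INT,
           year INT, shour INT, ehour INT, user TEXT)');
// Constructed POST data; the "user" value contains quote characters.
$post = ['day' => '16', 'mont' => '12', 'year' => '2014', 'shour' => '9',
         'ehour' => '11', 'user' => "O'Brien \"night shift\""];
$id = add_reservation($db, $post);
$q = $db->prepare('SELECT user FROM reservations WHERE id = ?');
$q->execute([$id]);
var_dump($q->fetchColumn() === $post['user']);   // compares stored text with the input
try {
    add_reservation($db, ['day' => '16', 'mont' => '12']);   // constructed: fields absent
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Against MySQL the same two functions work with a `mysql:` DSN; only the connection line changes.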
0

Try this:

```php
// Escape every posted value before it goes into the SQL string.
$day = mysql_real_escape_string($_POST['day']);
$mont = mysql_real_escape_string($_POST['mont']);
$year = mysql_real_escape_string($_POST['year']);
$shour = mysql_real_escape_string($_POST['shour']);
$ehour = mysql_real_escape_string($_POST['ehour']);
$user = mysql_real_escape_string($_POST['user']);

$sql="INSERT INTO reservations (day, mont, year, shour, ehour, user) VALUES ('$day', '$mont','$year', '$shour','$ehour','$user')";
```
I'm Geeker
  • 4,601
  • 5
  • 22
  • 41
  • You're not escaping your mysql_real_escape_string so it wouldn't work like that – Stijn Bernards Dec 16 '14 at 12:48
  • This does not solve the issue and it is incorrect. You cannot use `$_POST['variablename']` in double quotes; it will cause an error. Also, you don't advise to use outdated functions – krishna Dec 16 '14 at 12:59
0

I would recommend providing a value parameter in the input tag as well:

 .... Agent: <input type="text" name="user" value="">

Some browsers are picky about that (MS IE ...?)

Axel Amthor
  • 10,980
  • 1
  • 25
  • 44
-1

You need to put the row in quotes like this:

  $_POST['user']
Katyoshah
  • 129
  • 10