When I run that PHP on localhost (XAMPP), I directly get the error message "bilgiler sisteme gönderilemedi" before I press the submit button.

So I can't send the information to my database.

<body>

<form  action="insert_pro.php" method="post" enctype="multipart/form-data">
    <div class="center_content">
      <div class="title_box">Insert New Product</div>
      <div class="prod_box_big">
        <div class="center_prod_box_big">
          <div class="product_img_big"> <!-- <a href="javascript:popImage('images/big_pic.jpg','Some Title')" title="header=[Zoom] body=[&nbsp;] fade=[on]"><img src="images/p3.jpg" alt="" border="0" /></a> -->

          </div>
          <div class="details_big_box">


          <!-- TITLE -->
            <div class="product_title_big" >Product Title :</div>
            <td><input type="text" name="title" required/></td>

            <!-- DESCRIPTION -->
            <div class="product_title_big">Description : </div>
            <td><textarea name="descrip" cols="21" rows="5"></textarea></td>

            <!-- PRICE -->
            <div class="product_title_big">Price :</div>
            <td><input type="text" name="price" required/></td>

            <!-- PHOTO -->
            <div class="product_title_big">Product Photo :</div>
            <td><input type="file" name="way" required/></td>

            <!-- NOTE -->
            <h1>IF YOU FINISHED FILLING INFORMATION OF THE PRODUCT CLICK ADD PRODUCT</h1>
            </div>

            <!-- BUTTON -->
            <input   type="submit" name="insert_post" value="ADD PRODUCT">

        </div>
      </div>
    </div>

</form>


</body>
</html>


<?php
$title=$_POST['title'];
$descrip=$_POST['descrip'];
$price=$_POST['price'];

if($price){//if data arrived, we write it to the system
    //connecting to MySQL
$ServerAd="localhost";//enter the server name; if you installed locally enter localhost.
$KAd="root";//user name
$KSifre="3306505";//user password
$VeriAd="shop";//database name
$db=@mysql_connect($ServerAd,$KAd,$KSifre) or die(@mysql_error());//connecting to the database
$sec=@mysql_select_db($VeriAd);//selecting the database
//inserting data into the database. The values are interpolated unquoted and unescaped,
//so MySQL rejects the statement (and the query is open to SQL injection); see the answer below.
$ekle=mysql_query("insert into product (title,descrip,price) values ($title,$descrip,$price)");
if($ekle)//if the insert succeeded
echo "Sayın Yorumunuz sistemimize iletilmiştir.Teşekkürler";//"Dear user, your comment has been sent to our system. Thanks"
else//if the insert failed
echo "bilgiler sisteme gönderilemedi";//"information could not be sent to the system"
} ?>
  • (For info - according to Google Translate, "bilgiler sisteme gönderilemedi" simply means "information was not sent to the system") – DNA Dec 21 '14 at 22:06
  • `($title,$descrip,$price)` those need to be quoted, when string values are passed. Add `or die(mysql_error())` to `mysql_query()` and you will see the errors thrown by MySQL. – Funk Forty Niner Dec 21 '14 at 22:08
  • 1
    You have a syntax error in your query because you haven't wrapped your variables in apostrophes. This is yet another question where the OP hasn't bothered checking the return status properly and therefore doesn't know what's going on. –  Dec 21 '14 at 22:09
  • You have SQL injection vulnerabilities in this code, it would be a good idea to move to a newer database library, and use query parameterisation. In general it is a good idea to avoid the `@` error suppression operator too, since that might be hiding problems. – halfer Dec 21 '14 at 22:20

1 Answer

You need to quote string values. However, you're open to SQL injection, so I've made something up using mysqli with prepared statements.

Sidenote: Having added `or die(mysql_error())` to `mysql_query()` would have signaled the syntax error.

<?php
// Connect with mysqli and fail loudly instead of suppressing errors with @
$link = new mysqli('localhost', 'root', 'password', 'db');
if ($link->connect_errno) {
    throw new Exception($link->connect_error, $link->connect_errno);
}

// Check that the expected value has been provided via a POST request
if (isset($_POST['insert_post'])) {

    // now prepare an INSERT statement; the placeholders keep the values out of the SQL text
    if (!$stmt = $link->prepare('insert into product (title,descrip,price) VALUES (?,?,?)')) {
        throw new Exception($link->error, $link->errno);
    }

    // bind parameters (all sent as strings; MySQL converts price to the column type)
    $stmt->bind_param('sss', $_POST['title'], $_POST['descrip'], $_POST['price']);

    if (!$stmt->execute()) {
        throw new Exception($stmt->error, $stmt->errno);
    }

    $stmt->close();

} // brace for (isset($_POST['insert_post']))

For more information on prepared statements:

Consult the manual on mysqli with prepared statements, or PDO with prepared statements.


N.B.:

If you're still keen on keeping your present MySQL API, then change it to:

VALUES ('".$title."','".$descrip."','".$price."')

and use `stripslashes()`** (consult sidenote) and `mysql_real_escape_string()`.

I.e.:

$title = stripslashes($_POST['title']);
$title = mysql_real_escape_string($title); // escape the stripped value, not the raw POST value again

and doing the same for the others.

**Sidenote: The reason I used `stripslashes()` is the ability to add apostrophes in a name such as O'Neil for instance, instead of it showing up in the DB as O\'Neil.

It (`stripslashes()`) has nothing to do with preventing SQL injection; it's only an added option. `mysql_real_escape_string()` is what helps against injection; however, prepared statements are what should really be used instead, whether with the mysqli_ or the PDO API.

Quoting Halfer:

As far as I know, you'd only need to use stripslashes() on a name containing an apostrophe if magic quotes had automatically escaped it. Since this is no longer available in PHP, I would no longer add such code. Escaping functions such as mysql_real_escape_string() will deal with "O'Neil" fine on their own.

  • Doesn't `stripslashes` go the wrong way to protect against SQL injection? Afaict it will take a backslashed string and remove the slashes, when in fact we want to add them. – halfer Dec 21 '14 at 23:17
  • @halfer You're right, however why I always use `stripslashes()` (or add it in my answers) is the ability to add apostrophes in a name such as O'Neil for instance. Instead of it showing up in DB as O\'Neil. The `mysql_real_escape_string()` takes over for injection. Yet, prepared statements are the better way to go. Please correct me if I'm wrong on this, but this is my own experiences in dealing with apostrophes, *cheers* (I'll make an edit to that effect). – Funk Forty Niner Dec 22 '14 at 01:41
  • 1
    As far as I know, you'd only need to use `stripslashes` on a name containing an apostrophe if [magic quotes](https://php.net/manual/en/security.magicquotes.php) had automatically escaped it. Since this is no longer available in PHP, I would no longer add such code. Escaping functions such as `mysql_real_escape_string()` will deal with "O'Neil" fine on their own. – halfer Dec 22 '14 at 09:43
  • 1
    @halfer That's a good point. I have added that in an edit, quoting you. Thank you for that information. – Funk Forty Niner Dec 22 '14 at 13:02
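The answer above fixes two separate things at once: the syntax error (unquoted values) and the injection (values interpolated into the SQL text at all). The following script, added here as an illustration and not part of the original question or answer, shows both side by side: it builds the exact SQL text the question's code would send to MySQL for a few constructed submissions (including an O'Neil title and an injection payload), then stores the same submissions through a prepared statement with input validation. It assumes PDO with the pdo_sqlite extension and an in-memory SQLite database so that it runs offline; switching the DSN to `mysql:host=localhost;dbname=shop` (plus credentials) is the only change needed for the question's setup. The table layout, sample rows, `validate()` helper and price format are assumptions for the example.

```php
<?php
// Added example: the question's interpolated INSERT beside a parameterised one.
// Assumptions: PDO + pdo_sqlite available; table columns as in the question.
declare(strict_types=1);

// Constructed sample submissions standing in for $_POST (not real user data).
$submissions = [
    ['title' => 'Red Shoes',     'descrip' => 'Leather',      'price' => '49.90'],
    ['title' => "O'Neil Jacket", 'descrip' => "Men's size L", 'price' => '120'],
    ['title' => "x'); DROP TABLE product; --", 'descrip' => 'evil', 'price' => '1'],
];

// The statement exactly as the question builds it: values dropped straight into
// the SQL text with no quoting or escaping. For the first row MySQL receives
//   insert into product (title,descrip,price) values (Red Shoes,Leather,49.90)
// which is a syntax error. Adding quotes but keeping the interpolation would
// let the third row close the string and append its own statement.
function unsafeQuery(array $p): string
{
    return "insert into product (title,descrip,price) values ({$p['title']},{$p['descrip']},{$p['price']})";
}

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');                        // assumed: SQLite for offline use
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // never silence errors with @
    $pdo->exec('CREATE TABLE product (
        id INTEGER PRIMARY KEY, title TEXT NOT NULL, descrip TEXT, price NUMERIC NOT NULL)');
    return $pdo;
}

// Validate shape before binding. Parameterisation stops injection; it does not
// stop a non-numeric price or an empty title, so those are checked here.
function validate(array $p): array
{
    $title = trim((string)($p['title'] ?? ''));
    if ($title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('title missing or too long');
    }
    $price = (string)($p['price'] ?? '');
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('price must be a decimal such as 49.90');
    }
    return ['title' => $title, 'descrip' => (string)($p['descrip'] ?? ''), 'price' => $price];
}

// Parameterised insert: the SQL text is fixed and the values travel separately,
// so an apostrophe or a payload in a value is stored as plain text.
function insertProduct(PDO $pdo, array $p): int
{
    $clean = validate($p);
    $stmt = $pdo->prepare(
        'INSERT INTO product (title, descrip, price) VALUES (:title, :descrip, :price)');
    $stmt->execute([
        ':title'   => $clean['title'],
        ':descrip' => $clean['descrip'],
        ':price'   => $clean['price'],
    ]);
    return (int)$pdo->lastInsertId();
}

$pdo = connect();
foreach ($submissions as $p) {
    echo 'unsafe SQL text: ' . unsafeQuery($p) . "\n";
    echo 'stored row ' . insertProduct($pdo, $p) . " via prepared statement\n";
}

// All three titles are stored verbatim and the table still exists.
foreach ($pdo->query('SELECT id, title, price FROM product ORDER BY id') as $row) {
    printf("%d  %-32s %s\n", $row['id'], $row['title'], $row['price']);
}
```

Run it with `php example.php`. Comparing the `unsafe SQL text` lines with the rows listed at the end makes the point of the answer concrete: the interpolated version is at best a syntax error and at worst executes whatever the user typed, while the prepared statement stores the third title as a harmless string.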