1

My MySQL insert statement goes through when I insert it manually; however, the form will not post. Any help is appreciated.

The Form

<pre>
<form method="post" action="">
    <h4>Title</h4>
    <input type="text" id="post_title" />
    <h4>Location</h4>
    <input type="text" id="post_location" />
    <h4>My Tale</h4>
    <textarea id="post_content" ></textarea>
    <input type="submit" value="Share"/><br />
</form>
</pre>

The Form Processor

<pre>
<?php
if (isset($_GET['success']) === true) {
    // Shown after the redirect below.
    echo 'Your journal entry has been added';
} else {
    if (empty($_POST) === false && empty($errors) === true) {
        // Collect the submitted fields and hand them to add_post().
        $post_data = array(
            'post_title'    => $_POST['post_title'],
            'post_location' => $_POST['post_location'],
            'post_content'  => $_POST['post_content']
        );
        add_post($user_id, $post_data);
        header('Location: settings.php?success');
        exit();
    } else if (empty($errors) === false) {
        echo output_errors($errors);
    }
}
?>
</pre>

The Function that handles the post process

<pre>
function add_post($blog_author, $post_data) {
    $post = array();
    array_walk($post_data, 'array_sanitize');
    foreach($post_data as $field=>$data) {
         $post[] = '`' . $field . '` = \'' . $data . '\'';
    }
    mysql_query("INSERT INTO user_blog (`post_author`,`post_title`,`post_location`,`post_content`) VALUES ('$blog_author','post_title','post_location','post_content')");
}   
</pre>

There are no errors; the error checks merely look for blank form fields. There seems to be an issue between the post and the function, but I can't pin down the issue.

Stoneflyx
**Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jan 03 '15 at 22:40

2 Answers

0

No name attribute in textarea, thus it will not fetch the content.

Mramaa
0

In add_post() $post is prepared but not used in the final call to mysql_query.

You prepare $post to be used in an INSERT INTO user_blog SET statement but you are using INSERT INTO user_blog () VALUES() for the final call.

Among the values only `$blog_author` will be inserted, the remaining are string literals.

hultqvist
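
The direction the answers and the comment above point in, as an added example that is not code from the thread: `add_post()` binds the three fields as parameters of a PDO prepared statement instead of writing them into the query as string literals. It assumes the form inputs carry `name` attributes matching the column names; the in-memory SQLite connection, the `post_id` column and the sample values are constructed so the snippet runs offline.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension
// so it runs offline; for MySQL only the DSN passed to new PDO() changes.

function add_post(PDO $db, int $blog_author, array $post_data): int
{
    // Fixed column list: field names never come from the request.
    $fields = ['post_title', 'post_location', 'post_content'];

    $params = [':post_author' => $blog_author];
    foreach ($fields as $field) {
        $value = $post_data[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
        $params[":$field"] = $value;
    }

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO user_blog (post_author, post_title, post_location, post_content)
         VALUES (:post_author, :post_title, :post_location, :post_content)'
    );
    $stmt->execute($params);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema; post_id is an assumed primary key.
$db->exec('CREATE TABLE user_blog (
    post_id INTEGER PRIMARY KEY, post_author INTEGER,
    post_title TEXT, post_location TEXT, post_content TEXT)');

// Constructed stand-in for $_POST once the inputs carry name="post_title" etc.
$post = [
    'post_title'    => "O'Brien's tale",
    'post_location' => 'Dublin',
    'post_content'  => "Quotes like ' and \" are stored as data, not parsed as SQL.",
];

$id  = add_post($db, 1, $post);
$sel = $db->prepare('SELECT post_title, post_content FROM user_blog WHERE post_id = ?');
$sel->execute([$id]);
print_r($sel->fetch(PDO::FETCH_ASSOC));
```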