
I am building a simple blog system where I can post entries through a PHP page to the database in MySQL. Whenever I post an entry it doesn't seem to appear in the database, and I can't find the issue. Here is my PHP:

<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();

if(isset($_SESSION['username']))
{
    $username = ucfirst($_SESSION['username']);

    if($_POST['submit']) {
        $title = $_POST['title'];
        $subtitle = $_POST['subtitle'];
        $content = $_POST['content'];
        include_once("connection.php");
        $sql = "INSERT INTO blog (title, subtitle, content) VALUES ('$title', '$subtitle', '$content')";
        mysqli_query($dbCon, $sql);
        echo "Blog entry posted";
    }
}
else{
    header('Location: login.php');
    die();
}
?>

The title, subtitle and content tags are in the HTML below this, and they take the values which I intend to send to the database. This is the HTML:

<form method="post" action="admin.php">
Title:<input type="text" name="title" /><br />
Subtitle: <input type="text" name="subtitle" /><br />
Content:<textarea name="content"></textarea>
<input type="submit" name="submit" value="Post Blog Entry" />
</form>

And the connection to the database is:

<?php
$dbCon = mysqli_connect("localhost","root","","learnlearn");
if(mysqli_connect_errno())
{
echo "Failed to connect: " . mysqli_connect_error();
}
?>
  • First of all, try to debug: `mysqli_query($dbCon, $sql) or die(mysqli_error($dbCon));` – Eimantas Gabrielius Jan 05 '15 at 16:28
  • You are vulnerable to [sql injection attacks](http://bobby-tables.com) and are simply ASSUMING the query succeeded. Never do that. Always assume failure, check for failure, and treat success as a pleasant surprise. – Marc B Jan 05 '15 at 16:28
  • Check `mysqli_error()` after the query. – Sirko Jan 05 '15 at 16:28
  • Can you please add `or die(mysqli_error($dbCon))` to `mysqli_query($dbCon, $sql)` – Mramaa Jan 05 '15 at 16:28
  • What error do you get? Furthermore the `$query` is not safe for SQL injection. – Willem Van Onsem Jan 05 '15 at 16:29
  • I hope you're coding this for fun or furthering your programming skills. If you actually want a blogging platform, use Wordpress. – i-CONICA Jan 05 '15 at 16:31
  • Two things. Your code is dependent on whether the session is set, plus `if($_POST['submit'])` you should change that to `if(isset($_POST['submit']))` – Funk Forty Niner Jan 05 '15 at 16:32
  • @Mramaa this is the error I am getting: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's standard dummy text ever since the 1500s, when an unknown printer took a galle' at line 1' – user2668069 Jan 05 '15 at 16:33
  • You need to escape your data then. ^ `mysqli_real_escape_string()` will fix that. You're entering quotes. – Funk Forty Niner Jan 05 '15 at 16:33
  • What @Fred-ii- said: use `mysqli_real_escape_string($dbCon,$string)` – Mramaa Jan 05 '15 at 16:34
  • ... or use prepared statements with bind placeholders. – spencer7593 Jan 05 '15 at 16:34
  • OH! I SEE THE PROBLEM IS WITH THE DUMMY TEXT I AM USING – user2668069 Jan 05 '15 at 16:34
  • Thanks guys, Y'all are fracking awesome – user2668069 Jan 05 '15 at 16:35
  • We know lol @user2668069 ;-) – Funk Forty Niner Jan 05 '15 at 16:35
  • The real problem is not the data, the problem is that your code is vulnerable to SQL Injection ala [Little Bobby Tables](http://xkcd.com/327/). Skip W3Fools, and go straight to the OWASP project. [https://www.owasp.org/index.php/SQL_Injection](https://www.owasp.org/index.php/SQL_Injection) – spencer7593 Jan 05 '15 at 16:38
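
The fix the comments converge on (prepared statements with bound placeholders, plus actually checking for failure), written out as an added example. This is not the asker's code or any commenter's code. It assumes the `connection.php` shown in the question still defines `$dbCon`, that the `blog` table has an AUTO_INCREMENT primary key, and that `admin.php` renders the form below the PHP block; the field-validation loop and the `insertBlogEntry` helper are this example's own additions.

```php
<?php
declare(strict_types=1);

// Added example, not the original question's code. It replaces the
// string-concatenated INSERT with a mysqli prepared statement, which is the
// fix suggested in the comments. Assumptions (not in the original post):
// connection.php defines $dbCon as shown in the question, the `blog` table
// has an AUTO_INCREMENT primary key, and admin.php also renders the form.

error_reporting(E_ALL);
// Make mysqli throw on any error so a failed query can never look like success.
// (With this set, the mysqli_connect_errno() check in connection.php is no
// longer needed: a failed connect throws mysqli_sql_exception.)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one blog entry and return its new id.
 *
 * The SQL text contains only '?' placeholders; the data is sent to the server
 * separately, so a value such as "Lorem Ipsum's standard dummy text" can no
 * longer terminate the string literal or smuggle in extra SQL. No escaping
 * of the input is needed or performed here.
 */
function insertBlogEntry(mysqli $dbCon, string $title, string $subtitle, string $content): int
{
    $stmt = $dbCon->prepare(
        'INSERT INTO blog (title, subtitle, content) VALUES (?, ?, ?)'
    );
    // 'sss': three string parameters, bound in the order of the placeholders.
    $stmt->bind_param('sss', $title, $subtitle, $content);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

session_start();

if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    // Reject missing, non-string (e.g. title[]=x) or blank fields up front
    // instead of inserting empty rows or tripping a TypeError later.
    foreach (['title', 'subtitle', 'content'] as $field) {
        if (!isset($_POST[$field]) || !is_string($_POST[$field]) || trim($_POST[$field]) === '') {
            http_response_code(400);
            exit('Missing field: ' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8'));
        }
    }

    require_once 'connection.php';

    try {
        $id = insertBlogEntry($dbCon, $_POST['title'], $_POST['subtitle'], $_POST['content']);
        echo 'Blog entry #' . $id . ' posted';
    } catch (mysqli_sql_exception $e) {
        // Log the real error server-side; show the user only that it failed.
        error_log('blog insert failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not save the blog entry';
    }
}
?>
```

Two things worth noting when adopting this. First, the apostrophe in the dummy text that produced the "near 's standard dummy text" syntax error is exactly the character an attacker would use on purpose; binding parameters fixes both the accidental and the deliberate case in one step, whereas `mysqli_real_escape_string()` only works if it is applied to every value on every query and the connection charset is set correctly. Second, `connection.php` as posted connects as `root` with an empty password; a dedicated MySQL account granted only INSERT and SELECT on `learnlearn.blog` limits what a future injection bug elsewhere in the site could reach.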
