
Here is my HTML form for adding data into the table:

<div class="TTWForm-container">
<div id="form-title" class="form-title field"><h2>ახალი სტატია</h2></div>
<form enctype="multipart/form-data" action="index.php?link=addart" class="TTWForm ui-sortable-disabled" method="post"> 
<div id="field2-container" class="field f_100 ui-resizable-disabled ui-state-disabled">
<label for="title">სათაური</label>
<input name="title" id="title" required="required" type="text">
</div>
<div id="field10-container" class="field f_100 ui-resizable-disabled ui-state-disabled">
<label for="post">
სტატია
</label>
<textarea rows="15" cols="40" name="post" id="post" required="required"></textarea>
</div>
<div id="form-submit" class="field f_100 clearfix submit">
<input value="დამატება" type="submit" id="submit">
</div>
</form>
</div>

Processing:

if (isset($_POST['title'])) {$title = $_POST['title'];}
if (isset($_POST['post'])) {$post = $_POST['post'];}

<?php
if (isset($title) && isset($post))
{
/*can add post */
$insert = "INSERT INTO article ('title','post') VALUES ('$title','$post')";
$result = mysqli_query($connect,$insert);

if ($result == 'true') {echo "<p>post is added.</p>";}
else {echo "<p>post is not added.</p>";}
}
else
{
echo "<p>Fill all fields.</p>";
}
?>

After processing it always says that the post is not added. Checking the database, and it's true. Can't find the mistake. Please help. Thanks.

David
  • Seeing your label, I wonder what encoding type you try to save in your database. Did you use the right encoding for your MySQL table? – cari Jan 18 '15 at 16:52
  • Checking the error logs on your server might be a good start... – Jason Bassett Jan 18 '15 at 16:54
  • I use UTF8_general_ci for storing Georgian characters. Stored data is Georgian. – David Jan 18 '15 at 16:58
  • I use `error_reporting(E_ALL); ini_set("display_errors", 1);` at the beginning of the PHP file, and the page displays no error. – David Jan 18 '15 at 17:01
  • Do this `$result = mysqli_query($connect,$insert) or die(mysqli_error($connect));` and you will see SQL errors. I also don't see why you're using `if (isset($title) && isset($post))`; you're already doing that. – Funk Forty Niner Jan 18 '15 at 17:02
  • Your code is vulnerable to SQL injections; you should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Jan 18 '15 at 17:02
  • @Gumbo Not "yet" lol - When the code starts to work, yes ;-) – Funk Forty Niner Jan 18 '15 at 17:11
  • @Fred-ii- You’re already able to inject arbitrary SQL code, although you can’t do anything to make it valid. – Gumbo Jan 18 '15 at 17:13
  • @Gumbo I agree, but how would it make it past `('title','post')` if OP is treating those as strings instead of columns? – Funk Forty Niner Jan 18 '15 at 17:14
  • @Fred-ii- As I said, nothing you may inject would make it valid. So I should rather have used 'prone' instead of 'vulnerable'. ;-) – Gumbo Jan 18 '15 at 17:17
  • @Gumbo No argument there ;-) – Funk Forty Niner Jan 18 '15 at 17:18

3 Answers


Here's a prepared statement for you.

$link = new MySQLi('localhost','username','password','database');

if (isset($_POST['title'], $_POST['post']) && $_POST['title'] != "" && $_POST['post'] != "") {
    $title = $_POST['title'];
    $post  = $_POST['post'];
    if ($query = $link->prepare('INSERT INTO article (title,post) VALUES(?,?)')) {
        $query->bind_param('ss', $title, $post);
        // execute() returns false on failure, so check it instead of assuming success
        $ok = $query->execute();
        $query->close();
        echo $ok ? 'Success!' : 'Failure!';
    } else {
        echo 'Failure!';
    }
} else {
    echo 'You missed a field!';
}
Jason Bassett

Boolean Comparison

First, check your comparison. mysqli_query returns a boolean true or false, not a string 'true' or 'false.' Instead of:

if ($result == 'true')

use

if ($result == true)

or even:

if ($result)

Debug the Query

Next, check the query itself for errors. As Fred noted, you should mark your column names with back ticks instead of single quotes:

INSERT INTO article (`title`,`post`)

Consider logging the output of mysqli_error, or try echoing your query and running it manually against the database. You may find that the query has a hidden syntax or data error that is not obvious in the code.

Posted Values

Next, check the values that you are fetching from $_POST. Is $_POST['post'] set? Does it have a useful value?

Database Connection

Finally, check the database connection itself. Are you truly connected? Do you have debugging logging or output around the connection attempt?

George Cummins

So just change:

else
{
echo "<p>post is not added</p>";
}

to:

else
{
echo "<p>MySQL error:".mysqli_error($connect)."</p>";
}
Alex
  • Log the errors, but don’t print them. This will most likely make it into production code and may reveal sensitive internal information only meant for the developer. – Gumbo Jan 18 '15 at 17:01
  • I think @David was asking for help on how to debug his code and find what is wrong, not about how to create a good application. – Alex Jan 18 '15 at 17:05
  • I prefer to do one thing at a time; if you don't, provide your answer with all the best practice, bind params, bind result, go ahead. Why do you prefer to comment on my answer but not the original question? Just flooding? – Alex Jan 18 '15 at 17:10
  • TBH, this is more fit to be a comment. Go over the OP's code again very carefully. There are more important mistakes made that need to be tended to, as stated under the OP's question and a few of the answers given. – Funk Forty Niner Jan 18 '15 at 17:13
  • Thanks @KimAlexander. After using the given instruction I found the error. Using single quotes was the mistake here => `$insert = "INSERT INTO article ('title','post')...";` – David Jan 18 '15 at 17:15
  • A comment is very difficult to read with a fragment of code, so when I reply with more than 10-20 characters of code I prefer to post an answer. – Alex Jan 18 '15 at 17:17
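A hardened version of the question's handler, added here as an example and not code from the question or from any of the answers: it applies George Cummins' points (boolean result check, backticks around column names, logging mysqli_error) and Gumbo's advice under Alex's answer to log database errors rather than print them. It assumes `$connect` is an open mysqli connection and the `article` table with `title` and `post` columns from the question.

```php
<?php
// Added example, not code from the question or from any answer on this page.
// Assumptions: $connect is an open mysqli connection and the table is
// `article` with columns `title` and `post`, as in the question.

// Make mysqli throw mysqli_sql_exception instead of returning false, so a
// failed prepare()/execute() can never be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Georgian text needs a UTF-8 connection charset to match the table collation.
$connect->set_charset('utf8mb4');

/**
 * Insert one article. Returns true on success, false otherwise.
 * Database error text goes to the server log, never to the browser.
 */
function add_article(mysqli $connect, string $title, string $post): bool
{
    if ($title === '' || $post === '') {
        return false;
    }
    try {
        // Backticks (not single quotes) around identifiers; the values are
        // bound parameters, so user input is never part of the SQL text.
        $stmt = $connect->prepare(
            'INSERT INTO `article` (`title`, `post`) VALUES (?, ?)'
        );
        $stmt->bind_param('ss', $title, $post);
        $stmt->execute();
        $ok = ($stmt->affected_rows === 1);
        $stmt->close();
        return $ok;
    } catch (mysqli_sql_exception $e) {
        // Log the real reason for the developer; the user gets a generic message.
        error_log('article insert failed: ' . $e->getMessage());
        return false;
    }
}

// Read the two form fields from the question's form.
$title = $_POST['title'] ?? '';
$post  = $_POST['post']  ?? '';

if (add_article($connect, $title, $post)) {
    echo '<p>post is added.</p>';
} else {
    echo '<p>post is not added.</p>';
}
```

With the original single-quoted column names, `prepare()` would throw here and the exact MySQL syntax error would land in the server log instead of on the page.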