0

I have tried to post values into the database. It worked in the sense that a new row was added, but not the values. First of all, I have put the HTML like this:

<form action="config/testimonyAction.php">
    <p> <input type="text" name="name" placeholder="name" /> </p>
    <p> <input type="text" name="testimony" placeholder="testimony" /> </p>
    <p> <input type="submit" value="SEND"> </p>
</form>

And the action will go to testimonyAction.php. The code is below:

<?php
include ('dbconnect.php');
$name = $_POST['name'];
$testimony = $_POST['testimony'];
$sql = "INSERT INTO testimonial (name, testimonial) VALUES ('$name', '$testimony')";
if (mysqli_query($mysqli, $sql)) {
    header('Location: http://www.test.com/');
    exit;
} else {
    // mysqli_error() takes the connection, not the query string
    echo "Error: " . $sql . "<br>" . mysqli_error($mysqli);
}
mysqli_close($mysqli);
?>

In the end, it confused me. It should be working, but the values that we input don't appear in the database. Any idea?

2 Answers

1

The default behavior of a form is to submit it as a GET request. You should set the method as POST to achieve what you want.

<form method="POST" action="config/testimonyAction.php">
    <p> <input type="text" name="name" placeholder="name" /> </p>
    <p> <input type="text" name="testimony" placeholder="testimony" /> </p>
    <p> <input type="submit" value="SEND"> </p>
</form>
jrarama
0

I think you need to specify the method of the form...

<form action="config/testimonyAction.php" method="POST">

It is also good etiquette to escape your variables as mentioned in another answer.

$sql = "INSERT INTO testimonial (name, testimonial) VALUES ('".$name."', '".$testimony."')";
craig1231
  • That is not the proper way to escape the variables. Maybe you just want to make it easily readable. Escaping is a way to prevent SQL injection attacks. http://stackoverflow.com/questions/13199095/escaping-variables – jrarama Jan 23 '15 at 08:44
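
The two points raised in the answers above (POST handling and keeping user input out of the SQL text), combined in one handler as an added example that is not part of the original posts. It assumes `dbconnect.php` defines `$mysqli` as in the question; the status codes and messages are illustrative choices.

```php
<?php
// Added example, not code from the original posts.
// Assumption: dbconnect.php defines $mysqli (a mysqli connection), as in the question.
include 'dbconnect.php';

// Have mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// A form without method="POST" arrives as GET with an empty $_POST;
// refuse it rather than inserting a blank row.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

$name = $_POST['name'] ?? null;
$testimony = $_POST['testimony'] ?? null;

// Reject missing fields and non-string input such as name[]=x.
if (!is_string($name) || !is_string($testimony)
    || trim($name) === '' || trim($testimony) === '') {
    http_response_code(400);
    exit('Both name and testimony are required');
}

try {
    // Placeholders send the values separately from the SQL text, so a quote
    // in the input cannot alter the statement.
    $stmt = $mysqli->prepare(
        'INSERT INTO testimonial (name, testimonial) VALUES (?, ?)'
    );
    $name = trim($name);
    $testimony = trim($testimony);
    $stmt->bind_param('ss', $name, $testimony);
    $stmt->execute();
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Keep SQL and driver details in the server log, not in the response.
    error_log('testimonial insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save testimony');
}

$mysqli->close();
header('Location: http://www.test.com/');
exit;
```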