2

I am building a webpage that includes entering data into a database. I am successfully connecting to my database, and my insert query is working as far as it is adding rows into the database, but the form data is not getting passed across, so the rows are being created (I have seen them in phpMyAdmin) but the data is empty.

I have two pages. One for displaying the form, and one that receives the form data and runs the SQL query.

This is the data for the form webpage

<body>


<form action="insert.php" method=”post”>

Venue:
<input type="text" name = "venue">
<br>
Date:
<input type="text" name = "date">
<br>
Time:
<input type="text" name = "time">
<br>
Postcode:
<input type="text" name = "postcode">
<br>

<input type="submit" Value = "submit" name= "submit">

</form>

This is the code that I am using for entering the data. I have not included the connection code for the database as I am not having a problem with this.

$venue = $_POST['venue'];
$date = $_POST['date'];
$time = $_POST['time'];
$postcode = $_POST['postcode'];

$query = "INSERT into `event`(`eventVenue`, `eventDate`, `eventTime`,
`EventPostCode`) VALUES (  '$venue', '$date','$time', '$postcode' )";  


mysqli_query($dbconn, $query);

<hr>

</body>

Db Connection:

$host="50.62.209.87"; // Host name 
$username="************"; // Mysql username 
$password="********"; // Mysql password 
$db_name="extras"; // Database name 
// Connect to server and select database. 
$dbconn = mysqli_connect($host, $username, $password)or die("cannot connect"); 
mysqli_select_db($dbconn, $db_name)or die("cannot select DB"); 
Amir
  • 317
  • 5
  • 18
user3519506
  • 135
  • 1
  • 2
  • 11
  • Show your connection code. It is relevant here. – John Conde Feb 08 '15 at 16:50
  • 7
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Feb 08 '15 at 16:51
  • You should use **mysqli_real_escape_string($value);** for validation before using it in SQL. – Mehmet Feb 08 '15 at 16:52
  • possible duplicate of [Good tutorial on how to update your Mysql database with a PHP form?](http://stackoverflow.com/questions/2466975/good-tutorial-on-how-to-update-your-mysql-database-with-a-php-form) – Sheepy Feb 08 '15 at 16:54
  • 1
    @Mehmet prepared queries are even better – John Conde Feb 08 '15 at 16:54
  • Thanks for the input, I am aware of SQL injection and will be looking at it after I have got past this issue – user3519506 Feb 08 '15 at 16:55
  • $host="50.62.209.87"; // Host name $username="************"; // Mysql username $password="********"; // Mysql password $db_name="extras"; // Database name // Connect to server and select database. $dbconn = mysqli_connect($host, $username, $password)or die("cannot connect"); mysqli_select_db($dbconn, $db_name)or die("cannot select DB"); this is my connection code, which is in my file that attempts the insert – user3519506 Feb 08 '15 at 16:56
  • What does `mysqli_error()` say? – John Conde Feb 08 '15 at 16:56
  • Can you remove the quotes around the table name and actual column names ? `$query = "INSERT into event (eventVenue, eventDate, eventTime, EventPostCode) VALUES ( '$venue', '$date','$time', '$postcode' )";` – Kacy Feb 08 '15 at 16:58
  • @KacyRaye They're called "ticks" and are correct syntax (and even recommended) – John Conde Feb 08 '15 at 16:59
  • mysqli_error($dbconn); gave me nothing – user3519506 Feb 08 '15 at 17:00
  • I was taught to use backticks for database identifiers and straight ticks for data – user3519506 Feb 08 '15 at 17:01
  • @JohnConde My mistake. I haven't seen them used in a while so I forgot you could do that. – Kacy Feb 08 '15 at 17:05
  • @user3519506 There's something you're not telling or showing us because the problem isn't with this code. – Kacy Feb 08 '15 at 17:08
  • Why are there 2 html tags " " in the php area? – Charles Forest Feb 08 '15 at 17:11
  • I literally have two files: one that has a web form and nothing else on it, and one that has a PHP script that connects to the db and tries to insert the data from the web form on the other page. The action for the web form is set to the PHP script page. I have nothing else I can show you – user3519506 Feb 08 '15 at 17:11
  • The html tags are just bad copy and pasting onto here, they are on the end of the form file before the – user3519506 Feb 08 '15 at 17:12
  • By the way you are writing your connection, it seems that you are using a remote SQL server. Are you sure the ports are open? – Charles Forest Feb 08 '15 at 17:14
  • Yeah I am uploaded to a remote server, I am not sure, I am not experienced in PHP and SQL so I am not sure what you mean. I am successfully reading data from the database via a PHP script so does this mean the port is open? – user3519506 Feb 08 '15 at 17:22
  • @user3519506 Yeah your ports are open then. Echo the data to make sure it's being returned from the $_POST array. – Kacy Feb 08 '15 at 17:24
  • Thank you. I have tried echo $venue and echo $_POST['venue'] and neither seems to print anything on the screen. The values that are entered into the form are being attached to the URL of the insert PHP script – user3519506 Feb 08 '15 at 17:30
  • Sorted, it was a basic HTML error, thank you @JohnConde for your help – user3519506 Feb 08 '15 at 17:49
  • and @KacyRaye. it is much appreciated – user3519506 Feb 08 '15 at 17:50

5 Answers

6

Check the double quotes of your method post. Use this instead:

method="post"
Mark Te
  • 162
  • 1
  • 1
  • 9
1

You have to fight the problem in steps:

  1. echo $_POST and see if each value is OK

  2. var_dump($query) and see if all is OK with apices and quotes etc...

  3. try without ` `

Shadow The GPT Wizard
  • 66,030
  • 26
  • 140
  • 208
Luca Olivieri
  • 303
  • 1
  • 8
  • Thank you. I have tried echo $venue and echo $_POST['venue'] and neither seems to print anything on the screen. The values that are entered into the form are being attached to the URL – user3519506 Feb 08 '15 at 17:29
0

Using mysqli or PDO you can block sql injection like below, hope this will work for you. I used PDO.

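// $db is assumed to be an existing PDO connection.
// Named placeholders must not be quoted, otherwise they are inserted as literal strings.
$query = "INSERT INTO event (`eventVenue`, `eventDate`, `eventTime`,
`EventPostCode`) VALUES (:venue, :date, :time, :postcode)";

$insert = $db->prepare($query);
// The values are sent separately from the SQL text and bound by name.
$insert->execute(
    array(
        "venue" => $venue, "date" => $date, "time" => $time, "postcode" => $postcode
    )
);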
Rashad
  • 1,344
  • 2
  • 17
  • 33
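An added example, not code from any answer in this thread: one way the question's insert.php could refuse the GET fallback that produced the empty rows and bind the form values with a mysqli prepared statement. It assumes `$dbconn` is the question's connection with the database already selected; the response messages are illustrative.

```php
<?php
// insert.php: added example, not the asker's or any answerer's code.
// Assumption: the question's connection code has already run and set $dbconn.

// Make mysqli failures throw instead of passing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// A malformed method attribute makes the browser fall back to GET,
// which leaves $_POST empty. Refuse anything that is not a POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('This page only accepts POST submissions.');
}

// Collect the four fields the form defines; reject missing or blank
// values rather than inserting an empty row.
$fields = ['venue', 'date', 'time', 'postcode'];
$values = [];
foreach ($fields as $name) {
    $value = isset($_POST[$name]) && is_string($_POST[$name]) ? trim($_POST[$name]) : '';
    if ($value === '') {
        http_response_code(400);
        exit("Missing form field: $name"); // $name comes from the fixed list above
    }
    $values[$name] = $value;
}

// Placeholders are bare question marks; the values travel separately
// from the SQL text, so quotes in the input cannot change the query.
$stmt = mysqli_prepare(
    $dbconn,
    'INSERT INTO `event` (`eventVenue`, `eventDate`, `eventTime`, `EventPostCode`)
     VALUES (?, ?, ?, ?)'
);
mysqli_stmt_bind_param(
    $stmt,
    'ssss', // four string parameters
    $values['venue'],
    $values['date'],
    $values['time'],
    $values['postcode']
);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

echo 'Event saved.';
```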
0

Firstly, ensure the connection by using that IP. And since it is from an HTML form, I suggest you use strip_tags and isset. It looks like it's no use, but it works when I try it on my local server.

$venue = isset($_POST['venue']);
$venue = strip_tags($venue);
$date =  isset($_POST['date']);
$venue = strip_tags($date );
$time =  isset($_POST['time']);
$venue = strip_tags($time );
$postcode =  isset($_POST['postcode']);
$venue = strip_tags($postcode );

That's it. Besides, you should also consider how to prevent SQL injection, as suggested.

Joe Kdw
  • 2,245
  • 1
  • 21
  • 38
  • $venue = isset($_POST['venue']); $venue = strip_tags($venue); echo $venue; I tried this but the echo still produced nothing – user3519506 Feb 08 '15 at 17:41
  • 2
    @JeanGkol This definitely does **not** work. `isset()` returns a boolean value. So you are changing the value of the `$_POST` variable to `true` or `false`. That is definitely *not* what they want. I don't know how you tested this but it clearly was an invalid test. – John Conde Feb 09 '15 at 00:22
0

It seems that the elements are sent with the default form method, GET, due to the mistake in the quotes, as in "Mark Te"'s answer. However, if you want to avoid this, or if you are planning to receive data from GET, such as from link parameters, besides receiving it from a form's POST method.

<a href="insert.php?venue=lorem&date=2015-12-20&time=12">Get Result</a>

It is better to use $_REQUEST instead of $_POST.

SaidbakR
  • 13,303
  • 20
  • 101
  • 195