
I'm trying to create a simple interface to write values into a MySQL database using JS, PHP and HTML. When I hardcoded the value I wanted to write, everything went fine, but now I want to retrieve the value from my input (.input) and write that, and the value that gets written into my database is always %%. Can anyone please point out what I'm doing wrong? Thanks

js:

```js
$('#write').click(function() {
  writeTable();
})

// handles the click event, sends the query
function writeTable() {
  $.ajax({
    url: 'write.php',
    type: 'get', //data type post/get
    data: {
      name: $('input#input').val()
    },
    complete: function(response) {
      $('.output').html(response.responseText);
    },
    error: function() {
      $('.output').html('Bummer: there was an error!');
    }
  });
  return false;
}
```

css:

```css
.button {
  border: 1px solid black;
  width: 100px;
  display: inline-block;
}
.output {
  height: 400px;
  width: 400px;
  border: 1px solid black;
  overflow: auto;
}
```

html:

```html
<!doctype HTML>

<head>

  <meta charset="UTF-8">
  <link type="text/css" rel="stylesheet" href="index.css">

</head>

<body>

  <br>
  <form>File Name:
    <input type="text" name="input" placeholder="Type something">
  </form>
  <br>
  <div class="button" id="write">Write</div>
  <div class="button" id="search">Search</div>
  <br>
  <br>
  <div class="output"></div>

  <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
  <script src="index.js"></script>

</body>
```

php:

```php
<?php
// Attempt MySQL server connection
$link = mysqli_connect("localhost", "topdecka_admin", "kR4lJm1H4!", "topdecka_MTGO");

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

$data = "%".$_GET['name']."%"; //get data from javascript

// Attempt insert query execution
$sql = "INSERT INTO drafts (picks) VALUES ('$data')";

if(mysqli_query($link, $sql)){
    echo "Records added successfully.";
} else{
    echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}

// Close connection
mysqli_close($link);
?>
```
Miha Šušteršič
  • Maybe I'm wrong but `input#input` means ` – Alex Mar 24 '15 at 15:09
  • Also your server side code is susceptible to [sql injection](http://en.wikipedia.org/wiki/SQL_injection). – Prusse Mar 24 '15 at 15:10
  • Yeah, added id="input" to the input, and now it works. Thanks – Miha Šušteršič Mar 24 '15 at 15:11
  • @Prusse can you please explain this for dummies, this is the first time I'm writing something like this – Miha Šušteršič Mar 24 '15 at 15:11
  • I did a quick google for it and it returned [this explanation about injection](https://www.acunetix.com/websitesecurity/sql-injection/) and [this post](http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059) that gives some hints on how to use PDO. Also I guess stackoverflow is full of question related to that. – Prusse Mar 24 '15 at 15:17
  • Stackoverflow question: [How does the SQL injection from the “Bobby Tables” XKCD comic work?](http://stackoverflow.com/q/332365/783219) (I like xkcd) – Prusse Mar 24 '15 at 15:20
  • @Prusse after a bit of reading I've come up with `$data = mysqli_real_escape_string($link, $_GET['name']);`, don't really know how it works yet but I'll get it to. Seems about right? – Miha Šušteršič Mar 24 '15 at 15:55

2 Answers

See these lines:

```php
$data = "%".$_GET['name']."%"; //get data from javascript
```

Are you sure you want the "%" symbol before and after the get variable? Try this:

```php
$data = $_GET['name']; //get data from javascript
```
NaijaProgrammer

It is a good practice to put a condition check before the INSERT:

```php
$data = "%".$_GET['input']."%"; //get data from javascript
if (empty($_GET['input'])) {
    echo 'name input cannot be blank';
} else {
    $sql = "INSERT INTO drafts (picks) VALUES ('$data')";
}
```

Before the insert, check what you are getting in $_GET['input']. Try to print $_GET['input'] first, then put a condition check: if it's null (as it is in your case), do not execute the INSERT statement.

mysqlrockstar
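The comments on the question flag the string-built INSERT as open to SQL injection, and the second answer adds an empty-input check. The following is an added rewrite of write.php (not code from the question or either answer) that does both with a mysqli prepared statement, which is the usual fix rather than escaping; the connection details are placeholders, and the `name` key matches what the question's jQuery call sends.

```php
<?php
// write.php rewritten with a prepared statement. Added example, not the
// asker's or answerers' code. Credentials below are placeholders.
$link = mysqli_connect("localhost", "DB_USER_PLACEHOLDER",
                       "DB_PASSWORD_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
if ($link === false) {
    http_response_code(500);
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

// The jQuery side sends data: { name: ... }, so the key is 'name', not 'input'.
// (A request that writes data should really be a POST; GET is kept here only
// to match the question's $.ajax call.)
$name = isset($_GET['name']) ? trim($_GET['name']) : '';

// Reject blank input before touching the database (the second answer's check).
if ($name === '') {
    http_response_code(400);
    die("name input cannot be blank");
}

// Prepared statement: the SQL text is parsed first, the value is bound
// afterwards, so quote characters in $name (the "Bobby Tables" case linked in
// the comments) are stored as literal text and never run as SQL.
// No manual escaping of $name is needed.
$stmt = mysqli_prepare($link, "INSERT INTO drafts (picks) VALUES (?)");
if ($stmt === false) {
    http_response_code(500);
    die("ERROR: Could not prepare statement. " . mysqli_error($link));
}
mysqli_stmt_bind_param($stmt, "s", $name);   // "s" binds the value as a string

if (mysqli_stmt_execute($stmt)) {
    echo "Records added successfully.";
} else {
    // Keep database error details in the server log, not in the HTTP response.
    error_log("drafts insert failed: " . mysqli_stmt_error($stmt));
    http_response_code(500);
    echo "ERROR: Could not insert record.";
}

mysqli_stmt_close($stmt);
mysqli_close($link);
```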