0

I looked everywhere, but I didn't find an answer. My code is something like this:

```php
<form method="post" action="">
<input type="radio" name="ans" value="test">1
<input type="radio" name="ans" value="test2">2<br />
<select name="number">
    <option value="one" selected="selected">1</option>
    <option value="two">2</option>
</select>
<input type="submit" name="Write" value="Next" />
</form>
<?php
$ans = "BD";
if(isset($_POST['ans']))
{
    $ans = $_POST['ans'];
    echo "<hr /><form method='post' action=''>";
    switch($_POST['number'])
    {
        case "one" :
             echo "<textarea name='txt' rows='10' cols='150'>This is first test textarea</textarea>";
             break;
        case "two" :
             echo "<textarea name='txt' rows='10' cols='150'>This is second test textarea</textarea>";
             break;
    }
    echo "<br /><input type='submit' value='Send' /></form>";
}
if(isset($_POST['txt']))
{
    mysql_query("INSERT INTO `MyPrivate`.`TestPage` (`ans`, `number`, `text`) VALUES ('$ans', '$number', '" . $_POST['txt'] . "');");
}
?>
```

I want to create a register (or something like this), but in this code I have one problem. I want to save these things to the database, but 'ans' is every time "BD". I just want to do: `$ans = $_POST['ans'];` but it didn't work. Can you tell me what I am doing wrong? And if you can, write me an answer to this problem. Sorry, but I am not an English translator :)

Mahok
  • If you submit the second form, the POST values from the first form are no longer there. You need to save them (for example) in a SESSION variable. Additionally, your code is vulnerable to [SQL Injection](http://stackoverflow.com/q/60174/4193263). To fix this critical security hole, use Prepared Statements. – ByteHamster May 01 '15 at 20:29
  • Also could just put the first passed `POST` values into hidden fields with the same names for the second form to pass on second submit. Should use prepared statements and switch from `mysql_` to `mysqli_` or `PDO`. – chris85 May 01 '15 at 20:34
  • 1
    Thank you a lot! It worked for me. I will change my code to be invulnerable to SQL Injection. – Mahok May 01 '15 at 20:38

1 Answer

1

This is HIGHLY INSECURE...RIPE FOR SQL INJECTION. Please sanitize data submitted by forms...using PDO->prepare or mysqli's prepare with parameterized values will do this for you.

That said, you need to make an 'ans' form field (hidden) for your second form submission, something like follows:

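```php
<form method="post" action="">
<input type="radio" name="ans" value="test">1
<input type="radio" name="ans" value="test2">2<br />
<select name="number">
    <option value="one" selected="selected">1</option>
    <option value="two">2</option>
</select>
<input type="submit" name="Write" value="Next" />
</form>
<?php
$ans = "BD";
$number = "";
if(isset($_POST['ans']))
{
    $ans = $_POST['ans'];
    // 'number' is used by the INSERT below, so keep it as well.
    $number = isset($_POST['number']) ? $_POST['number'] : "";
    echo "<hr /><form method='post' action=''>";
    // Carry the first form's values over to the second submission,
    // escaped for use inside a single-quoted HTML attribute.
    echo "<input type='hidden' name='ans' value='" . htmlspecialchars($ans, ENT_QUOTES, 'UTF-8') . "' />";
    echo "<input type='hidden' name='number' value='" . htmlspecialchars($number, ENT_QUOTES, 'UTF-8') . "' />";
    switch($number)
    {
        case "one" :
             echo "<textarea name='txt' rows='10' cols='150'>This is first test textarea</textarea>";
             break;
        case "two" :
             echo "<textarea name='txt' rows='10' cols='150'>This is second test textarea</textarea>";
             break;
    }
    echo "<br /><input type='submit' value='Send' /></form>";
}
if(isset($_POST['txt']))
{
    // Still open to SQL injection, as noted above: replace with a prepared statement.
    mysql_query("INSERT INTO `MyPrivate`.`TestPage` (`ans`, `number`, `text`) VALUES ('$ans', '$number', '" . $_POST['txt'] . "');");
}
?>
```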
Kevin Nelson
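One way to write the INSERT with a PDO prepared statement, as the comments and the answer recommend, while re-checking the hidden fields on the server. This is an added example, not code from the question or the answer. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite table in place of the MySQL one so it runs offline; the helper name `saveSubmission` and the length limit are hypothetical.

```php
<?php
// Added example. Constructed input; in-memory SQLite stands in for the MySQL table.
const ALLOWED_ANS    = ['test', 'test2']; // values of the radio buttons
const ALLOWED_NUMBER = ['one', 'two'];    // values of the <select>

// saveSubmission() is a hypothetical helper name, not from the post.
function saveSubmission(PDO $pdo, array $post): bool
{
    $ans    = $post['ans']    ?? '';
    $number = $post['number'] ?? '';
    $txt    = $post['txt']    ?? '';

    // Hidden fields are sent back by the browser and can be edited there,
    // so check them against the values the first form actually offers.
    if (!in_array($ans, ALLOWED_ANS, true) || !in_array($number, ALLOWED_NUMBER, true)) {
        return false;
    }
    // The 10000-byte limit is an assumption for this example.
    if (!is_string($txt) || $txt === '' || strlen($txt) > 10000) {
        return false;
    }

    // Placeholders send the values separately from the SQL text,
    // so quotes inside them are stored as data and never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO `TestPage` (`ans`, `number`, `text`) VALUES (:ans, :number, :txt)'
    );
    return $stmt->execute([':ans' => $ans, ':number' => $number, ':txt' => $txt]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `TestPage` (`ans` TEXT, `number` TEXT, `text` TEXT)');

// Constructed second-form submissions: one valid, one with an edited hidden field.
$valid    = ['ans' => 'test2', 'number' => 'one', 'txt' => "it's text with a quote'); --"];
$tampered = ['ans' => "x', 'y', 'z'); --", 'number' => 'one', 'txt' => 'hello'];

var_dump(saveSubmission($pdo, $valid));    // valid values: the text is stored as data
var_dump(saveSubmission($pdo, $tampered)); // 'ans' is not an offered value: rejected

foreach ($pdo->query('SELECT `ans`, `number`, `text` FROM `TestPage`') as $row) {
    echo $row['ans'], ' | ', $row['number'], ' | ', $row['text'], PHP_EOL;
}
```

The same function works against MySQL by constructing `$pdo` with a `mysql:` DSN instead of the SQLite one.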