0

I'm trying to transmit a textbox value to a function using the $_GET method and then adding it to a MySQL database via a query. I've searched multiple similar questions and edited my previous attempts accordingly but happen to not find the error in my current code. The file is database.php, on which I want to add a value to a MySQL database on button click. I suspect the error to be in the if($_GET) clause, as an echo for $ep in the function or even in the if-part does not return anything and, as such, only an empty entry with its UID is added into the database no matter what I input into the textfield before hitting the "Insert EP" button. Maybe I'm just missing or fail to see something trivial.

    <title> Database </title>
    <body>
    <form action="database.php">
        <input type="text" name="setEp" id="ep" value="" />
        <input type="submit" class="button" name="setEp" value="Insert EP" />

    </form>
    </body>
    <?php
    //Getting the content of the textbox 
    if($_GET){
        if(isset($_GET['setEp'])){
            $ep = isset($_GET['ep']);
            setEp($ep);  //calling the desired function with the retrieved variable
        }
    }
    //The function declaration
    function setEp($ep){
        //DB connection
        $db_host = "127.0.0.1:6543";
        $db_username = "root";
        $db_pass = "root";
        $db_name = "endpoints";
        $conn = mysql_connect("$db_host","$db_username","$db_pass") or die ("Could not connect to MySQL");

        //Table "endpoint" consists only of names and autoincrement UID
        $ep = mysql_real_escape_string($ep);
        $query = "INSERT INTO endpoint (name) VALUES ('$ep')";
        mysql_query($query);

        echo " SetEP called"; //echo function to see if it was called
        echo "$ep"; // this will never create an input no matter what i did
    }
    ?>
Singulare
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 08 '15 at 16:41
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jul 08 '15 at 16:41
  • `$ep` is a Boolean based on the way that you're setting it (`$ep = isset($_GET['ep']);`), not the value of the textbox. – Jay Blanchard Jul 08 '15 at 16:42
  • Thank you for your input. I know about the vulnerability of this; I plan to implement a regex to only allow certain characters to avoid SQL injection, although this app will probably never make it to an online version, but thanks for the consideration. About the PDO: I already implemented a PDO version but got caught up in `Access denied` problems, although the old functions work fine with the same connection parameters. – Singulare Jul 08 '15 at 17:09
  • Regex is not enough to prevent SQL injection. – Jay Blanchard Jul 08 '15 at 17:23

3 Answers

1

You're looking in the wrong place for the value of the textbox as setEp is the name of the textbox and you really should rename your submit button because that will cause some major problems. Names should be unique. Once done then you can call the function, after checking if things are set, like this -

setEp($_GET['setEp']);  

Your script is at risk for SQL Injection Attacks. If you can, you should stop using mysql_* functions. They are no longer maintained and are officially deprecated. Learn about prepared statements instead, and consider using PDO, it's really not hard.

In addition you should add error checking, such as or die(mysql_error()) to your queries.

You'd likely be better off connecting to the database in a separate function and then passing the connection information to the query function. That way you do not connect each time you call the function. It'll make your code cleaner and possibly eliminate some issues with multiple connections.

Jay Blanchard
  • You are absolutely right. Having both the textfield and the submit button with the same name was the error. After altering the textfield name to some other name I was able to retrieve the information of the textfield. – Singulare Jul 08 '15 at 19:55
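Putting the accepted answer together with the comments (unique field names, read the value from the right key, PDO with a prepared statement, connect once and pass the connection in), here is a corrected database.php as an added example; it is not the asker's or the answerers' code. It reuses the host, credentials, database and table from the question, and goes one step beyond the thread by switching the form to POST since the request changes data; `connectDb` and `insertEp` are names chosen here.

```php
<?php
// Added example: corrected database.php (not the code posted in the question or answers).
declare(strict_types=1);

function connectDb(): PDO
{
    // One connection per request, handed to the query function (answer 1's suggestion).
    // Host, port, database and credentials are the ones from the question.
    $dsn = 'mysql:host=127.0.0.1;port=6543;dbname=endpoints;charset=utf8mb4';
    return new PDO($dsn, 'root', 'root', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]);
}

function setEp(PDO $conn, string $ep): int
{
    // Table "endpoint": auto-increment UID plus a "name" column (from the question).
    // The value is bound as a parameter, never interpolated into the SQL text,
    // so no escaping or character whitelist is needed to stay safe from injection.
    $stmt = $conn->prepare('INSERT INTO endpoint (name) VALUES (:name)');
    $stmt->execute([':name' => $ep]);
    return (int) $conn->lastInsertId();
}

// The submit button and the textbox now have distinct names, so this check is unambiguous.
if (isset($_POST['insertEp'])) {
    // filter_input returns null when the key is missing; reject the empty-entry case
    // from the question explicitly instead of inserting a blank row.
    $ep = filter_input(INPUT_POST, 'ep');
    $ep = is_string($ep) ? trim($ep) : '';
    if ($ep === '' || strlen($ep) > 255) {
        echo 'Please enter an endpoint name (1-255 characters).';
    } else {
        $uid = setEp(connectDb(), $ep);
        // Escape on output so the stored name cannot inject HTML into this page.
        echo 'Inserted endpoint #' . $uid . ': ' . htmlspecialchars($ep, ENT_QUOTES, 'UTF-8');
    }
}
?>
<title>Database</title>
<body>
<form action="database.php" method="post">
    <input type="text" name="ep" id="ep" value="" />
    <input type="submit" class="button" name="insertEp" value="Insert EP" />
</form>
</body>
```

With ERRMODE_EXCEPTION set, a wrong password or port surfaces as a PDOException carrying the server's `Access denied` message, which is the quickest way to see why a PDO connection fails where the old mysql_* calls appeared to work.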
-1

$ep = isset($_GET['ep']); this will return true, as that is the return value from an isset statement. If you have verified that $_GET['ep'] holds the desired value, just do:

$ep = $_GET['ep'];

It's best to use an input filter to get this data, as this could be vulnerable to various attacks.

http://php.net/manual/en/function.filter-input.php

Hope this helps.

Jay Blanchard
  • I changed $ep accordingly and now I get the following error at the function call: `Notice: Undefined index: ep` – Singulare Jul 08 '15 at 17:06
-1

The mistake is here:

$ep = isset($_GET['setEp']);

isset returns a boolean. Maybe you should do $ep = mysql_real_escape_string($_GET['ep']); to prevent SQL injections AND get the value of the $_GET variable.

Petko Kostov
  • Throws the same `Undefined index: ep` error as with @Abdul's answer. I really don't know why the function seems to fail to recognize the id of the textbox. – Singulare Jul 08 '15 at 17:15
  • It must be 'setEp'. Make it $_GET['setEp'] and try again please. You should not have two name="setEp" in your form. Change one of them to something different. – Petko Kostov Jul 08 '15 at 17:19