
I want the data entered into the form by the user to be submitted to a database, but for some reason my code isn't working?

<form action="newpostsubmit.php" method="post">
    <h2 class="form-signin-heading">New Post (beta)</h2>
    <div class="form-group">
        <label for="title">Title</label>
        <input type="text" class="form-control" name="title" id="title">
    </div>

    <br>

    <div class="form-group">
        <label for="post">Post</label>
        <textarea class="form-control" rows="5" name="post" id="post"></textarea>
    </div>

    <br>

    <input type="submit">
</form>

PHP submit

<?php
//Connecting to sql db.
$connect = mysqli_connect("localhost","root","pwd","db");

//Sending form data to sql db.
mysqli_query($connect,"INSERT INTO posts (title, post)
VALUES ('$_POST[title]', '$_POST[post]')";
?>
mattmill98

3 Answers

First, your $_POST variables are incorrect as you're forgetting to quote the item like $_POST['title'].

Second, you really should use prepared statements. They'll make your code cleaner and have the added benefit of protecting you against SQL Injection Attacks.

You should also perform minimal error checking of your connection and your queries. It is likely that you're missing some information that will help you to be successful. The errors are already in your error log, but you can make them echo out to the screen.

//Connecting to sql db.
$connect = mysqli_connect("localhost","root","pwd","db");
if (!$connect) {
    echo "Connection failed: ". mysqli_connect_error();
    exit();
}

//Sending form data to sql db.
$stmt = mysqli_prepare($connect, "INSERT INTO `posts` (`title`, `post`) VALUES (?,?)");
if (!$stmt) {
    // prepare() returns false for a bad statement (e.g. a wrong table or column name);
    // binding to a false value would be a fatal error, so stop here.
    echo "There was an error preparing the query, " . mysqli_error($connect);
    exit();
}

// bind both values as strings ('s' per placeholder)
mysqli_stmt_bind_param($stmt, 'ss', $_POST['title'], $_POST['post']);

// execute prepared statement
mysqli_stmt_execute($stmt);

// was there a problem?
if(mysqli_stmt_error($stmt)) {
    echo "There was an error performing the query, " . mysqli_stmt_error($stmt);
}

There is a lot going on here, but most notable is the prepare() where you use placeholders for your variables (?) and mysqli_stmt_bind_param() to bind your variables, as strings (s for each item), to the query.

Finally, check if there are any errors and echo those back to the screen with mysqli_stmt_error().

NOTE: Make sure to handle errors gracefully for your users, never displaying the actual problems to them which exposes your site to attacks. Echoing the information to the screen, as is being done here, is fine during the development stage.

Jay Blanchard
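A complete newpostsubmit.php built on the prepared-statement approach above, as an added example (not the asker's or the answerer's code). It assumes a `posts` table with a VARCHAR(200) `title` and TEXT `post`, placeholder database credentials, and an `index.php` landing page; it keeps the real error text in the server log and shows the user only a generic message, as the NOTE above recommends.

```php
<?php
// newpostsubmit.php, hardened (added example, not the asker's code; credentials are placeholders)
// Throw mysqli_sql_exception instead of returning false, so every
// connect/prepare/execute failure lands in the catch block below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const MAX_TITLE = 200;   // assumed column size: VARCHAR(200)
const MAX_POST  = 65535; // assumed column type: TEXT

function read_field(string $name, int $maxLen): string
{
    // Reject missing, array-valued, empty or oversized fields.
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        throw new InvalidArgumentException("Missing field: $name");
    }
    $value = trim($_POST[$name]);
    if ($value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException("Bad length for field: $name");
    }
    return $value;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

try {
    $title = read_field('title', MAX_TITLE);
    $post  = read_field('post', MAX_POST);
    $connect = mysqli_connect('localhost', 'app_user', 'PLACEHOLDER_PWD', 'db');
    mysqli_set_charset($connect, 'utf8mb4');

    // Placeholders keep user text out of the SQL grammar: a title such as
    // Rock 'n' Roll is stored verbatim instead of breaking the statement.
    $stmt = mysqli_prepare($connect, 'INSERT INTO posts (title, post) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $title, $post);
    mysqli_stmt_execute($stmt);
    header('Location: index.php', true, 303); // assumed landing page
    exit;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Title and post are both required.');
} catch (mysqli_sql_exception $e) {
    // Full detail goes to the server log; the user only sees a generic message.
    error_log('newpostsubmit: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save your post. Please try again later.');
}
```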

You need to clean your POSTed variables to prevent SQL injections and other errors, and then quote them properly (as strings) on inserting them into the db.

// escape the values for use inside quoted SQL string literals
$cleanTitle = mysqli_real_escape_string($connect, $_POST['title']);
$cleanPost  = mysqli_real_escape_string($connect, $_POST['post']);

$sql = "INSERT INTO posts (title, post) VALUES ('$cleanTitle', '$cleanPost')";
$insert = mysqli_query($connect,$sql);

if(!$insert){
    echo 'ERROR :'.mysqli_error($connect);
}
MaggsWeb
// keys quoted (a bare `title` outside a string is an undefined constant) and the
// missing closing parenthesis of mysqli_query() added
mysqli_query($connect, "INSERT INTO posts (title, post)
VALUES ('" . $_POST['title'] . "', '" . $_POST['post'] . "')");

The query should be like this. Hope this helps.

Harish Lalwani