
I am just learning PHP. I started coding a commenting tool today. I don't know where I am going wrong.

I created a PHP form and a database for it. The connection is successfully created and I am also able to retrieve the data that is already in the database.

But when I click the submit button, the data in the form is not inserted into the database table. Please help.

```php
<?php
include './misc.php';
$cxn= mysqli_connect($host,$user,$passwd,$db) or die("unable to connect to server");
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
    <title>Home</title>

    <!-- Bootstrap -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
</head>
<body>
<form role="form" class="form form-default" action="./commentbox.php?value=1" method="POST">
<div class="container">
    <div class="row">
        <h2>Cutest Pic ever!<small>Comment your views below about this pic</small></h2>
    </div><br><br>
    <div class="row">
        <div class="col-xs-3"></div>
        <div class="col-xs-6 panel panel-success">
            <div class="panel-body">
                <img src="./pics/kitten.jpg" class="img-rounded">
            </div>
        </div>
        <div class="col-xs-3"></div>
    </div>
    <div class="row">
        <div class="col-xs-1"></div>

        <div class="col-xs-10 panel panel-success">

            <div class="panel panel-heading"><br><br>
                <label for="fullname">Your NAME:</label>
                <?php echo("<input type='text' class='form-control'
                     placeholder='enter your full name.'
                     name='fullname' maxlength='20'>");?>
            </div>
            <div class="panel panel-body">
                <div class="col-xs-1"></div>
                <div class="col-xs-8">

                <?php
                //comment box
                echo("<textarea rows='4' cols='50' name='commentbox'
                    placeholder='enter your comment' maxlength='50'></textarea>");

                ?>

                </div>
                <div class="col-xs-2">
                    <?php
                    //comment submit button
                    echo("<button type='submit' name='submit' class='post btn btn-lg btn-success'>POST</button>");
                    ?>
                </div>
                <div class="col-xs-1"></div>
            </div>

        </div>

        <div class="col-xs-1"></div>
    </div>
    <div class="comdisplay row">

            <?php
            $sql="SELECT * from comment";

            if ($_GET['value']==1)
            {

                $query="INSERT into comment('comname','comdesc') values('{$_POST['fullname']}','{$_POST['commentbox']}')";
                if (mysqli_query($cxn,$query))
                {
                    $result= mysqli_query($cxn,$sql) or die("couldn't execute query");
                    while ($rows=mysqli_fetch_assoc($result))
                        {
                            extract($rows);
                            echo("<div class='comment panel panel-body panel-success'>");
                            echo("<p><b>".$comname."</b></p>
                            <p>".$comdesc."</p></div>");
                        }
                }
                else
                {
                    echo("Failed to add comment");
                }

            }
            $result= mysqli_query($cxn,$sql) or die("couldn't execute query");
            $num= mysqli_num_rows($result);
            if ($num==0)
            {
                echo("No comments have been posted yet!");
            }
            else
            {
                while ($rows=mysqli_fetch_assoc($result))
                        {
                            extract($rows);
                            echo("<div class='comment panel panel-body panel-success'>");
                            echo("<p><b>".$comname."</b></p>
                            <p>".$comdesc."</p></div>");
                        }
            }
            ?>
    </div>
</div>
</form>
    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <!-- Include all compiled plugins (below), or include individual files as needed -->
    <script src="js/bootstrap.min.js"></script>
    <script type="text/javascript" src="comment.js"></script>
  </body>
</html>
```

The part where the form inserts the value into the database:

    if ($_GET['value']==1) 
    {

        $query="INSERT into comment('comname','comdesc') values('{$_POST['fullname']}','{$_POST['commentbox']}')";
        if (mysqli_query($cxn,$query)) 
        {
            $result= mysqli_query($cxn,$sql) or die("couldn't execute query");
            while ($rows=mysqli_fetch_assoc($result)) 
                {
                    extract($rows);
                    echo("<div class='comment panel panel-body panel-success'>");
                    echo("<p><b>".$comname."</b></p>
                    <p>".$comdesc."</p></div>");
                }
        }
        else
        {
            echo("Failed to add comment");
        }

    }
    $result= mysqli_query($cxn,$sql) or die("couldn't execute query");
    $num= mysqli_num_rows($result);
    if ($num==0) 
    {
        echo("No comments have been posted yet!");
    }
    else
    {
        while ($rows=mysqli_fetch_assoc($result)) 
                {
                    extract($rows);
                    echo("<div class='comment panel panel-body panel-success'>");
                    echo("<p><b>".$comname."</b></p>
                    <p>".$comdesc."</p></div>");
                }
    }

Please help.

Given below is the output link:

Commenting tool

  • Remove the `quotes` from the `table and column` names; use `backtick`s instead. Also, your query is open to SQL injection. – Saty Jan 11 '16 at 10:00
  • Use prepared statements for preventing SQL injection. – Jens Jan 11 '16 at 10:01
  • What's the error message? Try printing your SQL queries so you can see exactly what is being attempted. Oh, and you're also wide open to injection attacks. – Geoff Atkins Jan 11 '16 at 10:02
  • I'm sorry, I am just learning this stuff, just a beginner. So please help me out. I could use a detailed solution. Thank you. – Vishnuprasad Jan 11 '16 at 10:03

1 Answer

Good to know that you are learning.

So far your code is good; just change the SQL.

From:

    $query="INSERT into comment('comname','comdesc') values('{$_POST['fullname']}','{$_POST['commentbox']}')";

To:

    $fullname = mysqli_real_escape_string($cxn , $_POST['fullname']);
    $commentbox = mysqli_real_escape_string($cxn , $_POST['commentbox']);
    $query="INSERT into comment(comname,comdesc) values('{$fullname}','{$commentbox}')";

MySQL database table field names (comname, comdesc in your case) can be enclosed by backtick (`) to avoid collapse with reserved keywords.

Single quotes are there for inserting values in the fields.

Also, please observe my code for mysql_real_escape_string().

Never trust user inputs.

Filter them before use.

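The comments above recommend prepared statements rather than escaping. As an added example (not code from the question or the answer), here is the same INSERT written with a mysqli prepared statement; it assumes `$cxn` is the connection created from `misc.php` and that the `comment` table has the `comname` and `comdesc` columns used in the question.

```php
<?php
// Added example: INSERT via a mysqli prepared statement. Assumes misc.php
// defines $host, $user, $passwd and $db exactly as in the question.
include './misc.php';
$cxn = mysqli_connect($host, $user, $passwd, $db) or die("unable to connect to server");

function add_comment(mysqli $cxn, string $fullname, string $comment): bool
{
    // Column names are identifiers: use backticks (or nothing), never single
    // quotes. The two ? placeholders are bound below, so user input is never
    // spliced into the SQL string and the driver does the quoting.
    $stmt = $cxn->prepare(
        'INSERT INTO `comment` (`comname`, `comdesc`) VALUES (?, ?)'
    );
    if ($stmt === false) {
        // prepare() fails on SQL syntax errors, which is what quoting the
        // column names as string literals produces. Logging $cxn->error is the
        // "what's the error message?" check suggested in the comments.
        error_log('prepare failed: ' . $cxn->error);
        return false;
    }
    // "ss": both parameters are bound as strings.
    $stmt->bind_param('ss', $fullname, $comment);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// Only handle a real form submission. The original checked $_GET['value']==1,
// which is also true for a plain GET of commentbox.php?value=1 with no form data.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $fullname = trim($_POST['fullname'] ?? '');
    $comment  = trim($_POST['commentbox'] ?? '');
    if ($fullname === '' || $comment === '') {
        echo 'Name and comment are required.';
    } elseif (add_comment($cxn, $fullname, $comment)) {
        echo 'Comment added.';
    } else {
        echo 'Failed to add comment';
    }
}
```

With this in place the existing SELECT loop can stay as it is; only the insert path changes, and `mysqli_real_escape_string()` is no longer needed for these two values.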