
I've created this code in PHP which includes a form. In this form the user can insert an announcement. To save the data into the database I've created this submit button with the value POSTO.

But when I fill in the form and click the submit button, nothing happens and the data is not saved into the database. Also, if I put in a wrong table name, it doesn't show an error.

Here is my database: database

Here is the PHP code:

<html>
<head>
<title></title>
</head>
<body>
<?php
if( !($database=mysql_connect("localhost","root",""))||!(mysql_select_db("st_login",$database))  )
   print("Could not connect");


// post the announcement
echo "Post announcement";
print("<form><p> <textarea  cols='40' rows='30'></textarea> </p>
  <input type='submit' name='njoftim' value='Posto'/></form>  ");


if(isset($_POST['njoftim'])){
$njoftim=$_POST['njoftim'];
  $query="INSERT INTO `njoftime` (njoftim) VALUES ('$njoftim')";
    if(!($result=mysql_query($query,$database)))
{
    print("Could not execute query");
    die (mysql_error()); // or the error
}

   }

mysql_close($database);
?>
</body>
</html>
Remi Guan
Doen
  • Take a look at these: [`error_reporting(E_ALL);`](http://php.net/manual/en/function.error-reporting.php), [`ini_set('display_errors', 1);`](http://php.net/manual/en/function.ini-set.php), [`mysql_error`](http://php.net/manual/en/function.mysql-error.php). Also, `mysql_*` functions are deprecated since PHP 5.5 (and removed entirely in PHP 7) and you should [stop using them](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) if you can, [you are vulnerable to SQL-injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Qirel Jan 23 '16 at 12:48
  • Please don't use the deprecated mysql_* functions. Use mysqli or pdo. Btw, your code is wide open for SQL injections. Always sanitize your inputs. – M. Eriksson Jan 23 '16 at 12:49
  • A form, with no method specified, will default to GET. You need to add the action as `action='post'` in the form tag – Professor Abronsius Jan 23 '16 at 13:02
  • @RamRaider it's `method="post"`, `action` attribute specifies the place where input should be sent (the script path). – Kevin Kopf Jan 23 '16 at 13:34

1 Answer


Directly to the problem: you must specify the post method in your form: `<form method="POST">`, otherwise your `$_POST` superglobal would not be populated with the form values. Either this, or use `$_GET`, but `$_POST` is better.

  • POST requests are never cached
  • POST requests do not remain in the browser history
  • POST requests cannot be bookmarked
  • POST requests have no restrictions on data length

while GET requests should only be used to retrieve data.

Also, please note, that the mysql extension is deprecated, use mysqli or PDO instead. It's safer.

And your code is also open to endless SQL injection possibilities - a way to DROP DATABASE for sure. So sanitize the input a user posts.

Kevin Kopf
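
The fixes named in the answer and comments (`method="post"`, PDO instead of `mysql_*`, and a bound parameter instead of string interpolation) put together, as an added example that is not the asker's or answerer's code. The database, table and column names and the credentials come from the question; the field names `njoftim` (textarea) and `posto` (button) and the `utf8mb4` charset are assumptions.

```php
<?php
// Added example, not code from the original question or answer.
// From the question: database st_login, table njoftime, column njoftim, root with empty password.
// Assumed: form field names "njoftim" (textarea) and "posto" (button), utf8mb4 charset.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=st_login;charset=utf8mb4', 'root', '',
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // a wrong table name raises PDOException
            PDO::ATTR_EMULATE_PREPARES => false,         // use server-side prepared statements
        ]
    );
}

function saveAnnouncement(PDO $pdo, string $text): void
{
    // The announcement is sent as a bound parameter, never spliced into the SQL string.
    $stmt = $pdo->prepare('INSERT INTO `njoftime` (njoftim) VALUES (:njoftim)');
    $stmt->execute([':njoftim' => $text]);
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $raw = $_POST['njoftim'] ?? '';
    $text = is_string($raw) ? trim($raw) : ''; // reject array-valued input such as njoftim[]=x
    if ($text === '') {
        $message = 'Announcement is empty.';
    } else {
        try {
            saveAnnouncement(connect(), $text);
            $message = 'Announcement saved.';
        } catch (PDOException $e) {
            error_log($e->getMessage());        // details go to the server log, not the browser
            $message = 'Could not save announcement.';
        }
    }
}
?>
<html>
<body>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<form method="post">
  <p><textarea name="njoftim" cols="40" rows="30"></textarea></p>
  <input type="submit" name="posto" value="Posto"/>
</form>
</body>
</html>
```

The textarea needs a `name` attribute for its content to reach `$_POST`; in the question's form only the submit button had one, so `$_POST['njoftim']` would have held the button value `Posto` rather than the announcement text.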