Pass form values from PHP file to another PHP file

Question

I make a pop-up form like this, in home.php :

<script src="js/submit.js"></script>

.........
.........
.........

<div id="abc">
<!-- Popup Div Starts Here -->

<div id="popupContact">
<!-- Form -->

<form action="#" id="form" method="post" name="form">

    <input id="month" name="month" placeholder="MONTH" type="text">
    <a href="javascript:%20check_empty()" id="submit">ADD</a>

</form>

</div>
<!-- Popup Div Ends Here -->
</div>

I fill the form. When I click 'ADD' button, it runs javascript function. The code in submit.js :

function check_empty() {
    if (document.getElementById('month').value == ""){
        alert("Fill column!");
    } else {
        document.getElementById('form').submit();   
        $.get("application/insertdata.php");
        return false;
    }
}

//Function To Display Popup
function div_show() {
document.getElementById('abc').style.display = "block";
}

//Function to Hide Popup
function div_hide(){
document.getElementById('abc').style.display = "none";
}

I want to run query in insertdata.php as below. It needs the value from 'month'.

<?php 
require("phpsqlajax_dbinfo.php");

$conn = mysqli_connect('localhost', $username, $password, $database);

if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
} 

$data = isset($_POST['month']);
$monthstring = mysqli_real_escape_string($conn, $data);

$sql = "INSERT INTO `databasea`.`tablea` (`MONTH`, `TEST`) VALUES ('". $monthstring ."', 'xxx');";

mysqli_query($conn, $sql);
mysqli_close($conn);
?>

The query run successfully, and row is added in my table. 'TEST' column is added with 'xxx'. But in 'MONTH' column, it generates no value, just empty.

So, how to get the 'month' value? Thank you.

First of all you need to study $.get function. See this link for $.get() https://api.jquery.com/jquery.get/ — Nikhil Vaghela, Jun 24 '16 at 12:57
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Jun 24 '16 at 12:58
You are posting the form with: `document.getElementById('form').submit();` but you got no URL in the forms action, which means that it will post to itself. Then you do a `$.get` to the correct file... but `$.get` does a GET-request, not POST... and you're not sending any data. — M. Eriksson, Jun 24 '16 at 12:59
I'm guessing your `MONTH` field is a string, but your `$monthstring` variable is a boolean because it's defined as the escaped version of `$data = isset($_POST['month']);` which is a boolean — apokryfos, Jun 24 '16 at 13:01
thank you for comments, I'm still newbie. So how to fix this? — Graha Pramudita, Jun 24 '16 at 13:12
You need to get in the habit of [accepting answers](http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) which help you to solve your issues. You'll earn points and others will be encouraged to help you. — Jay Blanchard, Jun 24 '16 at 14:51

score 2 · Answer 1 · answered Jun 24 '16 at 12:57

2

Hi use $data = $_POST['month'];

isset will return true or false not value of month

answered Jun 24 '16 at 12:57

Passionate Coder

7,154
2
19
44

score 2 · Answer 2 · answered Jun 24 '16 at 12:57

2

Replace

$data = isset($_POST['month']);

by

if(isset($_POST['month'])) {
   $data=$_POST['month'];
}

answered Jun 24 '16 at 12:57

Adder

5,708
1
28
56

1

There are so many other things wrong with the code before things even get here. – Jay Blanchard Jun 24 '16 at 13:00

score 2 · Accepted Answer · edited May 23 '17 at 11:58

Since you're using JavaScript/jQuery there is no real need for inline code in your HTML, so let's start there by removing the inline JavaScript:

<script src="js/submit.js"></script>

.........
.........
.........

<form action="#" id="form" method="post" name="form">

<input id="month" name="month" placeholder="MONTH" type="text">
<a href="#" id="submit">ADD</a>

</form>

Much cleaner, no? You weren't passing any data in your function call which may have caused problems for you down the line.

Now a simpler setup in your JavaScript/jQuery in which we'll capture the click event and pass the data via $.post:

$('#submit').click(function(event) {
    event.preventDefault(); // prevent the default click action
    var month = $('#month').val();
    if('' == month) {
        alert('fill the column!');
    } else {
        $.post("application/insertdata.php", {month: month}); // notice how the data is passed
    }
});

So far, so good, the code is much tighter and more readable and it actually posts the data from the form to the AJAX call.

Finally the PHP, testing to see if the variable month is set properly:

<?php 
    require("phpsqlajax_dbinfo.php");

    $conn = mysqli_connect('localhost', $username, $password, $database);

    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
    } 

    if(isset($_POST['month'])) {
        $data = $_POST['month'];
        $monthstring = mysqli_real_escape_string($conn, $data);
        $sql = "INSERT INTO `databasea`.`tablea` (`MONTH`, `TEST`) VALUES ('". $monthstring ."', 'xxx');";
        mysqli_query($conn, $sql);
    }

    mysqli_close($conn);
?>

NOTE: I am concerned that you might have more than one of these forms on your page and you may be duplicating ID's which will not work and the duplicate ID's will need to be removed. If this is the case the jQuery code I've written needs to be changed. Here is one way to do that:

$('a').click(function(event) {
    event.preventDefault(); // prevent the default click action
    var month = $(this).prev('input').val(); // get the input next to the link
    if('' == month) {
        alert('fill the column!');
    } else {
        $.post("application/insertdata.php", {month: month}); 
    }
});

As I stated in comments Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Changing to prepared statements will make your code cleaner and safer.

Just one small suggestion. Validate the `$_POST['month']` before you open the DB-connection. No need to open it if the variable isn't set. :) — M. Eriksson, Jun 24 '16 at 13:18
That's not a bad idea @MagnusEriksson, I was just trying not to modify the OP's code too much. — Jay Blanchard, Jun 24 '16 at 13:19
And `$sql` won't be set if the validation fails, but is used after. :) `mysqli_query($conn, $sql);` should be in the IF-statement. — M. Eriksson, Jun 24 '16 at 13:20
Good catch @MagnusEriksson, I changed the code a little to reflect that. — Jay Blanchard, Jun 24 '16 at 13:21
hi @JayBlanchard thank you. I tried your code, but when I click ADD button, my pop-up form doesn't show up now. (I have edited my full code above in home.php and submit.js, take a look) — Graha Pramudita, Jun 24 '16 at 13:42
I answered the question *as you had originally proposed it* @GrahaPramudita Your popups are not affected by your original code and will not be affected by the changes I have proposed here. What you're asking now is a completely different question. — Jay Blanchard, Jun 24 '16 at 13:49
oh @JayBlanchard i'm sorry. I mistyped my comment. Thank you, it works! — Graha Pramudita, Jun 24 '16 at 14:11

Pass form values from PHP file to another PHP file

3 Answers3