I am trying to create a form that will take a title, block of text, student ID and add it to a database when the submit button is pressed.

The student_ID is kept the same for simplicity and will be changed later in the project.

The HTML and PHP are in the same file.

My code doesn't add anything to the database.

PHP

<?php
  if($_POST["submit_button"]){

    //here is the title and text that will be added to the database by the user
    $title=$_POST["testimonial_title"];
    $text=$_POST["testimonial_text"];

    //create the sql statement 
    $sql="INSERT INTO testimonials 
    (testimonial_title, testimonial_text, student_ID)
    VALUES(
      '$title',
      '$text',
    1);"; //the student_ID is a foreign key and for simplicity I kept it at 1

    $result = mysqli_query($con,$sql);

    mysqli_close($con);
  }
?>

HTML

  <!--Page Content-->
  <h1 class="page-header">
    Learning Journals<small>- Admin</small>
  </h1>

  <h3> 
    Update Learning Journals Plans 
  </h3>

  <form name = "membership_form" 
    action = ""
    id = "contactForm"
    method = "post">

    <label>Learning Journals Title:</label><br/>
    <input type="text" name="testimonial_title" /><br/>
    <label>Learning Journal:</label><br/>
    <textarea rows="10" cols="100" name="testimonial_text" 
      maxlength="999" style="resize:none"></textarea>
    <button type="submit" name ="submit_button" class="btn btn-primary">
      Update
    </button>
  </form>
  <hr/>
</body>
</html>
jwpfox
Patrick O Reilly
  • Not getting any errors? – Phiter Dec 08 '16 at 21:29
  • Why are you giving everyone the same `student_ID`? I suspect that's a unique key, so you're getting an error because of the duplicate key. – Barmar Dec 08 '16 at 21:36
  • You should check for errors: `if (!$result) { die(mysqli_error($con)); }` – Barmar Dec 08 '16 at 21:36
  • You should also use a prepared query to protect against SQL injection. – Barmar Dec 08 '16 at 21:36
  • If the testimonial text contains an apostrophe, you'll get a syntax error because you haven't escaped the input. – Barmar Dec 08 '16 at 21:37
  • And, considering the OP's name is `O'Reilly`, there's an enhanced chance of an apostrophe in the test data. Prepared statements. *Prepared statement*. **Prepared statements** – O. Jones Dec 08 '16 at 21:51
  • https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Andy Lester Dec 11 '16 at 03:06

1 Answer

You must specify in the action attribute the PHP file you are sending the form to. And in your if statement you need to check that you are receiving data:

if($_POST["testimonial_title"] &&  $text=$_POST["testimonial_text"])

Try to protect against SQL injection. Read about it.

In your sql variable you must have something like this once you have protected your variables:

$sql = "INSERT INTO testimonials (testimonial_title, testimonial_text, student_ID) VALUES ('" . $title . "', '" . $text . "', 1)";

Because you have text not numbers.

Read this; there you can find how to insert and how to prevent SQL injection:

PHP / MySQLi: How to prevent SQL injection on INSERT (code partially working)

Community
migueref
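
Added example (not part of the question or the answer above): the prepared-statement form of this INSERT that the comments recommend, written with mysqli and with errors surfaced instead of ignored. The connection credentials and the `insert_testimonial` helper name are assumptions; the table and column names are the ones from the question.

```php
<?php
// Added example. Host, user, password and database name are placeholders (assumptions).
// Make mysqli throw exceptions so a failed query is never silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one row and returns its auto-increment id.
function insert_testimonial(mysqli $con, string $title, string $text, int $studentId): int
{
    // The ? placeholders keep user input out of the SQL text, so an apostrophe
    // (e.g. "O'Reilly") is stored as data and cannot break or alter the query.
    $stmt = $con->prepare(
        'INSERT INTO testimonials (testimonial_title, testimonial_text, student_ID)
         VALUES (?, ?, ?)'
    );
    $stmt->bind_param('ssi', $title, $text, $studentId); // string, string, integer
    $stmt->execute();
    $id = $con->insert_id;
    $stmt->close();
    return $id;
}

$error = null;
$newId = null;

// Test the request method rather than the submit button's value.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $title = trim($_POST['testimonial_title'] ?? '');
    $text  = trim($_POST['testimonial_text'] ?? '');

    // Server-side validation; the form's maxlength="999" is only a browser hint.
    // strlen() counts bytes, which is the stricter bound here.
    if ($title === '' || $text === '' || strlen($text) > 999) {
        $error = 'Title and text are required (text up to 999 bytes).';
    } else {
        try {
            $con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
            $con->set_charset('utf8mb4');
            $newId = insert_testimonial($con, $title, $text, 1); // student_ID fixed at 1, as in the question
            $con->close();
        } catch (mysqli_sql_exception $e) {
            error_log($e->getMessage());          // full detail goes to the server log
            $error = 'Could not save the entry.'; // generic message for the page
        }
    }
}
```

With a foreign key on `student_ID`, an insert for a student that does not exist now raises `mysqli_sql_exception` and is written to the error log instead of failing without a trace.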