
Hello guys, I have a problem with PHP code for a blog... well, I created a MySQL database and it looks like this: (screenshot of the database table omitted)

And everything works fine when I press the submit button, except that it doesn't want to insert the things I write into the inputs into the blog database....

Here is php code:

<?php
include 'dbconfig.php';

if(isset($_POST['submit'])){
$_title = $_POST['title'];
$_category = $_POST['category'];
$_content = $_POST['content'];

$sql = "INSERT INTO `blog`('title', 'category', 'content') VALUES ('$_title', '$_category', '$_content'))";
}else{
?>

<form action="post.php" method="post">
<p>Title: <input name="title" type="text" size="50"/></p>
<p>Category: <input name="category" type="text" size="50"/></p>
<p>Content: <textarea name="content" maxlength="50" placeholder="Content" type="text"></textarea></p>
<input type="submit" name="submit" value="Post"/>


</form>
<?php
}
?>

dbconfig.php looks like

<?php


    $db_host = "localhost";
    $db_name = "a3584167_test";
    $db_user = "a3584167_test";
    $db_pass = "test";

    try{

        $db_con = new PDO("mysql:host={$db_host};dbname={$db_name}",$db_user,$db_pass);
        $db_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    catch(PDOException $e){
        echo $e->getMessage();
    }


?>

If you guys can tell me what I should fix in this code, I would be very happy. Thanks for your time.

    "Everything works fine, but..." - so everything doesn't work fine then? ;-) Jokes aside, you don't actually execute the query. What API is inside `dbconfig.php`? – Qirel Dec 15 '16 at 17:10
  • Where is the execution? – B001ᛦ Dec 15 '16 at 17:11
  • There are some things in there that could make your application get rekt. Never insert user input directly into your queries, clean them before. Also you didn't run the query you just built it. – Phiter Dec 15 '16 at 17:13
  • @Qirel `setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); } catch(PDOException $e){ echo $e->getMessage(); } ?>` – Hartman Dec 15 '16 at 17:14

Answer

You don't actually execute the query, so the solution is simple - just execute it.

From the comments, you're using PDO, so you'll just need

$db_con->query($sql);

That being said, that is very vulnerable to SQL injection, so I recommend you use a prepared statement instead, making your execution like this

$stmt = $db_con->prepare("INSERT INTO `blog`(`title`, `category`, `content`) VALUES (:title, :category, :content)");
$stmt->execute(array("title" => $_title, "category" => $_category, "content" => $_content));

  • `Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''title', 'category', 'content') VALUES ('233242342', '32423432', '324234')' at line 1' in /home/a3584167/public_html/post.php:92 Stack trace: #0 /home/a3584167/public_html/post.php(92): PDOStatement->execute(Array) #1 {main} thrown in /home/a3584167/public_html/post.php on line 92` and I added it like you said – Hartman Dec 15 '16 at 17:24
  • Ah, I blindly copied your query above, which used quotes `'` around the columns in the query - that should be backticks `\`` instead. Fixed it now. You can also just leave the ticks out, as none of those names are keywords/reserved. – Qirel Dec 15 '16 at 17:26
  • @Qirel yeah, I saw that and fixed it before, but it still says... `Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1065 Query was empty' in /home/a3584167/public_html/post.php:85 Stack trace: #0 /home/a3584167/public_html/post.php(85): PDO->query('') #1 {main} thrown in /home/a3584167/public_html/post.php on line 85` – Hartman Dec 15 '16 at 17:36
  • You don't need `query()` when you're using `prepare()`. So I recommend you just put the second part of my answer (prepare/execute) instead of anything `query()`. – Qirel Dec 15 '16 at 17:37
  • Okay, fixed that, and again the next error: `Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''title', 'category', 'content') VALUES ('3423424', '324234234', '2342343242')' at line 1' in /home/a3584167/public_html/post.php:92 Stack trace: #0 /home/a3584167/public_html/post.php(92): PDOStatement->execute(Array) #1 {main} thrown in /home/a3584167/public_html/post.php on line 92` – Hartman Dec 15 '16 at 17:40
  • That's the exact same as the first comment you posted - which I already explained: drop the quotes around column names. I fixed my answer with that silly mistake, so you can just use that. – Qirel Dec 15 '16 at 17:41
  • Oh haha, I forgot that one :D Well, now it's working. Thank you so much for your help and time :) – Hartman Dec 15 '16 at 17:43
  • Happy to have helped! – Qirel Dec 15 '16 at 17:44
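The following is an added example, not code from the question or the answer above: a complete post.php that applies the accepted answer's advice end to end. It assumes dbconfig.php defines $db_con as a PDO connection with ERRMODE_EXCEPTION (as in the question), that the `blog` table has the columns `title`, `category` and `content`, and that the submit button is still named "submit". The field length limits and the function names insertPost, validatePost and e are choices made for this example.

```php
<?php
// Added example: hardened post.php for the blog form in the question.
// Assumes dbconfig.php creates $db_con (PDO, ERRMODE_EXCEPTION) and the
// `blog` table has columns `title`, `category`, `content`.
require 'dbconfig.php';

// dbconfig.php only echoes a connection failure, so $db_con may be undefined.
if (!isset($db_con) || !($db_con instanceof PDO)) {
    http_response_code(500);
    exit('Database unavailable.');
}

// Why not the original string-built query? With
//   "INSERT INTO blog (title, ...) VALUES ('$_title', ...)"
// a title containing a single quote breaks the statement, and any input that
// closes the quote is executed as SQL. Placeholders keep data and SQL apart.
function insertPost(PDO $db, string $title, string $category, string $content): int
{
    $stmt = $db->prepare(
        'INSERT INTO `blog` (`title`, `category`, `content`) VALUES (:title, :category, :content)'
    );
    $stmt->execute([
        ':title'    => $title,
        ':category' => $category,
        ':content'  => $content,
    ]);
    return (int) $db->lastInsertId();
}

// Input validation. The length limits are assumptions for this example.
function validatePost(array $input): array
{
    $limits = ['title' => 200, 'category' => 50, 'content' => 5000];
    $errors = [];
    foreach ($limits as $field => $max) {
        $value = trim((string) ($input[$field] ?? ''));
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (mb_strlen($value) > $max) {
            $errors[] = "$field must be at most $max characters";
        }
    }
    return $errors;
}

// HTML-escape anything that came from the user before echoing it back,
// so stored text cannot be rendered as markup (XSS).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors = [];
$savedId = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $errors = validatePost($_POST);
    if ($errors === []) {
        try {
            $savedId = insertPost(
                $db_con,
                trim($_POST['title']),
                trim($_POST['category']),
                trim($_POST['content'])
            );
        } catch (PDOException $ex) {
            // Full detail to the server log only; the user gets a generic message.
            error_log('blog insert failed: ' . $ex->getMessage());
            $errors[] = 'Could not save the post.';
        }
    }
}
?>
<?php if ($savedId !== null): ?>
<p>Post #<?= $savedId ?> saved.</p>
<?php endif; ?>
<?php foreach ($errors as $err): ?>
<p class="error"><?= e($err) ?></p>
<?php endforeach; ?>
<form action="post.php" method="post">
<p>Title: <input name="title" type="text" size="50" value="<?= e($_POST['title'] ?? '') ?>"/></p>
<p>Category: <input name="category" type="text" size="50" value="<?= e($_POST['category'] ?? '') ?>"/></p>
<p>Content: <textarea name="content" maxlength="5000" placeholder="Content"><?= e($_POST['content'] ?? '') ?></textarea></p>
<input type="submit" name="submit" value="Post"/>
</form>
```

Two points worth noting beyond the answer itself: the form is re-rendered after a failed submission with the user's values escaped by e(), since text that is safe for the database is not automatically safe for HTML, and the PDOException message is logged rather than shown, because the stack traces pasted in the comments (file paths, the exact query shape) are exactly what a production page should not reveal to a visitor.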