
I am just wondering where my mistake was, and if it is a simple fix or if it will be a bit harder to fix. You guys don't have to write the answers for me, just point me in the right direction and I think I should be fine, because I've been looking at this for half an hour now, and I can't seem to figure out where my mistake was. Inserting comments is working wonderfully, I'm just having issues with getting them and posting them on my page(?)

    <?php
    // INSERTING COMMENTS INTO THE DATABASE
    // (the comment lines sit inside the PHP tags now; outside them they would be printed as page text)
    function setComments($conn) {
        if (isset($_POST['commentSubmit'])) {
            $author  = $_POST['cauthor'];
            $date    = $_POST['date'];
            $message = $_POST['message'];

            // As posted: the values are interpolated straight into the SQL string
            // (see the comments below on why this must become a prepared statement).
            $sql = "INSERT INTO comments (c_author, c_date, c_message)
                    VALUES ('$author', '$date', '$message')";
            $result = mysqli_query($conn, $sql);
        }
    }
    ?>

    <?php
    // GETTING COMMENTS FROM THE DATABASE
    function getComments($conn) {
        $sql = "SELECT * FROM comments";
        $result = mysqli_query($conn, $sql);
        // fetch_assoc() returns only one row per call (and null when none are left),
        // so loop over it instead of calling it once.
        while ($row = $result->fetch_assoc()) {
            // An array element with a quoted key inside a double-quoted string is a
            // parse error; echo the element directly.
            echo $row['c_message'];
        }
    }
    ?>
Deeze
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Dec 27 '16 at 18:21
  • @tadman thank you for pointing this out, I will get it fixed :D – Deeze Dec 27 '16 at 18:23
  • You're mixing and matching object-oriented and procedural style. Ideally you switch over to using object-oriented exclusively, it's much less verbose, less cluttered and harder to get wrong. You should also [enable error reporting](http://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) to see if any of your queries failed. Right now you have no way of knowing if any of this code worked, or if you're even connected to the database in the first place. If you get a good result from executing your query it probably succeeded, so be sure to test that. – tadman Dec 27 '16 at 18:24
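The two functions rewritten along the lines of tadman's comments, as an added example (not code from the question or the comments): exceptions enabled so failed queries are visible, prepared statements with `bind_param` instead of interpolation, every row fetched, and output escaped. It assumes the `comments(c_author, c_date, c_message)` table and the `$_POST` field names from the question, and a `$conn` created with `new mysqli(...)`.

```php
<?php
// Added example, not the asker's code. Assumes the question's table and form
// field names and a $conn built with new mysqli(host, user, pass, db).

// Make mysqli throw on failure instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function setComments(mysqli $conn): void
{
    if (!isset($_POST['commentSubmit'])) {
        return;
    }
    // Plain variables: bind_param takes its arguments by reference.
    $author  = $_POST['cauthor'] ?? '';
    $date    = $_POST['date'] ?? '';
    $message = $_POST['message'] ?? '';

    // Placeholders: the user data is sent separately from the SQL text, so it
    // can never change the structure of the statement.
    $stmt = $conn->prepare(
        'INSERT INTO comments (c_author, c_date, c_message) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $author, $date, $message);
    $stmt->execute();
    $stmt->close();
}

function getComments(mysqli $conn): void
{
    // No user input here, so a plain query is fine; select named columns.
    $result = $conn->query('SELECT c_author, c_date, c_message FROM comments');

    // fetch_assoc() hands back one row per call and null at the end.
    while ($row = $result->fetch_assoc()) {
        // Escape on output so a stored comment cannot inject HTML or script
        // into the page that displays it.
        echo '<p>',
             htmlspecialchars($row['c_author'], ENT_QUOTES, 'UTF-8'), ' (',
             htmlspecialchars($row['c_date'], ENT_QUOTES, 'UTF-8'), '): ',
             htmlspecialchars($row['c_message'], ENT_QUOTES, 'UTF-8'),
             '</p>';
    }
    $result->free();
}
```

With `MYSQLI_REPORT_STRICT` set, a bad column name or a lost connection surfaces as a `mysqli_sql_exception` rather than an empty page, which answers the "no way of knowing if it worked" point in the comment above.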

0 Answers