
I'm trying to input data to an SQL database through an HTML submit button, however I can't quite get it to work. I've looked at the other answers on here and I can't seem to get them to work either. I'm fairly certain that the column names are correct. Where am I going wrong, and are there any better ways of approaching this problem?

   <?php
   include('session.php');
   if(isset($_POST['addHomework'])){
    $link = mysqli_connect('host','user','userpw','database');         
    $class =  mysqli_real_escape_string($link,$_POST['classDropdown']);
    $dueDate = date('y-m-d', strtotime($_POST['dueDate']));
    $title =  mysqli_real_escape_string($link, $_POST['homeworkTitle']);
    mysqli_query($link, "INSERT INTO events ('title', 'duedate', `event_id`)  VALUES('$title', '$dueDate', '')");
}
?> 

And this is my HTML:

<head>
<link type="text/css" href="css/ui-lightness/jquery-ui-1.9.1.custom.min.css" rel="stylesheet" />
<script src="https://code.jquery.com/jquery-1.10.2.js"></script>
  <title>The Memory Bank</title>
  <meta name="description" content="website description" />
  <meta name="keywords" content="website keywords, website keywords" />
  <meta http-equiv="content-type" content="text/html; charset=windows-1252" />
  <link rel="stylesheet" type="text/css" href="style.css" title="style" />
</head>

<body>
  <div id="main">
    <div id="header">
      <div id="logo">
        <div id="logo_text">
          <h1>The Memory Bank</h1>
        </div>
      </div>
      <div id="menubar">
        <ul id="menu">
          <li ><a href="teacherWelcome.php">Home</a></li>
          <li><a href="student.php">Classes</a></li>
          <li class="selected"><a href="homework.php">Homework</a></li>
          <li><a href="parent.php">Feedback</a></li>
          <li><a href="HoD.php">Head of Department</a></li>
          <li><a href="logout.php">Log Out</a></li>
        </ul>
      </div>
    </div>
    <aside>
      <div id="site_content">


<h1>Welcome
        <?php 
        echo $row['username'];
        ?>
        </h1>
    <form name ="addHomework" method="POST" action="homework.php">
       <p>Enter in a title for your homework:<br/>
       <input type="text" name ="homeworkTitle" value="" maxlength="45"></P>
       <p>Enter a duedate for your homework:<br/>
       <input type="date" name ="dueDate"  value="" maxlength="45"></P>
       <p>Select a Class:<br/>
        <select name="classDropdown">
            <?php
            include ('classlist.php');
                $classlist = new Classlist ();
                echo $classlist -> show();
            ?>
        </select>
        <p><input type="submit" name="commit" id="commit" value="Add Homework"/></p>
       </form>

      </div>
</aside>
</script>
</div>
    </div>

    </div>
    <div id="footer">
    </div>
  </div>
</body>
</html>
Jay Blanchard
  • You have just published the credentials to your MySQL database and therefore have subjected yourself to the possibility of hacking. – Jay Blanchard Mar 14 '17 at 21:14
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 14 '17 at 21:14
  • There's no vulnerable info on my website; it's just a little project I've been playing around with – Owen Baldwin Mar 14 '17 at 21:16
  • Are you getting any errors? – Jay Blanchard Mar 14 '17 at 21:16
  • Your MySQL host, username and password were posted here. Shall I prove it to you? ¯\\_(ツ)_/¯ – Jay Blanchard Mar 14 '17 at 21:17
  • No errors, the data is just not being inputted – Owen Baldwin Mar 14 '17 at 21:17
  • Have you checked your error logs? You're making an assumption the query is working. – Jay Blanchard Mar 14 '17 at 21:17
  • `$_POST['addHomework']` will never be set, because form names are not sent in the POST array. Therefore you never run your query. Test `isset($_POST['commit'])` because that is the button you click when you try to update the database. – Jay Blanchard Mar 14 '17 at 21:20
  • Just tried, nothing seemed to happen. Checking logs now – Owen Baldwin Mar 14 '17 at 21:24
  • Were you able to get this solved? – Jay Blanchard Mar 15 '17 at 11:42

1 Answer

First, some warnings:

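[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527)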


`$_POST['addHomework']` will never be set, because form names are not sent in the POST array. Therefore you never run your query. Test `isset($_POST['commit'])` because that is the button you click when you try to update the database:

    if(isset($_POST['commit'])){
        // the rest of your code
    }
Community
Jay Blanchard
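The points raised in the comments and answer above, combined in one handler, as an added example that is not part of the original posts: it tests the `commit` button, uses a MySQLi prepared statement, and makes query failures visible instead of silent. It assumes the credentials are supplied through the hypothetical environment variables `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_NAME`, and that `events.event_id` is an AUTO_INCREMENT column, so it is left out of the INSERT.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: DB_* environment variables (hypothetical names) hold the
// credentials, and events.event_id is AUTO_INCREMENT.

// Make mysqli throw exceptions so a failed query is never silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Validate the posted fields; returns [title, dueDate] or null if invalid. */
function parseHomework(array $post): ?array
{
    $title = trim((string)($post['homeworkTitle'] ?? ''));
    $raw   = (string)($post['dueDate'] ?? '');
    // <input type="date"> submits YYYY-MM-DD; reject anything else,
    // including impossible dates that PHP would silently roll over.
    $date  = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($title === '' || strlen($title) > 45   // 45 matches the form's maxlength
        || $date === false || $date->format('Y-m-d') !== $raw) {
        return null;
    }
    return [$title, $raw];
}

// The submit button is named "commit"; the form's name attribute is never posted.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['commit'])) {
    $fields = parseHomework($_POST);
    if ($fields === null) {
        http_response_code(400);
        exit('Invalid title or due date.');
    }
    [$title, $dueDate] = $fields;
    try {
        $link = new mysqli(getenv('DB_HOST'), getenv('DB_USER'),
                           getenv('DB_PASS'), getenv('DB_NAME'));
        $link->set_charset('utf8mb4');
        // Placeholders keep user input out of the SQL text entirely.
        $stmt = $link->prepare('INSERT INTO events (title, duedate) VALUES (?, ?)');
        $stmt->bind_param('ss', $title, $dueDate);
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; show the user only a generic message.
        error_log('addHomework failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not save homework.');
    }
}
```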