0

I am trying to save form data into my database but I get just empty records. I tried many solutions but I really don't know where the bug is. I am going crazy!

This is my form:

<head>

<form action="uploadall.php" method="post">
Name: <input type="text" name="name"><br>
Autore: <input type="text" name="author"><br>
Descrizione: <textarea id="editordescription" name="description" cols="45" rows="15">
        </textarea>
        <script>
            CKEDITOR.replace( 'editordescription' );
        </script>
<br>Misure: <input type="text" name="misure"><br>
Data: <input type="text" name="date"><br>
    <input type="hidden" name="status" value="Disattivo" size="20">

<input type="submit">
</form>

And this is my PHP script to save records:

     <?php

    // check if the form has been submitted. If it has, start to process the form and save it to the database
    if (isset($_POST['submit']))
    {
        // get form data, making sure it is valid
        $name = mysqli_real_escape_string(htmlspecialchars($_POST['name']));
        $author = mysqli_real_escape_string(htmlspecialchars($_POST['author']));
        $description = mysqli_real_escape_string(htmlspecialchars($_POST['description']));
        $misure = mysqli_real_escape_string(htmlspecialchars($_POST['misure']));
        $date = mysqli_real_escape_string(htmlspecialchars($_POST['date']));
        $status = mysqli_real_escape_string(htmlspecialchars($_POST['status']));
    }


    $servername = "xxxxxxx";
    $username = "xxxxxxx";
    $password = "xxxxxxx";
    $dbname = "xxxxxxxxx";

    try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "INSERT INTO exposition (name, author, description, misure, date, status)
    VALUES ('$name', '$author', '$description', '$misure', '$date', '$status')";
    // use exec() because no results are returned
    $conn->exec($sql);
    echo "New record created successfully";
    }
catch(PDOException $e)
    {
    echo $sql . "<br>" . $e->getMessage();
    }

$conn = null;


    ?>

And this is what I get in my database at the moment:


James69

3 Answers

3

First, you are mixing the MySQL APIs: at some point you are using mysqli_*, at some point you are using mysql_*. They don't mix. And mysql_* functions are deprecated; they are no longer supported by later versions of PHP. Better use mysqli or PDO. This mysql_real_escape_string() or mysqli_real_escape_string() is not safe enough to protect you against SQL injections. The solution is simple: better start using mysqli prepared statements or PDO prepared statements.

Another error: <input type="text" name="name"> <input type="text" name="name"> these two input fields have the same name attribute; PHP will only read one, and you will get an undefined index here: $misure = $_POST['misure']; You need to activate error reporting while you are still developing so you can see your errors and notices:

Add this at the top of every PHP page: ini_set('display_errors', 1); error_reporting(E_ALL);

Also, date is a reserved word for MySQL, so you'd better use something else for your column name or add backslashes date

Oh, and your code never executes here:

if (isset($_POST['submit']))
{
    // get form data, making sure it is valid
    $name = mysql_real_escape_string(htmlspecialchars($_POST['name']));
    $author = mysql_real_escape_string(htmlspecialchars($_POST['author']));
    $description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
    $misure = mysql_real_escape_string(htmlspecialchars($_POST['misure']));
    $date = mysql_real_escape_string(htmlspecialchars($_POST['date']));
    $status = mysql_real_escape_string(htmlspecialchars($_POST['status']));
}

Why is that? Because you do not have a POST value with the submit attribute name. <input type="submit"> See? Your submit does not have a name attribute. Therefore, this means

all this:

VALUES ('$name', '$author', '$description', '$misure', '$date', '$status')"; These are all undefined variables. I'm surprised your server doesn't tell you that; with error reporting enabled you will get all those.

This is what you need to do to solve that:

Your html side.

<form action="uploadall.php" method="post">
Name: <input type="text" name="name"><br>
Autore: <input type="text" name="author"><br>
Descrizione: <textarea id="editordescription" name="description" cols="45" rows="15">
        </textarea>
        <script>
            CKEDITOR.replace( 'editordescription' );
        </script>
<br>Misure: <input type="text" name="misure"><br>
Data: <input type="text" name="date"><br>
    <input type="hidden" name="status" value="Disattivo" size="20">

<input type="submit" name="submit">
</form>

uploadall.php

<?php

// check if the form has been submitted. If it has, start to process the form and save it to the database
if (isset($_POST['submit'])) {

    $servername = "xxxxxxx";
    $username   = "xxxxxxx";
    $password   = "xxxxxxx";
    $dbname     = "xxxxxxxxx";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }


    //check your inputs are set and validate,filter and sanitize
    $name        = $_POST['name'];
    $author      = $_POST['author'];
    $description = $_POST['description'];
    $misure      = $_POST['misure'];
    $date        = $_POST['date'];
    $status      = $_POST['status'];



    //prepare and bind
    $sql = $conn->prepare("INSERT INTO exposition (name, author, description, misure, date, status)
VALUES (?,?,?,?,?,?)");
    // six placeholders need six bound variables, including $status
    $sql->bind_param("ssssss", $name, $author, $description, $misure, $date, $status);

    if ($sql->execute()) {

        echo "New record created successfully";

    } else {

        //you have an error
    }

    $conn->close();

}

?>

That's all, good luck.

Update :

I corrected errors you told me and I am using PDO now but it still doesn't work

I read that from your comments above, but you are not telling us what the errors are; I believe they are the ones I highlighted above.

With PDO this is how you will achieve your goal:

<?php

    //connection
    $servername = 'XXXXXXXXXXXXX';
    $dbname     = 'XXXXXXXXXXXXX';
    $username   = 'XXXXXXXXXXXXXX';
    $password   = 'XXXXXXXXX';
    $charset    = 'utf8';

    $dsn = "mysql:host=$servername;dbname=$dbname;charset=$charset";
    $opt = [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            PDO::ATTR_EMULATE_PREPARES   => false,
            ];


    $dbh = new PDO($dsn, $username, $password, $opt);

// check if the form has been submitted. If it has, start to process the form and save it to the database
if (isset($_POST['submit'])) {




    //check your inputs are set and validate,filter and sanitize
    $name        = $_POST['name'];
    $author      = $_POST['author'];
    $description = $_POST['description'];
    $misure      = $_POST['misure'];
    $date        = $_POST['date'];
    $status      = $_POST['status'];

    //prepare and bind
    $stmt = $dbh->prepare("INSERT INTO exposition (name, author, description, misure, date, status)VALUES (?,?,?,?,?,?)");
    if ($stmt->execute(array($name,$author,$description,$misure,$date,$status))) {

        echo "New Record inserted success";
    }

}

?> 
Masivuye Cokile
At first, it wasn't working (in the first uploadall.php you missed '$status' in bind_param). I corrected it and it works! Thanks! I also added $description = strip_tags($description) because it saves html tags too :) Thank you very much! :) – James69 Mar 23 '17 at 16:02
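
The validation step that the answer's code leaves as a comment, combined with a bound-parameter insert, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension and an in-memory SQLite table so it runs without the MySQL server; the function name saveExposition, the YYYY-MM-DD date rule and the sample values are assumptions.

```php
<?php
// Added example (not the answer's code): validate, then insert with bound parameters.
// Assumption: pdo_sqlite is available; an in-memory table stands in for MySQL.

function saveExposition(PDO $db, array $post): array
{
    $row = [];
    foreach (['name', 'author', 'description', 'misure', 'date', 'status'] as $f) {
        // Missing or non-string fields become '' instead of raising a notice.
        $row[$f] = is_string($post[$f] ?? null) ? trim($post[$f]) : '';
    }
    $errors = [];
    if ($row['name'] === '') {
        $errors[] = 'name is required';
    }
    // Assumed rule for this sketch: dates arrive as YYYY-MM-DD.
    $d = DateTime::createFromFormat('!Y-m-d', $row['date']);
    if ($d === false || $d->format('Y-m-d') !== $row['date']) {
        $errors[] = 'date must be YYYY-MM-DD';
    }
    if ($errors) {
        return $errors; // nothing is written for invalid input
    }
    // Named placeholders: the values travel separately from the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO exposition (name, author, description, misure, date, status)
         VALUES (:name, :author, :description, :misure, :date, :status)'
    );
    $stmt->execute($row);
    return [];
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE exposition (id INTEGER PRIMARY KEY, name TEXT, author TEXT,
           description TEXT, misure TEXT, date TEXT, status TEXT)');

// Constructed sample POST data: apostrophes and markup that break a concatenated query.
$post = ['name' => "L'attesa", 'author' => "D'Annunzio",
         'description' => '<p>Olio su tela</p>', 'misure' => '30x40',
         'date' => '2017-03-23', 'status' => 'Disattivo'];

var_dump(saveExposition($db, $post));                    // well-formed submission
var_dump(saveExposition($db, ['date' => '23/03/2017'])); // no name, wrong date format

$stored = $db->query('SELECT name, description FROM exposition')->fetch(PDO::FETCH_ASSOC);
// The raw text is stored unchanged; HTML-encode only when printing it into a page.
echo htmlspecialchars($stored['name'], ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($stored['description'], ENT_QUOTES, 'UTF-8'), "\n";
```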
0

Variable name problem, e.g. Name: <input name="name"> and Misure: <input name="name">. These must be different.

Again, <input type="submit"> should be <input type="submit" name="submit">. Hope it will be helpful.

-1

The variables you are using inside your INSERT query are out of scope from the first if block where you are getting the data from your form. If the variables are initialized before the first if block it might work, like below:

 // initialize every variable before the if block
 $name = ""; $author = ""; $description = ""; $misure = ""; $date = ""; $status = "";

 if (isset($_POST['submit'])) {
     // as is
 }
Ashraful041