I have a form that I can post. I also have a SQL database that it has a successful connection with. However, when I close the page out, the user input disappears. How can I make the user input part of the page content, almost like a guestbook kind of idea?

```php
<p onclick="myFunction()">Click here to share your personal testimony</p>
<div id="formwindow">
    <form action="http://needjesuskneadjesus.org/perstest.php" method="post">
        Name: <input type="text" name="name">
        <span class="error">* <?php echo $nameErr; ?></span>
        <br>
        Email: <input type="text" name="email">
        <span class="error">* <?php echo $emailErr; ?></span>
        <br>
        Personal Testimony:<br> <textarea name="personalTestimony" rows="10" cols="50"></textarea><br>
        <input type="Submit">
    </form>
</div>
<script>
    function myFunction() {
        document.getElementById("formwindow").style.display = "block";
    }
</script>
<br>
<?php
    echo "Name: " . $_POST['name'];
?>
<br>
<?php
    echo "Email: " . $_POST['email'];
?>
<br>
<?php
    echo "Personal Testimony: " . $_POST['personalTestimony'];
?>
<br>
<?php
/* Attempt MySQL server connection ($link is assumed to come from mysqli_connect() earlier in the file).
    // Check connection
    if($link === false){
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }
    // Escape user inputs for security
    $name = mysqli_real_escape_string($link, $_REQUEST['name']);
    $email = mysqli_real_escape_string($link, $_REQUEST['email']);
    $personalTestimony = mysqli_real_escape_string($link,
    $_REQUEST['personalTestimony']);
    // attempt insert query execution
    $sql = "INSERT INTO personalTestimony (name, email, testimony) VALUES
    ('$name', '$email', '$personalTestimony')";
    if(mysqli_query($link, $sql)){
        echo "Thanks for sharing your personal testimony.";
    } else{
        echo "ERROR: Could not execute $sql. " . mysqli_error($link);
    }
    // close connection
    mysqli_close($link);
*/
?>
```
Fred Gandt
  • use cookies or session – Omi May 18 '17 at 22:24
  • you have to save the user input then put them again; one way to do this is by sessions. Save them: `$_SESSION["name"] = $_POST['name']`, then when building the page do: `echo "Name: ".$_SESSION['name'];` – Accountant م May 18 '17 at 22:25
  • Although not specifically asked about, take care to not echo unsanitized POST vars; use [`htmlentities()`](http://php.net/manual/en/function.htmlentities.php) at the very least. – Fred Gandt May 18 '17 at 22:33

1 Answer


You can use PHP sessions to store the user's review; this will display the old one.

```php
<?php
session_start();

// $link is assumed to have been created with mysqli_connect() above this point
if ($link === false) {
    die('ERROR: Could not connect. ' . mysqli_connect_error());
}

if (isset($_POST['name'], $_POST['email'], $_POST['personalTestimony'])) {
    $name = $_POST['name'];
    $email = $_POST['email'];
    $personalTestimony = $_POST['personalTestimony'];

    // Prepared statement: the values are bound as parameters instead of being
    // interpolated into the SQL text, so quotes in the input cannot alter the query
    $stmt = mysqli_prepare($link, 'INSERT INTO personalTestimony (name, email, testimony) VALUES (?, ?, ?)');
    mysqli_stmt_bind_param($stmt, 'sss', $name, $email, $personalTestimony);

    if (mysqli_stmt_execute($stmt)) {
        echo 'Thanks for sharing your personal testimony.';
        // Remember this submission so it can be shown again on later visits
        $_SESSION['name'] = $name;
        $_SESSION['email'] = $email;
        $_SESSION['testimony'] = $personalTestimony;
    } else {
        echo 'ERROR: Could not execute the insert. ' . mysqli_stmt_error($stmt);
    }
    mysqli_stmt_close($stmt);
}

// Display the stored submission, if any, escaped for HTML output
if (!empty($_SESSION['name']) || !empty($_SESSION['email']) || !empty($_SESSION['testimony'])) {
    echo 'Name: ' . htmlentities($_SESSION['name'] ?? '', ENT_QUOTES) . '<br>';
    echo 'Email: ' . htmlentities($_SESSION['email'] ?? '', ENT_QUOTES) . '<br>';
    echo 'Personal Testimony: ' . htmlentities($_SESSION['testimony'] ?? '', ENT_QUOTES) . '<br>';
}

// close connection
mysqli_close($link);
?>
```

I replaced mysqli_real_escape_string with mysqli_prepare since it's fewer characters and provides more safety. You can read more about it here.

This will only work until either the session expires (you can configure this here) or the client clears their cookies.

Adam
  • `!isset() && !empty()` ?! That condition will NEVER EVER happen!!! Also, what do you mean by using `htmlentities` on the statement object that is returned from using `mysqli_prepare`, which is used with wrong parameters! Fred Gandt means by using `htmlentities()` using it to put the user input into your outputted HTML, like `echo "your name is " . htmlentities($_POST['name'])`. Man, you should test your code before posting it as an answer. BTW I didn't down-vote your answer – Accountant م May 18 '17 at 23:47
  • @Accountantم Thanks for pointing that out, I've always done !isset() and !empty() out of habit, oops. I should have tested but didn't want to miss more of Halt and Catch Fire. I've rectified those issues now though. – Adam May 19 '17 at 00:53
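The following is an added example, not code from the question or from Adam's answer, that puts together the three points raised on this page: keep the submissions in the database with a prepared statement (the `?` placeholders bound via `bind_param`, which is what the misuse of `mysqli_prepare` above was aiming for), read them back on every page load so they become page content for all visitors (the guestbook the question asks for, rather than a session that only the submitting browser can see), and escape every user-controlled value with `htmlspecialchars()` before it goes into the HTML, as Fred Gandt's comment recommends. The table `personalTestimony(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), email VARCHAR(255), testimony TEXT, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP)`, the connection credentials, and the file name `guestbook.php` are assumptions for the sake of the example.

```php
<?php
// Added example (not from the original question or answer): a minimal guestbook
// that stores entries in MySQL and re-renders them on every request.
// Assumed: table personalTestimony(id, name, email, testimony, created_at),
// hypothetical credentials below, and this file being saved as guestbook.php.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on failure instead of returning false
$link = new mysqli('localhost', 'guestbook_user', 'password', 'guestbook'); // hypothetical credentials
$link->set_charset('utf8mb4');

// Escape a value for an HTML text/attribute context. Every user-controlled
// string passes through this before being echoed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The values travel as bound parameters, never as part of the SQL text, so a
// quote, backslash or comment sequence in the testimony cannot change the query.
function addTestimony(mysqli $link, string $name, string $email, string $testimony): void
{
    $stmt = $link->prepare('INSERT INTO personalTestimony (name, email, testimony) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $email, $testimony);
    $stmt->execute();
    $stmt->close();
}

// Newest entries first. The email column is deliberately not selected: it is
// collected for the site owner, not published to other visitors.
function listTestimonies(mysqli $link, int $limit = 50): array
{
    $stmt = $link->prepare('SELECT name, testimony, created_at FROM personalTestimony ORDER BY id DESC LIMIT ?');
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $rows;
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name      = trim((string) ($_POST['name'] ?? ''));
    $email     = trim((string) ($_POST['email'] ?? ''));
    $testimony = trim((string) ($_POST['personalTestimony'] ?? ''));

    // Validate on the server; the client-side form is under the visitor's control.
    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'Name is required (at most 100 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }
    if ($testimony === '' || mb_strlen($testimony) > 5000) {
        $errors['testimony'] = 'Testimony is required (at most 5000 characters).';
    }

    if ($errors === []) {
        addTestimony($link, $name, $email, $testimony);
        // Redirect after POST so that a browser refresh does not re-submit the entry.
        header('Location: guestbook.php', true, 303);
        exit;
    }
}
?>
<!DOCTYPE html>
<meta charset="utf-8">
<form method="post" action="guestbook.php">
    Name: <input type="text" name="name" value="<?= h($name ?? '') ?>">
    <span class="error">* <?= h($errors['name'] ?? '') ?></span><br>
    Email: <input type="text" name="email" value="<?= h($email ?? '') ?>">
    <span class="error">* <?= h($errors['email'] ?? '') ?></span><br>
    Personal Testimony:<br>
    <textarea name="personalTestimony" rows="10" cols="50"><?= h($testimony ?? '') ?></textarea>
    <span class="error">* <?= h($errors['testimony'] ?? '') ?></span><br>
    <input type="submit" value="Share">
</form>

<?php foreach (listTestimonies($link) as $row): ?>
<div class="entry">
    <strong><?= h($row['name']) ?></strong> (<?= h($row['created_at']) ?>)<br>
    <?= nl2br(h($row['testimony'])) ?>
</div>
<?php endforeach; ?>
```

Because the page is rebuilt from the table on each request, entries survive the visitor closing the tab, clearing cookies, or the session expiring, which is the limitation the answer notes for the session approach. A submitted value such as `<script>alert(1)</script>` is stored verbatim but rendered as literal text, since `h()` is applied at output time rather than trying to "clean" input on the way in.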