
I am creating a social website with PHP. The user has the option to post a status to their timeline. But when I try to post to my timeline I get the `Post added to your timeline.` echo statement, but when I go to my database online the username column is filled out and the body is empty. Can someone help me?

profile.php :

<form action="poststatus.php" method="post">
<textarea rows="3" cols="25" name="status" id="status">
</textarea>
<button id="bt4" type="submit" name="bts">Post status</button>
</form>

poststatus.php:

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

include("connect.php");
include("auth_login.php");

// just define at the top of the script index.php
$username = '';
$username = $_SESSION['username'];

$body = '';

if (isset($_POST['bts'])) {

    if (empty($_POST["status"])) {
        echo "You didn't enter anything . <a href= profile.php>Try again</a>";
    } else {

        $sql = "INSERT INTO posts (username, body ) VALUES ('" . $username . "', '" . $body . "')";

        if (mysqli_query($conn, $sql)) {
            echo "<a href= home.php>Post added to your timeline.</a>";
        } else {
            echo "<br>error posting . <br> <a href= profile.php>Try again</a> " .
                mysqli_error($conn);
        }
    }
}
  • are you sure you have a proper value in $username and $body ... try var_dump($username) before insert .. – ScaisEdge May 20 '17 at 19:26
  • 1
    Because you're inserting an empty value. What did you think this line set the variable to?: `$body = '';` Also note that this code is *wide open* to **SQL injection** and you're allowing users to execute arbitrary code on your server. – David May 20 '17 at 19:30
  • It's showing me this and I don't know what it means `C:\wamp\www\testwebsite\poststatus.php:14:string 'username264' (length=11) ` –  May 20 '17 at 19:30
  • @David I did this `$body= ''; $body= $_SESSION['body'];` but the same thing is happening –  May 20 '17 at 19:32
  • @mkd: Then it would seem that session value isn't set to anything. Where do you set it? And why would you want to insert a session value instead of what was posted from the form? – David May 20 '17 at 19:36
  • In the poststatus.php file . I also get this `Notice: Undefined index: body` –  May 20 '17 at 19:37
  • @mkd: That session value isn't defined because you never defined it. Nor should you, that wouldn't really make sense. You already have another line of code looking in $_POST["status"], that seems like the value you're looking for. – David May 20 '17 at 19:41
  • so how do I fix my original problem? –  May 20 '17 at 19:44

1 Answer


You have not defined where the $body variable should get its value, so your code should look like this:

profile.php :

<form action="poststatus.php" method="post">
<textarea rows="3" cols="25" name="status" id="status">
</textarea>
<button id="bt4" type="submit" name="bts">Post status</button>
</form>

poststatus.php:

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

include("connect.php");
include("auth_login.php");

// just define at the top of the script index.php
$username = '';
$username = $_SESSION['username'];

$body = '';

if (isset($_POST['bts'])) {

    if (empty($_POST["status"])) {
        echo "You didn't enter anything . <a href= profile.php>Try again</a>";
    } else {
        // take the post body from the form field, which the question's code never did
        $body = $_POST["status"];
        // values are still concatenated into the SQL string (see the note below about PDO)
        $sql = "INSERT INTO posts (username, body ) VALUES ('" . $username . "', '" . $body . "')";

        if (mysqli_query($conn, $sql)) {
            echo "<a href= home.php>Post added to your timeline.</a>";
        } else {
            echo "<br>error posting . <br> <a href= profile.php>Try again</a> " .
                mysqli_error($conn);
        }
    }
}

Also, you should not use plain mysqli_query with concatenated values, because it is open to SQL injection; rather use PDO.

Artem Layko
  • Note: This is still *wide open* to **SQL injection** and this should not be used in any live system. – David May 20 '17 at 19:47
  • Now I'm getting this else statement `You didn't enter anything . Try again` –  May 20 '17 at 19:49
  • @David Yes, sure, I've mentioned that in the edit. He should rather use PDO or at least `mysqli_real_escape_string` – Artem Layko May 20 '17 at 19:50
  • @mkd you should also change the name of the field in the HTML part – Artem Layko May 20 '17 at 19:51
  • Thanks, it works, I accepted it as the answer. On what do I use `mysqli_real_escape_string`? Like what string? –  May 20 '17 at 19:56
  • @mkd: This is a good place to start for preventing SQL injection: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – David May 20 '17 at 20:00
  • I don't understand it –  May 20 '17 at 20:03
  • @mkd: If you have a specific example of something that isn't working in some way, that could make a good Stack Overflow question. "It didn't help" isn't really answerable. – David May 20 '17 at 20:03
  • Sorry, I didn't mean to put "it didn't help", I meant to say it's too much to understand for me. If I post a question like this will you help me? –  May 20 '17 at 20:11
  • @mkd: Someone likely will, I may not see that question. One important thing however would be to specify what it is that isn't working as expected and how the question differs from simply "How do I prevent SQL injection", because anything which is already answered by that canonical question would likely be closed as a duplicate. – David May 20 '17 at 20:16
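The accepted answer fixes the empty body but, as the comments say, still builds the INSERT by string concatenation. The version below is an added example, not the asker's or the answerer's code: it reads the status from the form field and sends the values to MySQL through a mysqli prepared statement, which is the mitigation the linked canonical question describes. It assumes connect.php defines $conn as a mysqli connection, auth_login.php starts the session and sets $_SESSION['username'], the table is posts(username, body) as in the question, and a login.php page exists to redirect to (that page name is an assumption).

```php
<?php
// Added example (not from the question or the answer): poststatus.php with the
// post body taken from the form and inserted via a prepared statement.
// Assumptions: connect.php provides $conn (mysqli), auth_login.php starts the
// session and sets $_SESSION['username'], table posts(username, body) exists,
// and login.php is a hypothetical login page.
declare(strict_types=1);

ini_set('display_errors', '1');
error_reporting(E_ALL);

require 'connect.php';
require 'auth_login.php';

// never trust a username that the session did not set
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}
$username = (string) $_SESSION['username'];

// only handle a real submission of the profile.php form
if (!isset($_POST['bts'])) {
    header('Location: profile.php');
    exit;
}

// trim() so that a status made only of whitespace counts as empty,
// and ?? so a missing field does not raise an "Undefined index" notice
$body = trim((string) ($_POST['status'] ?? ''));

if ($body === '') {
    echo 'You didn\'t enter anything. <a href="profile.php">Try again</a>';
    exit;
}

// Prepared statement: the SQL text contains only placeholders, and the values
// travel separately, so quotes or SQL keywords inside $body are stored as plain
// text instead of changing the query.
$stmt = mysqli_prepare($conn, 'INSERT INTO posts (username, body) VALUES (?, ?)');
if ($stmt === false) {
    error_log('prepare failed: ' . mysqli_error($conn));
    echo 'Error posting. <a href="profile.php">Try again</a>';
    exit;
}
mysqli_stmt_bind_param($stmt, 'ss', $username, $body);

if (mysqli_stmt_execute($stmt)) {
    echo '<a href="home.php">Post added to your timeline.</a>';
} else {
    // keep the database error detail in the server log, not in the response
    error_log('insert failed: ' . mysqli_stmt_error($stmt));
    echo 'Error posting. <a href="profile.php">Try again</a>';
}
mysqli_stmt_close($stmt);
```

With this form there is no string to pass to `mysqli_real_escape_string` at all, which answers the question asked in the comments: the escaping function is only needed when values are concatenated into SQL, and prepared statements remove that step. The same pattern with PDO is `$pdo->prepare('INSERT INTO posts (username, body) VALUES (?, ?)')->execute([$username, $body])`. The original mysqli_error() output was also dropped from the user-facing page, since it reveals table and column names to whoever triggers the failure.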