
I have an input form with a prepared statement that should insert into SQL and print the input, but all I get is a blank page with the input PHP address. Have I missed something? I have changed the code to the version below, but all that appears is NULL. The date field is SQL type date, and the string I entered into it to test is "2008-11-11", without the quotes of course.

    <?php
    function shutdown(){
      var_dump(error_get_last());
    }

    register_shutdown_function('shutdown');
    session_start();
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    include("dbconfig.php");
    $errorvar = "";
    if (isset($_POST['submit'])) {
        if (empty($_POST['Title']) || empty($_POST["Date"]) || empty($_POST["Country"]) || empty($_POST["bloguser"]) || empty($_POST["Blogentry"])) {
            $errorvar = "You dun gooffed";
            echo $errorvar;
        } else {
            //defining and injection protecting data
            $title = $_POST['Title'];
            $date = $_POST['Date'];
            $country = $_POST['Country'];
            $bloguser = $_POST['bloguser'];
            $blogentry = $_POST['Blogentry'];

            $stmt = $mysqli->prepare("INSERT INTO blogs (BlogName,blogDate,country,bloguser,Blogdata) VALUES (?,?,?,?,?)");

            $stmt->bind_param('sssss', $title, $date, $country, $bloguser, $blogentry);

            if ($stmt->execute()) {
                echo "New records created successfully";
                printf("%d Row inserted.\n", $stmt->affected_rows);
                header("location:index.php");
            } else {
                header("location:index.php");
                echo $conn->error;
            }
            $stmt->close();
            $conn->close();
            header("location:index.php");
        }
    }
    ?>

The HTML form is below:

    <fieldset style="width:45%"><legend>Blog data entry</legend>
        <form name="Blogentry" action="Inputform.php" method="POST">
            <label for="Title">Title: </label>
            <input type="text" name="Title" value="" size="40"/><br>
            <label for="Date">Date: </label>
            <input type="text" name="Date" value="" size="40"/><br>
            <label for="Country">Country: </label>
            <input type="text" name="Country" value="" size="40"/><br>
            <label for="bloguser">User: </label>
            <input type="text" name="bloguser" value="" size="40"/><br>
            <label for="Blogentry">Blog: </label>
            <textarea name="Blogentry" rows="4" cols="20">
            </textarea><br>
            <input id="button" type="submit" name="submitblog" value="submit-blog">
        </form>
            </fieldset>
    </body>
</html>
user1305085
  • mysqli_real_escape_string will return empty if the mysqli connection is not valid, and the way you are using the prepared statement is incorrect – Eng Cy Jun 07 '17 at 09:28
  • Can we take a look at the form? – Arthur Jun 07 '17 at 09:29
  • Possible duplicate of [PHP's white screen of death](https://stackoverflow.com/questions/1475297/phps-white-screen-of-death) – CBroe Jun 07 '17 at 09:31

2 Answers

Enable error reporting: add this at the top of your script

    error_reporting(E_ALL);
    ini_set('display_errors', 1);

and then use prepared statements properly. As far as your script goes, there are no parameters that you are binding:

    <?php
    session_start();
    include("dbconfig.php");
    $errorvar = "";
    // the posted form's submit button is named "submitblog", not "submit"
    if (isset($_POST['submitblog'])) {
        if (empty($_POST['Title']) || empty($_POST["Date"]) || empty($_POST["Country"]) || empty($_POST["bloguser"]) || empty($_POST["Blogentry"])) {
            $errorvar = "You dun gooffed";
            echo $errorvar;
        } else {
            //defining and injection protecting data
            $title     = $_POST['Title'];
            $date      = $_POST['Date'];
            $country   = $_POST['Country'];
            $bloguser  = $_POST['bloguser'];
            $blogentry = $_POST['Blogentry'];

            $stmt = $conn->prepare("INSERT INTO blogs (BlogName,blogDate,country,bloguser,Blogdata) VALUES (?,?,?,?,?)");

            $stmt->bind_param("sssss", $title, $date, $country, $bloguser, $blogentry);

            if ($stmt->execute()) {
                echo "New records created successfully";
                printf("%d Row inserted.\n", $stmt->affected_rows);
                header("location:index.php");

            } else {

                echo $conn->error;
            }
            $stmt->close();
            $conn->close();
        }
    }
    ?>
Masivuye Cokile

You don't need to escape anything since you are using bind, so drop the mysqli_real_escape.

You have errors in your query, as I point out in the code below:

    $stmt = $mysqli->prepare("INSERT INTO blogs (BlogName,blogDate,country,bloguser,Blogdata) VALUES (?,?,?,?,?)");
    // question marks will be replaced with data - use question marks!
    $stmt->bind_param('sssss', $title, $date, $country, $bloguser, $blogentry);
    // number of bound parameters should match number and order of question marks

    $stmt->execute();
George Dryser
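
The handler below is an added example, not code from the question or either answer. It tests the button name the posted form actually sends (`submitblog`), rejects non-string or blank fields and malformed dates before the prepared INSERT, and redirects only when nothing has been output. It assumes `dbconfig.php` creates the mysqli connection as `$conn`; `validate_blog` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's or answerers' code.
// Assumption: dbconfig.php creates the mysqli connection as $conn.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
session_start();
require "dbconfig.php";

// Hypothetical helper: returns validation errors for the posted fields.
function validate_blog(array $post): array
{
    $errors = [];
    foreach (['Title', 'Date', 'Country', 'bloguser', 'Blogentry'] as $f) {
        // Reject missing, array-valued (Title[]=x) and whitespace-only input.
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            $errors[] = "$f is required";
        }
    }
    if (!$errors) {
        // blogDate is a DATE column: accept only a real date in Y-m-d form.
        $d = DateTime::createFromFormat('!Y-m-d', $post['Date']);
        if (!$d || $d->format('Y-m-d') !== $post['Date']) {
            $errors[] = 'Date must look like 2008-11-11';
        }
    }
    return $errors;
}

// The form's submit button is named "submitblog", so test that key.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submitblog'])) {
    $errors = validate_blog($_POST);
    if ($errors) {
        http_response_code(400);
        exit(htmlspecialchars(implode("; ", $errors), ENT_QUOTES, 'UTF-8'));
    }
    [$title, $date, $country, $user, $entry] = [$_POST['Title'], $_POST['Date'],
        $_POST['Country'], $_POST['bloguser'], $_POST['Blogentry']];
    try {
        $stmt = $conn->prepare("INSERT INTO blogs (BlogName,blogDate,country,bloguser,Blogdata) VALUES (?,?,?,?,?)");
        $stmt->bind_param('sssss', $title, $date, $country, $user, $entry);
        $stmt->execute();
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        error_log('blog insert failed: ' . $e->getMessage()); // detail to the log only
        http_response_code(500);
        exit('Could not save the entry.');
    }
    header('Location: index.php'); // nothing echoed yet, so the redirect works
    exit;
}
```

The whitespace check matters for this form because its `<textarea>` submits a newline and spaces when left untouched, which `empty()` would accept as a value.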