-1

During a test to see if my database would receive a username through a form field, the code would not work unless I echo'd out error messages. Why is this? My goal is to send the username through the form field, and retrieve the list of usernames on the same page below the form field.

My HTML for submitting usernames:

    <section id="banner">
    <div class="content">
    <header>
        <h2>Add Usernames Here</h2>
        <form method="post">
        <br><input type="text" name="user_name"><br>
        <input type="submit" value="Submit"> 
        </form>
    </header>
    </div>

For displaying usernames:

    <section id="five" class="wrapper style2 special fade">
    <div class="container">
    <header>
    <h2>Added Usernames</h2>
    <?php require 'post.php'; ?>
    </header>
    </div>
    </section>

And my post.php code:

    <?php
    //connection
    $url = parse_url(getenv("CLEARDB_DATABASE_URL"));
    $server = $url["host"];
    $username = $url["user"];
    $password = $url["pass"];
    $db = substr($url["path"], 1);
    $conn = new mysqli($server, $username, $password, $db);
    //test connection
        if(!$conn)
        {
            echo 'not connected';
        }

        if(!mysqli_select_db($conn,'heroku_cd6b3866e127c21'))
        {
            echo 'database not selected';
        }
    //insert username
        $user_name = $_POST['user_name'];
        $sql = "INSERT INTO store (user_name) VALUES ('$user_name')";

    //test query
        if(!mysqli_query($conn,$sql))
        {
            echo 'not inserted';
        }
        else {
            echo 'inserted';
        }

    //echo all usernames
    mysqli_select_db($db,$conn);
    $sql2 = "SELECT * FROM  store";

    $mydata = mysqli_query('$sql2,$conn');

    while($record = mysqli_fetch_array($mydata)){
        echo "<br>";
        echo  $record['user_name'];
    }
    ?>

This code works until I remove the if statements checking for the connection.

Pacified

3 Answers

2

This is a simple example, only one page named index.php:

    <form action="index.php" method="post">
        <br><input type="text" name="user_name">
        <br><input type="submit" value="Submit">
    </form>

    <?php
    $username = $_POST["user_name"];
    $link = mysqli_connect("127.0.0.1", "root", "", "db12");
    mysqli_query($link, "INSERT INTO users (username) values ('$username')");


    echo $username;

    $query = "SELECT username FROM users";

    $result = mysqli_query($link, $query);
        /* fetch associative array */
        while ($row = mysqli_fetch_array($result)) {
            echo $row['username'] . "<br>";
        }


    /* close connection */
    mysqli_close($link);
    ?>

In a production app, always write a separate page for the insert, and always use prepare: http://php.net/manual/en/mysqli.prepare.php

b2ok
  • I'm using require, would I still need to use action= ' ' in the form field? Also the username is sent to the database without action, but it does not send upon removing my if statements – Pacified Aug 17 '17 at 19:06
  • Yes. After clicking the submit button, the page is called that will do what we want to do. – b2ok Aug 17 '17 at 19:11
  • I don't want to be redirected to a blank page, I just want the page to reload and the username to appear in the list – Pacified Aug 17 '17 at 19:13
  • It is only an example; you use the same page where the form is, of course. – b2ok Aug 17 '17 at 19:14
  • Even after doing this (as well as changing all to mysqli) and changing the action to 'post.php' it doesn't send any information to the database. The page I'm testing: http://chatangu.tk/admin.php – Pacified Aug 17 '17 at 19:22
  • I'm working on all your mistakes. One moment. – b2ok Aug 17 '17 at 19:25
1

You aren't running the query anywhere else except in those if statements.

Try adding $mysqli->query($sql) underneath your declaration of $sql

Blaise
0

You still need to call these functions:

    mysqli_select_db($conn,'heroku_cd6b3866e127c21')

and

    mysqli_query($conn,$sql)

Whether or not they are wrapped in an if statement, you still need to select the db and send it a query. But I wouldn't want to do it like this, I would look into PDO.

http://php.net/manual/en/book.pdo.php

These methods are known for having SQLi vulnerabilities.

Edit

Also this line has an error:

    $mydata = mysqli_query('$sql2,$conn');

I assume it should be:

    $mydata = mysqli_query($conn,$sql2);

Asleepace
  • I don't really have to worry too much about vulnerabilities because I'm only storing names, not actual usernames people use to log in. I want to be able to add them and have users look at the available ones alphabetically. – Pacified Aug 17 '17 at 19:32
  • Ya it is just something to be aware of, if your use case doesn't directly take input from users then you might be ok for the most part, but this line to my hacker side looks nice and juicy: $user_name = $_POST['user_name']; $sql = "INSERT INTO store (user_name) VALUES ('$user_name')"; – Asleepace Aug 17 '17 at 19:37
  • http://prntscr.com/g9rrj3 any idea why it's generating blanks? – Pacified Aug 17 '17 at 19:39
  • There could be a couple of reasons, one is you're not checking the data before inserting them into the db. Try adding something like if (!$_POST['user_name']) die('no username'); – Asleepace Aug 17 '17 at 19:42
  • Generally I would try and separate the logic of inserting and fetching data. Make two files, both can import the same DB, but one is specifically for posting to the DB and the other is specifically for fetching and displaying... – Asleepace Aug 17 '17 at 19:45
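
The advice given in the answers above (use prepared statements, check the input before inserting, keep the insert and the fetch separate), put together as an added example that is not code from any of the posters. It uses PDO with a constructed in-memory SQLite database so it runs offline; the function names, the 64-character limit and the sample requests are assumptions, and the insert is attempted only for POST requests so that a plain page load does not add a blank row.

```php
<?php
// Added example. Constructed in-memory SQLite DB; use your MySQL DSN in a real deployment.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE store (user_name TEXT NOT NULL)');

// Insert path: validate, then bind the value instead of interpolating it.
function add_username(PDO $pdo, $raw): bool
{
    if (!is_string($raw)) {
        return false;                           // field missing from the request
    }
    $name = trim($raw);
    if ($name === '' || strlen($name) > 64) {   // 64 is an assumed limit
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO store (user_name) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

// Fetch path, kept separate from the insert.
function list_usernames(PDO $pdo): array
{
    return $pdo->query('SELECT user_name FROM store ORDER BY user_name')
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Only a POST may insert; a plain page load (GET) just lists.
function handle_request(PDO $pdo, string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'page view, nothing inserted';
    }
    return add_username($pdo, $post['user_name'] ?? null) ? 'inserted' : 'rejected';
}

// Constructed requests standing in for $_SERVER['REQUEST_METHOD'] and $_POST.
$requests = [
    ['GET', []],
    ['POST', ['user_name' => "O'Brien"]],   // quote would break the interpolated query
    ['POST', ['user_name' => '']],
    ['POST', ['user_name' => '  alice ']],
];
foreach ($requests as [$method, $post]) {
    echo $method, ': ', handle_request($pdo, $method, $post), PHP_EOL;
}
foreach (list_usernames($pdo) as $name) {
    // Escape on output, since the stored value is rendered into HTML.
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), '<br>', PHP_EOL;
}
```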