
I am trying to make a chat for my steam site, but anytime I try to post something it won't add it to my database. Here is the code I'm running:

    <?php
    // Connect to database
    include ('steamauth/userInfo.php');
    // On failure mysqli_connect() returns false, so $link->connect_error is unusable; use mysqli_connect_error()
    $link = mysqli_connect("*******", "********", "*******", "******")
        or die("Error: " . mysqli_connect_error());
    // Form vars ($steamprofile comes from userInfo.php)
    $name = $steamprofile['personaname'];
    $text = isset($_POST["text"]) ? $_POST["text"] : '';
    $errors = '';
    // Error messages
    $notext = "<p><strong>Enter Text</strong></p>";

    // On submit: $_POST['submit'] only exists if the button has a name attribute
    // and a non-empty value (see the form below)
    if (isset($_POST['submit'])) {
        if ($text === '') {
            $errors .= $notext;
        } else {
            // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
            $text = filter_var($text, FILTER_SANITIZE_STRING);
        }

        if ($errors) {
            echo "<div class='errors'> " . $errors . "</div>";
        } else {
            // No errors, prepare database
            $name = mysqli_real_escape_string($link, $name);
            $text = mysqli_real_escape_string($link, $text);
            // Insert into database and report a failed query instead of ignoring it
            $sql = "INSERT INTO Messages (text, name) VALUES ('$text', '$name')";
            if (!mysqli_query($link, $sql)) {
                echo "<div class='errors'>Insert failed: " . htmlspecialchars(mysqli_error($link)) . "</div>";
            }
        }
    }
    ?>
    <?php
    if (isset($_SESSION['steamid'])) {
        echo "<div id='send'>
            <form action='#' method='post'>
                <input type='text' id='text' placeholder='Send Message ...' class='input' name='text'>
                <!-- name and a non-empty value are required for \$_POST['submit'] to be set -->
                <input type='submit' id='submit' name='submit' value='Send'>
            </form>
        </div>";
    } else {
        echo "<div class='error' id='chat_log_in'>Please Log In<br>to chat</div>";
    }
    ?>

I'd say there is something wrong with the $name variable. Can anyone tell me what I did wrong here, please?

  • Have you `var_dump()`ed the connection to check whether it's properly connected? Also, are you getting this value `$name = $steamprofile['personaname'];` on button click? – Shahroze Nawaz Aug 26 '17 at 11:51
  • No, $name is set in userinfo.php, hence the include() at the start; the connection is fine because it worked before I set $name – Roman Procházka Jr. Aug 26 '17 at 12:07
  • You do not check for mysql errors, so you cannot possibly know what has gone wrong... – Shadow Aug 26 '17 at 12:14
  • OK, let's keep it simple: first check whether your mysqli connection is returning the correct object, and then check if $name has some value. If that's working, then try this `var_dump(mysqli_query($link, $sql))` and see whether it's returning true or false. – Shahroze Nawaz Aug 26 '17 at 12:28
  • Don't rely on `mysqli_real_escape_string()` to prevent SQL injection, [it alone is not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Aug 26 '17 at 15:58
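The prepared-statement approach recommended in the last comment, applied to the insert from the question, as an added example (not code from the question or from any answer). It assumes `$link` is an open mysqli connection and that the `Messages` table has the `text` and `name` columns used above; `save_message` and `handle_post` are hypothetical helper names.

```php
<?php
// Added example: the chat insert rewritten with a mysqli prepared statement, so the
// message text and persona name travel as bound parameters and are never
// interpolated into the SQL string (no mysqli_real_escape_string needed).
// Assumed: $link is an open mysqli connection; table Messages has columns text, name.

// Make mysqli throw exceptions instead of returning false silently, so a failed
// insert (the symptom in the question) is reported rather than lost.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function save_message(mysqli $link, string $name, string $text): int
{
    // Placeholders instead of '$text' / '$name' inside the query string
    $stmt = $link->prepare("INSERT INTO Messages (text, name) VALUES (?, ?)");
    $stmt->bind_param("ss", $text, $name);   // "ss": both parameters bound as strings
    $stmt->execute();
    $rows = $stmt->affected_rows;            // 1 when the row was inserted
    $stmt->close();
    return $rows;
}

function handle_post(mysqli $link, array $profile, array $post): string
{
    // Detect the submission by the text field, which is always sent, rather than
    // by a submit button whose name attribute may be missing.
    if (!isset($post['text'])) {
        return '';
    }
    $text = trim($post['text']);
    if ($text === '') {
        return "<p><strong>Enter Text</strong></p>";
    }
    try {
        save_message($link, $profile['personaname'], $text);
    } catch (mysqli_sql_exception $e) {
        // Keep the real error server-side; do not echo SQL details to the browser
        error_log("chat insert failed: " . $e->getMessage());
        return "<div class='errors'>Message could not be saved</div>";
    }
    // Escape on output so a stored message is rendered as text, not as markup
    return "<p>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</p>";
}

// Wiring as in the question (credentials are placeholders, $steamprofile from userInfo.php):
// $link = new mysqli("*******", "********", "*******", "******");
// echo handle_post($link, $steamprofile, $_POST);
```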

0 Answers