This SQL function works on all my scripts except this one. Does anyone see what's wrong with it? The part that isn't working... is the part where it's supposed to insert the variable into a table. The include is for logging in the database, and that's all correct (I double checked).

```php
<?php
session_start();

include_once 'dbh.php';

$confirm = $_POST['confirm'];
$check = $_SESSION['forum_name'];


if ($confirm == $check) {
  include_once 'dbh.php';

  $sql = "INSERT INTO forum_names (name) VALUES ('$forum_name');";
  $result = mysqli_query($conn, $sql);

  header("Location: ../redir.php?postsuccess=success");

} else {
  echo "Your names do not match" . " ";
  echo "<a href='../redir.php'>Click here to try again</a>";
}

?>
```

  • 2
    Well, you never defined the variable `$forum_name`. More specifically, what exactly do you expect this to do and what is it actually doing? That is, how *specifically* is it failing? – David May 07 '18 at 15:16
  • 1
    In addition, though perhaps not an exact fix, you should look into using prepared statements in your PHP code. – Tim Biegeleisen May 07 '18 at 15:16
  • 1
    [Relevant xkcd](https://xkcd.com/327/). For the love of all that's holy, do NOT release this software until you've learned to use prepared statements. – RobIII May 07 '18 at 15:19
  • 1
    Brace yourself, `Use Prepared Statements because your Script isn't secure` comments incoming. – Toleo May 07 '18 at 15:19
  • 1
    SQL INJECTION ALERT, see above comment ^ – delboy1978uk May 07 '18 at 15:22
  • Refer to this: https://stackoverflow.com/questions/459457/what-is-a-stored-procedure – Dilip May 07 '18 at 15:24

1 Answer

`$forum_name` doesn't exist. Therefore, either replace it with `$check`, or replace `$check` with `$forum_name`.

I have zero idea how this could possibly work on other pages using that code.

delboy1978uk
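An added example, not part of the original thread: the script from the question with the undefined `$forum_name` replaced by the session value, and the insert done through a mysqli prepared statement as the comments recommend. It assumes `dbh.php` defines `$conn` as a mysqli connection, as the question implies; the error message text and the 500 response are illustrative choices.

```php
<?php
// Added example: corrected form of the script in the question.
// Assumption: dbh.php defines $conn as a mysqli connection.
session_start();

// Make mysqli throw exceptions so a failed INSERT is not silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require_once 'dbh.php';

// Read both values defensively; either may be missing.
$confirm = isset($_POST['confirm']) ? (string) $_POST['confirm'] : '';
$check   = isset($_SESSION['forum_name']) ? (string) $_SESSION['forum_name'] : '';

// Strict comparison, and reject the empty case: with the loose == of the
// original, a missing POST field and a missing session value compare equal.
if ($check === '' || $confirm !== $check) {
    echo "Your names do not match ";
    echo "<a href='../redir.php'>Click here to try again</a>";
    exit;
}

try {
    // The name is sent as a bound parameter, never concatenated into the SQL,
    // so quotes or SQL syntax inside it are stored as plain data.
    $stmt = mysqli_prepare($conn, "INSERT INTO forum_names (name) VALUES (?)");
    mysqli_stmt_bind_param($stmt, 's', $check);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
} catch (mysqli_sql_exception $e) {
    // Log server-side; do not echo database errors to the visitor.
    error_log('forum_names insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo "Could not save the forum name.";
    exit;
}

// Redirect only after the insert succeeded, then stop executing.
header("Location: ../redir.php?postsuccess=success");
exit;
```

With the original string-built query, the same undefined variable produced an `INSERT` of an empty name without any visible error, which is why the script appeared to do nothing.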