OK, so this is pretty basic, but it's driving me nuts.

```html
<div class="heading"><h2>Make a post</h2></div>
<form action="post.php" method="POST">
    <div class="head"><h3>Title</h3></div>
    <textarea name="title" rows="2" cols="45"></textarea>
    <div class="desc"><h3>Content</h3></div>
    <textarea name="description" rows="15" cols="45"></textarea><br>
    <input type="submit" value="Submit">
    <p id="error_p"><?php echo (!empty($_SESSION['post_message']))? $_SESSION['post_message']:""; ?></p>
</form>
```

html part

```php
if(!empty($_POST['title']) && !empty($_POST['description']))
{
    $title=$_POST['title'];
    $description=$_POST['description'];
    $user_id=$_COOKIE['user_id'];

    $query="INSERT INTO posts (title,description,user_id)
    VALUES('".$title."','".$description."','".$user_id."');";
    $result=mysqli_query($conn,$query);
    if($result)
    {
        $_SESSION['post_message']="Posting succ";
        header('Location: profile.php');
    }
    else
    {
        $_SESSION['post_message']="something gone wrong";
        header('Location: profile.php');
    }
}
```

php part

I just can't find the problem; I have been getting the "something gone wrong" error no matter what I do.

  • 2
    Don't redirect, and replace `something went wrong` with the real error. http://php.net/manual/en/mysqli.error.php You also are open to SQL injections. – user3783243 May 23 '18 at 20:04
  • 1
    First, why are you storing the **error message** in the `$_SESSION` info? Second, please be aware that your code is **vulnerable** to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**prepared statements**](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) to prevent this. Also ensure that your database user only has the [**required privileges**](https://en.wikipedia.org/wiki/Principle_of_least_privilege). You can refer to [**this post**](http://stackoverflow.com/questions/60174) for further information on how to prevent SQL injection in PHP. – Obsidian Age May 23 '18 at 20:06
  • 1
    Probably the description contains a quote character. If you use prepared statements this wouldn't be a problem. Take a look at `echo $query;` – Barmar May 23 '18 at 20:17
  • You must use prepared statements. `$query="INSERT INTO posts (title,description,user_id) VALUES('".$title."','".$description."','".$user_id."');";` You have an extra semicolon at the end of values bracket `$query="INSERT INTO posts (title,description,user_id) VALUES('".$title."','".$description."','".$user_id."')";` – Akash Apr 12 '19 at 18:37
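
The two fixes the comments above ask for (a prepared statement instead of string concatenation, and surfacing the real database error), as an added example that is not code from the question or from any commenter. The connection settings and the `create_post` helper name are assumptions; the table and column names are the ones in the question.

```php
<?php
// Added example (not the asker's code). Assumes the `posts` table from the
// question and the placeholder connection settings used below.
declare(strict_types=1);
session_start();

// Make mysqli throw exceptions so the real error is never silently dropped.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one post and returns its new id.
function create_post(mysqli $conn, string $title, string $description, int $userId): int
{
    // Placeholders keep user input out of the SQL text, so a quote character
    // in the description can neither break the statement nor alter it.
    $stmt = $conn->prepare(
        'INSERT INTO posts (title, description, user_id) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('ssi', $title, $description, $userId);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

$title = trim($_POST['title'] ?? '');
$description = trim($_POST['description'] ?? '');

if ($title !== '' && $description !== '') {
    try {
        // Placeholder credentials (assumption): replace with your own.
        $conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
        $conn->set_charset('utf8mb4');
        // user_id is read from the cookie as in the question; the cast
        // guarantees that only an integer is ever bound.
        create_post($conn, $title, $description, (int) ($_COOKIE['user_id'] ?? 0));
        $_SESSION['post_message'] = 'Post saved';
    } catch (mysqli_sql_exception $e) {
        // The real database error goes to the server log; the page shows a
        // generic message so schema details are not exposed to visitors.
        error_log('post.php insert failed: ' . $e->getMessage());
        $_SESSION['post_message'] = 'Could not save the post';
    }
    header('Location: profile.php');
    exit;
}
```

While debugging locally, the logged message from `$e->getMessage()` is the "real error" the first comment refers to.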
