unable to insert answer in database stored in textarea input using php

Question

This file contains the code for search form:

search.php

<?php
session_start();
?>
<html>
    <head>
        <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
    </head>
    <body>
        <?php
        echo"WELCOME ".strtoupper($_SESSION['user']);
        ?>
        <form method="get" action="searched.php">
            <label for="ques"></label>
            <input type="text" name="title" id="title" placeholder="Search...">
            <button type="submit" name="search"><i class="fa fa-search"></i></button>
        </form>
        <form method="post" action="question.php">
            <button type="submit" name="ask_ques">Ask a Question</button>
        </form>
    </body>
</html>

This file gets the input from search bar and displays the title with question and answer if any. It also contains a comment box to answer the question:

searched.php

<?php
session_start();
?>

<html>
    <head>
    </head>
    <body>
         <?php
            $conn=new mysqli("localhost","khushank","sethi","q&a");
            if($conn->connect_error){
                echo "unable to connect";
            }
            if($_SERVER['REQUEST_METHOD']=='GET'){
                if(isset($_GET['search'])){
                    $title=$_GET['title'];
                    $qsel=" SELECT title,qemail,ques FROM question WHERE title='$title' ";
                    if($qresult=$conn->query($qsel)){
                        if($qresult->num_rows==0){
                            header('location:question.php');
                        }
                        else{
                            while($qres=$qresult->fetch_assoc()){
                                echo "<strong>".ucfirst($qres['title'])."</strong><br><br>";
                                echo $qres['qemail'];
        ?> 
                                <textarea cols="65" id="qdes"><?php echo $qres['ques']; ?></textarea><br><br> 
        <?php  
                                $asel=" SELECT answer.aemail,answer.ans FROM question JOIN answer ON question.ques=answer.ques ";
                                if($aresult=$conn->query($asel)){
                                    if($aresult->num_rows>0){
                                        while($ares=$aresult->fetch_assoc()){
                                            echo"Answer:";
        ?>
                                            <textarea cols="65" id="ades"><?php echo $ares['ans']; ?></textarea><br><br>           
        <?php               
                                        }
                                    }
        ?>
                                    <form method="get" action="insertA.php?$ques='$qres['ques']'">
                                        <label for="ans"><?php 

                                            echo $_SESSION['user'];
                                        ?></label>
                                        <textarea cols="90" name="ans" placeholder="Your Answer"></textarea>
                                        <input type="submit" name="comment" value="submit">
                                    </form> 
        <?php              


                                }
                                else{
                                    echo "answer not selected";
                                }
                            } 
                        }  
                    }
                    else{
                        echo"not selected";    
                    }
                }
            }
            $conn->close();
        ?>           
    </body>
</html>

In this file answer is stored using GET method, but unable to get inserted into the database:

insert.php

<?php
require 'searched.php';
$conn=new mysqli("localhost","khushank","sethi","q&a");
if($conn->connect_error){
    echo "unable to connect";
}
echo"connected";
if($_SERVER['REQUEST_METHOD']=='GET'){
    if(isset($_GET['comment'])){
        $ans=mysql_real_escape_string($_GET['ans']);
        $username=$_SESSION['user'];
        //$ques=$_GET['$ques'];
        $insa=" INSERT INTO answer(aemail,ans) VALUES('$username','$ans') " ;
        if($conn->query($insa)){
            echo"inserted";
            echo"<script type='text/javascript'>".'alert("your answer is posted successfully");
            </script>';
        }
        else{
            echo"not inserted";
        }
    }
}
else{
    echo"1";
}
$conn->close();
?>

I'm unable to insert the values stored in $ans.

Your code is vulnerable to [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [mysqli](https://secure.php.net/manual/en/mysqli.prepare.php) or [PDO](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). — , Jun 17 '18 at 09:04

score 0 · Accepted Answer · answered Jun 17 '18 at 08:19

0

the problem is you can not write php direct into html. watch your search.php form tag. use this.

<form method="get" action="insert.php?<?php echo "$ques='".$qres['ques']."'">

and one more thing your page name is just insert.php not insertA.php

answered Jun 17 '18 at 08:19

vivek modi

800
2
7
23

score 0 · Answer 2 · answered Jun 17 '18 at 10:17

Here is the corrected solution to your problem. Though I do not see your schema, it looks like it is a bit wrong since you are joining the table using question field which according to your question is likely of string datatype. So here is the proposed db structure:

Question table:

DROP TABLE IF EXISTS `question`;
CREATE TABLE IF NOT EXISTS `question` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `title` varchar(50) NOT NULL,
  `qemail` varchar(100) NOT NULL,
  `que` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
--
-- Dumping data for table `question`
--    
INSERT INTO `question` (`id`, `title`, `qemail`, `que`) VALUES
(1, 'Physics', 'thanga@gmail.com', 'This is the quesiotn');
COMMIT;

Answer Table:

CREATE TABLE IF NOT EXISTS `answer` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `questionid` int(11) NOT NULL,
  `aemail` varchar(100) NOT NULL,
  `ans` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;
--
-- Dumping data for table `answer`
--
INSERT INTO `answer` (`id`, `questionid`, `aemail`, `ans`) VALUES
(1, 1, 'thanga@gmail.com', 'My answer is here'),
(2, 1, 'Khuskant', 'The new answer');

We add the question id in the answer table as we need it for joining both tables. It means we relation using the question id.

Change search.php to this:

<?php
session_start();
$_SESSION['user']='Khuskant'
?>
<html>
    <head></head>
    <body>
        <?php
        echo"WELCOME ".strtoupper($_SESSION['user']);
        ?>
        <form method="get" action="searched.php">
            <label for="ques"></label>
            <input type="text" name="title" id="title" placeholder="Search...">
            <button type="submit" name="search" value="token"><i class="fa fa-search"></i></button>
        </form>
        <form method="post" action="question.php">
            <button type="submit" name="ask_ques">Ask a Question</button>
        </form>
    </body>
</html>

When you submit the above form, you either go to question.php or searched.php depending on the availability of the search term in the db. If you want match the search term with the exact data stored in the question table, the following code will do: searched.php

<?php
session_start();
require_once "dbconnect.php";
?>
<html>
    <head>
    </head>
    <body class="content">
         <?php            
            if($_SERVER['REQUEST_METHOD']=='GET'){
                if(isset($_GET['search'])){
                    $title= filter_var($_GET['title'],FILTER_SANITIZE_STRING);
                    $stmt = $conn->prepare("SELECT id, title, qemail, que 
                             FROM question WHERE title=?");
                    $stmt->bind_param("s", $title);
                    $stmt->execute();
                    $result = $stmt->get_result();  
                    if($result->num_rows==0){
                        header('location:question.php');
                    }else{
                        while ($qres = $result->fetch_array(MYSQLI_ASSOC)) {
                            echo "<strong>".ucfirst($qres['title'])."</strong><br><br>";
                            echo $qres['qemail']; ?>
                            <textarea cols="65" id="qdes"><?php echo $qres['que']; ?></textarea>
                        <?php 
                            $qid = $qres['id'];
                            $aresult = $conn->query("SELECT answer.aemail, answer.ans 
                                                    FROM question 
                                                    LEFT JOIN answer ON question.id=answer.questionid
                                                    WHERE question.id=$qid");                           
                            if($aresult->num_rows>0){
                                 while($ares = $aresult->fetch_assoc()){                                        
                                      echo"<br>Answer:"; ?>
                                  <textarea cols="65" id="ades"><?php echo $ares['ans']; ?></textarea><br><br>           
                            <?php } } ?>
                            <form method="get" action="insert.php">
                               <label for="ans"><?php echo $_SESSION['user'];?></label>
                                <textarea cols="90" name="ans" placeholder="Your Answer"></textarea>
                                <input type="hidden" name="qid" value="<?php echo $qid;?>">
                                <input type="submit" name="comment" value="submit">
                            </form>
                    <?php 
                    }
                }
            }
        } ?>       
    </body>
</html>

if you want a partial match, you have to change this part of the code:

$stmt = $conn->prepare("SELECT id, title, qemail, que 
                        FROM question WHERE title=?");
$stmt->bind_param("s", $title);

to

$stmt = $conn->prepare("SELECT id, title, qemail, que 
                        FROM question WHERE title LIKE ?");
$stmt->bind_param("s", $title."%");

Change the insert.php to:

<?php
session_start();
require 'dbconnect.php';
if($_SERVER['REQUEST_METHOD']=='GET'){
    if(isset($_GET['comment'])){
        $ans=filter_var($_GET['ans'], FILTER_SANITIZE_STRING);
        $qid=filter_var($_GET['qid'], FILTER_SANITIZE_NUMBER_INT);
        $username=$_SESSION['user'];
        $insa= $conn->prepare("INSERT INTO answer(questionid, aemail, ans) VALUES(?,?,?)");
        $insa->bind_param('iss', $qid, $username, $ans);
        $insa->execute();
        if($insa->affected_rows>0){
            echo $insa->affected_rows." rows inserted";
            exit;           
        } else{
            echo"not inserted";
            exit;
        }
    }
}
else{
    echo "1";
}
$conn->close();
?>

dbconnect.php

$conn = new mysqli("localhost", "user", "pass", "testdb");
if ($conn->connect_errno) {
    echo "Failed to connect to MySQL: " . $conn->connect_error;
}

Put them all in the same directory, it will works. Hope this helps you.

@KhushankSethi, if it helps, you can click the tick icon to accept that it helps you. We did that to get reputation here. — Mawia HL, Jun 17 '18 at 16:50

unable to insert answer in database stored in textarea input using php

2 Answers2