-3

I am trying to get text from a text box into my database, but it won't go through. I have tried so many things, please help!! The else statement always executes, because I get the message "no submission received on my webpage", which means the first if statement definitely executes.

  • 4
    There is no input named 'submit'. – FirstOne Aug 13 '18 at 19:52
  • 1
    `$query= 'INSERT INTO hamsasubmissions (secret,popularity) VALUES ("$_POST["newSecret"]",0)';` should be `$query= "INSERT INTO hamsasubmissions (secret,popularity) VALUES ('".$_POST['newSecret']."',0)";` But [Little Bobby](http://bobby-tables.com/) says [you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/). Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). – GrumpyCrouton Aug 13 '18 at 19:53
  • Well, really, it _should_ be parameterized/bound instead of injected like that. – Patrick Q Aug 13 '18 at 19:55
  • I recommend reading the PHP documentation on [prepared statements.](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Evan Edwards Aug 13 '18 at 19:57

3 Answers

1

As FirstOne said you need to name the input "submit".

```html
<input class="input" type="submit" name="submit" value="شارك"/>
```
Evan Edwards
  • 182
  • 11
  • Thank you so much! Someone else was handling the HTML so I thought it would be fine –  Aug 13 '18 at 20:54
0

Hello. There are two problems with your code.

First, add a name attr to your submit button, because you are checking `isset($_POST['submit'])`:

```html
<input class="input" type="submit" name="submit" value="شارك"/>
```

Second, update your `$query` with this:

```php
$query= "INSERT INTO hamsasubmissions (secret,popularity) VALUES ('".$_POST["newSecret"]."',0)";
```
Raw Scripter
  • 113
  • 1
  • 12
0

First of all, you didn't give the submit button a name, so you must name it 'submit' to match what you wrote in your code. Also, your SQL query seems to be incorrect; here's a snippet with the desired changes:

```php
<form method="post" action="post.php">
    <textarea name="newSecret" id="help" class="textarea" rows="20" cols="100">
    </textarea>
    <input class="input" name="submit" type="submit" value="شارك"/>
</form>

<?php
if (isset($_POST['submit'])) {
    // Trim possible beginning/ending whitespace from the textarea value. But you still need to escape it against SQL injection!
    $newSecret = trim($_POST['newSecret']);
    // Continue only when the trimmed value has at least one character
    if (isset($newSecret[0])) {
        include "db_connect.php";
        $query = "INSERT INTO hamsasubmissions (secret,popularity) VALUES ('" . $newSecret . "', 0)";

        if (!mysqli_query($mysqli, $query)) {
            echo "no submission received";
        } else {
            echo "Secret submitted.";
        }
    }
}
?>
```
ThS
  • 4,597
  • 2
  • 15
  • 27
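
The prepared-statement form that the comments recommend, written for the table and form field used in this thread. This is an added example, not code from any of the posters; `insert_secret` is a hypothetical helper name, and `db_connect.php` is assumed to define `$mysqli` as in the snippet above.

```php
<?php
// Added example: parameterized INSERT for the hamsasubmissions table from this thread.
// insert_secret() is a hypothetical helper name; db_connect.php is assumed to define $mysqli.

function insert_secret(mysqli $mysqli, $rawSecret): bool
{
    // A request like newSecret[]=x makes $_POST['newSecret'] an array; reject non-strings.
    if (!is_string($rawSecret)) {
        return false;
    }
    $secret = trim($rawSecret);
    if ($secret === '') {
        return false;
    }

    try {
        // The ? placeholder is sent separately from the SQL text, so quotes in
        // $secret cannot terminate the string literal or add SQL of their own.
        $stmt = $mysqli->prepare(
            'INSERT INTO hamsasubmissions (secret, popularity) VALUES (?, 0)'
        );
        if ($stmt === false) {            // pre-8.1 default: errors reported by return value
            error_log('prepare failed: ' . $mysqli->error);
            return false;
        }
        $stmt->bind_param('s', $secret);  // 's' = bind as string
        $ok = $stmt->execute();
        if (!$ok) {
            error_log('execute failed: ' . $stmt->error);
        }
        $stmt->close();
        return $ok;
    } catch (mysqli_sql_exception $e) {   // PHP 8.1+ default: mysqli throws on error
        error_log('insert failed: ' . $e->getMessage());
        return false;
    }
}

// Same form field and messages as the snippets above.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['submit'])) {
    include 'db_connect.php';
    echo insert_secret($mysqli, $_POST['newSecret'] ?? null)
        ? 'Secret submitted.'
        : 'no submission received';
}
```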