-1

I have the following code:

I have added a new row to the database called "titlu", but when I submit the form, that row gets nothing. I'm so confused. Can someone explain to me what is wrong?

```php
if(isset($_POST['submit'])) {
    // Get POST variables, assign to regular variables
    $question_number = $_POST['question_number'];
    $question_text = $_POST['question_text'];
    $correct_choice = $_POST['correct_choice'];
    // choices array
    $choices = [];
    $choices[1] = $_POST['choice1'];
    $choices[2] = $_POST['choice2'];
    $choices[3] = $_POST['choice3'];
    $choices[1] = $_POST['titlu1'];
    $choices[2] = $_POST['titlu2'];
    $choices[3] = $_POST['titlu3'];

    // Insert question
    $query = "INSERT INTO `questions` (question_number, question) VALUES('$question_number','$question')";

    $insert_row = $mysqli->query($query) or die($mysqli->error.__LINE__);

    if($insert_row){
        foreach($choices as $choice => $value)
        {
            if($value != ''){
                if($correct_choice == $choice) {
                    $is_correct = 1;
                } else {
                    $is_correct = 0;
                }
                $query = "INSERT INTO `choices`(question_number, is_correct, choice, titlu)VALUES('$question_number', '$is_correct', '$value', '$value')";

                $insert_row = $mysqli->query($query) or die($mysqli->error.__LINE__);

                if($insert_row) {
                    continue;
                } else {
                    die('Error : ('.$mysqli->errno.') ' . $mysqli->error);
                }
            }
        }
        $msg = "Questions has been added";
    }
}
```

I think here is the problem:

```php
if($insert_row){
    foreach($choices as $choice => $value)
```

  • 2
    Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Feb 18 '19 at 20:03
  • That page will be hidden. Will be safe. Will be only for me. Thank you for the suggestion :) – David Claudiu Feb 18 '19 at 20:05
  • 1
    You should write safe code even if you think you'll be the only one ever using it. Your question text might have a `'` in it, for example, which will break your script even with normal, non-malicious submissions. That said, I don't see where you define `$question`, and `$question_text` appears to be unused. – ceejayoz Feb 18 '19 at 20:08
  • You are not printing the message at the end of the script. Have you checked the DB to see if rows are inserted? – Andrii Filenko Feb 18 '19 at 20:15
  • Yes. All rows are inserted, but when I write text in the input form for the "titlu" row, nothing is added – David Claudiu Feb 18 '19 at 20:18

1 Answer

2

When you `INSERT INTO questions`, you are inserting the value of an undefined variable, `$question`, instead of what I assume you are trying to insert, `$question_text`.

Your query should look like this.

```sql
INSERT INTO `questions` (question_number, question) VALUES('$question_number','$question_text')
```

EDIT:

Maybe what you want to do is set up `$choices` so that the key for each value is the "titlu":

```php
$choices[$_POST['titlu1']] = $_POST['choice1'];
...
```

Then you can set your second query to be

```sql
INSERT INTO `choices`(question_number, is_correct, choice, titlu) VALUES('$question_number', '$is_correct', '$value', '$choice')
```

or something like that.

Brandon
  • Thank you man. I edited. My problem is that the "choice" and "titlu" rows are filled with the same text, even if I put in different ones. Now I see the database row "choice" will fill with "titlu" texts – David Claudiu Feb 18 '19 at 20:23
  • @DavidClaudiu If this answer helped you please accept it by clicking the checkmark underneath the downvote button – Brandon Feb 18 '19 at 20:53
  • Wow. Sorry man. I just saw that you edited your post with new information. Sorry for the last message. I'll accept the answer. Have a nice day – David Claudiu Feb 18 '19 at 22:04
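
An added example, not part of the question or the answer: the same form handler written with PDO prepared statements and bound parameters, as the first comment recommends, with `choice` and `titlu` read into separate values so that one no longer overwrites the other. The function name `save_question`, the in-memory SQLite schema and the sample input are assumptions constructed for illustration.

```php
<?php
// Hypothetical helper (not from the page); table and column names are the question's.
function save_question(PDO $pdo, array $post): int
{
    $number  = (int) $post['question_number'];
    $correct = (int) $post['correct_choice'];
    $pdo->beginTransaction();
    try {
        // Placeholders keep submitted text out of the SQL string entirely.
        $q = $pdo->prepare(
            'INSERT INTO questions (question_number, question) VALUES (?, ?)');
        $q->execute([$number, $post['question_text']]);
        $c = $pdo->prepare(
            'INSERT INTO choices (question_number, is_correct, choice, titlu)
             VALUES (?, ?, ?, ?)');
        $saved = 0;
        for ($i = 1; $i <= 3; $i++) {
            // Read choice and titlu separately so neither overwrites the other.
            $choice = $post["choice$i"] ?? '';
            $titlu  = $post["titlu$i"] ?? '';
            if ($choice === '') {
                continue; // skip empty choices, as the original loop does
            }
            $c->execute([$number, (int) ($correct === $i), $choice, $titlu]);
            $saved++;
        }
        $pdo->commit();
        return $saved;
    } catch (Throwable $e) {
        $pdo->rollBack(); // leave no half-inserted question behind
        throw $e;
    }
}

// Constructed demo: in-memory SQLite stands in for the MySQL database (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE questions (question_number INTEGER, question TEXT)');
$pdo->exec('CREATE TABLE choices (question_number INTEGER, is_correct INTEGER,
            choice TEXT, titlu TEXT)');
// Constructed sample input; the apostrophes would break the concatenated query.
$post = ['question_number' => '1', 'question_text' => "What's PHP?",
    'correct_choice' => '2',
    'choice1' => 'A database',  'titlu1' => "Editor's pick",
    'choice2' => 'A language',  'titlu2' => 'Second title',
    'choice3' => '',            'titlu3' => ''];
echo save_question($pdo, $post), " choices saved\n";
print_r($pdo->query('SELECT * FROM choices')->fetchAll(PDO::FETCH_ASSOC));
```

Against MySQL, only the PDO connection string changes; the prepared statements stay the same.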