0

So I'm actually displaying the form itself via an include on another page that is already running a SQL query pulling from the same database. The query on that page displays fine, along with the html form itself. Where I'm going wrong is, I believe, in the form12.php file. Below are snippets of the html form & then the form12.php.

snippet of the form: 

<div>
 <h2>Enter a Pokemon:</h2>

 <form id="PokeEntryForm" action="form12.php" method="post">
    <fieldset>
         <p>
            <label for="unique_id">ID</label>
            <input id="unique_id" name="id" type="text" value="" />
         </p>
        <p>
            <label for="monster_name">Name</label>
            <input id="monster_name" name="name" type="text" value="" />
         </p>
         <p>
            <label for="onster_type_1">Type 1</label>
            <input id="monster_type_1" name="type_1" type="text" value="" />

The name of the table in the "pokemon" database that I want to insert the form data into is "monsters".

form12.php file:

<?php
require('mysqli_connect12.php'); 

if(isset($_POST['submit'])){

    $id = mysql_real_escape_string($_POST['id']);
    $name = mysql_real_escape_string($_POST['name']);
    $type_1 = mysql_real_escape_string($_POST['type_1']);
    $type_2 = mysql_real_escape_string($_POST['type_2']);
    $evolves = mysql_real_escape_string($_POST['evolves']);


mysql_query($dbc,"INSERT INTO monsters (poke_id, poke_name, poke_type_a, poke_type_b, evolution) VALUES ('$id', '$name', '$type_1', '$type_2', '$evolves')" 
or die(mysql_error());  
echo "Pokemon Inserted!";


echo 'Thank you for submitting a new pokemon!';
} 

?>
whxtn3y
  • 1
  • 2
    You should **stop** using the `mysql_*`-functions. They were deprecated back in PHP 5.5 and completely removed in PHP 7. Use PDO or Mysqli instead. – M. Eriksson May 16 '19 at 15:19
  • you're also open to SQL injection and should fix straight away – treyBake May 16 '19 at 15:20
  • Using `phpMyAdmin` That may explain a lot – RiggsFolly May 16 '19 at 15:20
  • also, phpMyAdmin is an interface - not a database – treyBake May 16 '19 at 15:20
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's – RiggsFolly May 16 '19 at 15:20
  • 1
    `require('mysqli_connect12.php');` - Is your connection using `mysqli`? Then you have to use that API in the rest of your code as well. – M. Eriksson May 16 '19 at 15:21
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[this happens](https://media.giphy.com/media/kg9t6wEQKV7u8/giphy.gif)** it is deprecated and has been for years and is gone for ever in PHP7.0+. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly May 16 '19 at 15:21
  • You don't show `'mysqli_connect12.php` but it says mysql**i**. – AbraCadaver May 16 '19 at 15:21

0 Answers0