-1

I'm trying to collect form data with HTML and PHP and it seems to work for everyone but iPhone users, whose submissions provide blank data. Any help would be MUCH appreciated! I've copied the first two questions.

index.php

```html
<form action="report.php" method="post" id="questions" target="_blank">
  <div class="form-group">
    <label for="q0101">What's your first name?</label>
    <br>
    <textarea id="q0101" name="q0101" required class="form-control" rows="1"
              placeholder="e.g.,  Chris"></textarea>
  </div>
  <div class="form-group">
    <label for="q0102">What's your last name?</label>
    <textarea id="q0102" name="q0102" required class="form-control" rows="1"
              placeholder="e.g., Richardson"></textarea>
  </div>
```

report.php:

```php
<?php
  $hostname = "localhost";
  $username = "___";
  $password = "___";
  $dbname = "___";
  $conn = new mysqli( $hostname, $username, $password, $dbname );

  if ( $conn->connect_error ) {
    die( "Error: Failed to connect." );
  }
  $q0101 = mysqli_real_escape_string( $conn, $_POST[ 'q0101' ] );
  $q0102 = mysqli_real_escape_string( $conn, $_POST[ 'q0102' ] );

  $sql = "INSERT INTO ___ (first_name, last_name) VALUES (?,?);";

  $stmt = mysqli_stmt_init( $conn );
  if ( !mysqli_stmt_prepare( $stmt, $sql ) ) {
    echo "Error submitting responses";
  } else {
    mysqli_stmt_bind_param( $stmt, "ss", $q0101, $q0102 );
    mysqli_stmt_execute( $stmt );
    echo "Responses successfully submitted! <br/>";
    echo 'What is your first name? <br />';
    echo $q0101 . '<br />';
    echo 'What is your last name? <br />';
    echo $q0102 . '<br />';
  }

  $conn->close();

  ?>
```
  • Is this an API call or a webpage? Also, share more details about iPhone version and device – my_workbench Aug 06 '20 at 02:51
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 06 '20 at 11:57
  • Thanks for this. I'll be sure to implement the prepared statements. – Chris Richardson Aug 06 '20 at 18:15

1 Answer

0

First of all, I would strongly recommend using prepared statements for this kind of data collection; otherwise you would be vulnerable to SQL injection.

Here you can learn about them. https://www.php.net/manual/es/mysqli.quickstart.prepared-statements.php

About your question, I would consider adding a submit input. Otherwise you are subject to the browser's ability to submit the form on an enter or by the phone keyboard.

You could try printing the $_REQUEST value to determine whether the request is reaching the server or not.

Finally, you could be using the object oriented mysqli version which is way cleaner.

Dharman
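An added example (not the asker's code and not part of the answer above) of `report.php` in the object-oriented mysqli style the answer recommends: it rejects blank submissions before touching the database, binds the raw values without also escaping them, and HTML-escapes them only when echoing. The table name `responses`, the connection values and the helper `read_answers()` are assumptions made for illustration.

```php
<?php
// Added example. Table name `responses` and the connection values below
// are placeholders (assumptions), not values from the original post.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/** Return trimmed answers, or null if any required field is missing or blank. */
function read_answers(array $post, array $fields): ?array
{
    $answers = [];
    foreach ($fields as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            return null; // reject instead of inserting a blank row
        }
        $answers[$field] = trim($value);
    }
    return $answers;
}

$answers = read_answers($_POST, ['q0101', 'q0102']);
if ($answers === null) {
    http_response_code(400);
    // Server-side trace: shows whether the request arrived with an empty body.
    error_log('report.php: blank submission, POST field count = ' . count($_POST));
    exit('Error: please answer every question.');
}

$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
$conn->set_charset('utf8mb4');

// Bound parameters travel separately from the SQL text, so the values must
// NOT also pass through mysqli_real_escape_string() (that stores stray backslashes).
$stmt = $conn->prepare('INSERT INTO responses (first_name, last_name) VALUES (?, ?)');
$stmt->bind_param('ss', $answers['q0101'], $answers['q0102']);
$stmt->execute();
$stmt->close();
$conn->close();

// SQL escaping does nothing for HTML: encode for the output context when echoing.
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
echo 'Responses successfully submitted!<br>';
echo 'What is your first name?<br>' . $e($answers['q0101']) . '<br>';
echo 'What is your last name?<br>' . $e($answers['q0102']) . '<br>';
```

The server-side check matters because the `required` attribute on the form is enforced only by the browser, so a request can still arrive with empty fields.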