
I would like to send the div content in a form, but it does not work! Can you please help me find the missing part? The information sent to the db table is missing ("empty space").

HTML

<form class="myform" action="file.php" method="POST">

   <div id="mydiv">

        <p>Marco</p>

   </div>
   <input type="hidden" name="dataInput" id="myinput">
   <button class="mybutton" type="submit">send</button>
</form>

JAVASCRIPT

let myForm = document.querySelector(".myform");

myForm.addEventListener("submit", function(x){
    
   x.preventDefault();
   let myInput = document.getElementById("myinput");
   let myDiv = document.getElementById("mydiv");
   
   myInput.value  =  myDiv.innerHTML;

   myForm.submit();
});

PHP file.php

<?php
  // $conn is assumed to be an already-open mysqli connection
  $info = $_POST['dataInput'];

  // the value is interpolated straight into the SQL string (see the
  // comments below about SQL injection)
  $data = "INSERT INTO friends (
         friend) VALUES(
         '$info');";
  $results = mysqli_query($conn, $data);
  • This is very unsecure. Bear in mind that users can simply edit the `<div>` contents in their browser before submitting, which leaves you wide open to attack. You need to be very careful what you put into your database and where it comes from. That being said, the code you displayed works for me (though I didn't run the query, simply printed out what `$data` was). Did you make sure your table name/field names are correct and that the connection is functioning properly? Try printing out the `$data` string and see what it says.
    – Kaboodleschmitt Oct 18 '21 at 17:32
  • So you mean it inserts an empty space into the database instead of the HTML? – ADyson Oct 18 '21 at 17:48
  • P.s. you need to urgently read https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php and adjust your code accordingly to remove the SQL injection threat – ADyson Oct 18 '21 at 17:56
  • You will also need to sanitise this HTML before you re-display it anywhere else (after you get it back from the database) to remove anything like script, object, frame or embed tags, or anything else which could inject malicious or unwanted and interactive content into your site – ADyson Oct 18 '21 at 17:58
  • @Kaboodleschmitt thank you for your reply, but it does not work, the value in the db is null. It is a lite version of the code, the secure parts are not posted. – Andrei Oct 18 '21 at 18:08
  • @ADyson the value is null. – Andrei Oct 18 '21 at 18:08
  • Did you try echoing out the value of `$data` in PHP as I suggested? Also, did you make sure the javascript is running after the page contents have loaded (something like this: https://stackoverflow.com/a/25984032/4035392)? – Kaboodleschmitt Oct 18 '21 at 18:10
  • @ADyson thank you for the SQL injection, this is a lite version without the security parts, otherwise it would be more difficult to explain. – Andrei Oct 18 '21 at 18:10
  • Check your browser's network tool while the form is being submitted (make sure the Preserve Log box is ticked) and see what the browser is actually sending to the server in the request – ADyson Oct 18 '21 at 18:10
  • `this is a lite version without the security parts, otherwise it will be more dificult to explain`...but maybe what you're doing somewhere in the real code is having an effect on the end result. We need to see a [mre] of your issue otherwise we can't be sure what the real issue is. Prepared statement code isn't hard to understand – ADyson Oct 18 '21 at 18:12
  • @Kaboodleschmitt, minimised it works! I need to have a better look at the main project and understand what blocks the information passing through! Thank you guys for your time, hope the information posted will help other guys that need this type of solution. – Andrei Oct 18 '21 at 18:30
  • @ADyson It works, seems you are right, the security part stops the information passing through! Thank you! – Andrei Oct 18 '21 at 18:31
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 18 '21 at 18:36
  • Maybe you are stripping HTML tags/content somewhere In this "security" code. If so it's probably unnecessary - that's something you would normally do at output time rather than input time, and even then you would only strip the tags in a context where they would actually represent a threat. – ADyson Oct 18 '21 at 18:38
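Added example (not the asker's code or any commenter's): the same insert written the way the comments recommend, a mysqli prepared statement with the value bound as a parameter, plus mysqli error reporting turned on so a wrong table or column name fails loudly instead of silently leaving the row empty, and htmlspecialchars at output time rather than stripping tags at input time. It assumes the `friends` table and `friend` column from the question; the connection parameters and the 255-character cap are constructed placeholders.

```php
<?php
// Added example, not from the original post. Assumes a table `friends`
// with a VARCHAR(255) column `friend` as in the question.
declare(strict_types=1);

// Throw exceptions on mysqli errors (bad table/column name, lost
// connection) instead of returning false and inserting nothing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Constructed placeholder credentials, not real ones.
$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$conn->set_charset('utf8mb4');

// The hidden input is filled from a <div> the visitor can edit in the
// browser, so it is untrusted text regardless of what the page rendered.
if (!isset($_POST['dataInput']) || !is_string($_POST['dataInput'])) {
    http_response_code(400);
    exit('missing dataInput');
}
$info = $_POST['dataInput'];

// Assumed column size; reject oversized input rather than truncating.
if (strlen($info) > 255) {
    http_response_code(400);
    exit('dataInput too long');
}

// Parameterised insert: the value is sent separately from the SQL text,
// so quotes or SQL keywords inside $info cannot alter the statement.
$stmt = $conn->prepare('INSERT INTO friends (friend) VALUES (?)');
$stmt->bind_param('s', $info);
$stmt->execute();
$stmt->close();

// Reading it back: the stored string is raw HTML (e.g. "<p>Marco</p>").
// Escape at output time so any <script> or event handler inside it is
// displayed as text in the viewer's browser instead of executed.
$rows = $conn->query('SELECT friend FROM friends');
echo "<ul>\n";
foreach ($rows as $row) {
    echo '<li>' . htmlspecialchars($row['friend'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
}
echo "</ul>\n";
```

Because the HTML is stored verbatim and only escaped when rendered, nothing in the "security" layer needs to modify the submitted value, which is the point ADyson makes in the last comment; if the real code strips tags before the insert, an input that is nothing but tags (like `<p>Marco</p>` with the inner text removed) would indeed arrive as an empty string.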

0 Answers