Form data sent via POST method gets empty

Question

I am posting the "user" variable to another page i.e. Survey.php as follows:

index.html

<form action="Survey.php" method="post" name="frm">
  <div><input type="text" name="user"></div>
  <div><input type="submit" value="Start" class="btn btn-primary btn-sm"></div>
</form>

I can access the "user" variable on Survey.php page on its first load. Now, because I have another form on this page as well, which posts data to itself.

Survey.php

$user = $_POST["user"];
echo 'this is '.$user;
$email = $_POST[email];
if($_SERVER['REQUEST_METHOD'] == 'POST'){
$sql = "INSERT INTO `test_db` (`user`, `email`) VALUES '$user', '$email');";
echo $sql;
}
<form action="survey.php" method="post">
  <div><input type="text" name="email"></div>
  <div><input type="submit" value="submit" class="btn btn-primary btn-sm"></div>
</form>

I am trying to send "user" and "email" together to the database now. What happens actually is that everytime I click on submit button of the survey.php page, the "user" variable gets empty.

It makes no sense to try and run `$user = $_POST["user"];` _before_ you've tested whether the request is a POST or not. In this version, that command will run even when you load the page the first time (which is always a GET). Move `$user = $_POST["user"]; echo 'this is '.$user; $email = $_POST[email];` inside the `if($_SERVER['REQUEST_METHOD'] == 'POST'){ ... }` block. — ADyson, Feb 23 '22 at 10:55
To make the user data persist in the second form though, you'll need to add it as a hidden field in the second form. Remember that HTTP requests and web applications are **stateless** by nature. Variables do not automatically persist from one request to another - you have to specifically write some code to make that happen. — ADyson, Feb 23 '22 at 10:56
**Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli / PDO. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. — ADyson, Feb 23 '22 at 10:57
See also this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. — ADyson, Feb 23 '22 at 10:57

score 1 · Answer 1 · answered Feb 23 '22 at 10:51

You have to test your posts DATA and user Sesssion. In your PHP code, you can have something like that

<?php
session_start();
if(isset($_POST['user']))
  $_SESSION['user'] = $_POST['user'];
if(isset($_POST['email']))
  $_SESSION['email'] = $_POST['email'];
if(isset($_SESSION['user']) AND isset($_SESSION['email'])){
   $sql = "INSERT INTO `test_db` (`user`, `email`) VALUES '$_SESSION['user']', '$_SESSION['email']');";
  echo $sql;
}

If you don't want to use sessions, you can play with your form like this :

$user = $_POST["user"];
echo 'this is '.$user;
$email = $_POST[email];
if($_SERVER['REQUEST_METHOD'] == 'POST'){
$sql = "INSERT INTO `test_db` (`user`, `email`) VALUES '$user', '$email');";
echo $sql;
}
<form action="survey.php" method="post">
  <div><input type="text" name="email"></div>
  <div><input type="submit" value="submit" class="btn btn-primary btn-sm"></div>
  <input type="hidden" name="user" value="<?php echo $user; ?>">
</form>

score 0 · Answer 2 · answered Feb 23 '22 at 10:47

You have $user and $email as variable then why are you putting them as strings? The below code should work -

$user = $_POST["user"];
echo 'this is '.$user;
$email = $_POST[email];
if($_SERVER['REQUEST_METHOD'] == 'POST'){
$sql = "INSERT INTO `test_db` (`user`, `email`) VALUES '" . $user . "', '" . $email . "');";
echo $sql;
}
<form action="survey.php" method="post">
  <div><input type="text" name="email"></div>
  <div><input type="submit" value="submit" class="btn btn-primary btn-sm"></div>
</form>

Form data sent via POST method gets empty

2 Answers2