
I have programmed a ticket system in PHP. All entries from the database are displayed; only the script tedit.inc.php, which is included in index.php via the include() command, does not enter the data into the database. All connection data are correct. Here is the code:

```php
<?php

if (!empty($form) && $form == "f3875T-x") {

    echo <<<FORMULAR

Ticket erstellen
Titel:
<input type="text" name="Headline" size="50">

Beschreibung:


FORMULAR;
}

if (!empty($Headline) && !empty($Eintrag)) {

    $Name = mysqli_real_escape_string($db, $Name);
    $Headline = mysqli_real_escape_string($db, $Headline);
    $Eintrag = mysqli_real_escape_string($db, $Eintrag);

    $datum = date("d.m.Y, H:i") . " Uhr";

    $sql = "INSERT INTO ts_sys " .
        "VALUES ('', '$Name', '$Headline', '$datum', '$Eintrag')";

    mysqli_query($db, $sql);
}

?>
```

I hope someone can help me. Deleting the entries via PHP script also works.

GoodKing
  • [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) - hint: mysqli_real_escape_string isn't the correct solution. (It was, 20 years ago, but not since then.) – ADyson Apr 01 '22 at 15:44
  • If you're inserting dates in `d.m.Y H:i` format then I'd guess you're doing it wrong and storing the date in a varchar column. Or at least you're running the risk that mysql will get it wrong and think that the month is the day and vice versa (as per default US date format). Far more reliable to use a `datetime` column and insert in Y-m-d H:i format – ADyson Apr 01 '22 at 15:46
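
The approach the two comments point to (bound parameters instead of `mysqli_real_escape_string`, and a `Y-m-d` value for a `datetime` column), as an added example that is not part of the original question or its comments. The column names, the `insert_ticket` helper, the auto-increment id and reading the fields from `$_POST` are assumptions; only the table name `ts_sys` and the field names `Name`, `Headline` and `Eintrag` come from the question.

```php
<?php
// Make mysqli throw exceptions instead of failing silently, so a rejected
// INSERT becomes visible (this is already the default from PHP 8.1 onwards).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one ticket using bound parameters and return the new row id.
 * Column names are hypothetical; the question only shows the table ts_sys.
 */
function insert_ticket(mysqli $db, string $name, string $headline, string $entry): int
{
    // Explicit column list: the (assumed) auto-increment id is omitted
    // instead of being passed as the empty string ''.
    $sql = 'INSERT INTO ts_sys (name, headline, created_at, entry)
            VALUES (?, ?, ?, ?)';

    // DATETIME-compatible value instead of the "d.m.Y, H:i Uhr" text.
    $createdAt = date('Y-m-d H:i:s');

    // User input travels separately from the SQL text, so it is never
    // parsed as part of the statement.
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ssss', $name, $headline, $createdAt, $entry);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();

    return $id;
}

// Read a form field as a trimmed string; anything else (missing, array) is ''.
$field = static fn(string $k): string =>
    is_string($_POST[$k] ?? null) ? trim($_POST[$k]) : '';

// $db is assumed to be the mysqli connection opened by the including script.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $headline = $field('Headline');
    $entry    = $field('Eintrag');
    if ($headline !== '' && $entry !== '') {
        $id = insert_ticket($db, $field('Name'), $headline, $entry);
        echo 'Ticket #' . $id . ' created';
    }
}
```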
