UI

code for the PHP Submit Script

if (isset($_POST['rejectreason'])) {
    $Note = $_POST['rejection_reason'];
    $whyreject = 'Rejection_Reason-'.$Note;

    $sql = "UPDATE requestitem SET requestitem_UsefulNote='$whyreject' ";
    $query = $dbh->prepare($sql);
    if ($query->execute()) {
        $success = "Rejection Confirmed Successfully and Reason Sent.";
    } else {
        $error = "Sorry, Rejection Failed, Try again Later.";
    }
}

code for the cancel button

<input type="hidden" id="rjctrsn-data" name="rejection_reason">

Abdulla Nilam
ICTM
  • Show the JS code which generates the alert. It should just be a case of writing to the `value` of the hidden field with the result of the alert command? Have you tried anything? – ADyson Jul 20 '23 at 07:05
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use prepared statements **with parameters** to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli / PDO. **Never** insert unparameterised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Jul 20 '23 at 07:06
  • https://phpdelusions.net/ also contains good examples of correct usage of prepared statements and parameters using mysqli or PDO. See also: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. You seem to have got halfway there (using prepared statements) but forgot to finish the job (using parameters). – ADyson Jul 20 '23 at 07:07
  • Isn't your query going to update _all_ the rows in your database? You need a WHERE clause to update just the one(s) you want to. – droopsnoot Jul 20 '23 at 07:07
  • `$_POST['rejectreason']` and `$_POST['rejection_reason']` Are those two different fields or is that a typo? – brombeer Jul 20 '23 at 07:37

1 Answer

Trigger the onclick alert input event and get the user input

<form id="yourFormId" action="submit_script.php" method="post">
  <!-- the hidden field must be inside the form so its value is posted -->
  <input type="hidden" id="rjctrsn-data" name="rejection_reason">
  <button type="button" onclick="showRejectionReasonAlert()">Reject</button>
</form>

<script>
function showRejectionReasonAlert() {
  // prompt() returns null when the user cancels, so nothing is submitted then
  var rejectionReason = prompt("Please enter the rejection reason:");
  if (rejectionReason != null) {
    document.getElementById("rjctrsn-data").value = rejectionReason;
    document.getElementById("yourFormId").submit();
  }
}
</script>

Ensure that your database connection is properly set up before executing the SQL.

<?php

if (isset($_POST['rejection_reason']) && !empty($_POST['rejection_reason'])) {
    $Note = $_POST['rejection_reason'];
    $whyreject = 'Rejection_Reason-' . $Note;

    // The value is bound as a parameter, so it is never spliced into the SQL text.
    // Note: with no WHERE clause this statement still updates every row in requestitem.
    $sql = "UPDATE requestitem SET requestitem_UsefulNote=:whyreject";
    $query = $dbh->prepare($sql);
    $query->bindParam(':whyreject', $whyreject);

    if ($query->execute()) {
        $success = "Rejection Confirmed Successfully and Reason Sent.";
    } else {
        $error = "Sorry, Rejection Failed, Try again Later.";
    }
}
Wakil Ahmed
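An added example (not from the question or the answer) that runs the three variants discussed above side by side: the original interpolated UPDATE, the answer's bound parameter without a WHERE clause, and a bound parameter plus a bound row id. It uses an in-memory SQLite database through PDO, and the table rows and the `requestitem_id` column are constructed here because the page never names a key column.

```php
<?php
// Added example: demonstrates why the interpolated "...='$whyreject'" query is
// fragile and why the missing WHERE clause matters. Table contents and the
// requestitem_id column are constructed for this demo (assumption).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE requestitem (requestitem_id INTEGER PRIMARY KEY, requestitem_UsefulNote TEXT)");
$dbh->exec("INSERT INTO requestitem VALUES (1, 'pending'), (2, 'pending')");

// An ordinary rejection reason containing an apostrophe, as a user might type it.
$Note = "Item doesn't match the order";
$whyreject = 'Rejection_Reason-' . $Note;

// 1. Original pattern: the value is spliced into the SQL string. The apostrophe
//    closes the string literal early and SQLite rejects the malformed statement.
try {
    $dbh->prepare("UPDATE requestitem SET requestitem_UsefulNote='$whyreject'")->execute();
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Bound parameter but no WHERE clause: the value is passed safely as data,
//    yet every row in the table is overwritten (droopsnoot's point).
$stmt = $dbh->prepare("UPDATE requestitem SET requestitem_UsefulNote = :whyreject");
$stmt->execute([':whyreject' => $whyreject]);
echo "Rows changed without WHERE: " . $stmt->rowCount() . PHP_EOL;

// Reset the notes, then
// 3. Bound parameter AND a bound row id: only the intended row changes.
$dbh->exec("UPDATE requestitem SET requestitem_UsefulNote = 'pending'");
$stmt = $dbh->prepare(
    "UPDATE requestitem SET requestitem_UsefulNote = :whyreject WHERE requestitem_id = :id"
);
$stmt->bindValue(':whyreject', $whyreject);
$stmt->bindValue(':id', 2, PDO::PARAM_INT);
$stmt->execute();
echo "Rows changed with WHERE: " . $stmt->rowCount() . PHP_EOL;

// Show the final state: row 1 keeps 'pending', row 2 carries the full reason,
// apostrophe included, because the driver handled the quoting.
foreach ($dbh->query("SELECT requestitem_id, requestitem_UsefulNote FROM requestitem") as $row) {
    echo $row['requestitem_id'] . ': ' . $row['requestitem_UsefulNote'] . PHP_EOL;
}
```

Running it requires PHP with the pdo_sqlite extension; swapping the DSN for the real MySQL connection keeps the same prepare/bind calls, which is the point of using PDO parameters.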