Hi, I'm in the basic learning phase in PHP and ran into a problem two days ago...

 

I need to make a function that $_POST to MySQL.

I think I have the function working, but I can't make the form call the function to submit the data to my database!

 

This is the function (filename is test.php) :

 

<?php function addlunch() {
$sql="INSERT INTO $tbl_name(vecka, dag, lunch1, lunch2)VALUES('$_POST[vecka]','$_POST[dag]','$_POST[lunch1]','$_POST[lunch2]')";
$result=mysql_query($sql);

mysql_close();
} ?>

 

And now the problem is to call the function to this form:

 

<form action="test.php?addlunch" method="post" name="lunch">
  <input value="<?php echo ($veckonummer); ?>" name="vecka" type="text" /><br />
  <input name="dag" type="text" value="Måndag" /><br />
  <textarea name="lunch1" cols="40"></textarea><br />
  <textarea name="lunch2" cols="40"></textarea>
  <input type="submit" value="Skicka" /><input type="reset" value="Rensa" />
</form>

 

If anyone could take a look at it I would appreciate it!!

Thx!

https://forums.phpfreaks.com/topic/216098-calling-function-on-submit/

Here you go:

 

<?php $host="localhost";
$username="XXX"; 
$password="XXX";
$db_name="XXX";
$tbl_name="lunch";

mysql_connect("$host", "$username", "$password")or die("cannot connect server "); 
mysql_select_db("$db_name")or die("cannot select DB");
$result = mysql_query("SELECT * FROM $tbl_name") or die("Can't  connect with table");

?>

I see what's going on. Change the query string to:

$sql="INSERT INTO $tbl_name(`vecka`, `dag`, `lunch1`, `lunch2`)VALUES('".$_POST['vecka']."','".$_POST['dag']."','".$_POST['lunch1']."','".$_POST['lunch2']."')";

Take a good look at the quotes ` and '.

You will have to code the function call on the page reset, as the form cannot call a php function.

 

At the top of your page

 

test.php

if(isset($_GET['addlunch'])) {
addlunch();
}

 

Of course, you will have to change the form action so that the addlunch parameter is set:

<form action="test.php?addlunch=1" method="post" name="lunch">

 

After this, you will note that it still doesn't work, because your query doesn't have a table name, because $tbl_name is out of scope.  Hard code it.

 

Once you fix this, you will find that, because you have failed to use any database sanitation and are also setting your caller in the URL, this script has great potential to be raped by script kiddies.

 

To fix, you need to at least run your form through mysql_real_escape_string(), and put a hidden input into the form to trigger your database function.
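
Added example (not part of any post in this thread): the insert handler written with PDO prepared statements instead of string concatenation or mysql_real_escape_string(), since the mysql_* functions were removed in PHP 7.0. The addLunch() name, the hidden `action` field, the 500-byte limit and the SQLite stand-in database are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: an in-memory SQLite
// database stands in for the poster's MySQL server so the script runs offline.
// The form is assumed to post to this script and to carry a hidden field:
//   <input type="hidden" name="action" value="addlunch" />
declare(strict_types=1);

const LUNCH_TABLE = 'lunch'; // fixed identifier, never taken from the request

function addLunch(PDO $db, array $post): bool
{
    // Act only on the hidden form field, not on a URL parameter.
    if (($post['action'] ?? '') !== 'addlunch') {
        return false;
    }
    // Week number must be an integer in 1..53.
    $vecka = filter_var($post['vecka'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 53]]);
    if ($vecka === false) {
        return false;
    }
    // Text fields must be non-empty strings of bounded length.
    $params = ['vecka' => $vecka];
    foreach (['dag', 'lunch1', 'lunch2'] as $name) {
        $value = $post[$name] ?? null;
        if (!is_string($value) || trim($value) === '' || strlen($value) > 500) {
            return false;
        }
        $params[$name] = trim($value);
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO ' . LUNCH_TABLE . ' (vecka, dag, lunch1, lunch2)
         VALUES (:vecka, :dag, :lunch1, :lunch2)'
    );
    return $stmt->execute($params);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lunch (vecka INTEGER, dag TEXT, lunch1 TEXT, lunch2 TEXT)');

// Constructed submission; the apostrophe in lunch1 would end the string
// literal early in the concatenated query from the thread.
$sample = ['action' => 'addlunch', 'vecka' => '42', 'dag' => 'Måndag',
           'lunch1' => "Kalle's pannkakor", 'lunch2' => 'Soppa'];
var_dump(addLunch($db, $sample));                                // valid row is stored
var_dump($db->query('SELECT lunch1 FROM lunch')->fetchColumn()); // value comes back intact
var_dump(addLunch($db, ['vecka' => '42', 'dag' => 'Måndag']));   // no hidden field: rejected
```

For the poster's MySQL server, only the PDO connection string changes; the function body stays the same.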
