Steve_Berry Posted May 11, 2020

Hello. I am using a form to send data to my database but when I submit the form, the data is not shown on the database. I am connected to the database so I don't think the problem lies there. Also, I have a redirect option via 'Location:' which also works. I am following online examples for the PHP. This is the PHP I am using:

    <?php
    include("dbcon/database-conn.php");

    if (!empty($_POST)) #($_SERVER["REQUEST_METHOD"] == "POST")
    {
        $pagelinks = $_POST['pagelinks'];
        $title = $_POST['title'];
        $asideleft = $_POST['asideleft'];
        $body = $_POST['body'];
        $asideright = $_POST['asideright'];
        $sourceref = $_POST['sourceref'];
        $sourceimg = $_POST['sourceimg'];

        $q = "INSERT INTO pages (pagelinks) VALUES ('$_POST[pagelinks]')";

        if ($_POST["add_record"]){
            header('location:index.php');
            exit();
        }
    }
    ?>

The form 'name' values match. As you can see I have tried two methods of 'Post' but neither seems to work. I would like to point out that this is an offline, local test and that I am aware that I am not using real_escape_strings, but I will, once I get the code to work. Also, I am aware of PDO, which I have tried but it is too complex for me to solve right now. I am familiar with mysqli (including OOP), but am still learning. I would be grateful if you can help solve my current issue. Thanks in advance for any help.

gw1500se Posted May 11, 2020

First, never, ever put web page data directly into a database. Always use prepared statements. Second, you didn't post the code where you are executing the query. Third, make sure error reporting is turned on:

    error_reporting(E_ALL);

benanamen Posted May 11, 2020

You have absolutely no code that does anything with your query string. Start with this tutorial and then give it another try.

https://phpdelusions.net/pdo

Phi11W Posted May 12, 2020

23 hours ago, Steve_Berry said:

    $q = "INSERT INTO pages (pagelinks) VALUES ('$_POST[pagelinks]')";

OK, you've created a PHP String variable that just happens to contain some text that your DBMS can make sense of (i.e. you've written some SQL). As others have said, it's very risky SQL, as it stands, but it's still SQL. But it's still only a String variable. You need to tell your database to do something with it (i.e. to execute it).

Regards, Phill W.

StevenOliver Posted May 12, 2020

Easy. First, pause your page (make it private) because it is a security risk right now.

1.) Turn on error reporting in both PHP and MySQL.
2.) Echo your query (echo "$q";) and directly try what's echoed in MySQL.
3.) When you get it working, sanitize, sanitize, and sanitize (at very minimum, do mysqli escape string functions).
4.) You have "if ($_POST["add_record"])", but how do you know if a record was actually inserted? You might want to do a quick MySQLi query to make sure a valid record was inserted.

Always assume the worst, e.g. "people are trying to hack your website now," "nothing is getting inserted into MySQL," "my code is not doing what I want it to do," "we will be in lockdown forever LOL," and then you'll be good :-)

Edited May 12, 2020 by StevenOliver

Steve_Berry (Author) Posted May 12, 2020

Thanks all. Will take your advice and make changes.

gizmola Posted May 13, 2020

On 5/12/2020 at 10:52 AM, Steve_Berry said:

    Thanks all. Will take your advice and make changes.

Awesome. Also, to be clear, if you use prepared statements, you don't need to worry about escaping data, which also means you don't have to worry about SQL injections. You level right up.

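Added example, not written by any poster in this thread: the insert the replies describe, done with a prepared statement that is actually executed and whose result is checked before any redirect. It uses PDO with an in-memory SQLite database so it runs without a server; the table layout, the addPage function name and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for
// the poster's MySQL database; schema and inputs below are constructed.
declare(strict_types=1);
error_reporting(E_ALL);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // DB errors throw
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, pagelinks TEXT NOT NULL)');

/**
 * Insert one pagelinks value (hypothetical helper name).
 * Returns the new row id, or null when nothing was inserted.
 */
function addPage(PDO $pdo, array $post): ?int
{
    $pagelinks = $post['pagelinks'] ?? '';
    if (!is_string($pagelinks) || trim($pagelinks) === '') {
        return null; // missing or empty field: do not touch the database
    }
    // The SQL text is fixed; the value is sent separately as a bound parameter,
    // so quote characters in it cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO pages (pagelinks) VALUES (:pagelinks)');
    // Building a query string does nothing by itself; execute() runs it.
    $stmt->execute([':pagelinks' => trim($pagelinks)]);
    return $stmt->rowCount() === 1 ? (int) $pdo->lastInsertId() : null;
}

// Constructed form submissions standing in for $_POST.
$samples = [
    ['pagelinks' => 'about.php', 'add_record' => '1'],
    ['pagelinks' => "Steve's links", 'add_record' => '1'], // apostrophe in the value
    ['pagelinks' => '', 'add_record' => '1'],              // empty field
];

foreach ($samples as $post) {
    $id = addPage($pdo, $post);
    echo $id === null ? "not inserted\n" : "inserted row $id\n";
    // On the real page, redirect only after a confirmed insert:
    // if ($id !== null) { header('Location: index.php'); exit; }
}

// Read the rows back to confirm what was actually stored.
foreach ($pdo->query('SELECT id, pagelinks FROM pages') as $row) {
    echo $row['id'], ': ', $row['pagelinks'], "\n";
}
```

With mysqli the same three steps are prepare(), bind_param() and execute() on the connection the page already includes.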