Database not receiveing data

[Steve_Berry]

Hello.  I am using a form to send data to my database but when I submit the form, the data is not shown on the database.  I am connected to the database so I don't think the problem lies there. Also, I have a redirect option via 'Location:' which also works.

I am following online examples for the php.

This is the PHP I am using:

<?php

include("dbcon/database-conn.php");

if (!empty($_POST))

#($_SERVER["REQUEST_METHOD"] == "POST") 

{
	
	$pagelinks = $_POST['pagelinks'];
	$title = $_POST['title'];
	$asideleft = $_POST['asideleft'];
	$body = $_POST['body'];
	$asideright = $_POST['asideright'];
	$sourceref = $_POST['sourceref'];
	$sourceimg = $_POST['sourceimg'];
	
	$q = "INSERT INTO pages (pagelinks) VALUES ('$_POST[pagelinks]')";

	if ($_POST["add_record"]){
	  header('location:index.php');
	  exit(); 
	}

}
?>

The form 'name' values match.

As you can see I have tried two methods of 'Post' but neither seem to work.

I would like to point out that this is an offline, local test and that I am aware that I am not using real_escape_strings, but I will, once I get the code to work. Also, I am aware of PDO, which I have tried but it is too complex, for me to solve right now.  I am familiar with mysqli (including OOP), but am still learning.. I would be grateful if you can help solve my current issue.

Thanks in advance for any help.

[gw1500se]

First never, ever put web page data directly into a database. Always use prepared statements. Second, you didn't post the code where you are executing the query. Third make sure error reporting is turned on:

error_reporting(E_ALL);

 

[benanamen]

You have absolutely no code that does anything with your query string. Start with this tutorial and then give it another try.

https://phpdelusions.net/pdo

[Phi11W]

23 hours ago, Steve_Berry said:

$q = "INSERT INTO pages (pagelinks) VALUES ('$_POST[pagelinks]')";

OK, you've created a PHP String variable that just happens to contain some text that your DBMS can make sense of (i.e. you've written some SQL). 

As others have said, it's very risky SQL, as it stands, but it's still SQL. 

But it's still only a String variable.

You need to tell your database to do something with it (i.e. to execute it). 

Regards, 
   Phill  W. 

 

[StevenOliver]

Easy.

First, pause your page (make it private) because it is a security risk right now.

1.) Turn on error reporting in both PHP, and mySQL.
2.) Echo your query (echo "$q";) and directly try what's echoed in mySQL.
3.) When you get it working, sanitize, sanitize, and sanitize (at very minimum, do mysqli escape string functions).
4.) You have "if ($_POST["add_record"])", but how do you know if a record was actually inserted? You might want to do a quick mySQLi query to make sure a valid record was inserted. Always assume the worst, e.g. "people are trying to hack your website now," "nothing is getting inserted into mySQL," "my code is not doing what I want it to do," "we will be in lockdown forever LOL," and then you'll be good :-)

Edited May 12, 2020 by StevenOliver

[Steve_Berry]

Thanks all. Will take your advice and make changes.

[gizmola]

On 5/12/2020 at 10:52 AM, Steve_Berry said:

Thanks all. Will take your advice and make changes.

Awesome.  Also, to be clear, if you use prepared statements, you don't need to worry about escaping data, which also means you don't have to worry about SQL injections.  You level right up