Jump to content

Database not receiveing data


Steve_Berry

Recommended Posts

Hello.  I am using a form to send data to my database but when I submit the form, the data is not shown on the database.  I am connected to the database so I don't think the problem lies there. Also, I have a redirect option via 'Location:' which also works.

I am following online examples for the php.

This is the PHP I am using:

<?php

include("dbcon/database-conn.php");

if (!empty($_POST))

#($_SERVER["REQUEST_METHOD"] == "POST") 

{
	
	$pagelinks = $_POST['pagelinks'];
	$title = $_POST['title'];
	$asideleft = $_POST['asideleft'];
	$body = $_POST['body'];
	$asideright = $_POST['asideright'];
	$sourceref = $_POST['sourceref'];
	$sourceimg = $_POST['sourceimg'];
	
	$q = "INSERT INTO pages (pagelinks) VALUES ('$_POST[pagelinks]')";

	if ($_POST["add_record"]){
	  header('location:index.php');
	  exit(); 
	}

}
?>

The form 'name' values match.

As you can see I have tried two methods of 'Post' but neither seem to work.

I would like to point out that this is an offline, local test and that I am aware that I am not using real_escape_strings, but I will, once I get the code to work. Also, I am aware of PDO, which I have tried but it is too complex, for me to solve right now.  I am familiar with mysqli (including OOP), but am still learning.. I would be grateful if you can help solve my current issue.

Thanks in advance for any help.

Link to comment
Share on other sites

23 hours ago, Steve_Berry said:

$q = "INSERT INTO pages (pagelinks) VALUES ('$_POST[pagelinks]')";

OK, you've created a PHP String variable that just happens to contain some text that your DBMS can make sense of (i.e. you've written some SQL). 

As others have said, it's very risky SQL, as it stands, but it's still SQL. 

But it's still only a String variable.

You need to tell your database to do something with it (i.e. to execute it). 

Regards, 
   Phill  W. 

 

  • Like 1
Link to comment
Share on other sites

Easy.

First, pause your page (make it private) because it is a security risk right now.

1.) Turn on error reporting in both PHP, and mySQL.
2.) Echo your query (echo "$q";) and directly try what's echoed in mySQL.
3.) When you get it working, sanitize, sanitize, and sanitize (at very minimum, do mysqli escape string functions).
4.) You have "if ($_POST["add_record"])", but how do you know if a record was actually inserted? You might want to do a quick mySQLi query to make sure a valid record was inserted. Always assume the worst, e.g. "people are trying to hack your website now," "nothing is getting inserted into mySQL," "my code is not doing what I want it to do," "we will be in lockdown forever LOL," and then you'll be good :-)

Edited by StevenOliver
Link to comment
Share on other sites

On 5/12/2020 at 10:52 AM, Steve_Berry said:

Thanks all. Will take your advice and make changes.

Awesome.  Also, to be clear, if you use prepared statements, you don't need to worry about escaping data, which also means you don't have to worry about SQL injections.  You level right up ;)

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.