DarkVeneno

Reputation: 99

PHP INSERT is not working for some unknown reason

I'm setting up a simple system that takes the user input in a new_post.php file in a form and sends that information using POST to index.php. index.php then receives that information, and, if it exists, it will post, otherwise, it won't. But it simply doesn't work! It gives some kind of "PHP Notice: Undefined index:" error thing in error_log.

I've tried checking the SQL, but it was fine, unless I didn't notice something. But here's some code, so you experts can help me:

INDEX.PHP:

if($_POST["title"] != null) {
    if($_POST["author"] != null) {
        if($_POST["content"] != null) {
            $sql = "INSERT INTO posts (title, content, author) VALUES ('" . $_POST["title"] . "', '" . $_POST["content"] . "', '" . $_POST["author"] . "'');";
            mysqli_query($connection, $sql);
        }
    }
}

NEW_POST.PHP:

<form action="index.php" style="font-size: 3vw; margin-left: 25%; margin-right: 25%; width: 50%;" method="POST">
    Title:<br>
    <input type="text" name="title" value="" style="font-size: 2vw;">
    <br>
    Your Name:<br>
    <input type="text" name="author" value="" style="font-size: 2vw;">
    <br>
    Content<br>
    <!-- textarea takes no type or value attribute; its text goes between the tags -->
    <textarea name="content" style="resize: none; font-size: 2vw;"></textarea>
    <br>
    <br><br>
    <input type="submit" value="Submit">
</form>

I expected it to, if the user didn't fill the form, not say anything but also not post anything and redirect to index.php, and, if the form was actually filled correctly, it just posts it and redirects to the index.php page.

What actually happened is, independently of filling it correctly or not, it just doesn't post and redirects to the index.php file without the post appearing.

Upvotes: 0

Views: 81

Answers (2)

Dharman

Reputation: 33238

Never ever allow user input directly in an SQL query. This is how you get SQL injection. You should always use parameterized prepared statements. This will also ensure that you never run into a problem with mismatched quotes ever again. In prepared statements you do not need to quote or escape any input.

Besides, you are not actually checking if the values are set in your script, which is why you see undefined errors. Use isset() to check that.

Here is the fixed code with prepared statements.

if(isset($_POST["title"], $_POST["author"], $_POST["content"])){
    $stmt = $connection->prepare('INSERT INTO posts (title, content, author) VALUES (?,?,?)');
    // bind order must follow the column order in the INSERT: title, content, author
    $stmt->bind_param('sss', $_POST["title"], $_POST["content"], $_POST["author"]);
    $stmt->execute();
}

and as always remember to enable error reporting: How to get the error message in MySQLi?

Upvotes: 4
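The handler from the question rewritten the way the answer above describes, as an added example that is not code from the question or from either answer: mysqli error reporting switched on, isset() plus a blank check on each field, and the three values bound as parameters in the same order as the INSERT's column list. The connection details are placeholders, and the redirect target index.php is taken from the question's form.

```php
<?php
// Added example: the new_post.php form posts to this file (index.php).
// Throw mysqli_sql_exception on any failure instead of returning false,
// so a broken query is reported rather than silently "not posting".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$connection = new mysqli('db-host-placeholder', 'db-user-placeholder',
                         'db-password-placeholder', 'db-name-placeholder');
$connection->set_charset('utf8mb4');

/**
 * Insert a post when title, author and content were all submitted and are
 * not blank. Returns true if a row was inserted, false if input was missing.
 * User input never becomes part of the SQL text; it travels as bound values,
 * so quotes in a title or body cannot break or alter the statement.
 */
function insert_post(mysqli $db, array $input): bool
{
    foreach (['title', 'author', 'content'] as $field) {
        // isset() avoids the "Undefined index" notice from the question;
        // trim() === '' rejects fields the user left empty.
        if (!isset($input[$field]) || !is_string($input[$field])
            || trim($input[$field]) === '') {
            return false;
        }
    }
    // Column order and bind order must agree: (title, content, author).
    $stmt = $db->prepare(
        'INSERT INTO posts (title, content, author) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $input['title'], $input['content'], $input['author']);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    insert_post($connection, $_POST);
    // Redirect after POST so a browser refresh does not resubmit the form.
    header('Location: index.php', true, 303);
    exit;
}
```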

Tech Spot

Reputation: 472

Replace

$sql = "INSERT INTO posts (title, content, author) VALUES ('" . $_POST["title"] . "', '" . $_POST["content"] . "', '" . $_POST["author"] . "'');";

with

$sql = "INSERT INTO posts (title, content, author) VALUES ('" . $_POST["title"] . "', '" . $_POST["content"] . "', '" . $_POST["author"] . "');";

You have one apostrophe too many:

"'');";

Upvotes: 1
