I am trying to make a site where users can upload phrases. Basically there is a text field and then it gets uploaded to the MySQL database. Here is what I have tried so far.

HTML:

<form class="form-horizontal" action="drop.php" method="post">
<fieldset>

<!-- Form Name -->
<legend>Submit a Billboard</legend>

<!-- Text input-->
<div class="control-group">
  <label class="control-label" for="textinput">What will your Billboard Say?</label>
  <div class="controls">
    <input name="text" type="text" placeholder="What you going to say?" class="input-xlarge">
  </div>
</div>
<br>
<!-- Button -->
<div class="control-group">
  <div class="controls">
    <button id="singlebutton" name="singlebutton" class="btn btn-primary">Drop Your Billboard</button>
  </div>
</div>

</fieldset>
</form>

PHP:

<?php
//Connecting to sql db.
$connect = mysqli_connect("localhost","mod","","bill");
//Sending form data to sql db.
mysqli_query($connect,"INSERT INTO submit (submission)
VALUES ('".$_POST['text']."')
?>

  • and the question/problem is? and code is in 2 separate files or just one? I for one see one issue, but you need to tell us what's not working here. Plus, you may not be showing us everything there. That looks to be using JS/bootstrap but you didn't tell us that. Commented Aug 30, 2015 at 14:09
  • I'm not kicking for points here, but I'm not sure if you saw the answer I posted; there were a few more syntax errors and have been added to it. Therefore, you will need to reload my answer. Commented Aug 30, 2015 at 14:51

2 Answers

3

Besides your SQL injection, your button doesn't do anything really, not without any JS which if you're using, you haven't shown it. Therefore, this answer is based on what you posted.

It would require a type="submit" in order for your button to fire up anything.

I'm taking a blind stab at this, but I'm prrrrretty sure that's what's "not" going on here.

Plus and more importantly (and not a blind stab), you're missing a closing bracket, a quote and semi-colon in: (a major syntax error)

mysqli_query($connect,"INSERT INTO submit (submission) 
VALUES ('".$_POST['text']."')
                             ^^^ missing bracket/quote/semi-colon

so do

mysqli_query($connect,"INSERT INTO submit (submission) 
VALUES ('".$_POST['text']."')");
                             ^^^ missing/added

Escape your data:

if(!empty($_POST['text'])){

    $text = mysqli_real_escape_string($connect, $_POST['text']);

    mysqli_query($connect,"INSERT INTO submit (submission) VALUES ('".$text."')");

}

However, you really should use a prepared statement for that SQL injection:

Check for errors.

Consult the following links http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code.

If your entire code is inside the same page, you will receive an undefined index notice.

Error reporting will tell you that.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

As well as or die(mysqli_error($connect)) to mysqli_query().

If so, then you will need to use !empty() for the POST array.


You could have also used:

$connect = mysqli_connect("localhost","mod","","bill")
                or die(mysqli_connect_error()); // $connect is false on failure, so use mysqli_connect_error()

if(!empty($_POST['text'])){

    // escape the user input before it goes into the query string
    $text = mysqli_real_escape_string($connect, $_POST['text']);
    $query = "INSERT INTO submit (submission) VALUES ('".$text."')";

    $result = mysqli_query($connect, $query);

    if (!$result)
    {
        throw new Exception(mysqli_error($connect));
    }
    else
    {
        echo "Success.";
    }

}
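
The prepared-statement and error-checking advice above, combined into one drop.php handler, as an added example that is not part of the original answer. It assumes the question's database "bill", table "submit" and user "mod"; the 255-byte limit is a hypothetical value.

```php
<?php
// Added example: handler for the question's form (drop.php).
// Names from the question: DB "bill", table "submit", column "submission", field "text".
// Assumption: MAX_BYTES is a hypothetical cap; match it to the size of your column.

ini_set('display_errors', '0'); // production: never show errors to visitors
ini_set('log_errors', '1');     // write them to the server log instead
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws on failure

const MAX_BYTES = 255;

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed.');
}

// Reject missing, non-string (e.g. text[]=x), empty or oversized input.
$text = $_POST['text'] ?? null;
if (!is_string($text) || trim($text) === '' || strlen($text) > MAX_BYTES) {
    http_response_code(400);
    exit('Please enter a phrase of 1 to ' . MAX_BYTES . ' bytes.');
}

try {
    $connect = new mysqli('localhost', 'mod', '', 'bill');
    $connect->set_charset('utf8mb4');

    // The value is sent separately from the SQL text, so quotes in it
    // cannot change the structure of the query.
    $stmt = $connect->prepare('INSERT INTO submit (submission) VALUES (?)');
    $stmt->bind_param('s', $text);
    $stmt->execute();

    // Encode on output: the phrase is untrusted when it is shown in HTML.
    echo 'Saved: ' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // Details go to the log; the visitor only sees a generic message.
    error_log('drop.php insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, your billboard could not be saved.';
}
```
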

1

You can try the isset() function to insert the input into your database.

// assumes $connect is the mysqli connection opened in the question's code
if (isset($_POST['singlebutton']))
{
    $text = $_POST['text'];

    // the ? placeholder keeps the submitted text out of the SQL string
    $query = $connect->prepare("INSERT INTO submit(submission) VALUES (?)");
    $query->bind_param("s", $text);

    if ($query->execute())
    {
        echo "<center><strong>Text added! </strong></center>"; // display when text is added
    }
    else
    {
        echo "Error in adding text!"; // display when there is error
    }
}

5 Comments

Noble, but this will fail for 2 reasons. 1) incorrect connection variable. 2) check the query for something "too much".
Ahh did not see the connection variable haha. May I ask what do you mean by something "too much"? Just a few months old in learning Web programming!
Look at this one, very carefully "INSERT INTO submit(submission,) ;-)
Oh.. Got it! That was careless of me.
Ahhh good show ;-) well, the OP now has a choice. Personally though, I like to point out where errors were made, like many others. It just helps the person to know where they made the errors and to be more careful next time they code. I've upvoted yours for the prepared statement method.
