0

HTML

            <form action="inc/q/prof.php?pID=<?php echo $the_pID; ?>" method="post">            
            <select id="courseInfoDD" name="courseInfoDD" tabindex="1"><?php while($row3 = $sth3->fetch(PDO::FETCH_ASSOC)) {
                  echo "<option>".$row3['prefix']." ".$row3['code']."</option>"; }echo "</select>"; ?>
            <input type="text" id="addComment" name="addComment" tabindex="3" value="Enter comment" />
        <input type="hidden" name="pID" value="<?php echo $the_pID; ?>">
        <input type="submit" name="submit" id="submit" />
        </form>

PHP 

$connect = mysql_connect("##", $username, $password) or die ("Error , check your server connection.");
mysql_select_db("###");

//Get data in local variable
if(!empty($_POST['courseInfoDD']))
    $course_info=mysql_real_escape_string($_POST['courseInfoDD']);
if(!empty($_POST['addComment']))
    $course_info=mysql_real_escape_string($_POST['addComment']);
if(!empty($_POST['pID']))
    $the_pID=mysql_real_escape_string($_POST['pID']);

print_r($_POST);
echo $the_pID;

// check for null values
if (isset($_POST['submit'])) {
$query="INSERT INTO Comment (info, pID, cID) values('$the_comment','$the_pID','$course_info')";
mysql_query($query)  or die(mysql_error());
echo "Your message has been received";
}
else if(!isset($_POST['submit'])){echo "No blank entries";}
else{echo "Error!";}

?> ?>

Table

commId    int(11)
info      text
date      timestamp
reported  char(1)
degree    char(1)
pID       int(11)
cID       int(11)

It gives me "Error!" now, I try the db credentials and they are fine... ?? And the r_post() is still giving an error of Array()

Why isn't Array() accepting values? Anyone???

Improve this question
2
  • You should check if the $_POST variables are actually set before checking their value. Commented May 1, 2011 at 21:44
  • I don't think it's a problem with the SQL, at least not so far. The error being returned is his own default message for when the inputs aren't set? Commented May 1, 2011 at 21:44

6 Answers 6

Reset to default
3

Like @user551841 said, you will want to limit your possibility of sql injection with his code. You are seeing that error because you're code told it to echo that error if nothing was entered, which is the case upon first page load. You shouldn't need that until submit is done.

Edit: Sorry, I was assuming you are directly entering the page which needs the $_POST data without going through the form submit.

You also should do something along the lines of if(!isset($variable)) before trying to assign it to something less your server will spit out error of undefined variables.

if(!empty($_POST['courseInfoDD']))
    $course_info=mysql_real_escape_string($_POST['courseInfoDD']);

do that to all of them.

Then you can check

if (!isset($user_submitted) && !isset($the_comment) && !isset($course_info) && !isset($the_pID) ){
echo "All fields must be entered, hit back button and re-enter information";
}
else{
$query="INSERT INTO Comment (info, pID, cID) values('$the_comment','$the_pID','$course_info')";
mysql_query($query)  or die(mysql_error());
echo "Your message has been received";
}
Improve this answer
Sign up to request clarification or add additional context in comments.

42 Comments

How do I implement an on-submit type function into my script? Can you please show me?
give your submit button a name and check for that to be submitted is one simple way ;). If you go directly to that page, there will be nothing and no error to show, if you click the submit, then the submit button value will follow.
Oh you already have one, you shouldn't really use the "or" but the double pipe (||). But I am betting that you should use && (and) rather than the "or" for your logic
Please see updated code... still giving that error.. despite removing that if empty condition
Please see updated, this still gives that un-desired error as stated above
|
0

Check that the hidden field "pID" has a value set from value=<?php echo $the_pID; ?>

Improve this answer

2 Comments

I actually ran his code and it failed but now checking back it was a mistype on my part. Removing it now
This error about no pID specified comes from onsubmission the pID is lost in the url, see the post above.
0

Make sure that your data is valid before checking it.

For instance do 

print_r($_POST);

and check if the keys and their data match up.

Also, as a side note, NEVER do what you're doing with :

$query="INSERT INTO Comment (info, pID, cID) values('$the_comment','$the_pID','$course_info')";

This is how mysql injection happens, either use prepared statements or

$course_info= mysql_real_escape_string($_POST['courseInfoDD']);
Improve this answer

4 Comments

Where do I put print_R($POST) ?
If I do thiss after defining the (3) variables it outputs: " Array ( )"
anywhere in the PHP (preferably before the if statement..)
Does Array() mean its empty??
0

To answer to your question what is wrong here
you've got a huge gaping SQL-injection hole!!

Change this code

//Get data in local variable
$course_info=$_POST['courseInfoDD'];
$the_comment=$_POST['addComment'];
$the_pID=$_POST['pID'];

To this

//Get data in local variable
$course_info = mysql_real_escape_string($_POST['courseInfoDD']);
$the_comment = mysql_real_escape_string($_POST['addComment']);
$the_pID = mysql_real_escape_string($_POST['pID']);

See: How does the SQL injection from the "Bobby Tables" XKCD comic work?

For more info on SQL-injection.

Improve this answer

4 Comments

I'm happy to see that. Did you know about this issue before?
I did know about it, but ive had so much trouble with this before just trying to get a lame comment into a db, that i would add that after this. Can you help with the above updated code? Its still giving me that error onload.
@user, sorry don't see it now, but it's late here. BTW if you post SQL-injectable code on SO, you will only get comments on that. If you want sensible answers do not post SQL-injectable code, people are allergic to that and will find it hard to look past it.
Johan - everyone else seems to be trying to help, but i will try to remember that.
0

i would change this line

if (isset($_POST['submit'])) {

to 

if ($_POST) {

the sumbit button field will not always be posted, for example if you press return on keyboard instead of clicking on the submit button with the mouse.

Improve this answer

Comments

0

Cleaner:

$submit = isset($_POST['submit']) ? true : false;
$comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
if ($submit && $comment) {
  $query = 'INSERT INTO comments (comment) values("' . mysql_real_escape_string($comment) . '")';
  //...
}

As you can see I place the escaping inside the query. And this is a good idea because sometimes you loose track of the complete code and this won't happen inside a query.

Improve this answer

1 Comment

What would I need to get rid of in order to usee this?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.