I am trying to send data from form but its sending the name in stead of value of the input box. File is uploading properly and the input box name is uploading too but I need to put the values.
<form action="intern.php" enctype="multipart/form-data" method="post" autocomplete="off">
<h3 class="register-heading">Want to be a <strong>learner Bee</strong>?</h3>
<div class="row register-form">
<div class="col-md-6">
<div class="form-group">
<input type="text" class="form-control" name="iname" placeholder="Your Certificates name" value="" required />
</div>
<div class="form-group">
<input type="text" class="form-control" maxlength="14" minlength="10" name="icon" placeholder="Your 24/7 opened Phone Number" value="" required />
</div>
<div class="form-group">
<input type="text" class="form-control" name="ildegree" placeholder="University you are graduating from" value="" required />
</div>
<div class="form-group">
<textarea type="text" class="form-control" name="iaboutus" placeholder="What you know about us!" value="" required ></textarea>
</div>
<div class="form-group">
<textarea type="text" class="form-control" name="iaddress" placeholder="Your present address " value="" required ></textarea>
</div>
<div class="form-group" >
<label class="form-control" for="iapply"><input name="icvfile" style=" border: 0; clip: rect(1px, 1px, 1px, 1px); height: 1px; margin: -1px; overflow: hidden; padding: 0; position: absolute; width: 1px;" type="file" name="" id="iapply" accept=".doc, .docx, .pdf, .png, .jpg, . ppt, .pptx" required>Click here to upload your CV</label>
</div>
</div>
<div class="col-md-6">
<div class="form-group">
<input class="form-control" name="inname" placeholder="Nick Name you like to called by" value="" required />
</div>
<div class="form-group">
<input type="email" name="iemail" class="form-control" placeholder="Your own mostly used Electronic mail" value="" required />
</div>
<div class="form-group">
<select class="form-control" name="icontrib" required>
<option class="hidden" selected disabled>How you can contribute us?</option>
<option>Graphic Design</option>
<option>Sales</option>
<option>Creative Idea Generation</option>
</select>
</div>
<div class="form-group">
<textarea type="text" class="form-control" name="ixp" placeholder="Your past working experience in short" value="" required ></textarea>
</div>
<div class="form-group">
<textarea type="text" class="form-control" name="ifgoal" placeholder="Where you want to see yourself after 10 years!" value="" required ></textarea>
</div>
<input type="submit" class="btnRegister" name="isubmit" value="Submit"/>
</div>
</div>
</form>
Upper one is the form that I need to filled. Just stuck somewhere, cannot find out.
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
header("Location: https://teambbc.asia/error.html");
}
$sql = "INSERT INTO Intern (Name, Contact, University, AboutUs, Address, NickName, Email, Contribution, Experience, FutureGoal) VALUES ('iname', 'icon', 'ildegree', 'iaboutus', 'iaddress', 'inname', 'iemail', 'icontrib', 'ixp', 'ifgoal')";
//Filename upload
$user=$_POST['inname'];
$cont=$_POST['icon'];
//$filename=basename($_FILES["file"]["name"]);
$tmp=$_FILES["icvfile"]["tmp_name"];
$extension = explode("/", $_FILES["icvfile"]["type"]);
$name=$user.".".$extension[1];
move_uploaded_file($tmp, "recruitment_cv/" . $user. "-" .$cont .".".$extension[1]);
if (mysqli_query($conn, $sql)) {
header("Location: https://teambbc.asia/congratulations.html");
} else {
echo "Error: " . $sql . "" . mysqli_error($conn);
header("Location: https://teambbc.asia/error.html");
}
$conn->close();
}
My connnection with database is okey, I am not thinking about that one.
Your Problem:
You are inserting Strings [ref] rather than Variables [ref] in to your SQL.
See:
$sql = "INSERT INTO Intern (Name, Contact, University, .... )
VALUES ('iname', 'icon', 'ildegree', .... )";
The values in 'quotes' are MySQL string literals. These values are NOT PHP variables. So they will be the same, no matter what variable data you give to PHP.
Solution Basics:
To fix this, you need to understand that when you submit a form the superglobals $_POST/$_GET and $_REQUEST are populated with the form data.
Example:
HTML:
<form action="intern.php" enctype="multipart/form-data" method="post" autocomplete="off">
<input type="text" class="form-control" name="iname" placeholder="Your Certificates name" value="" required />
<input type='submit' value='Button to submit the form'>
</form>
PHP:
if(!empty($_POST['iname'])){
print_r($_POST['iname']); // This will output the value entered into the form for the iname form element.
}
So Applying This To Your SQL:
You need to at a very basic level turn your strings into variables:
$sql = "INSERT INTO Intern (Name, Contact, University, .... )
VALUES ('".$_POST['iname']."', '".$_POST['icon']."', '".$_POST['ildegree']."', .... )";
BUT:
THIS IS DEEPLY INSECURE.
YOU MUST NEVER, EVER TRUST USER SUBMITTED DATA. EVER.
Reference and Reference
So how should you save this data safely, to your SQL table?
By using Prepared Statements; either PDO or MySQLi.
My example here will use Object Orientated MySQLi Prepared Statements:
$sql = "INSERT INTO Intern (Name, Contact, University) VALUES (?,?,?)";
$insert = $conn->prepare($sql);
/***
* See https://www.php.net/manual/en/mysqli-stmt.bind-param.php
* You can add multiple values at once:
***/
$insert->bind_param("sss", $_POST['iname'],$_POST['icon'],$_POST['ildegree']);
$insert->execute();
This will insert the data (example only three bits of data but you should get the idea), safely and easily into your database.
There is a lot I have missed out for simplicity and verboseness, so you should read up on how to use PDO/MySQLi proficiently.
NOTES:
One ? in the SQL string for each placeholder.
One value letter in the bind_param for each placeholder value. The value, and the corresponding value letter (i,s,d,b) MUST match the SQL column type (you can't insert string-type (s) values into integer-type columns (INT, TINYINT, etc.).
In MySQLi order is important, the first ? will relate to the first bind_param value (in the example codeblock above, $_POST['iname']).
Qualifier:
Some of your MySQL PHP code uses procedural interactions, and functions - and some of your MySQL PHP code uses Object Orientated interactions and functions. These CAN NOT BE MIXED and will result in errors and inconsistencies for you.
ALWAYS USE OBJECT ORIENTATED PHP/MYSQL INTERACTIONS Reference and Reference
Objct orientated interactions use the -> syntax.
You have:
if ($conn->connect_error) {
error_log("Connection failed: " . $conn->connect_error);
header("Location: https://teambbc.asia/error.html");
}
This is Object Orientated. This is best.
But:
mysqli_query($conn, $sql);
This is Procedural. This is not best. The OO version of this line would be $var = $conn->query($sql).
Bonus advice:
Do not use die to output error messages to the screen, error messages should always be output to the error log file.
When using header("Location: ... "); you must always put die() or exit afterwards:
Example:
if ($conn->connect_error) {
error_log("Connection failed: " . $conn->connect_error);
header("Location: https://teambbc.asia/error.html");
exit;
}
Good luck!
You should assign data to variables firstly. After that, you can insert to db.
function make_secured($x)
{
$variable = strip_tags(mysql_real_escape_string(trim($x)));
return $x;
}
$_POST = make_secured($_POST);
$name = $_POST['iname'];
$contact = $_POST['icon'];
$sql = "INSERT INTO Intern (Name, Contact) VALUES ('$name', '$contact')";
make_secured() function does checking all sql injection attacks in the POST.
Related
I am trying to get two datetime-local fields from a HTML form and insert them in a SQL database and they're not getting inserted.
user-stardate and user-enddate are the datetime-local fields, and I cannot get neither user-totalhours which is the difference between enddate - startdate.
<form role="form" action="sendFdata.php" method="POST">
<div class="row">
<input type="text" name="username">
<input type="text" name="user-role">
</div>
<div class="row">
<input type="text" name="user-pm">
<select name="user-project">
<option>Text1</option>
<option>Text2</option>
<option>Text3</option>
</select>
</div>
<div class="row">
<input type="text" name="user-agroup">
<input type="text" name="user-task">
</div>
<div class="row">
<input type="datetime-local" name="user-startdate">
<input id="end-time" type="datetime-local" name="user-enddate">
<input type="text" name="user-totalhours" placeholder="Total Hours">
</div>
<div class="rule"></div>
<div class="form-footer">
<button type="submit" name="button-submit">Submit</button>
<button type="button">Reset</button>
</div>
</form>
PHP:
<?php
$link = mysqli_connect("localhost","admin","") or die("failed to connect to
server !!");
mysqli_select_db($link,"test");
$username=$_POST['username'];
$userRole=$_POST['user-role'];
$userPM=$_POST['user-pm'];
$userProject=$_POST['user-project'];
$useraGroup=$_POST['user-agroup'];
$userTask=$_POST['user-task'];
$userStartDate=$POST['user-startdate'];
$userEndDate=$POST['user-enddate'];
$userTotalHours=$POST['user-totalhours'];
$insqDbtb="INSERT INTO `test`.`persons`
(`UserName`, `Role`, `PM`, `Product`, `ActivityGroup`, `Task`, `StartDate`,
`EndDate`, `TotalHours`) VALUES ('$username', '$userRole', '$userPM',
'$userProject', '$useraGroup', '$userTask', '$userStartDate', '$userEndDate',
'$userTotalHours')";
mysqli_query($link,$insqDbtb) or die(mysqli_error($link));
?>
You have $POST['user-startdate'], where it should be $_POST['user-startdate'].
But aside from that, you should definitly use prepared statements to make sql queries. How can I prevent SQL injection in PHP?
First datetime-local is not a correct HTML attribute for type, you should use date or time.
see it there : https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input
Then your mysql statements are a security risk since you are not using prepared statement. You should look into it.
Finally, you should debug de the request before sending it to your database.
The attribute for the elements type "datetime-local" does not create data to be read and inputed. Especially if viewed with Firefox or IE12 (and earlier). It is an input the user on the page must enter a date and time into.
Assuming you are utilizing the input correctly. What data type is your column in your database? It must be able to handle '0000-00-00 00:00:00' as that is the restricted input that must be stored.
I have HTML registration form when I submit the form the PHP code appears and data not insert to database i made my database using phpMyAdmin, what should I do?
Here my PHP code:
<?php
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
if ($con) {
echo "good";
}else {
die('error');
}
if(isset($_POST['submit'])){
$Fname = mysqli_real_escape_string($con,$_POST["Fname"]);
$Lname = mysqli_real_escape_string($con,$_POST["Lname"]);
$email = mysqli_real_escape_string($con,$_POST['email']);
$password = mysqli_real_escape_string($con,$_POST['password']);
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher` (Re_fname,Re_lname,Re_mobile,Re_password) values ('$Fname','$Lname','$email','$password ')");
if (mysqli_query($sql)){
echo "insert";
} else {
echo "error" .$sql ."<br>". mysqli_error($con);
}
}
?>
here my registration HTML code
<form method="post" action="connect.php">
<legend class="center">Register </legend>
<br>
<div>
<input type="text" name="Fname" placeholder="First Name"/>
</div>
<div>
<input type="text" name="Lname" placeholder="Last Name"/>
</div>
<div>
<input type="text" name="email" placeholder="Email"/>
</div>
<div>
<input type="password" name="password" placeholder="Password"/>
</div>
<div>
<input type="password" name="con_password" placeholder="Password confirm"/>
</div>
<input type="submit" name="submit" value="submit"/>
</form>
Look at the following:
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher`
^^^^^^^^^^^^ function
(Re_fname,Re_lname,Re_mobile,Re_password)
values ('$Fname','$Lname','$email','$password ')");
^ space
if (mysqli_query($sql)){
^^^^^^^^^^^^ function
You're using that mysqli_query() function twice, remove one and just do:
if ($sql){...}
and mysqli_error($con) should have thrown you an error about it.
If it didn't throw an error, then that may suggest you're using this as file:/// as opposed to http://localhost.
Edit:
"i have html registration form whin i submit the form the php code apears"
That's because of what I wrote above before quoting you. You need to run this off a webserver with php/mysql installed and running properly and as http://localhost.
Also, remove the space in this '$password '. That space counts as a character.
Double-check your column names also. There seems to be something that doesn't match (Re_fname,Re_lname,Re_mobile,Re_password) the Re_mobile and you're referencing an email '$email' in VALUES.
You also seem to store plain text passwords; don't, it's not safe if you intend on going live with this. Use password_hash() and a prepared statement.
Footnotes:
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
You can shorten that to using all 4 arguments in mysqli_connect():
$con=mysqli_connect('localhost','root', '', 'research_sys');
I need to automatically set the ID column of a row in the database and I would like some help in figuring out how to do that, because at the moment I have to assign an ID through an input field.
PHP
<?php
//include db configuration file
include 'connection.php';
function user_joined($user_id, $user_name, $user_age, $user_end){
$user_id = mysql_real_escape_string(htmlentities($user_id));
$q = "INSERT INTO evenement (id, title, start, end) VALUES
('" . $user_id . "', '" . $user_name . "', '" . $user_age . "', '" . $user_end . "')";
mysql_query($q);
echo $user_id;
}
if(isset($_POST['user_id'], $_POST['user_name'], $_POST['user_age'], $_POST['user_end'], $_POST['action'])){
$user_id = $_POST['user_id'];
$user_name = $_POST['user_name'];
$user_age = $_POST['user_age'];
$user_end = $_POST['user_end'];
$action = $_POST['action'];
if ($action == 'joined'){
user_joined($user_id, $user_name, $user_age, $user_end);
}
}
?>
HTML form
<form class="form-inline">
<div id="d1" title="Maak afspraak aan" style="display: none">
<div class="control-group">
<label class="control-label">Gebruikers id:</label>
<div class="controls">
<input type="text" name="userid" placeholder="Gebruikers ID" id="id" />
</div>
</div>
<div class="control-group">
<label class="control-label">Title:</label>
<div class="controls">
<input type="text" name="username" placeholder="Titel" id="name" />
</div>
</div>
<div class="control-group">
<label class="control-label">Starttijd:</label>
<div class="controls">
<input type="text" name="userstart" placeholder="Starttijd" id="start" />
</div>
</div>
<div class="control-group">
<label class="control-label">Eindtijd:</label>
<div class="controls">
<input type="text" name="userend" placeholder="Eindtijd" id="end" />
</div>
</div>
</div>
</div>
</form>
Use the AUTO_INCREMENT attribute in combination with PRIMARY KEY to set the ID automatically. You can return this ID with SCOPE_IDENTITY(), or if you'd switch to a better PHP SQL option, you could use PDO::lastInsertID to get the latest ID.
I would also like to warn you that you have a pretty serious SQL injection problem, which you could fix by using prepared statements and perhaps an extra preg_replace to strip all unwanted characters from the query and table in general. You should totally go and learn a little bit more about preventing SQL injections. There are great topics here that are dedicated to the subject and I made a list of these articles to you:
stackoverflow.com - How can I prevent SQL injection in PHP
php.net - SQL Injection
I would also like to refer you to switch over to MySQLi or PHP PDO, because you are currently using the deprecated MySQL database extension.
I am trying to generate a script to insert comments on a blog to 'comments' table in MySsl database
<form action="insertcomment.php" method="post">
<p class ="ctitle">Leave a Comment:</p>
<p>
<label for="name"><b>PostID:</b></label>
<input type="text" id="postid" name="name" maxlength="4" /> <br/>
<label for="name"><b>Name:</b></label>
<input type="text" id="name" name="name" maxlength="25" /> <br/>
<label for="email"><b>Email:</b></label>
<input type="text" id="email" name="email" maxlength="50" /> <br/>
<label for="website"><b>Website:</b></label>
<input type="text" id="website" name="website" maxlength="25" /> <br/>
<label for="content"><b>Comment:</b></label>
<textarea id="content" name="content" cols="10" rows="4" maxlength="800"></textarea> <br/>
<input type="submit" value="Submit Comment" name="submit_comment" /> <br/>
</p>
</form>
and my PHP script is as follows:
<?php
include("dbconnect.php");
$con=new dbconnect();
$con->connect();
error_reporting(E_ALL);
if(isset($_POST['submit'])) {
$sSql = "INSERT INTO comments
( post_id,name, email, website,content)
VALUES ('$_POST[postid]','$_POST[name]', '$_POST[email]', '$_POST[website]', '$_POST[content]')";
mysql_query($sSql);
echo '<h2> Your Comment is submitted</h2><br />';
}
?>
But I was not able to insert my comment into database. my 'comments' table has comment_id,post_id,name,email,website,content,date_published fields. comment_id is the primary key. It has the option auto_increment. and date_published by default gives current time stamp. I was not able to figure out what my error is. Any thoughts would be appreciated.
Thank You!
You should use mysqli or PDO, but if you need to use the about-to-be depreciated mysql plugin:
<?php
include("dbconnect.php");
$con=new dbconnect();
$con->connect();
error_reporting(E_ALL);
if(isset($_POST['submit'])) {
foreach ($_POST as $key => $value) {
$$key = mysql_real_escape_string($value); // You should always sanitize user inputs.
}
$sSql = "INSERT INTO comments
( post_id,name, email, website,content)
VALUES ($postid,'$name', '$email', '$website', '$content')"; // No quotes around $postid because I'm assuming post_id column is an int type.
mysql_query($sSql);
echo '<h2> Your Comment is submitted</h2><br />';
}
?>
Notice the single quotes have been removed from $postid. This is because if table post_id is an int type, then you should not have quotes around the integer value.
Also, notice I've used the mysql_real_escape_string() function to clean your inputs. You should never ever quote direct user-inputted variables into SQL. It's very dangerous as users can use SQL injection attacks to gain access to your DB where they shouldn't or even possibly drop tables.
Still, I recommend converting to mysqli or PDO if at all possible, because the mysql plugin is about to be depreciated.
I was wondering what the syntax was in PHP to update a row in a PostgreSQL database. I have made a login page that checks a UserName and Password from a database, then it goes to a page where it displays all the user info from the database for that user name. I am trying to allow the user to change some of the columns, like password, name, etc. So I added another page that has fields for each of the columns I want to change.
This is the code I have for the query:
if(array_key_exists('save',$_POST))
{
$firstname=$_POST['ifirstname'];
$lastname=$_POST['ilastname'];
$email=$_POST['iemail'];
$password=$_POST['ipassword'];
$conn_string='host=#### port=#### dbname=###### user=####### password=######';
$dbconn=pg_connect($conn_string) or die('Connection failed');
$query="UPDATE project.customer SET FirstName='$firstname',
LastName='$lastname',Email='$email',Password='$password')
WHERE UserName=$1";
$result=pg_query($dbconn,$query);
$row_count= pg_num_rows($result);
pg_free_result($result);
pg_close($dbconn);
}
This is for the fields:
<div id="header">UPDATE USER INFO</div>
<form id="testform" name="testform" method="post" action="" >
<p> <label for="ifirstname">First Name:</label>
<input name="ifirstname" type="text" id="ifirstname"/>
</p>
<p> <label for="ilastname">Last Name:</label>
<input name="ilastname" type="text" id="ilastname"/>
</p>
<p> <label for="iemail">E-Mail:</label>
<input name="iemail" type="text" id="iemail"/>
</p>
<p>
<label for="ipassword">Password:</label>
<input name="ipassword" type="password" id="ipassword"/>
</p>
<p>
<label for="iconfpass">Confirm Password:</label>
<input name="iconfpass" type="password" id="iconfpass"/>
</p>
<p>
<input type="submit" name="save" value="Register"/>
</p>
</form>
I think it must be like this. Also make user to write old password when changing data for security reason. Also dont forget to filter your data before using in query to avoid sql injection attacks
$query="UPDATE project.customer
SET (FirstName,LastName,Email,Password) =
('$firstname','$lastname','$email','$password')
WHERE UserName= '$1' and Password = '$oldpassword'";
Why not just use standard SQL syntax?
Update project.customer Set
"FirstName" = '$firstname',
...
Where ...
The main difference in Postgres is that you usually quote the column names.