submitting form data to sql database in.php - php

i am trying to submit a query to my SQL server with a student ID as the tag and also the file names uploaded.
php part:
if(isset($_POST['submit']))
{
$card=$_POST['card'];
$SQL = "INSERT INTO cny2018 (cardnumber, timestamp, photo1) VALUES ('$card', '4-6 Days', '£75.00')";
$result = mysql_query($SQL);
html part
<div class="form-group row">
<label for="example-search-input" class="col-2 col-form-label">ID:</label>
<div class="col-10">
<form>
<input type="text" name="card"/>
</form>
</div></div>
<br><br>
Upload Photos (a maximum of 6 photos)<br>
<input id="file-input" type="file" multiple>
<div id="preview"></div>
<br><br><br>
<form method="post">
<input class="btn btn-primary" type="submit" name="submit" value="Submit">
</form>


In HTML part, you didn't mention action attribute for the form, also you are uploading images but you didn't write enctype="multipart/form-data" and you didn't provide name attribute for the file-upload element. In PHP part, if you want to store the name of the uploaded image, you need to store the name to a variable. Then you need to add the variable to the SQL query.
For example,
$card=$_POST['card'];
$orig_filename=$_FILES['your_image_name']['name'];
$SQL = "INSERT INTO cny2018 (cardnumber, timestamp, photo1) VALUES ('$card', '4-6 Days', '$orig_filename')";
$result = mysql_query($SQL);
And lastly, I would like to advice that you should not use mysql_query() function as it is deprecated, instead use mysqli_query or PDO.
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php

Related

How to insert values from editor to database

I am new to PHP development. I am trying to insert values in database
Using HTML form I had used PHP editor in form but I do not know how to insert
values from editor to database.
Here is the field there is no name attribute so how to insert value in
database without the name attribute.
<div class="form-group">
<label for="pwd">
<span class="glyphicon glyphicon-pencil"></span> Question:
</label>
<?php
echo $rte->GetString();
?>
</div>

Assuming you're using MySQL for your database solution:
You will need an input field for this to work.
HTML:
<div class="form-group">
<form method="post" action="yourphpfile.php">
<span class="glyphicon glyphicon-pencil"></span> Question:
</label>
<input type="text" id="question" name="question">
<input type="submit" value="submit">
</form>
</div>
PHP:
$question = $_POST['question'];
$query = "INSERT INTO database (question) VALUES ($question);";
if(mysqli_query($conn, $query)){
//success
}
This is simply how I do my form actions. Some users like to use the isset() function on the same page, but I think making separate pages for actions is a bit more of an organized approach.

Method POST not working with datetime-local fields

I am trying to get two datetime-local fields from a HTML form and insert them in a SQL database and they're not getting inserted.
user-stardate and user-enddate are the datetime-local fields, and I cannot get neither user-totalhours which is the difference between enddate - startdate.
<form role="form" action="sendFdata.php" method="POST">
<div class="row">
<input type="text" name="username">
<input type="text" name="user-role">
</div>
<div class="row">
<input type="text" name="user-pm">
<select name="user-project">
<option>Text1</option>
<option>Text2</option>
<option>Text3</option>
</select>
</div>
<div class="row">
<input type="text" name="user-agroup">
<input type="text" name="user-task">
</div>
<div class="row">
<input type="datetime-local" name="user-startdate">
<input id="end-time" type="datetime-local" name="user-enddate">
<input type="text" name="user-totalhours" placeholder="Total Hours">
</div>
<div class="rule"></div>
<div class="form-footer">
<button type="submit" name="button-submit">Submit</button>
<button type="button">Reset</button>
</div>
</form>
PHP:
<?php
$link = mysqli_connect("localhost","admin","") or die("failed to connect to
server !!");
mysqli_select_db($link,"test");
$username=$_POST['username'];
$userRole=$_POST['user-role'];
$userPM=$_POST['user-pm'];
$userProject=$_POST['user-project'];
$useraGroup=$_POST['user-agroup'];
$userTask=$_POST['user-task'];
$userStartDate=$POST['user-startdate'];
$userEndDate=$POST['user-enddate'];
$userTotalHours=$POST['user-totalhours'];
$insqDbtb="INSERT INTO `test`.`persons`
(`UserName`, `Role`, `PM`, `Product`, `ActivityGroup`, `Task`, `StartDate`,
`EndDate`, `TotalHours`) VALUES ('$username', '$userRole', '$userPM',
'$userProject', '$useraGroup', '$userTask', '$userStartDate', '$userEndDate',
'$userTotalHours')";
mysqli_query($link,$insqDbtb) or die(mysqli_error($link));
?>

You have $POST['user-startdate'], where it should be $_POST['user-startdate'].
But aside from that, you should definitly use prepared statements to make sql queries. How can I prevent SQL injection in PHP?

First datetime-local is not a correct HTML attribute for type, you should use date or time.
see it there : https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input
Then your mysql statements are a security risk since you are not using prepared statement. You should look into it.
Finally, you should debug de the request before sending it to your database.

The attribute for the elements type "datetime-local" does not create data to be read and inputed. Especially if viewed with Firefox or IE12 (and earlier). It is an input the user on the page must enter a date and time into.
Assuming you are utilizing the input correctly. What data type is your column in your database? It must be able to handle '0000-00-00 00:00:00' as that is the restricted input that must be stored.

sql submission shows different texts not what i actually submitted i'm trying to submit on DHIVEHI language

Hi guys please help me here i'm to submit my posts on DHIVEHI language but sql database shows it something like this (???????&%$) what to do???? here is code some parts are written in DHIVEHI and class MVDIV is dhivehi language style class. plx help me guys?
FORM PAGE
<form enctype="multipart/form-data" action="post.php" method="post">
<label class="mvdiv" for="type">ވައްތަރު </label>
<input type="text" id="type" name="type" dir="rtl" class="thaanaKeyboardInput mvdiv form-control" >
</div>
<button name="submit" type="submit data" value="data" class="btn btn-default mvdiv">ފޮނުއްވާ</button>
</form>
POST.php page
if (isset($_POST["type"])) {
$name = crypt($_POST["type"]);
$sql = mysql_query("INSERT INTO story_type (name)
VALUES('$name')") or die (mysql_error());
echo "$name";
}

Form Action Process.php file not echoing results from mySQL DB

Currently, I have an index.php file with a form and a text input from the user as well as a submit button. When the submit button is pressed, the process.php file is supposed to get the data and echo it out. However, it just sends me to a blank page and does not echo anything out. I am well aware that I would need to style it the page, etc... But it just isn't echoing out at all. I am already connected to the mySQL DB with another php script and have tested that and it works fine so I know I am connected. What am i doing wrong?
index.php
<form action="process.php" form method="post" id="myForm">
<div class="col-xs-12 col-md-6">
<div class="input-group">
<span class="input-group-addon">
<input aria-label="..." type="checkbox" id="checkbox1">
</span>
<input aria-label="..." class="form-control" type="text" id="food1">
</div>
</div>
<input type="submit" value="Submit">
</form>
process.php
<?php
//Check whether the form has been submitted
if($_POST['submit'] == "Submit")
{
$varFood1 = $_POST['food1'];
$sql = "SELECT menu.dish FROM menu WHERE menu.description LIKE '%varFood1%'"; // sql query
$result = mysql_query($sql);
// Loop the recordset $result
// Each row will be made into an array ($row) using mysql_fetch_array
while($row = mysql_fetch_array($result)) {
echo "Items : {$row['dish']}\n";
}
}
?>

Use name attribute not id. <input aria-label="..." class="form-control" type="text" id="food1"> Try printting out the POST in the future.
<input aria-label="..." class="form-control" type="text" id="food1" name="food1">
Additional changes...
$varFood1 = mysql_real_escape_string($_POST['food1']);
$sql = "SELECT menu.dish FROM menu WHERE menu.description LIKE '%$varFood1%'";
without escaping you open yourself to injections. You should consider switching driver to mysqli or PDO as well.

The problem is that you are checking for $_POST['submit'], which the process.php file does not see, because it does not exist in the POST array. Solution: give your submit button a name, instead of this:
<input type="submit" value="Submit">,
which is what you have, do this:
<input type="submit" name="submit" value="Submit">

Updating user table in database

I've created a members area where a user can update their bio. The problem is that the information the user submits isn't updating the rows in the database.
Member's Area
<body bgcolor="#E6E6FA">
<button>Log Out</button><br><br>
<input type="text" name="age"placeholder="Enter a your age."><br>
<input type="text" name="bio"placeholder="Enter your bio.">
<input type="submit" name="submit" value="Submit your details!">
PHP
<?php
if(isset($_POST['submit'])){
$con=mysql_connect("localhost","root","****","****");
// Check connection
if (mysql_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$age = mysql_real_escape_string($_POST['age']);
$bio = mysql_real_escape_string($_POST['bio']);
$name = mysql_real_escape_string($_SESSION['username']);
mysql_query($con,"UPDATE accs SET age='.$age.' WHERE name='.$name.'");
mysql_query($con,"UPDATE accs SET bio='.$bio.' WHERE name='.$name.'");
mysql_close($con);
};
?>
</body></html>
Any Ideas as to what is wrong here?

in your HTML page, the form should be inside the <form></form> tags
<form method="post" action="update.php">
<input type="text" name="age" placeholder="Enter a your age.">
<br>
<input type="text" name="bio" placeholder="Enter your bio.">
<input type="submit" name="submit" value="Submit your details!">
</form>
In your PHP page - to check the results, you can temporarily echo $age; echo $bio;
As you are using $_SESSION['username']; I think you are missing session_start(); to the top of your PHP code.
Also mysql_query only needs the SQL command, and not the connection ($con), that is mysqli, which is strongly advised to use instead of mysql_*.
As a side note, don't rely on user names in your database as the update criteria. If not already introduced, you can add an ID column to your table

a) create a proper submit form. use form tags around your form fields.
b) check, that the form is correctly submitted, by checking the $_POST array.
var_dump($_POST);
c) check, that you have values for the fields that you want to insert.
do a var_dump() before mysql_query(), to see what's going on.
var_dump($age, $bio, $name);
d) combine your two query calls into one:
mysql_query($con, "UPDATE accs SET age='.$age.', bio='.$bio.' WHERE name='.$name.'");

If you want to use the page it self to process your request, then empty the action property of your form. For example :
<form method="post" action="">
<input type="text" name="age"placeholder="Enter a your age."><br>
<input type="text" name="bio"placeholder="Enter your bio.">
<input type="submit" name="submit" value="Submit your details!">
</form>

Categories