Hey guys this is my first PHP project so I'm a rookie and I'm developing a forum website but I need to develop comment system here so I'm using the following code to accept the values from my HTML form which then assigns these values to two PHP variables and they call a function which I have stored in a different PHP file.
Now the problem is that these values are being submitted automatically whenever I refresh my webpage so my database is getting filled up with the same values that I assigned to those variables so I need your help in sorting this out.
<html>
<head>
<?php include 'menu.php'?>
<?php include 'include/core.php'?>
<?php
if($_SERVER['REQUEST_METHOD']=="POST")
{
$nme = trim($_POST['name']);
$cmnt = trim($_POST['comments']);
if(!empty($nme) && !empty($cmnt))
{
create_commentsystem($nme,$cmnt);
unset($nme);
unset($cmnt);
}
else
{
echo "Please enter the complete details";
unset($nme);
unset($cmnt);
}
}
?>
<link href="css/main.css" rel="stylesheet" type="text/css">
<link href="css/auth.css" rel="stylesheet" type="text/css">
<title>Doctors Forum</title>
</head>
<body>
<div id="container">
<div class="tab" align="Center">
Page Content Here
</div>
<div class="content">
<form method="post" name="form1" action="">
<input class="field" type="text" name="name" placeholder="Name" style="width:635px; height:40px;"/></br></br>
<textarea class="field" name="comments" placeholder="Leave Comments Here..." style="width:635px; height:100px;"></textarea></br></br>
<input class="btn" type="submit" value="Post" style="width:150px;" >
</form>
</div>
<div id="" class="tab" align="center">
<div>
</div>
</body>
</html>'
And here is the Function that is being called when I press the button and the problem is the same record is being inserted exactly twice every time i reload the page
` function create_commentsystem($name,$comments)
{
$name = $_POST['name'];
$comments = $_POST['comments'];
$conn = dbConnect();
mysqli_query($conn, "INSERT INTO comments(name, comments) VALUES('$name','$comments')");
$result = mysqli_query($conn, "SELECT * FROM comments ORDER BY id ASC");
while($row=mysqli_fetch_array($result))
{
echo "<div class='comments_content'>";
echo "<h4><a href='delete_commentsystem()?id=" . $row['id'] . "'> X</a> </h4>";
echo "<h1>" . $row['name'] . "</h1>";
echo "<h2>" . $row['comments'] . "</h2></br></br>";
echo "<h3>" . $row['date_publish'] . "</h3>";
echo "</div>";
}
$conn->close();
}`
When you refresh the web page the browser sends the request again. The easiest solution is after saving the comment to use header to redirect.
Example:
if (add_comment_success()){
header('Location: http://www.current.url.com/');
exit();
}
Two things can be done:
Re-direct as suggested by other answers
If re-direct is not an option, check in DB to see if same name and comment
exists and dont add it
There is no other way of preventing this.
You could try appending
'?submit=true'
to your action url. Use
$_GET['submit']
to access the value of 'submit'. Your code could look like this
if($_GET['submit'] == true):
#form processing code
$_GET['submit'] = false;
header('your original file');
endif;
Related
Here's the code from where I am sending id
In this code I am getting ID by using $_GET['id']. At start the $_GET['id'] fetches id and the first query of SQL works to fetch the data in input fields but soon as I press EDIT button to update the data than the data stays same in database. I used echo after isset($_POST['edit_user']) but there is nothing in $id.
<?php
session_start();
include("config.php");
//echo $id=$_SESSION['id'];
$id = isset($_GET['id']) ? $_GET['id'] : '';
$sql = "SELECT * FROM phone WHERE id='$id'";
$res = $conn->query($sql);
$row = $res->fetch_assoc();
echo $n = isset($row['name']) ? $row['name'] : '';
echo $phone = isset($row['contacts']) ? $row['contacts'] : '';
if (isset($_POST['edit_user'])) {
$name = $_POST['fname'];
$number = $_POST['num'];
//var_dump($name);
$sql = "UPDATE phone SET name='$name', contacts='$number' WHERE id='$id'";
//var_dump($sql);
//var_dump($res);
if ($conn->query($sql) == TRUE) {
echo "<script>alert('You have successfuly updated user') </script>";
header("location:index.php");
} else {
echo "<script>alert('Failed to edit user') </script>";
}
$conn->close();
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>EDIT USER</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="col-md-12">
<div class="row">
<div class="col-md-4"></div>
<div class="col-md-4" jumbotron my-5>
<h4 class="text-center my-2">Edit User</h4>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
<label>Name</label>
<input type="text" name="fname" class="form-control" autocomplete="off" required value="<?php echo $n ?>">
<label>Number</label>
<input type="text" name="num" class="form-control" autocomplete="off" required value="<?php echo $phone ?>">
<input type="submit" name="edit_user" value="Edit User" class="edituser">
</form>
</div>
</div>
</div>
</div>
</body>
</html>
Because when you submit its reloading page so you are missing id in the query string, You just need to pass query string to get data from an URL using $_GET.
on your given code you can do this by replacing the action link
$_SERVER["PHP_SELF"]
with
"http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
You can us both $_GET and $_POST at the same time but you have to define the
$_GET parameter in the URI like:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>?id=21">
or use
$_POST with an hidden input type like:
<input type="hidden" id="id" name="id" value="21">
and you got one more error in the code i ansered here
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP.
How to redirect to page with the location?
This will not work:
echo "<script>alert('You have successfuly updated user') </script>";
header("location:index.php");
If you want to alert a message you have to do the alert after location|load the next side something like:
<?php
if ($conn->query($sql) == TRUE) {
$ok = 1;
}
else{
$ok = 2;
}
header("location:index.php?ok=$ok");
?>
on the new side do:
<?php
$ok = ($_GET['ok'] ?? '');
if($ok === 1){
echo "<script>alert('You have successfuly updated user')";
}
elseif($ok === 2){
echo "<script>alert('Failed to edit user') </script>";
}
?>
Dont forget your code like this is open for injection malicious code
Fix this
since you want to update by using the $_GET['id'], you need to ensure ?id=69 (69 is a dummy id) is present your url when the code runs.
replace your opening form with this:
<form action="./update.php?id=<?=$id?>" method="post">
or:
<form action='<?php echo "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";?>' method='post'>
I have this program that is kinda like a chat app "for testing purposes"
It works correctly but when i send a message i have to reload to make it appear on my end. I tried to redefine the text in the database after i send the message but it didnt work. I dont want to add a refresh button (i will add just to make it easier to check for if someone wrote something) , but i want the message to appear after i write it. So thought to add a refresh header in php sadly it always said that the headers were modified somewhere before so i added it before that code with a 1 sec delay , it worked but it loops. Is there any place to add the refresh header or do you have a better solution?
<?php
ini_set('session.use_cookies', 0);
$file_pointer = "../../programs/chat-database/deb570314ba42230d7f5493b57b53970/driver.sys";
$dbc = file_get_contents($file_pointer);
?>
<form action="chat.php" method="post">
<title>Sm Chat</title>
<link rel="stylesheet" type="text/css" href="stylechat.css">
<head>
<div class="nazi">
<a style="text-decoration:none" href="index.html"> Home </a>
</div>
</head>
<body vlink='white' alink='white' link='white'>
<center>
<div class="cont">
<?php
echo "<br>" . $dbc
?>
</div>
</center>
<center>
<?php
ini_set('session.use_cookies', 0);
if(isset($_POST['btn']))
{
$msg = $_POST['msg'];
$usrfile = "usr.txt";
$usr = file_get_contents($usrfile);
$raw = "../../programs/chat-database/deb570314ba42230d7f5493b57b53970/driver.sys";
$fp = fopen( $raw, 'r+');
$messg = $dbc . $usr . " : " . $msg . "<br>";
fwrite($fp,$messg);
fclose ($fp);
$dbc = file_get_contents($raw);
$dbc = file_get_contents($raw);
$dbc = file_get_contents($raw);
}
?>
<div class="input-form">
<input type="text" value="" id="msg" name="msg" placeholder="Enter Your Message"/>
</div>
<input type="submit" value="Send" name="btn" class="btn"/>
</center>
Its best to place all PHP code on top of your page and your HTML under it.
Your HTML is not correct at all, always start with the <html> tag and add a <head> and a <body>.
I structurized your code.
You should add your refresh header as high as possible before any output is generated and also inside the $_POST statement to ensure no output is generated before it.
You should also remove all post values before refreshing to prevent the loop.
Take a look at this reference:
https://www.php.net/manual/en/function.header.php
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
This is how your code should look like:
<?php
ini_set('session.use_cookies', 0);
$file_pointer = "../../programs/chat-database/deb570314ba42230d7f5493b57b53970/driver.sys";
$dbc = file_get_contents($file_pointer);
if(isset($_POST['btn']))
{
$msg = $_POST['msg'];
$usrfile = "usr.txt";
$usr = file_get_contents($usrfile);
$raw = "../../programs/chat-database/deb570314ba42230d7f5493b57b53970/driver.sys";
$fp = fopen( $raw, 'r+');
$messg = $dbc . $usr . " : " . $msg . "<br>";
fwrite($fp,$messg);
fclose ($fp);
$dbc = file_get_contents($raw);
$dbc = file_get_contents($raw);
$dbc = file_get_contents($raw);
unset($_POST); // remove all post values
header("Location: yourpage.php"); // your refresh header
}
?>
<html>
<head>
<title>Sm Chat</title>
<link rel="stylesheet" type="text/css" href="stylechat.css">
</head>
<body vlink='white' alink='white' link='white'>
<div class="nazi">
<a style="text-decoration:none" href="index.html"> Home </a>
</div>
<center>
<div class="cont">
<?php
echo "<br>" . $dbc;
?>
</div>
</center>
<center>
<form action="chat.php" method="post">
<div class="input-form">
<input type="text" value="" id="msg" name="msg" placeholder="Enter Your Message"/>
</div>
<input type="submit" value="Send" name="btn" class="btn"/>
</form>
</center>
</body>
</html>
I am making a login page using html and php, i did a simple one which was working fine using these code :
HTML
Login Form
<link rel="stylesheet" href="css/style.css">
</head>
<body>
<div class="login">
<div class="login-triangle"></div>
<h2 class="login-header">Login</h2>
<form class="login-container" method="post" action="Login.php">
<p><input type="text" id="username" name="username" placeholder="Username"></p>
<p><input type="password" id="password" name="password" placeholder="Password"></p>
<p><input type="submit" value="Login"></p>
</form>
</div>
<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
</body>
</html>
PHP
<?php
include ("dbconfig.php");
session_start();
$name = mysqli_real_escape_string($dbconfig, $_POST['username']); //to clean up, to avoid sql injection
//$name = md5($name);
$pw = mysqli_real_escape_string($dbconfig, $_POST['password']);
// $pw = md5($pw);
$sql_query="SELECT userid FROM user WHERE username='$name' AND password='$pw'";
$result = mysqli_query($dbconfig, $sql_query);
$row = mysqli_Fetch_array ($result, MYSQLI_ASSOC);
$count = mysqli_num_rows ($result);
if ($count >0){
$_SESSION['Login'] = $name;
header ("location:Welcome.php");
}
if($count == 1)
{
echo "wrong login details";
}
?>
But when i try to do the login with a new html file using the same php file it wont work at all, it keep saying "wrong login details" even though i am putting the right login in.
Here is the new html, i am thinking maybe it has to do with the additional classes which was added.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Kate's World Sign In</title>
<!-- Google Fonts -->
<link href='https://fonts.googleapis.com/css? family=Roboto+Slab:400,100,300,700|Lato:400,100,300,700,900' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="css/animate.css">
<!-- Custom Stylesheet -->
<link rel="stylesheet" href="css/style.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"> </script>
</head>
<body>
<Form method="post" action="Login.php">
<div class="container">
<div class="top">
<h1 id="title" class="hidden"><span id="logo">Log <span>In</span></span></h1>
</div>
<div class="login-box animated fadeInUp">
<div class="box-header">
<h2>Log In</h2>
</div>
<label for="username">Username</label>
<br/>
<input type="text" id="username" name="username" >
<br/>
<label for="password">Password</label>
<br/>
<input type="password" id="password" name="password">
<br/>
<button type="submit">Sign In</button>
<br/>
</div>
</div>
</Form>
</body>
<script>
$(document).ready(function () {
$('#logo').addClass('animated fadeInDown');
$("input:text:visible:first").focus();
});
$('#username').focus(function() {
$('label[for="username"]').addClass('selected');
});
$('#username').blur(function() {
$('label[for="username"]').removeClass('selected');
});
$('#password').focus(function() {
$('label[for="password"]').addClass('selected');
});
$('#password').blur(function() {
$('label[for="password"]').removeClass('selected');
});
</script>
</html>
No, the additional classes should not effect your PHP code.
To solve the problem, you need to see what you are receiving on the PHP side. Stick in a few tests - echo out some data. First, at the very beginning. Then, when you know for sure what is comign through, move your tests down the file a bit. Work out all the bugs, then remove all the tests.
For example, start by modifying your PHP like this:
<?php
session_start();
include ("dbconfig.php");
$name = mysqli_real_escape_string($dbconfig, $_POST['username']); //to clean up, to avoid sql injection
echo 'Name: ' . $name. '<br>';
$pw = mysqli_real_escape_string($dbconfig, $_POST['password']);
echo 'Password: ' . $pw. '<br>';
die();
Then, move down the file a bit and do this:
$sql_query="SELECT userid FROM user WHERE username='$name' AND password='$pw'";
$result = mysqli_query($dbconfig, $sql_query);
$row = mysqli_Fetch_array ($result, MYSQLI_ASSOC);
$count = mysqli_num_rows ($result);
echo 'Rows found: ' .$count. '<br>';
if ($count >0){
echo 'Inside count > 0<br>';
$_SESSION['Login'] = $name;
header ("location:Welcome.php");
}else{
echo 'Inside count ELSE<br>';
echo "wrong login details";
}
Notes:
PHP header() method will not work if other header messages have been sent. Alternative: echo '<meta http-equiv="refresh" content="0; url=http://new.example.com/address" />';
Note McKenzma's observations about your if ($count >0){ code: both IF statements will be true if $count==1.
Note that session_start() should be the very first instruction in your PHP file. See my example code above
You should have used if and else, not if and if.
<?php
$count = mysqli_num_rows ($result);
if ($count >0){
$_SESSION['Login'] = $name;
header ("location:Welcome.php");
} else {
echo "wrong login details";
}
?>
Your 2nd conditional should be "$count != 1". You want to return exactly one row for a successful login.
I have created a form for a quiz, where you have to enter the answers and a PHP script will total them and send them to en E-Mail address and save them to a file. However, the user is only redirected on the 2nd attempt (submission) of the form. The results are totalled and sent on the first submission, but it does not redirect. On the 2nd submission, the results are not totalled, but an e-mail is sent and the user is redirected to the completion page.
Here is my code:-
<!DOCTYPE html>
<head>
<title>Quiz</title>
<link rel="stylesheet" type="text/css" href="../styles.css" />
<link rel="shortcut icon" href="../img/favicon.ico" type="image/x-icon" />
</head>
<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
if (isset($_SESSION['username'])) $username = $_SESSION['username'];
else header("Location: http://quiz.dibdibguy.com/client/index");
include_once($_SERVER['DOCUMENT_ROOT']."/scripts/sql.php");
$qid = $_SESSION['quiz'];
$con = connect();
$data = mysqli_query($con, "SELECT * FROM `qs` WHERE `id`='$qid' LIMIT 1");
$qinfo = mysqli_fetch_array($data, MYSQLI_ASSOC);
?>
<body><div id="white"> </div>
<div id="content" class="text">
<div class="header">Quizzes</div>
<div class="subheader">Quiz: <?php echo($qinfo['name']); ?></div>
<table width="85%" class="menu text" align="center">
<tr>
<td>
<div align="center"><?php if ($qinfo['desc'] == NULL) echo($qinfo['name'] . ", has no description available."); else echo($qinfo['desc']); ?></div>
</td>
</tr>
</table>
<br>
<?php
$table = $qinfo['table'];
$questionsTable = mysqli_query($con, "SELECT * FROM `$table`");
?>
<table width="85%" class="menu text" align="center">
<tr>
<td>
<div align="left"><b>Please Remember:</b> For questions that require you to type an answer, you must spell it correctly, as the system cannot detect spelling errors.<br>
<b>Playing as: <i><?php echo($_SESSION['username']); ?></i></b></div>
</td>
</tr>
</table>
<br>
<table width="85%" class="menu text" align="center">
<tr>
<td>
<form method="post" name="quiz" action="">
<?php
$amt = mysqli_num_rows($questionsTable);
$count = 1;
echo($questions['que']);
while($ques = mysqli_fetch_array($questionsTable)){
echo("Question: " . $ques['que'] . "<br>");
echo("Answer: <input type=\"text\" name=\"$count\"><br><br>");
$count = $count + 1;
}
?>
<input type="submit" name="submit" value="Submit Answers" id="btn">
</form>
</td>
</tr>
</table>
<?php
if (isset($_POST['submit'])){
$answers = mysqli_query($con, "SELECT `ans` FROM `$table`");
$u_answers = $_POST;
$correct = 0;
while($answer = mysqli_fetch_assoc($answers)){
echo("Hi");
foreach($u_answers as $u_ans){
if ($answer['ans'] == strtolower($u_ans)) $correct = $correct + 1;
$count = $count + 1;
}
}
header("Location: http://quiz.dibdibguy.com/client/index");
#WRITE DATA TO FILE
$file = fopen("../results/" . strtoupper($_SESSION['username']) . "_" . date("d-m-Y_h:i_sa") . "_" . strtoupper($_SESSION['quiz'] . ".txt"), 'w');
fwrite($file, ($correct) . "/" . ($amt));
fclose($file);
mail("aaron#dibdibguy.com", $_SESSION['username'] . "quiz results", $correct . "/" . $amt);
$_SESSION['quiz'] = $qinfo['name'];
}
close($con);
?>
<br>
<?php include "../footer.php"; ?>
<br>
<br>
</div>
</body>
</html>
On the 1st attempt, if I get 1 question correct, I receive an e-mail stating; '1/39', which is what should happen, but on the 2nd attempt, I get an e-mail stating '0/', even if I get some correct.
Thanks in advance for any assistance. If you need anything else, please, E-Mail me (aaron#dibdibguy.com), or comment on this question!
Web Host: unlimitedwebhosting
PHP Version: 5.5
I see two problems.
First - HTML headers have to be sent before any content is sent. If you look in your error logs there are likely warnings about this. You print quite a lot of html to the page before your location header is used for the redirect. Since it's too late for headers it's ignored (you don't get redirected). To fix this either move the redirect logic further up the page before any output (and plain HTML counts as output) or use output_buffering to keep the output from being sent to the browser until you've sent all your headers.
Second - The '0/' email seems to be an error in your logic. If you look at this block:
if (isset($_POST['submit'])){
... Other Stuff
mail("aaron#dibdibguy.com", $_SESSION['username'] . "quiz results", $correct . "/" . $amt);
... More Stuff
}
The logic you've written says that the email will be sent any time the submit button is pressed. You never did a 'sanity check' to see if you actually have any valid information in the form first.
I am trying to implement a page where a user enters a comment and it gets displayed right in the same page. The problem i am having is that every time you go to the page there are no comments in the page(there are actually comments).
This is my sceneario i am having:
I go to the page and there are no comments, i enter a comment 'hello' and it gets displayed right away.
I go to a different page and then i come back to the comments page and there are no comments.(the comment "hello" should be already displayed)
I enter a comment "hi" and both comments "hello" and "hi" get displayed
I cant resolve this issue..
This is my code, its pretty long
<?php
session_start(); //starts or continues the session
require_once('functions.php'); //needed for some function calls
error_reporting(E_ALL ^ E_NOTICE);
?>
<!DOCTYPE html>
<html lang = "en">
<head>
<script type = "text/javascript" src = "functions.js"></script>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
GetUserLayout($_SESSION['userId'], $_SESSION['superUser']);
?>
<div id = "shareyouridea_form" class = "post">
<h1> Share your post</h1>
<!-- used for the form -->
<form id = "idea_form" method = "post"
action = "<?php echo $PHP_SELF;?>"
onkeypress = "return DisableEnterKey(event);">
<table>
<caption>
<strong>
<br /> Share post form:
</strong>
</caption>
<tr class = "spacearound"> <!-- input for bright idea -->
<td> Post: </td>
<td>
<textarea form = "idea_form" name = "b_idea" rows = "12"
cols = "85" title = "Please describe your product idea"
id = "bright_idea" maxlength = "1000"
onkeypress =
"return InputLimiter(event, 'lettersSpacePunctuation');">
</textarea>
</td>
</tr>
</table>
<p>
<input type = "reset" value = "Reset" />
<input type = "submit" value = "Share Idea!"
title = "complete form first to submit"
id = "submit_button"
name = "add_comment"
onmousedown = "IsIdeaFormCompleted();" />
</p>
</form> <!-- end idea_form -->
</div>
</div> <!-- end of ShareYourIdea_middle -->
<script>
DisplayFooter();
</script>
<?php
if(isset($_POST['add_comment'])){ // if add comment was pressed
// get variables
$name = $_SESSION['firstName'];
$empId = $_SESSION['userId'];
$idea = $_POST['b_idea'];
// CONNECTING TO OUR DATABASE
$db = mysqli_connect(dbHost, dbUser, dbPassword, dbName);
if (mysqli_connect_errno()) { //if connection to the database failed
echo("<p id = 'greatideadescription'>
Connection to database failed: " .
mysqli_connect_error($db) . "</p>");
exit("goodbye");
} //by now we have connection to the database
// WE WRITE OUR QUERY TO INSERT POST INFO TO DATABASE
$query = "INSERT INTO posts(postId,empl_Id,post,postDate)
VALUES('','$empId','$idea',NOW())";
$result = mysqli_query($db, $query);
}
?>
<?php
// WE DO A QUERY TO SHOW ALL COMMENTS IN THE PAGE
$query = "SELECT firstName,lastName, post,
date_format((date_add(postDate,interval -7 hour)),'%a, %M, %d, %Y at %I:%i%p' ) as mydatefield
FROM users INNER JOIN posts ON userId = empl_Id
ORDER BY postDate DESC";
$result = mysqli_query($db,$query);
if (!$result) { //if the query failed
echo("<p id = 'greatideadescription'>
Error, the query could not be executed: " .
mysqli_error($db) . "</p>");
mysqli_close($db);}
if (mysqli_num_rows($result) == 0) { //if no rows returned
echo("<div id = 'blogs'>
<div id ='name'>
No posts detected
</div>
</div>
<div class='fb-like' data-href='http://jacobspayroll.zxq.net/index/blog.php' data-send='true' data-width='450' data-show-faces='true'></div>
");
mysqli_close($db); //close the database
exit("</table></div></form></div></div>
<script>DisplayFooter();</script></body></html>");
} //by now we know that we have some products purchases returned
$numRows = mysqli_num_rows($result); //gets number of rows
$numFields = mysqli_num_fields($result); //gets number of fields
//prints the data in the table
while($row = mysqli_fetch_assoc($result)){
$posted = $row['post'];
$message = wordwrap($posted,5);
echo
'<div id ="blogs">
<table id = "blog_id">
</br>
<div id = "name">
<strong>'.$row['firstName'] . ' ' .$row['lastName'].
'</strong>
: ' .$message .
'<br/>
</div>
<div id ="date">'.
$row['mydatefield'] . '
</div>
<div id ="delete_comment">
Delete this comment
</div>
<p>
</table>
</div>';
}
mysqli_close($db);
?>
</body>
</html>
You have the wrong Usage of PHP_SELF
//You must use Server and execution environment information `$_SERVER[]`
$_SERVER['PHP_SELF'];
// For your form action like this
action = "<?php echo $_SERVER['PHP_SELF'];?>"
as Kail mentioned you got it wrong but you might want to use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF'] then you might want to add some script to get GET parameters if you use them for your script(s). If you use PHP_SELF you might have a user link to script.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo might look like action="script.php/"><script>alert('xss')</script> or could be a redirect to collect cookies and the alike in other words XSS attack.
$_SERVER['PHP_SELF'] vs $_SERVER['SCRIPT_NAME'] vs $_SERVER['REQUEST_URI']
XSS Woes
What's the difference between $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME']?