How can I insert HTML label in database using PHP - php

I'm facing a problem inserting an HTML label into a database and have found no way to do so. My code is as follows:
<html>
<body>
<form name = "myForm" >
<label name = 'q1'>Question 01: what Jorge do according to the story</label>
</form>
<?php
require "connection.php";
$qst = $_POST['q1'];
mysql_query("insert into xxx values('$qst')") or die(mysql_error);
?>
any help will be appreciated please.

You have a slew of problems here. First let's talk about the things that are actually preventing this from working.
First, you need to set the method property of the <form> element to POST to have the form perform a POST action upon submittal instead of the default GET action.
<form name="myForm" method="post">
Note that it is usually considered good form to also specify the action property of the form, though in this case the default behavior of posting to the current URI just happens to work for you.
Second, you need to actually create an input field in the form. This is where the data that is posted is input:
<label for="q1">Question 01: what Jorge do according to the story?</label>
<input type="text" name="q1" />
Third, you need a submit button to actually make the form POST:
<input name="submit" type="submit" value="submit" />
Now, let's talk about the stuff that should be fixed that doesn't actually prevent this from working, but just represents good programming practice.
First, you should not be using mysql_* functions. They are deprecated. I would suggest mysqli or PDO as widely used alternatives.
Second, you have a significant vulnerability to SQL injection. You should NEVER use user input data without validating and sanitizing it. This means you should probably check to see if a value was even POSTed (not an empty string) before trying to do the insert and then you need to escape the value before using it in SQL, or better yet, learn how to use parametrized prepared statements which prevents the need for input escaping.
Third, I would recommend getting in the habit of putting your code logic at the beginning of your script (before HTML output). In your case this means moving the logic where you read in the POST content and perform the database insert before the HTML. Why? Because this allows you to do things like conditionally print out error messages if the user did not provide input or to otherwise change the page in response to the POST. This also helps build a good habit in that, when you start doing more complex things in PHP, you might need to do things like redirect users from one page to another, or totally separate out the logic from the display into separate files. This is not possible with code stuck at the end of the HTML output.

$_POST variables do not correspond to label elements, they correspond to input elements. The key to your post array is the name of your input element.
<input type="text" name="mytext" />
After post will be $_POST['mytext']
However, you're vulnerable to SQL Injection. You should not be using mysql_query() but rather PDO or Mysqli with prepared statements, but if you insist on using it, escape it first with mysql_real_escape_string()
$qst = mysql_real_escape_string($_POST['q1']);
mysql_query("insert into xxx values('$qst')") or die(mysql_error());
Fred made a good point in the comments though. This bit of code is going to execute the first time you load the page before the form is submitted and throw an error (or warning) because $_POST['q1'] doesn't exist yet. You'll want to make sure it does exist before doing things with it.
if (!empty($_POST['q1'])) {
    // Escape the value before it is placed inside the quoted SQL string.
    $qst = mysql_real_escape_string($_POST['q1']);
    mysql_query("insert into xxx values('$qst')") or die(mysql_error());
}
Further, you need to tell the form where to submit to and what method to use:
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
<label for = 'q1'>Question 01: what Jorge do according to the story</label>
<input type='text' name='q1' value='' />
</form>
BTW, label does not have a name attribute, it has a "for" attribute.
Also, <form> elements use "GET" by default and submit to the current page if an action is not set, so it's technically not necessary to even have the action set in this case, but it's good practice.
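The prepared-statement route that both answers above recommend, as an added example that is not part of either answer. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL handle from connection.php so the script runs offline, the column name `question` is hypothetical (the page never names it), and the CLI inputs are constructed.

```php
<?php
// Added example, not the poster's code. Assumptions: in-memory SQLite stands
// in for the MySQL handle from connection.php, and table xxx has one text
// column called question (the page never names the column).
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE xxx (question TEXT NOT NULL)');
    return $pdo;
}

// Validate, then insert through a bound parameter. Returns an error
// message for the page, or null when the row was stored.
function save_answer(PDO $pdo, array $post): ?string
{
    $qst = $post['q1'] ?? '';
    if (!is_string($qst) || trim($qst) === '') {
        return 'Please answer the question.';
    }
    $stmt = $pdo->prepare('INSERT INTO xxx (question) VALUES (:qst)');
    $stmt->execute([':qst' => $qst]);   // the value travels as data, never as SQL text
    return null;
}

// Logic first, HTML afterwards.
$pdo    = open_demo_db();
$isPost = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';
$error  = $isPost ? save_answer($pdo, $_POST) : null;

if (PHP_SAPI === 'cli') {
    // Constructed inputs for an offline run: php example.php
    save_answer($pdo, ['q1' => "Jorge's answer'); --"]);  // quotes and SQL syntax
    save_answer($pdo, ['q1' => '   ']);                    // blank input
    save_answer($pdo, ['q1' => ['nested']]);               // q1[]=... arrives as an array
    foreach ($pdo->query('SELECT question FROM xxx') as $row) {
        echo $row['question'], PHP_EOL;                    // print what was stored
    }
    exit;
}
?>
<form method="post">
  <label for="q1">Question 01: what Jorge do according to the story?</label>
  <input type="text" name="q1" id="q1">
  <input type="submit" value="submit">
</form>
<?php if ($error !== null): ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php elseif ($isPost): ?>
  <p>Saved.</p>
<?php endif; ?>
```

For MySQL only the DSN and credentials passed to `new PDO(...)` change; `save_answer()` stays the same.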

You need to add an input field to your form and change the form submit method. By default it's "GET", so you can't have the input value in $_POST.
Or you can get input value from $_GET.
<html>
<body>
<form name = "myForm" method="post">
<label for = 'inp'>Question 01: what Jorge do according to the story</label>
<input type="text" name="q1" id="inp" />
<input type="submit" value="Submit">
</form>
<?php
require "connection.php";
$qst = $_POST['q1'];
mysql_query("insert into xxx values('$qst')") or die(mysql_error());
?>
You also need a submit input field to submit the form, or you can submit it with JS or on an Enter keyup.
<input type="submit" value="Submit">

Related

How to use input submit value and GET (link the submit value to another page) in a single click?

I am trying to input submit value and want to pass the value to another page through GET but for that I have to use two Clicks button.
I want the same in a single click. Help required.
Code:-
<form method="post">
<input name="inwardid" type="text" id="inwardid" />
<?php $inwardid = $_POST['inwardid']; ?>
<input type="submit" value="Next" />
</form>
<a href="addbook.php?up=<?php echo $inwardid; ?>"><button>Proceed</button>
You want to send the value the user typed in to the other page. So use this for your <form>:
<form method="POST" action="addbook.php">
<input name="up" type="text" id="up">
<input type="submit" value="Proceed">
</form>
To access the value in addbook.php, use $_POST['up'].
This will send the value the user typed in the input label (type="text") to the addbook.php page, using a $_POST. No need for a $_GET, $_POST will do just fine.
As you deliberately asked for method GET, my solution shows you GET!
You must know there is no security issue when using GET. It depends what you want to do. GET is useful if you want to use a dynamic code in multiple ways depending on some variables that you do not want to hard-code in your script, or simply do not want to send files or other huge data.
Let's say a newspaper has a site called breaking_news.php and you want to access the breaking news of November 8, 2016; you could use this as:
breaking_news.php?y=2018&m=11&d=08
The fact that one can see your GET vars means nothing. Even by using POST one can see your variables by looking at your code. And one way or the other you must protect against code injection and brute force.
But if you're not in the mood to show these vars to your visitor you can use URL rewriting to rewrite the URL above in the browser as
RewriteRule ^breaking/(.*)/(.*)/(.*)/news\.html$ breaking_news.php?y=$1&m=$2&d=$3 [NC,L]
so you send your visitor to see the (rewritten)URL
breaking/2018/11/08/news.html
but what the web-server is showing him is:
breaking_news.php?y=2018&m=11&d=08
A reason to use this is, for example, when you want your dynamic site to be taken into consideration by some search engine as a static site, and get indexed. But this is again another battlefield.
Second, you want to send the variable to "addbook.php", and not to itself.
Your question sounded like you want to send to "another page" not to the same page.
Third, I can see in your code snippet you want to submit the variable "up" and not "inwardid", as you did in your code.
And also I can see you want the "submit" button to be called "Proceed".
Your code would look like this:
<form method="GET" enctype="application/x-www-form-urlencoded" action="addbook.php" target="_blank">
<input name="up" type="text" id="inwardid" />
<input type="submit" value="Proceed" />
</form>
As I said, you must protect against injection, and this means, for example, that in "addbook.php", to which you are sending the variables, you must write some code that protects you against these issues. As your question is not in this direction I will not enter this subject.
To avoid problems with special chars you must "url-encode" your variables, especially when sending them per POST method. In this case you must use this enctype if you're handling text, because this enctype transforms special chars into the corresponding ASCII hex values.
Using GET you're safe, because GET can't send in another enctype. So your variable will automatically be url-encoded and you receive a string that is compliant with RFC 3986, similar to using:
rawurlencode($str)
Let's say some smart guy fills in your input box with the following code, wanting to break your site. (This here is not exactly dangerous code, but it looks like the kind that is.)
<?php echo "\"?> sample code in c# and c++"; ?>
using enctype="application/x-www-form-urlencoded" this will become something like this:
%3C%3Fphp%20echo%20%22%5C%22%3F%3E%20sample%20code%20in%20c%23%20and%20c%2B%2B%22%3B%20%3F%3E
which makes it safe to be transported in a URL, and after receiving and cleaning it using
strip_tags(rawurldecode($_GET['str']))
it would output something like this, which is a harmless string.
sample code in c# and c++
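An added example (not from the answers above) that follows the `up` value from the question through both contexts it crosses: percent-encoding when the link to addbook.php is built, and HTML escaping when the received value is printed. PHP fills `$_GET` with already-decoded values, so the loop also checks what a second `rawurldecode()` does to each sample; `parse_str()` stands in for PHP's own query-string parsing, and the sample values are constructed.

```php
<?php
// Added example. addbook.php and the parameter name "up" come from the
// page; the sample values below are constructed.

// Build the link: percent-encode the value for the URL, then HTML-escape
// the whole URL because it is written into an href attribute.
function proceed_link(string $inwardId): string
{
    $url = 'addbook.php?' . http_build_query(['up' => $inwardId], '', '&', PHP_QUERY_RFC3986);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Proceed</a>';
}

// What addbook.php sees: PHP percent-decodes the query string before it
// fills $_GET. parse_str() mimics that step so the script runs offline.
function received_up(string $queryString): string
{
    parse_str($queryString, $get);
    $up = $get['up'] ?? '';
    return is_string($up) ? $up : '';
}

$samples = ['IN-0042', 'a&b=c', '100%25 "done"', '<i>x</i>'];
foreach ($samples as $typed) {
    $query = http_build_query(['up' => $typed], '', '&', PHP_QUERY_RFC3986);
    $got   = received_up($query);
    printf("typed:        %s\n", $typed);
    printf("link:         %s\n", proceed_link($typed));
    printf("round trip:   %s\n", $got === $typed ? 'exact' : 'changed');
    printf("decoded twice: %s\n", rawurldecode($got) === $typed ? 'exact' : 'changed');
    printf("for HTML:     %s\n\n", htmlspecialchars($got, ENT_QUOTES, 'UTF-8'));
}
```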

How to output an HTML page based on user input

I want to make an HTML (or php maybe?) page that constructs a new HTML page based on input parameters the user gives to a drop-down box. I just don't know how you handle the input.
Here's my HTML:
<html>
<body>
<input type="number" min="1">
</body>
</html>
Yes I know it's not the full HTML page, but I just want to focus on the <input> tag. I know you probably have to set it equal to a PHP variable maybe?
I want it to generate a different HTML page that looks like this:
<html>
<body>
<p>You have chosen: $input </p>
</body>
</html>
I might be asking this all wrong, but I hope it makes sense what I'm looking for. I need to know how to handle the user input. I couldn't find a thread that discusses this. Do I need to generate a new HTML file? Or just override the current one and maybe have a reset button? I'm so confused.
In the simple case, you'll have two pages: your form and your result page. You can send data from the form page to the results page with one of two methods: GET or POST.
GET means that the data you're sending gets put in the page URL. This is useful because then you can link to a specific version of the results page, but potentially dangerous because you don't want to put sensitive data in the URL bar.
POST means that the data is sent with the HTTP request in the background. This is preferable for something like a password.
The GET and POST data can be read by nearly any server-side language and used to generate HTML on-the-fly. The example below uses PHP.
The form page doesn't necessarily need any server-side code, just basic HTML. Here's a simple example:
<!DOCTYPE html>
<html>
<form method="GET" action="my_result.php">
<input type="text" name="my_value">
<input type="submit">
</form>
</html>
Your second page (the results page) should bear the name that you specified in the form's action attribute. This is the page which will need server-side code. So here is an example my_result.php:
<!DOCTYPE html>
<html>
<p><?php echo htmlspecialchars($_GET['my_value'] ?? '', ENT_QUOTES, 'UTF-8'); ?></p>
</html>
Obviously, my_value can and should be replaced by whatever you want to call your data, as long as the name attribute of the input element matches the key in the PHP.
This example uses the GET method. You can use POST by changing the method attribute of the form and using $_POST instead of $_GET (if you are using PHP).
If you use $_REQUEST rather than $_GET or $_POST, it finds a value that was passed via either GET or POST. This is usually less safe than explicitly stating how your value was passed.
Addendum: Some servers are configured to disallow you from directly using the values of php superglobals such as $_GET, $_POST, and $_REQUEST for security purposes. That is because you really should always sanitize user input before using it in an application. The type of sanitization required depends on the type of input and how it is being used, and is well outside of the scope of this question. For this purpose, php provides the filter_input function.
The sanitization filter is an optional parameter for the filter_input function, so if you really want to use the data unfiltered, you can simply omit it (but know that this is dangerous). In this case, you can replace all instances of $_GET['my_value'] in the above code with filter_input(INPUT_GET, 'my_value').
This is not a tutorial, but I'll guide you to some important points:
You can get user input in HTML by using the form element. Read more about forms and the form methods (GET and POST).
Then, how can you print user input once it is submitted by the user? PHP supports both (GET and POST) using $_GET and $_POST with the input name as the key.
Dealing with user input needs extra care because of security. A user might submit malicious content that later attacks you or another user.
Try like below
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<?php
if ($_POST) {
echo "<h3>You have selected ".htmlspecialchars($_POST['number'] ?? '', ENT_QUOTES, 'UTF-8')."</h3>";
} else {
echo '
<form method="post" action="">
<select name="number" id="number">
<option value="1" >1</option>
<option value="2" >2</option>
<option value="3" >3</option>
</select>
<input type="submit" value="submit">
</form>
';
}
?>
</body>
</html>
To handle a user input you have to use forms
<form action="action_page.php">
<input type="number" min="1" name="my-number">
<input type="submit" value="Submit">
</form>
After user set number and press submit button, you will get the value in action_page.php in $_REQUEST['my-number']

When submitting a web form, don't reset data fields

How can I submit a form to itself without clearing the data in the fields using HTML, javascript and PHP?
You could take different approaches (e.g. cookies, jquery, etc...), however HTML + a line in PHP are more than enough in this case. Try this example code:
<form name="test" method="post">
Your Name: <input type="text" name="YourName" <?php if (isset($_POST['YourName'])) echo 'value="'.htmlspecialchars($_POST['YourName'], ENT_QUOTES, 'UTF-8').'"';?> >
<input type="submit" value="Submit">
</form>
In the code above if something has been posted to the receiving page (that can be the same page, such as in your case), then the posted value is printed out in the corresponding field. You can use this approach for all the fields composing your form.
If you want, you can also use similarly the $_GET method in the form.
If you use the traditional form submit, you need to save the parameters and rewrite the form input elements when you write the form the next time. But a better way is to use AJAX -- then the field data is sent without a form submission, and the input elements retain their data. See this link: http://www.w3schools.com/ajax/default.asp
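An added example (not from the answers above) covering the two redisplay cases on this page: printing the chosen number on a results page and refilling a text field after a submit. The number is validated against the range the drop-down offers and the name is escaped for the attribute it lands in; the field names `number` and `YourName` come from the page, and the sample requests are constructed.

```php
<?php
// Added example. Field names number and YourName come from the page;
// the sample request arrays at the bottom are constructed.

function h(string $s): string
{
    // ENT_QUOTES encodes both quote characters, so a value cannot close
    // the attribute it is printed into.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The drop-down only offers 1..3, but a request can carry anything.
function chosen_number(array $request): ?int
{
    $n = filter_var($request['number'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 3]]);
    return $n === false ? null : $n;
}

function render(array $request): string
{
    $name = is_string($request['YourName'] ?? null) ? $request['YourName'] : '';
    $n    = chosen_number($request);
    $out  = $n === null
        ? "<p>Please pick a number from the list.</p>\n"
        : "<h3>You have selected $n</h3>\n";   // $n is an int here, nothing to escape
    $out .= '<form method="post">' . "\n"
          . '  Your Name: <input type="text" name="YourName" value="' . h($name) . '">' . "\n"
          . '  <input type="submit" value="Submit">' . "\n"
          . "</form>\n";
    return $out;
}

// On a real page this would be: echo render($_POST);
// Constructed requests: a normal one, then one with markup in both fields.
echo render(['number' => '2', 'YourName' => 'Ana']);
echo render(['number' => '2<b>', 'YourName' => '"><b>bold</b>']);
```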

Is it possible to send variables from HTML to another PHP file

I have a index.html where I would like to submit some coordinates that can be passed upon to separate PHP file; where it could perform a query. I am new to this.
HTML:
Xmax<input type="text" name="Xmax" size="15">
Ymax<input type="text" name="Ymax" size="15">
<input type=SUBMIT name="submit" VALUE="Submit">
PHP query:
// Cast to float so only numeric values reach the SQL text.
$query = "SELECT * FROM state WHERE LONG_HI<" . (float) $_POST["Ymax"] . " AND LAT_HI<" . (float) $_POST["Xmax"];
$result = mysql_query($query);
So is there a way to perform remote action from this HTML file to the specified PHP file?
Well, forms can do the job. Isn't it?
Yes
Either make an HTML form to accept the Xmax and Ymax parameters, and set the form action to the PHP file;
Or use AJAX to pass the data in the background and receive a response.
If both of these concepts are foreign to you, and you don't know JavaScript, get comfortable with the first option first.
Would you please describe in detail what you are about to do?
do you have a html form?
What kind of request do you do, clicking a link, sending the form?
The query does not contain any of the variables...
could you please post excerpts of the code? single lines are useless in most cases.
Regards,
Mario
use action attribute in FORM element to specify where the request will be sent to.
<form action="another.php" method="POST">
Xmax<input type="text" name="Xmax" size="15">
Ymax<input type="text" name="Ymax" size="15">
<input type=SUBMIT name="submit" VALUE="Submit">
</form>
You just need to add a few lines to your code, because to transfer any variable value from one form to another page we have to use the 'form' method. So, we have to add a form tag to your code. Transferring data from one page to another page (any type of page like php, jsp, aspx etc.) is done mainly by two methods: one of them is Post and the other is Get.
The difference between the two methods is quite simple. In the Post method, data travels from one page to another in hidden form, whereas Get is basically used to transfer a value by displaying it in the URL. Post method example: user-name and password. Get method example: any query fired at a search engine.
<form name="form" action="filename.php" method="POST" >
//Your Code
</form>

Post form while retaining get variables

This seems so simple but I can't remember how I've done it before.
Using PHP I'm posting a form from mysite.com/?x=y and want the resulting page to be mysite.com/?x=y&formx=formy...
Options I've tried don't quite give the desired result:
action - setting action="?x=y" clears the get variables if method="get" in place of those in the form. Prior knowledge of the get variables are also required.
method - although it seems logical to set method="get", this passes the form variables but clears any placed in action. Setting method="post" retains the current get variables but doesn't add the form variables/values.
Hidden field(s) - All get variables/values can be in hidden fields with method="get". This requires prior knowledge of the get variables and a lot of duplication if there are a lot of variables or forms. This so far is the closest solution.
Just set the form's "method" attribute to "get" instead of "post".
Example:
<form action="?x=y" method="get">
<input type="text" name="query" size="20">
<input type="submit" name="submit" value="Go">
</form>
I suppose you could :
either pass those variables as <input type="hidden" name="x" value="y" /> in your form.
or, maybe this might work : use "mysite.com/?x=y" as action for your form : with a bit of luck, those parameters will remain when the browser will post your form -- you should try, but it might work.
Of course, if you want those parameters to appear in the URL of the destination page, you'll have to use the GET method for your form.
