How do I stop the form from submitting on page load or refresh? I'm not worried about parameterizing right now. Thanks in advance!
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$sql = ("INSERT INTO table (firstname, lastname) VALUES ('$_POST[firstname]' , '$_POST[lastname]')");
mysql_query($sql) or die ("Error is: ".mysql_error());
<form name="add-name" id="add-name" method="post" action="/add-name.php">
<button type="submit">Save</button>
<fieldset>
<label>First Name *</label>
<input name="firstname" type="text" id="firstname" />
</fieldset>
<fieldset>
<label>Last Name *</label>
<input name="lastname" type="text" id="lastname" />
</fieldset>
</form>
if (isset($_POST['firstname'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$sql = ("INSERT INTO table (firstname, lastname) VALUES ('$_POST[firstname]' , '$_POST[lastname]')");
mysql_query($sql) or die ("Error is: ".mysql_error());
}
If you're only trying to stop the query from being executed, then bob's code will work.
If you're also trying to stop the "Would you like to re-submit the form" dialog box, then you'll also want to use headers to redirect back to the page after executing the query.
header("Location: /add-name.php"); // assuming add-name.php is the name of your file
I'm trying to add received form input into the database.
<form action="index.php" method="post">
<input type="text" name="firstname" id="firstname">
<br>
<input type="text" name="lastname" id="lastname">
<br>
<input type="submit" name="submit" value="Submit">
if(isset($_POST['submit'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$query = "INSERT INTO users (firstname, lastname) VALUES ($firstname, $lastname)";
if($conn->query($query) === true) {
echo "added";
}else {
echo $conn->error;
}
}
Example : Firstname = Jason / Lastname = Haw
After clicking on the submit button, I see the error message: Unknown column 'Jason' in 'field list'
Where is the wrong thing to do?
$query = "INSERT INTO users (firstname, lastname) VALUES ('$firstname', '$lastname')";
Put single quotes around $firstname.
But this is not a proper approach; you should use a prepared statement.
Your query is at risk of SQL injection because the input is not escaped.
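The prepared-statement approach this answer recommends, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database so it runs without a server (an assumption; the thread uses mysqli), and `add_user` and the sample submissions are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo: in-memory SQLite stands in for the MySQL `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)');

/**
 * Insert one row from form input and return the new row id (hypothetical helper).
 * The SQL text is fixed and the values are bound separately, so a quote in
 * the input cannot change the statement. With mysqli the same idea is
 * $conn->prepare('... VALUES (?, ?)') followed by bind_param('ss', ...).
 */
function add_user(PDO $pdo, array $form): int
{
    foreach (['firstname', 'lastname'] as $field) {
        // An <input> without a name attribute never reaches $_POST.
        if (!isset($form[$field]) || !is_string($form[$field]) || trim($form[$field]) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    $stmt = $pdo->prepare('INSERT INTO users (firstname, lastname) VALUES (:first, :last)');
    $stmt->execute([':first' => trim($form['firstname']), ':last' => trim($form['lastname'])]);
    return (int) $pdo->lastInsertId();
}

// Constructed submissions standing in for $_POST.
$samples = [
    ['firstname' => 'Jason', 'lastname' => 'Haw'],
    ['firstname' => 'Conan', 'lastname' => "O'Brien"],   // quote breaks concatenated SQL
    ['firstname' => "a', 'b", 'lastname' => 'Literal'],  // SQL syntax stored as plain text
    ['firstname' => 'NoLastName'],                       // missing field is rejected
];
foreach ($samples as $form) {
    try {
        echo 'inserted id ', add_user($pdo, $form), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Accepted values come back exactly as submitted (after trimming).
foreach ($pdo->query('SELECT id, firstname, lastname FROM users') as $row) {
    printf("%d | %s | %s\n", $row['id'], $row['firstname'], $row['lastname']);
}
```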
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
I have an issue with inserting the data that I gather from one of my forms into my database.
Each form adds data to a different table in the database (one into users and one into tasks).
I use one form for registration and I'll paste the important parts of the code below (this one is working).
This is the form part of the Register.php file
<form method="post" action="register_code.php">
<div class="FormElement">
<input name="user_name" type="text" class="Tfield" id="user_name" required placeholder="User Name">
</div>
<div class="FormElement">
<input name="password" type="password" class="Tfield" id="password" required placeholder="Password">
</div>
<div class="FormElement">
<input name="email" type="email" class="Tfield" id="email" required placeholder="E-mail">
</div>
<div class="FormElement">
<input name="first_name" type="text" class="Tfield" id="first_name" required placeholder="First Name">
</div>
<div class="FormElement">
<input name="last_name" type="text" class="Tfield" id="last_name" required placeholder="Last Name">
</div>
<div class="FormElement">
<input type="submit" id="Register" name="Register" value="Register" class="button">
</div>
This is the register_code.php file
<?php
require "DBconnect.php";
$post = $_POST;
if(isset($post)) {
session_start();
$UName = $post['user_name'];
$PW = md5($post['password']);
$FName = $post['first_name'];
$LName = $post['last_name'];
$Email = $post['email'];
$sql = $con->query("INSERT INTO users (user_name, password, email, first_name, last_name) VALUES ('$UName','$PW','$Email', '$FName', '$LName')");
if($sql)
header("Location: Registration_successful.php");
else
echo "Please try again to register";
}
include 'Register.php';
And another form I use to add data into another table (named tasks). The data I gather from this file will not insert into my database for some reason.
This is the form part of the Add_Task.php file:
<form method="post" action="Add_Task_code.php">
<div class="FormElement">
<input name="TName" type="text" class="Tfield" id="TName" required placeholder="Task name">
</div>
<div class="FormElement">
<input name="TDesc" type="text" class="TextField" id="TDesc" required placeholder="Task summary">
</div>
<div class="FormElement">
<input type="submit" id="Submit" name="Submit" value="Submit" class="button">
</div>
</form>
And this is the code from the Add_Task_code.php file
<?php
require 'DBconnect.php';
$post=$_POST;
if(isset($post))
{
$TaskName = $post['TName'];
$TaskDesc = $post['TDesc'];
$sqltask="INSERT INTO tasks ('TName','TDesc') VALUES ('$TaskName','$TaskDesc')";
if ($con->query($sqltask))
header("Location: Tasks.php");
else
header("Location: Add_Task.php");
}
?>
The file DBconnect.php only contains this:
<?php
$con= mysqli_connect("localhost", "root","","first_app")
?>
The problem is that even though the code is similar in both forms only one of them is working. Every time I run the Add_Task.php file it redirects me to the same page (as I instructed it) since it does not add anything to the database.
I also checked the tables just in case it adds something but it does not.
Please set your primary_key (id) as auto increment in table tasks. If you have not set it, it might be possible.
And change this line
$sqltask="INSERT INTO tasks ('TName','TDesc') VALUES ('$TaskName','$TaskDesc')";
like this :
$sqltask="INSERT INTO tasks (TName,TDesc) VALUES ('$TaskName','$TaskDesc')";
You are mixing OOP style and procedural style in your code.
You used procedural style in your DBconnect.php file, and you are missing a ; in your connection file.
DBconnect.php file should be:
<?php
$con= mysqli_connect("localhost", "root","","first_app");
?>
register_code.php code should be:
<?php
require "DBconnect.php";
$post = $_POST;
if(isset($post)) {
session_start();
$UName = $post['user_name'];
$PW = md5($post['password']);
$FName = $post['first_name'];
$LName = $post['last_name'];
$Email = $post['email'];
$sql = mysqli_query($con,"INSERT INTO users (user_name, password, email, first_name, last_name) VALUES ('$UName','$PW','$Email', '$FName', '$LName')");
if($sql)
header("Location: Registration_successful.php");
else
echo "Please try again to register";
}
include 'Register.php';
Add_Task_code.php file code should be:
<?php
require 'DBconnect.php';
$post=$_POST;
if(isset($post))
{
$TaskName = $post['TName'];
$TaskDesc = $post['TDesc'];
$sqltask="INSERT INTO tasks (TName,TDesc) VALUES ('$TaskName','$TaskDesc')";
if (mysqli_query($con,$sqltask))
header("Location: Tasks.php");
else
header("Location: Add_Task.php");
}
?>
Try to make the changes below and see what the actual error is. Then debug your code.
if($_SERVER['REQUEST_METHOD']=='POST')
{
$TaskName = $post['TName'];
$TaskDesc = $post['TDesc'];
$sqltask="INSERT INTO tasks ('TName','TDesc') VALUES ('$TaskName','$TaskDesc')";
if ($con->query($sqltask))
echo "Successfully Inserted";
else
echo "Error: " . $sqltask. "<br>" . mysqli_error($con);
}
?>
I'm trying to do a simple HTML form that sends data to DB:
Form:
<form action="processor.php" method="post">
<div class="field-box">
<label>Name:</label>
<input type="text" name="name" />
</div>
<div class="field-box">
<label>Age:</label>
<input type="text" />
</div>
<div class="field-box">
<label>Phone Number:</label>
<input type="text" name="email" />
</div>
<div class="field-box">
<label>Email:</label>
<input type="text" name="username"/>
<input type="submit">
</form>
And the SQL to send the data on processor.php:
//Connecting to sql db.
$connect = mysqli_connect("XXXXXXX","XXXXXXX","XXXXXXX","XXXXXX");
//Sending form data to sql db.
mysqli_query($connect,"INSERT INTO users (name, age, phone, email) VALUES ('$_POST['name']','$_POST['age']', '$_POST['phone']', '$_POST['email']')";
mysqli_close($connect);
I don't get error messages; it just takes me to a blank page and no records are inserted into the database.
The input for age lacks a name.
<div class="field-box">
<label>Age:</label>
<input type="text" name="age" />
</div>
Also, do not insert $_POST data directly. It would be best if you use mysqli_real_escape_string for added security. Your insert query also lacks a closing parenthesis.
//Connecting to sql db.
$connect = mysqli_connect("XXXXXXX","XXXXXXX","XXXXXXX","XXXXXX");
//Sending form data to sql db.
$name = mysqli_real_escape_string($connect, $_POST['name']);
$age = mysqli_real_escape_string($connect, $_POST['age']);
$phone = mysqli_real_escape_string($connect, $_POST['phone']);
$email = mysqli_real_escape_string($connect, $_POST['email']);
mysqli_query($connect,"INSERT INTO users (name, age, phone, email) VALUES ('$name', '$age', '$phone', '$email')");
There seems to be a problem with your query. A modified one looks like:
mysqli_query($connect,"INSERT INTO users (name, age, phone, email)
VALUES ('".$_POST['name']."','".$_POST['age']."', '".$_POST['phone']."', '".$_POST['email']."')");
Directly inserting values without validation is not a good practice.
Use mysqli_real_escape_string on your entries before they go to the database.
I am very new to PHP & MySQL. Just designing websites for friends as a hobby, so any help is greatly appreciated. When I have a simple contact form on my page I keep getting error messages when submitting the information. Here is the PHP:
<?php
$con = mysql_connect("localhost","user","password");
if (!$con)) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con);
$sql="INSERT INTO contact (first_name, last_name, email, phone, message)
VALUES
('$_POST[first_name]','$_POST[last_name]','$_POST[email]','$_POST[phone]','$_POST[message])";
if (!mysql_query($sql,$con)) {
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
I put in my username & password where necessary, but I keep "localhost" there. Is this correct? I have hosting through webhostingpad. I also insert my database name above. Here is my HTML:
<!--Start of order form-->
<form id="contactform" method="POST" action="http://www.talephotography.com/insert.php">
<p><label>First Name:<br />
<input type="text" name="first_name" class="textfield" value="" />
</label></p>
<p><label>Last Name:<br />
<input type="text" name="last_name" class="textfield" value="" />
</label></p>
<p><label>Email: <br />
<input type="text" name="email" class="textfield" value="" />
</label></p>
<p><label>Phone: <br />
<input type="text" name="phone" class="textfield" value="" />
</label></p>
<p><label>Message: <br />
<textarea name="message" class="textarea" cols="45" rows="5"></textarea>
</label></p>
<p><input type="submit" name="submit" class="button" value="Submit" /></p>
</form>
<!--End of order form-->
I can elaborate anywhere necessary.
Changed some of the code, it's only posting the email address to the database however.
mysql_select_db("databasename", $con);
$first = mysql_real_escape_string($_POST['first']);
$last = mysql_real_escape_string($_POST['last']);
$email = strip_tags(mysql_real_escape_string($_POST['email']));
$number = preg_replace('/[^0-9]/', '', $_POST['number']);
$number = (int) $number;
$sql="INSERT INTO contact (first, last, email, phone);
VALUES
('$first','$last','$email','$number')";
There's my code, however when I check my database the only info listed is the email address.
localhost is correct if the database server is on the same machine as the web server. When you set up the database it should have told you somewhere what you need to connect to.
That aside, escape your -----------ing inputs!!!!
Seriously, take those variables and wash them thoroughly with mysql_real_escape_string and then concatenate them into the query. You'll thank me later.
You have an extra ) in your if statement:
if (!$con)) {
should be
if (!$con) {
if (!$con)) is wrong: one extra ')' is present here. Remove the ')' and then execute,
for example
if (!$con){
//do something
}
It's the query that is wrong: you have a ; in the middle of your query.
$sql="INSERT INTO contact (first, last, email, phone);
VALUES
('$first','$last','$email','$number')";
Notice it on the end of first line. Change this to:
$sql="INSERT INTO contact VALUES
('$first','$last','$email','$number')";
The problem is with your third line
$con = mysql_connect("localhost","user","password");
if (!$con)) {
die('Could not connect: ' . mysql_error());
}
There is an extra closing bracket ) in your third line. Remove it and then voilà!
Hope this helps.
I'm trying to do a simple write to database with an HTML form, using PHP.
I've run the SQL query in the database and it works perfectly. However, using the form doesn't work. I'm not sure why. Any help? The user/pass/db name are all correct.
<?php
if(isset($_POST['submit']))
{
$con = mysql_connect("localhost","delives0_ideas","ideas");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("delives0_ideas", $con);
mysql_query("INSERT INTO data (firstName, lastName, email, idea) VALUES ('$_POST['firstName']','$_POST['lastName']', '$_POST['email']', '$_POST['idea']')");
//also email it to us besides writing it into the database
mysql_close($con);
?>
<form method="post">
<strong>First name:</strong> <input type="text" name="firstName"/>
<br/>
<strong>Last name:</strong> <input type="text" name="lastName"/>
<br/>
<strong>Email:</strong> <input type="text" name="email"/> #####Put a javascript checker for valid emails, like name#site.com format
<br/>
<br/>
<strong>Idea:</strong>
<br/>
<textarea rows="10" cols="30" name="idea">
Hit us with your best shot.
</textarea>
<br/>
<input name="submit" type="submit" value="Submit"/>
</form>
You forgot the "action = nameofyourpage.php" inside the form markup. And I would add a "or die (mysql_error())" at the end of your query to check the syntax of the request.
you've got a few errors in your script - please check the following
http://pastie.org/1056569
<?php
if(isset($_POST['submit']))
{
$con = mysql_connect("localhost","delives0_ideas","ideas");
if (!$con){
die('Could not connect: ' . mysql_error());
}
mysql_select_db("delives0_ideas", $con);
$sqlCmd = sprintf("INSERT INTO data (firstName, lastName, email, idea)
VALUES ('%s','%s','%s','%s')",
mysql_real_escape_string($_POST["firstName"]),
mysql_real_escape_string($_POST["lastName"]),
mysql_real_escape_string($_POST["email"]),
mysql_real_escape_string($_POST["idea"]));
mysql_query($sqlCmd);
mysql_close($con);
}
?>
<form method="post">
<strong>First name:</strong> <input type="text" name="firstName"/><br/>
<strong>Last name:</strong> <input type="text" name="lastName"/><br/>
<strong>Email:</strong> <input type="text" name="email"/>
<strong>Idea:</strong><br/>
<textarea rows="10" cols="30" name="idea">Hit us with your best shot.</textarea><br/>
<input name="submit" type="submit" value="Submit"/>
</form>
You already have the answer to your question as to why it was not working, but please check this article about SQL injection attacks before putting this code into production.
You have an error:
mysql_query("INSERT INTO data (firstName, lastName, email, idea) VALUES
('$_POST['firstName']','$_POST['lastName']', '$_POST['email']', '$_POST['idea']')");
Error = '$_POST['firstName']': you have the character ' in the post field,
and you can change it to
$firstname = $_POST['firstName'];
$lastname = $_POST['lastName'];
$email = $_POST['email'];
$idea = $_POST['idea'];
mysql_query("INSERT INTO data (firstName, lastName, email, idea) VALUES ('{$firstname}','{$lastname}', '{$email}', '{$idea}')");
or with mysql query
mysql_query("INSERT INTO data SET firstName='{$firstname}', lastName='{$lastname}',
email='{$email}', idea='{$idea}'");