Why won't this Insert INTO Work ? Php - php

// This is the file that is giving the error, not the form below
<?php
// Insert Comments into Database that user provides
$comm = mysql_real_escape_string($_POST['addComment']);
// following line has changed:
$pID4 = filter_var( $_POST['pID'], FILTER_SANITIZE_STRING );
$cID = mysql_real_escape_string($_POST['courseInfoDD']);
$username = "###";
$password = "###";
$pdo4 = new PDO('mysql:host=localhost;dbname=###', $username, $password);
$pdo4->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$sth4 = $pdo4->prepare('INSERT INTO Comment (info, pID, cID) VALUES(?,?,?);');
$sth4->execute(array($comm, $pID4, $cID ));
?>
Form
<input type='text' id='addComment' name='addComment' tabindex='3' value='Enter comment' />
<input type='hidden' name='pID' value='<?php echo $pID ?>'>
</form>
ERROR Received:
*No error is received upon load, but once I type something in and press enter it gives me a blank page saying 'no pID specified' ?? Please help!*

To directly answer your question, you'll need to add the pID to the request data either via the form action, though this parameter will show in the $_GET array instead of $_POST
<form action="inc/q/prof.php?pID=<?php echo $pID ?>" method="post">
or via a form element (will be part of the $_POST array)
<input type="hidden" name="pID" value="<?php echo $pID ?>">
Now, a further consideration...
You don't need to apply db string escaping (mysql_real_escape_string()) when using PDO prepared statements with bound parameters. The act of binding a parameter or value takes care of that for you.
To clarify my comments below, you need something like this...
Given a URL like http://example.com/index.php?pID=842, your form on that page should have the following hidden element
<input type="hidden" name="pID" value="<?php echo (int) $_GET['pID'] ?>" />

Two words: GET FIREBUG. Before checking your PHP script, you should check your HTML form. It's possible you're not echoing the form correctly.
I don't think it's safer to go with POST submissions, but definitely it's cleaner.
After you checked your form it should look like this:
<form method="POST" action="form-process.php">
<input type='text' id='addComment' name='addComment' tabindex='3' value='Enter comment' />
<input type="hidden" name="courseInfoDD" value="XXX" id="courseInfoDD">
<input type="hidden" name="pID" value="XXX" id="pID">
</form>
On your submit script, you can access those parameters with $_POST. But remember, if you have an empty value on your HTML form, it would become an empty variable.
You can do a quick echo on $pID to see their content.
@Phil Brown is right about PDO. You don't have to escape variables before sending it to the handler.
Hope it helps!
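The point both answers make about PDO, as an added example that is not part of the original posts: bound parameters are stored as typed, so escaping them first only corrupts the data, and a missing pID is rejected before the query runs. In-memory SQLite stands in for the MySQL database, addslashes() stands in for the removed mysql_real_escape_string(), the IDs are assumed to be positive integers, and openDb(), requireId() and insertComment() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example. Assumptions: in-memory SQLite (pdo_sqlite) stands in for the
// page's MySQL database; addslashes() stands in for mysql_real_escape_string(),
// which no longer exists in PHP 7+; both IDs are taken to be positive integers.
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Comment (info TEXT, pID INTEGER, cID INTEGER)');
    return $pdo;
}

// Reject a missing or non-numeric ID up front instead of failing later.
function requireId(array $post, string $key): int
{
    $id = filter_var($post[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("no valid $key specified");
    }
    return $id;
}

// Bind the raw comment text; the driver keeps it separate from the SQL.
function insertComment(PDO $pdo, array $post, bool $preEscape = false): void
{
    $comment = (string) ($post['addComment'] ?? '');
    if ($preEscape) {
        $comment = addslashes($comment); // the question's escape-then-bind habit
    }
    $sth = $pdo->prepare('INSERT INTO Comment (info, pID, cID) VALUES (?, ?, ?)');
    $sth->execute([$comment, requireId($post, 'pID'), requireId($post, 'courseInfoDD')]);
}

$pdo = openDb();
// Constructed request data, shaped like the form on this page.
$post = ['addComment' => "O'Brien's \"intro\" course'); --", 'pID' => '842', 'courseInfoDD' => '7'];
insertComment($pdo, $post);        // bound only: stored exactly as typed
insertComment($pdo, $post, true);  // escaped then bound: backslashes end up in the data

foreach ($pdo->query('SELECT info FROM Comment') as $row) {
    echo $row['info'], PHP_EOL;
}
try {
    insertComment($pdo, ['addComment' => 'hi', 'courseInfoDD' => '7']); // pID missing
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```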

Related

PHP Undefined Variable, but it's defined and has a value

I am working on a PHP project - I had one form post a date to another form
I made some changes (although none to the input in question)
Now all other inputs are updated with their Posted values, except the date
If I manually set the date in HTML it works:
<div><input type="date" class="form-control" id="DateCourse" name="DateCourse" value="2009-01-01"></div>
If I set it to the following, it doesn't:
<div><input type="date" class="form-control" id="DateCourse" name="DateCourse" value="<?php echo (isset($DateCourse))?$DateCourse:'';?>"></div>
The below:
$DateCourse = ($_POST["DateCourse"]);
var_dump($_POST["DateCourse"]);
var_dump($DateCourse);
Returns:
string(10) "2019-01-05" - means the post value is set
Notice: Undefined variable: DateCourse in /home/bitecons/bts.biteconsulting.co.za/v2/editccr.php on line 119 - how can it be undefined, I just defined it
NULL
What on earth am I doing wrong? Apart from using PHP :P
Flow as requested:
Records.php:
This is the function to prepopulate my posted fields:
function Prefill(x) {
TabletoEdit = x.closest('table').id;
SelectedRow = x.rowIndex;
document.getElementById("EntryEditing").value = x.cells[19].innerHTML;
document.getElementById("DateCourse").value = x.cells[0].innerHTML;
document.forms["records"].submit();
}
Then I also have:
<form action="editrec" method="post" id="records">
<input type='hidden' name='Period' id='Period' />
<input type='hidden' name='Month' id='Month' />
<input type='hidden' name='res' id='res' />
<input type='hidden' name='CustName' id='CustName' />
<input type='hidden' name='DateCourse' id='DateCourse' />
</form>
The Prefill gets called, then submits the form
I have tracked and DateCourse has data, but when getting to the other form, it "disappears":
if(!empty($_POST)) {
$DateCourse = ($_POST["DateCourse"]);
$CustName = ($_POST["CustName"]);
}
For example, CustName is filled in, but not DateCourse?
Side question:
Would this return true if another post var is not set (unrelated to this one):
if(!empty($_POST))
I think you are using the wrong code.
You must submit the first form and then use $DateCourse in the other form on postback.
One of the best ways is to define $DateCourse too, like
<?php
$DateCourse = "";
if(!empty($_POST["DateCourse"])) {
$DateCourse = ($_POST["DateCourse"]);
}
?>
<div><input type="date" class="form-control" id="DateCourse" name="DateCourse" value="<?php echo $DateCourse;?>"></div>
Okay, apologies folks, but it may help others in the future.
I had a function call to an old function - this failed, causing my variable to never get defined... I knew it was something stupid, but sometimes one needs a sound board...

Submit a form from another form, $_POST values

I have a value coming from another form in the same page called $_POST['serial'], and I want to use this value to run a query in another form, but after I submit the second form nothing happens and the query does not run.
<?php
if (isset($_POST['serial'])) {
$serial = $_POST['serial'];
?>
<form action="" method="post">
<button type="submit" name="submit">Click to use</button>
</form>
<?php
if (isset($_POST['submit'])) {
$query = mysql_query("UPDATE table_name SET status = 'inactive' WHERE serial = '$serial'");
}
}
?>
To pass the variable along you would create a hidden input on your second form to contain the value:
<?php
// check and clean up the passed variable
$serial = isset($_POST['serial']) ? htmlspecialchars($_POST['serial']) : '';
?>
<form action="" method="post">
<input type="hidden" name="serial" value="<?php echo $serial; ?>" />
<button type="submit" name="submit">Click to use</button>
</form>
For Safety's Sake
Your script is at risk for SQL Injection Attacks.
If you can, you should stop using mysql_* functions. These extensions have been removed in PHP 7. Learn about prepared statements for PDO and MySQLi and consider using PDO, it's really not hard.
Additional Thoughts
If you're planning to do a two-step form you'll likely want to place all of the data processing outside of the form page, in a separate PHP file. With the limited code that you have shown I fear that we will miss something in our answers which will lead you to additional questions because your code still isn't working as you would expect.
A button needs a name and a value to be successful. Your button doesn't have a value so $_POST['submit'] will be undefined.
Add a value attribute to your <button> element.
After you do that, $serial will be undefined because your form doesn't submit that.
You need to include it in your form too:
<input type="hidden" name="serial" value="<?php echo htmlspecialchars($serial); ?>">

How to use multiple forms to submit unique data PHP/MySQL

The way I've structured my form data is by creating them in a while loop, but each time they are created the form will take a unique id.
So my question is, how do I access them individually and update specified data to a MYSQL server.
I've attempted to do it in the code at the end of the script, but I'm not sure how to access the forms individually
<?php
include 'user_data.php';
include 'core.inc.php';
$query = mysql_query("SELECT `post_text` FROM `posts`,`sub_posts` WHERE sub_posts.post_id = posts.id AND sub_posts.user_id='$user_id'");
while($row = mysql_fetch_array($query)){
?><?php echo $row[post_text].'<br>'?>
<form action="<?php $curent_file ?>" method="POST">
<textarea name="answer_field" > </textarea><br />
<input type="submit" value="Submit Answer">
<input type="hidden" name="post_id" value="<?php echo $row['post_id']; ?>" />
</form>
<?php
}//While Loop
if (isset($_POST['answer_field']) && !empty($_POST['answer_field'])){
$answer = mysql_real_escape_string($_POST['answer_field']);
$id = intval($_POST ['post_id']);
$query = "UPDATE `sub_posts` SET `sub_answer`='$answer' WHERE `post_id`='$id'";
}
?>
Only a single form gets posted when clicking the "submit" field. The form name does not get submitted by itself. Instead, you would place the post ID to which the form corresponds as a hidden field:
<input type="hidden" name="post_id" value="<?php echo $row['post_id']; ?>" />
And then later:
$answer = mysql_real_escape_string ($_POST ['answer']);
$id = intval ($_POST ['post_id']);
$query = "UPDATE `sub_posts` SET `sub_answer`='{$answer}' WHERE `post_id`={$id}";
Note that you definitely need to escape the answer before putting it in the query and make sure that the ID is a number. Otherwise, you're opening up your code to SQL injection attacks.

pass php variables from one form to be submitted to database in another

I have a pop up box which checks if the user is signed in or not. If he is, I'm echoing out a small form which the user will press a button and it will submit to the DB. The variables are displayed on the popup but when pressed submit, they do not pass to the submit php file.
$add_wish = "<form action='memWishList.php' method='post' id='memWishList'>
<h3>Add this item to your Wish List?</h3><br>
<input type='hidden' name='title' value='".$title."'>".$title."</input><br>
<input type='hidden' name='link' value='".$link."'></input><br>
<input type='submit' name='submit' value='Add'/><button id='cancel'>
Cancel</button>
</form>";
echo $add_wish;
I want to pass the values title and link to be submitted to the DB. Here's my memWishList.php file:
if (isset($_POST['submit'])){
//get member id
$title = mysqli_real_escape_string($_POST['title']);
$link = mysqli_real_escape_string($_POST['link']);
$mysql = "INSERT INTO wish_list (memNum, title, link, date) VALUES ('$memnum', '$title', '$link', now())";
$myquery = mysqli_query($mysqli_connect, $mysql);}
Doing it this way, I only get the member id and the date inserted, not the title and the link. What's the problem? The reason why I'm echoing out this form is there's an if/else statement for logged in users and non logged in. Would be much easier to do it in html but can't...
DB: memnum(varchar), title(longtext), link(longtext), date(date). I have other tables where long links and titles are inserted just fine as longtext. They're coming from rss feeds.
Please check the documentation: the mysqli_real_escape_string function expects the string as the 2nd parameter if you use the procedural approach. It could be, i.e.:
$link = mysqli_real_escape_string($mysqli_connect, $_POST['link']);
You have some markup errors. Your hidden input tags should look like:
<input type='hidden' name='link' value="<?php echo $link ?>">
Update your HTML file to look like this and all of the values will be sent to the $_POST variable:
<form action='memWishList.php' method='post' id='memWishList'>
<h3>Add this item to your Wish List?</h3><br>
<input type='hidden' name='title' value="<?php echo $title ?>"><?php echo $title ?><br>
<input type='hidden' name='link' value="<?php echo $link ?>"><br>
<input type='submit' name='submit' value='Add'/><button id='cancel'>Cancel</button>
</form>
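The hidden-field markup from the answers above, as an added example that is not part of the original posts: feed titles and links are encoded with htmlspecialchars() before they go into the single-quoted attributes, so an apostrophe or tag in a title cannot end the attribute early or inject markup. The feed item is constructed, and attr() and wishListForm() are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Added example. The feed item below is constructed; attr() and wishListForm()
// are hypothetical helper names, not functions from the page.

// Encode for an HTML attribute or text node. ENT_QUOTES encodes ' as well as ",
// which single-quoted attributes need (it is the default only since PHP 8.1).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function wishListForm(string $title, string $link): string
{
    $t = attr($title);
    $l = attr($link);
    return "<form action='memWishList.php' method='post' id='memWishList'>\n"
        . "<h3>Add this item to your Wish List?</h3>\n"
        . "<p>$t</p>\n"
        . "<input type='hidden' name='title' value='$t'>\n"
        . "<input type='hidden' name='link' value='$l'>\n"
        . "<input type='submit' name='submit' value='Add'>\n"
        // type='button' keeps Cancel from submitting the form
        . "<button type='button' id='cancel'>Cancel</button>\n"
        . "</form>\n";
}

// Constructed feed item containing both quote styles and markup.
$title = "Bob's <b>Guide</b> to \"PHP\"";
$link  = "http://example.com/item?id=1&ref='rss'";
echo wishListForm($title, $link);

// The browser decodes the entities before submitting, so the POST value
// equals the original string; this round trip models that decoding.
var_dump(html_entity_decode(attr($title), ENT_QUOTES, 'UTF-8') === $title);
```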

Can't set variable from $_POST

I can't set a variable from a post array.
I have a simple form with a hidden field in it:
<input name="sid" type="hidden" id="sid" value="<?=$sid?>">
This hidden field gets sent off to a second file (exec.php) where I have the following code:
$sid = $_POST['sid'];
For some reason, when trying to set $sid, it gets a NULL value. For haha's, I ran the following:
foreach($_POST as $var => $value)
{
echo $var . ' : ' . $value . "<br>";
}
This provided a correct value of 1938 for sid. I've looked at this for 3 hours and can't find what is happening. I expect something extremely stupid...any thoughts?
Here is the form on enter.php
<form name="form1" method="post" action="exec.php">
<input name="sid" type="hidden" id="sid" value="<? echo($sid); ?>">
<input name="ticket_totals" type="hidden" id="ticket_totals" value="<?=$ticket_totals?>">
<input name="emp" type="hidden" id="emp" value="<?=$emp?>">
<input name="submit" type="submit" id="submit" value="Submit">
<input type="submit" name="submit" id="submit" value="Close">
</form>
Here is the POST output on exec.php:
type : Other
ticket_totals : 0
emp : 105
sid : 1939
submit : Submit
Okay - this was poor syntax on my part but now I'm curious as to why.
I left out quotation marks - the solution is as simple as this:
$sid = $_POST["sid"];
Now it works like a champ.
Any takers on why? I'd guess there is a setting in the php.ini that requires the quotes. Strangely enough, I have other variables called from the POST array that I'm not using quotes for and they're working fine...
Use Console in FireBug to inspect the POST request to see what is the sid value that is being sent.
If the sid value in request is ok, use var_dump($_POST["sid"]); to see the results on the server.
EDIT: it's considered good PHP style to use the quotes when accessing the associative array because quote-less keys are indistinguishable from constants:
define('myVar',3);
echo $array[myVar]; // retrieves $array[3], not $array['myVar'];
Try to echo the $sid instead of the <?=:
// Change that
<input name="sid" type="hidden" id="sid" value="<?=$sid?>">
// With that
<input name="sid" type="hidden" id="sid" value="<?php echo $sid; ?>">
Also, while testing, try changing the input type from hidden to text in order to be 100% sure the $sid contains a value.
Using quotes for associative array keys is mandatory, and while it may work without them, it's incorrect and erratic behavior is expected.
I had this same problem, trying to use $_POST[sid] as a variable. I am thinking that "sid" is a reserved or restricted variable name, because I changed my variable to $_POST[snid] and it worked just fine. This was my code:
$sid = $_POST[sid];
$recipient = "($sid) ($_POST[sid])";
if ($_POST[sid] > 0)
{
$recipient = "It Worked";
}
print $recipient;
When I posted "&sid=15", the result was:
() (15)
Unbelievable. Impossible, right? All I did was change from using "sid" as the index to "snid", and it worked no problem.
So, don't ever use $_POST[sid].
