I have a page which basically allows an admin user to create manager user types (basically a register function. So when the values are submitted, they are stored into the DB, very very basic stuff. However, I have a hidden variable type..reasons are I have 3 different user levels and I have declared they identification as an integer (e.g. 7 = manager, 8 =user etc.)
Can someone help me out with how to correctly pass this hidden value so it stores in the database...
Here is my form:
<form id="userreg" name="userreg" method="post" action="adduser-process.php">
<label>Full Name:</label> <input name="fullname" size="40" id="fullname" value="<?php if (isset($_POST['fullname'])); ?>"/>
<br />
<label>Username:</label> <input name="username" size="40" id="username" value="<?php if (isset($_POST['username'])); ?>"/> <br />
<label>Password:</label> <input name="password" size="40" id="password" value="<?php if (isset($_POST['password'])); ?>"/> <br />
<label>Email Address:</label> <input name="emailaddress" size="40" id="emailaddress" value="<?php if (isset($_POST['emailaddress'])); ?>"/>
<br />
<input name="userlevel" type="hidden" size="1" id="userlevel" value="<?php $_POST[5]; ?>" /> <br />
<input value="Add User" class="addbtn" type="submit" />
</form></div>
Next, here is the script that runs the query:
<?php
require_once "config.php";
$fullname = $_POST['fullname'];
$username = $_POST['username'];
$password = $_POST['password'];
$emailaddress = $_POST['emailaddress'];
$userlevel = $_POST[5];
$sql = "INSERT INTO users_tb VALUES('".$user_id."','".$fullname."','".$username."',MD5('".$password."'),'".$emailaddress."','".$userlevel."')";
$result = mysql_query($sql, $connection)
or die("MySQL Error: ".mysql_error());
header("Location: administratorfrontview.php");
exit();
?>
I'm basically trying to pass the hidden typem with a constant value of '5' just for this form, as it will not be changed...also while im here, for some reason, the 'fullname' is not stored in the DB either!!?? WTH?? all other fields are processed fine. Any help is much appreciated! Thank you.
Two things. One, $userlevel should equal $_POST['userlevel'] not 5 as POST data isn't always in that order. Two, your insert statement should be preceded with the column names (to prevent any data from going in the wrong order).
$sql = "INSERT INFO users_tb (id, name, username, password, email, userlevel) ".
"('".$user_id."','".$fullname."','".$username."',MD5('".$password."'),'".
$emailaddress."','".$userlevel."')";
Your PHP for outputting the value is wrong. Use:
<?= $_POST[5]; ?>
or
<?php echo $_POST[5]; ?>
Related
I have HTML registration form when I submit the form the PHP code appears and data not insert to database i made my database using phpMyAdmin, what should I do?
Here my PHP code:
<?php
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
if ($con) {
echo "good";
}else {
die('error');
}
if(isset($_POST['submit'])){
$Fname = mysqli_real_escape_string($con,$_POST["Fname"]);
$Lname = mysqli_real_escape_string($con,$_POST["Lname"]);
$email = mysqli_real_escape_string($con,$_POST['email']);
$password = mysqli_real_escape_string($con,$_POST['password']);
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher` (Re_fname,Re_lname,Re_mobile,Re_password) values ('$Fname','$Lname','$email','$password ')");
if (mysqli_query($sql)){
echo "insert";
} else {
echo "error" .$sql ."<br>". mysqli_error($con);
}
}
?>
here my registration HTML code
<form method="post" action="connect.php">
<legend class="center">Register </legend>
<br>
<div>
<input type="text" name="Fname" placeholder="First Name"/>
</div>
<div>
<input type="text" name="Lname" placeholder="Last Name"/>
</div>
<div>
<input type="text" name="email" placeholder="Email"/>
</div>
<div>
<input type="password" name="password" placeholder="Password"/>
</div>
<div>
<input type="password" name="con_password" placeholder="Password confirm"/>
</div>
<input type="submit" name="submit" value="submit"/>
</form>
Look at the following:
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher`
^^^^^^^^^^^^ function
(Re_fname,Re_lname,Re_mobile,Re_password)
values ('$Fname','$Lname','$email','$password ')");
^ space
if (mysqli_query($sql)){
^^^^^^^^^^^^ function
You're using that mysqli_query() function twice, remove one and just do:
if ($sql){...}
and mysqli_error($con) should have thrown you an error about it.
If it didn't throw an error, then that may suggest you're using this as file:/// as opposed to http://localhost.
Edit:
"i have html registration form whin i submit the form the php code apears"
That's because of what I wrote above before quoting you. You need to run this off a webserver with php/mysql installed and running properly and as http://localhost.
Also, remove the space in this '$password '. That space counts as a character.
Double-check your column names also. There seems to be something that doesn't match (Re_fname,Re_lname,Re_mobile,Re_password) the Re_mobile and you're referencing an email '$email' in VALUES.
You also seem to store plain text passwords; don't, it's not safe if you intend on going live with this. Use password_hash() and a prepared statement.
Footnotes:
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
You can shorten that to using all 4 arguments in mysqli_connect():
$con=mysqli_connect('localhost','root', '', 'research_sys');
I've been tearing my hair out trying to figure out why the isset($_POST['Submit']) is not executing with my form. The data from the form is just not passing into the php code. Basically the code does not seem to be recognizing something like $ffname = $_POST["ffname"];
<?php
$ffname = $flname = $femail = $fcemail = $fpass = $fcpass = "";
if(isset($_POST['ffname'])){
$ffname = $_POST["ffname"];
$flname = $_POST["flname"];
$femail = $_POST["femail"];
$fcemail = $_POST["fcemail"];
$fpass = $_POST["fpass"];
$fcpass = $_POST["fcpass"];
echo "<p>Hello World<p>";
$con = mysqli_connect("localhost", "root", "") or die(mysqli_error());
mysqli_select_db($con, "userdata") or die(mysqli_error($con));
mysqli_query($con,"INSERT INTO tbluser (fname, lname, email, pass) VALUES('$ffname', '$flname', '$femail', '$fpass')")
or die (mysqli_error($con));
}
?>
<form method="post">
First Name: <input type="text" name="ffname" id="ffname" value="<?php echo $ffname;?>"><br>
Last Name: <input type="text" name="flname" value="<?php echo $flname;?>"><br>
E-mail: <input type="email" name="femail" value="<?php echo $femail;?>"><br>
Confirm E-mail: <input type="email" name="fcemail" value="<?php echo $fcemail;?>"><br>
Password: <input type="password" name="fpass" value="<?php echo $fpass;?>"><br>
Confirm Password: <input type="password" name="fcpass" value="<?php echo $fcpass;?>"><br>
<input type="submit" name="Submit" value="submit">
</form>
The other answer by #DerVO is correct. But there seems to be something else at play, since you say it still doesn't work.
A comment became too long, so I've built a full answer here.
Step 1:
Add a name to your input:
<input type="submit" name="Submit" value="submit">
However, relying on the submit in your $_POST is not the best plan. So I suggest watching a different form field - for example, ffname:
Step 2:
Improve your watch, using a different field:
if ( isset( $_POST['ffname'] ) ) {
// do your work
}
Lastly, you may be munging your form action attribute.
Step 3:
In order to keep things simple, if the form is supposed to submit to the same page, you can simply omit the form action.
<form method="post">
Betweeen these three items, the form will work, unless you have some problem with your server.
Step 4:
Clean up your form formatting. You've got odd spacing which is problematic. In an html element, the property="value" code needs to be without spaces, but spaces between properties. Example:
<!-- Your version -->
<input type = "text"name = "ffname"id = "ffname"value="<?php echo $ffname;?>"><br>
<!-- Clean / correct version -->
<input type="text" name="ffname" id="ffname" value="<?php echo $ffname;?>"><br>
Here's a "clean" version of your whole form:
<form method="post">
First Name: <input type="text" name="ffname" id="ffname" value="<?php echo $ffname;?>"><br>
Last Name: <input type="text" name="flname" value="<?php echo $flname;?>"><br>
E-mail: <input type="email" name="femail" value="<?php echo $femail;?>"><br>
Confirm E-mail: <input type="email" name="fcemail" value="<?php echo $fcemail;?>"><br>
Password: <input type="password" name="fpass" value="<?php echo $fpass;?>"><br>
Confirm Password: <input type="password" name="fcpass" value="<?php echo $fcpass;?>"><br>
<input type="submit" name="Submit" value="submit">
</form>
You need to give your input submit a name:
<input type="submit" name="Submit" value="Submit">
You have pass name of element in $_POST
try put name attribute in input submit
<input type = "submit" name="Submit" value = "1">
(I found this but still dont understand) {HTML form PHP post to self to validate or submit to new page}
I am sorry if this question is explained better in another place but I have been stuck for hours, have searched, and have just given up. I am going by the W3c website tutorial on how to validate, sanitize, and handle forms using PHP. All went well (At least I think it did) until it was time to do something with this data. I will show you the code now and further explain my position and problem after the code:
<form method="POST" name="signup" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<label for="first name"></label><input id="first name" name="first_name" placeholder="First Name" type="text" value="<?php echo $firstname;?>" /> <span class="error">* <?php echo $firstnameErr;?></span>
<label for="last_name"></label><input id="last name" name="last_name" placeholder="Last Name" type="text" value="<?php echo $lastname;?>" />
<span class="error">* <?php echo $lastnameErr;?></span>
<br><br>
<label for="email"></label><input id="email" name="email" placeholder="Email" type="text" value="<?php echo $email;?>" />
<span class="error">* <?php echo $emailErr;?></span>
<br /><br />
<label for="password"></label><input id="password" name="password" placeholder="Create Password" type="password" />
<span class="error">* <?php echo $passwordErr;?></span>
<br /><br />
<label for="male"><strong>Male</strong></label>
<input id="male" value="male" <?php if (isset($gender) && $gender=="male") echo "checked";?> name="gender" type="radio" />
<label for="female"><strong>Female</strong></label> <input id="female" value="female"
<?php if (isset($gender) && $gender=="female") echo "checked";?> name="gender" type="radio" />
<span class="error">* <?php echo $genderErr;?></span>
<br /><br />
<label for="submit">"I Agree To Terms And Conditions"</label> <input id="submit" value="Submit" type="submit" name="submit"/><br /><br />
<p><span class="error">* required field.</span></p>
<hr>
I am confused on many things. Should I keep the 'Form Action" as is, or should I change it to something like, "welcome.php". If I do change it to "welcome.php" do I still include the 'htmlspecialchars'? I am going to be using MSQLI. I am already able to connect to my database but how do I go about converting the users data into viable information for the server? Do I just go ahead and use the variables that I created in this HTML form? I know I need to put some kind of variables into a query string and then make sure I exit it as well. I am sorry if I pissed some of you off but I am just needing help. I dont want negative points but if I can receive some answers than I can handle a few bad points. Thanks for your help and happy holidays.
Below is my "welcome.php." It is actually called something different but for this moment it is "welcome.php". Thanks again.
<?php
$hostname="social89.db";
$username="social89";
$password="P!!";
$dbname="social89";
$db_conx = mysqli_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
if(mysqli_connect_errno()){
echo mysqli_connect_error();
exit();
}
$select = mysqli_select_db($db_conx,$dbname);
$firstname= $_POST["first_name"];
$lastname= $_POST["last_name"];
$email= $_POST["email"];
$password= $_POST["password"];
$gender= $_POST["gender"];
mysqli_query($db_conx,"INSERT INTO users (firstname, lastname, email, password, gender)
VALUES ('$firstname', '$lastname', '$email', '$password', '$gender')");
mysqli_close($db_conx);
header("Location: ERASETHISprofile.php")
?>
Ooh, where to begin.
At the beginning I guess.
"Post to self" refers to having the same script that renders the form receive the form data. The form action points back at the same php script using the server variable $_SERVER['PHP_SELF'].
This means you can do something like:
<?php
if (!empty($_POST)) { // if $_POST isn't empty, the user submitted the form
// validate
if ($validationPassed) {
// insert to db
} else {
// tell the user they messed up
$error = 'Hey, you! Email address was incorrect.';
}
}
//
?>
<html> ...
<?php if (isset($error)) { echo $error; } ?>
// form
The above is really basic. You'll want to set errors for specific fields failing validation to give the user more of a clue as to what to correct.
htmlspecialchars() - Convert special characters to HTML entities
In short, if you trust the input string, you don't need it. So "welcome.php" that has been typed manually by yourself into the document, is trusted, and doesn't need to have special characters converted - there aren't any in the string. If that text came from a user it could contain, for example, <h2>Hello</h2>. Without the use of this function, your page may render that Hello inside the H2.
Recommended reading for the next part: How can I prevent SQL injection in PHP?
At the moment you are vulnerable, because you are taking data from the form and are not validating or sanitizing it. Obligatory XKCD comic: http://xkcd.com/327/. In addition to the risk of SQL injection there is the risk of junk data ending up in your DB.
Validation in PHP: filter_var examples: http://www.php.net/manual/en/filter.examples.validation.php
I am trying to generate a script to insert comments on a blog to 'comments' table in MySsl database
<form action="insertcomment.php" method="post">
<p class ="ctitle">Leave a Comment:</p>
<p>
<label for="name"><b>PostID:</b></label>
<input type="text" id="postid" name="name" maxlength="4" /> <br/>
<label for="name"><b>Name:</b></label>
<input type="text" id="name" name="name" maxlength="25" /> <br/>
<label for="email"><b>Email:</b></label>
<input type="text" id="email" name="email" maxlength="50" /> <br/>
<label for="website"><b>Website:</b></label>
<input type="text" id="website" name="website" maxlength="25" /> <br/>
<label for="content"><b>Comment:</b></label>
<textarea id="content" name="content" cols="10" rows="4" maxlength="800"></textarea> <br/>
<input type="submit" value="Submit Comment" name="submit_comment" /> <br/>
</p>
</form>
and my PHP script is as follows:
<?php
include("dbconnect.php");
$con=new dbconnect();
$con->connect();
error_reporting(E_ALL);
if(isset($_POST['submit'])) {
$sSql = "INSERT INTO comments
( post_id,name, email, website,content)
VALUES ('$_POST[postid]','$_POST[name]', '$_POST[email]', '$_POST[website]', '$_POST[content]')";
mysql_query($sSql);
echo '<h2> Your Comment is submitted</h2><br />';
}
?>
But I was not able to insert my comment into database. my 'comments' table has comment_id,post_id,name,email,website,content,date_published fields. comment_id is the primary key. It has the option auto_increment. and date_published by default gives current time stamp. I was not able to figure out what my error is. Any thoughts would be appreciated.
Thank You!
You should use mysqli or PDO, but if you need to use the about-to-be depreciated mysql plugin:
<?php
include("dbconnect.php");
$con=new dbconnect();
$con->connect();
error_reporting(E_ALL);
if(isset($_POST['submit'])) {
foreach ($_POST as $key => $value) {
$$key = mysql_real_escape_string($value); // You should always sanitize user inputs.
}
$sSql = "INSERT INTO comments
( post_id,name, email, website,content)
VALUES ($postid,'$name', '$email', '$website', '$content')"; // No quotes around $postid because I'm assuming post_id column is an int type.
mysql_query($sSql);
echo '<h2> Your Comment is submitted</h2><br />';
}
?>
Notice the single quotes have been removed from $postid. This is because if table post_id is an int type, then you should not have quotes around the integer value.
Also, notice I've used the mysql_real_escape_string() function to clean your inputs. You should never ever quote direct user-inputted variables into SQL. It's very dangerous as users can use SQL injection attacks to gain access to your DB where they shouldn't or even possibly drop tables.
Still, I recommend converting to mysqli or PDO if at all possible, because the mysql plugin is about to be depreciated.
So I have this empty textboxes in a registrationg page. The user enters some data, hits continue and then there's a confirmation page. If the data is incorrect, the user hits go back to go correct whatever was wrong. However, when he goes back, all the textboxes are empty. So the first thing that comes to my mind is to store the user data in a Session (I have a User class that holds all this data so I store the class in the session). When the user goes back I am able to retrieve the data.
I do something like this:
if($_SESSION['UserInfo'])
{
$user = $_SESSION['UserInfo'];
$firstName = $user->FirstName;
$lastName = $user->LastName;
}
How would I put these variables in a textbox?
To set the value, you can just echo out the content inside the value attribute:
<input type="text" name="firstname" value="<?php echo htmlentities($firstName); ?>" />
<input type="text" name="lastname" value="<?php echo htmlentities($lastName); ?>" />
Of course you will want to escape it but...
<input type="text" value="<?php echo $firstName ?>" />
or if the form is posted, it would be easier to do:
<input type="text" name="firstName" value="<?php echo $_POST['firstName'] ?>" />
fine... even though it was out of the scope of the question here is the escaped version:
<input type="text" name="firstName" value="<?php echo htmlentities($_POST['firstName']) ?>" />
smth like
<input type="text" value="<?php echo $first_name;?>">
Don't forget to escape with htmlentities() or smth similar. If you don't know why - google XSS.