Cannot INSERT INTO from my form

Question

I have this form

<form method="post" action="new_announcement.php">
<fieldset>
    <legend>Create New Announcement</legend>
Subject :<input type="text" style="float-offset: !important;" name="subject" required="required" /><br>
Content :<br />
<textarea rows="10" cols="60" name="content"></textarea>   </br></br> 
<input type="submit" value="Upload"/>
</fieldset>
</form>

and I want to store the data from my form into a table in my database.

My INSERT INTO code is this...

<?php

include_once 'header.php';

$username = $_SESSION["username"];

if(isset($_POST['username']))
{
    $subject = $_POST['subject'];
    $content = $_POST['content'];

    $sqlinsert = "INSERT INTO announcements (author,subject,content) VALUES ('$username','$subject','$content')";
}

?>

What I am doing wrong and it does not store the data in my database. My database table is the below...

CREATE TABLE announcements
(
    id INT UNSIGNED AUTO_INCREMENT,
    author varchar(200),
    subject varchar(200),
    content varchar(3000),
    timestamp int(11) unsigned not null,
    PRIMARY KEY (id,author)
) ENGINE=MyISAM;

@WorkSmarter doesn't it work automatically when i am entering an input? — Waaaaat, Mar 28 '15 at 15:17
Are you even executing the query? writing it in a string only is usually insufficient — dvhh, Mar 28 '15 at 15:19
@RajnikantSharma where do you want to echo it inside the if isset because if i do it inside the if then i didnt get something — Waaaaat, Mar 28 '15 at 15:19
@niklakis where you execute your query. like mysql_query($sqlinsert ); — Navjot Singh, Mar 28 '15 at 15:21
The timestamp definition needs to read like this logtime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP. Where you are specifying the default value. Note: using timestamp as a column name should be done with care. Probably place in brackets due to it being a keyword. Take a look at this post for an example http://stackoverflow.com/questions/18962757/when-is-a-timestamp-auto-updated — WorkSmarter, Mar 28 '15 at 15:23
@RajnikantSharma i did this.... if(isset($_POST['username'])) { var_dump($_POST); .... } ... nothing happened — Waaaaat, Mar 28 '15 at 15:25
Nothing is going to happen to the DB with this code. It isn't being sent to the DB as @dvhh stated. — chris85, Mar 28 '15 at 15:25
@chris85 I removed the timestamp column from the database just to see if it will work without it — Waaaaat, Mar 28 '15 at 15:28
Yes and as I and dvhh stated this code isnt being sent to your DB. You need to make a connection then execute your query. You're doing neither. — chris85, Mar 28 '15 at 15:28
@chris85 i have a connection with my database because at the begining of the code i have include_once 'header.php'; — Waaaaat, Mar 28 '15 at 15:29
Okay so you got a connection. You're not using it with that query though... — chris85, Mar 28 '15 at 15:30
Please specify how you open your database connection and someone could provide an answer — dvhh, Mar 28 '15 at 15:42
@dvhh i access my database from the include_once 'header.php' — Waaaaat, Mar 28 '15 at 15:43
please update you question to include the relevant line in the `header.php` where you open the connection, if possible **don't forget to replace the username and password with dummy values** — dvhh, Mar 28 '15 at 15:45

chris85 · Accepted Answer · 2015-03-28T16:07:55.877

2

Issue 1. Your form doesn't have an input named "username". So your if(isset($_POST['username'])) will never match. If you expect a username from the form you'll need to make one. If the session is set and correct (which it sounds like it is) use it. Issue 2. The connection isn't being used in the query (as the question stated). Here's updated navjot answer.

<?php
   include_once 'header.php';
   $username = mysql_real_escape_string($_SESSION["username"]);
   if(!empty($_POST)){
   if(isset($username)) {
        $subject = mysql_real_escape_string($_POST['subject']);
        $content = mysql_real_escape_string($_POST['content']);
        $sqlinsert = "INSERT INTO announcements (author,subject,content) VALUES ('$username','$subject','$content')";
$execute = mysql_query($sqlinsert) or die(mysql_error());
   }
}
?>

Issue 3. This was SQL injectible, never trust user input. Issue 4. mysql functions are out of date you should switch over to mysqli or pdo.

There's tons of other threads on these topics though.

If you sanitize the username when you store it to the session that might be fine without the real escape.

edited Mar 28 '15 at 16:07

answered Mar 28 '15 at 15:51

chris85

23,846
7
34
51

mysqli_real_escape_string() expects exactly 2 parameters, 1 given in $username – Waaaaat Mar 28 '15 at 15:52
now it says undefined index for subject and content – Waaaaat Mar 28 '15 at 15:55
Run `print_r($_POST);` are they there? – chris85 Mar 28 '15 at 15:56
where should i write it , inside the if() or after the if – Waaaaat Mar 28 '15 at 15:57
In the `if`. You're processing the form when trying this right? – chris85 Mar 28 '15 at 15:57
Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/73995/discussion-between-chris85-and-niklakis). – chris85 Mar 28 '15 at 15:58

score 1 · Answer 2 · answered Mar 28 '15 at 15:30

1

You need to execute query. try this

 <?php

        include_once 'header.php';

        $username = $_SESSION["username"];

        if(isset($_POST['username']))
        {
            $subject = $_POST['subject'];
            $content = $_POST['content'];

            $sqlinsert = "INSERT INTO announcements (author,subject,content) VALUES ('$username','$subject','$content')";
    $execute = mysql_query($sqlinsert) or die(mysql_error());
        }

        ?>

answered Mar 28 '15 at 15:30

Navjot Singh

514
4
14

add this below $sqlinsert line $result = mysql_query($sqlinsert); – Rajnikant Sharma Mar 28 '15 at 15:31
Are you getting post data into Query? – Rajnikant Sharma Mar 28 '15 at 15:34
have you selected db in your connection script like this mysql_select_db('yourdb') or die ('Database connection failed'); – Rajnikant Sharma Mar 28 '15 at 15:36
@RajnikantSharma if i add what you said i get this .. Undefined variable: sqlinsert – Waaaaat Mar 28 '15 at 15:36
@RajnikantSharma i dont think that there is a problem with the connection because i am using the include_once code and into others pages and it works fine – Waaaaat Mar 28 '15 at 15:36
You don't have a `POST username`. Remove that check or check `$username`. I don't know how you'd get into that conditional with the code provided. – chris85 Mar 28 '15 at 15:38
@chris85 if i echo $username i get the logged in user – Waaaaat Mar 28 '15 at 15:40
Yea? Look at your code though you're not using that variable. `$username = $_SESSION["username"]; if(isset($_POST['username']))` – chris85 Mar 28 '15 at 15:41
@chris85 what is your suggestion for my if(isset($_POST['WHAT SHOULD I WRITE HERE'])) – Waaaaat Mar 28 '15 at 15:42

Cannot INSERT INTO from my form

2 Answers2