
Combining tutorial PHP Form with Mysql insert


AndrewGillespie


Hi, I am quite new to this and have been learning from the tutorials. The tutorial at http://www.w3schools.com/php/php_form_complete.asp for a form that does validation and avoids injection exploits sends the posted data to the screen. I want to send it to a database.

 

I have not been able to figure out how to go about it. Is it correct to post to the same file with htmlspecialchars($_SERVER["PHP_SELF"]) and have the sql statement in the same file or do I have to post the data to another file with the sql statement in it (like action="dblink.php")?


How you want to handle the form submitting is entirely up to you (same page vs different page). I would favor a different page so I don't have to mix HTML and PHP (front end and back end code), and do pre-form submission error handling with JS on the client side.


Thanks

 

I would like to know if this kind of thing is even possible:

 

//First some code to check for empty fields and sanitise the data
<?php
$name = $nameErr = $email = $emailErr = null;

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if (empty($_POST["name"])) {
    $nameErr = "Name is required";
  } else {
    $name = test_input($_POST["name"]);
  }

  if (empty($_POST["email"])) {
    $emailErr = "Email is required";
  } else {
    $email = test_input($_POST["email"]);
    // check if e-mail address is well-formed
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
      $emailErr = "Invalid email format";
    }
  }
}

// defined at top level so it exists before the POST block above calls it
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>

//Now the form which will show a message if the field is blank, sanitise the data and echo the data already filled in so the user doesn't have to type it again
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
  Name: <input type="text" name="name" value="<?php echo $name;?>">
  E-mail: <input type="text" name="email" value="<?php echo $email;?>">
  <span class="error">* <?php echo $emailErr;?></span>
  <span class="error">* <?php echo $nameErr;?></span>
  <input type="submit" name="submit" value="Submit">
</form>

//Now send the data to the database if it passes all tests, this is where I have the issue
<?php
$con = ...the connection details here;
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  $sql = "INSERT INTO tbl_whatever (name, email) VALUES ('$name','$email')";
  if ($con->query($sql)) {
    // now show if post is successful or otherwise show error information
    echo "<h4>Your data was successfully submitted.</h4>";
  } else {
    echo "error: (" . $con->errno . ") " . $con->error;
  }
}
?>

 

but I have 2 issues:

1. the line is written in the database even if validation fails

2. If the post is successful, how do I empty the input fields so that it is as if the page was just opened?


Displaying the form should be the last thing you do, after dealing with the database. You need to have a variable that keeps track of whether there were any errors. You can check that variable to figure out if you should add the record to the database. If you do add the record, then you can clear out the variables after adding the record so that they will be empty when you display the form. Also, you should really be using prepared statements; right now your code is vulnerable to SQL injection. Prepared statements would fix that. Both mysqli and PDO support prepared statements.

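The structure that reply describes, written out as an added example (not the poster's code and not from the tutorial): validate first, collect errors in one array, insert through a mysqli prepared statement only when the array is empty, clear the fields on success, and render the form last. The connection details are placeholders, the table tbl_whatever(name, email) is the one from the question, and escaping is done at output time rather than before storage (my choice, not the tutorial's).

```php
<?php
// Added example: error tracking + prepared statement + form rendered last.
// Assumes table tbl_whatever(name, email); connection values below are placeholders.
$name = $email = '';
$errors = [];      // validation messages keyed by field; empty array means "safe to insert"
$success = false;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = trim($_POST['name'] ?? '');
    $email = trim($_POST['email'] ?? '');

    if ($name === '') { $errors['name'] = 'Name is required'; }
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Invalid email format';
    }

    if ($errors === []) {   // the database is only touched when every check passed
        $con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
        // The SQL text is fixed; the values are bound separately, so input such as
        // a quote character cannot change the statement (fixes the '$name','$email' issue).
        $stmt = $con->prepare('INSERT INTO tbl_whatever (name, email) VALUES (?, ?)');
        $stmt->bind_param('ss', $name, $email);
        if ($stmt->execute()) {
            $success = true;
            $name = $email = '';   // clear the fields so the form renders as freshly opened
        } else {
            // show the user only an error number; the full message belongs in a server log
            $errors['db'] = 'Could not save your data (error ' . $stmt->errno . ')';
        }
        $stmt->close();
        $con->close();
    }
}

// Escape at display time; the database keeps the raw (validated) value.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
?>
<?php if ($success): ?><h4>Your data was successfully submitted.</h4><?php endif; ?>
<form method="post" action="<?= h($_SERVER['PHP_SELF']) ?>">
  Name: <input type="text" name="name" value="<?= h($name) ?>">
  <span class="error"><?= h($errors['name'] ?? '') ?></span><br>
  E-mail: <input type="text" name="email" value="<?= h($email) ?>">
  <span class="error"><?= h($errors['email'] ?? '') ?></span><br>
  <?php if (isset($errors['db'])): ?><span class="error"><?= h($errors['db']) ?></span><br><?php endif; ?>
  <input type="submit" name="submit" value="Submit">
</form>
```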
