AndrewGillespie Posted December 2, 2014 Hi, I am quite new to this and have been learning from the tutorials. The tutorial at http://www.w3schools.com/php/php_form_complete.asp for a form that does validation and avoids injection exploits sends the posted data to the screen. I want to send it to a database. I have not been able to figure out how to go about it. Is it correct to post to the same file with htmlspecialchars($_SERVER["PHP_SELF"]) and have the sql statement in the same file or do I have to post the data to another file with the sql statement in it (like action="dblink.php")?
Ingolme Posted December 2, 2014 You can read about databases here: http://www.w3schools.com/php/php_mysql_intro.asp
thescientist Posted December 2, 2014 How you want to handle the form submitting is entirely up to you (same page vs different page). I would favor a different page so I don't have to mix HTML and PHP (front end and back end code), and do pre-form submission error handling with JS on the client side.
AndrewGillespie Posted December 2, 2014 (Author, edited) Thanks I would like to know if this kind of thing is even possible:

//First some code to check for empty fields and sanitise the data
<?php
$name = $nameErr = $email = $emailErr = null;

// helper defined at top level so it exists before it is called
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["name"])) {
        $nameErr = "Name is required";
    } else {
        $name = test_input($_POST["name"]);
    }
    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // check if e-mail address is well-formed
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $emailErr = "Invalid email format";
        }
    }
}
?>

//Now the form which will show a message if the field is blank, sanitise the data and echo the data already filled in so the user doesn't have to type it again
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    Name: <input type="text" name="name" value="<?php echo $name; ?>">
    <span class="error">* <?php echo $nameErr; ?></span>
    E-mail: <input type="text" name="email" value="<?php echo $email; ?>">
    <span class="error">* <?php echo $emailErr; ?></span>
    <input type="submit" name="submit" value="Submit">
</form>

//Now send the data to the database if it passes all tests, this is where I have the issue
<?php
$con = ...the connection details here;
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $sql = "INSERT INTO tbl_whatever (name, email) VALUES ('$name','$email')";
    if ($con->query($sql)) {
        // now show if post is successful or otherwise show error information
        echo "<h4>Your data was successfully submitted.</h4>";
    } else {
        echo "error: (" . $con->errno . ") " . $con->error;
    }
}
?>

but I have 2 issues:
1. the line is written in the database even if validation fails
2. If the post is successful, how do I empty the input fields so that it is as if the page was just opened?
Edited December 2, 2014 by AndrewGillespie
justsomeguy Posted December 2, 2014 Displaying the form should be the last thing you do, after dealing with the database. You need to have a variable that keeps track of whether there were any errors. You can check that variable to figure out if you should add the record to the database. If you do add the record, then you can clear out the variables after adding the record so that they will be empty when you display the form. Also, you should really be using prepared statements, right now your code is vulnerable to SQL injections. Prepared statements would fix that. Both mysqli and PDO support prepared statements.
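The order justsomeguy describes, written out as an added example (this is not code from the thread or from the W3Schools tutorial): validate into an error list, insert only when that list is empty, blank the variables after a successful insert, and render the form last, with the string-built INSERT replaced by a PDO prepared statement. The SQLite in-memory DSN, the table name tbl_whatever and the sample submissions are assumptions made so the script runs stand-alone; a real page would use its MySQL DSN instead.

```php
<?php
// Added example, not code from the thread. Assumptions: SQLite in memory as the
// database so the script runs offline, and a table named tbl_whatever.

function validate(array $post): array
{
    $name  = trim($post['name'] ?? '');
    $email = trim($post['email'] ?? '');
    $errors = [];                       // one place that records every failure
    if ($name === '') {
        $errors['name'] = 'Name is required';
    }
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Invalid email format';
    }
    return ['name' => $name, 'email' => $email, 'errors' => $errors];
}

function insertContact(PDO $db, string $name, string $email): void
{
    // Values are bound parameters, never part of the SQL text, so a name such
    // as O'Brien is stored literally instead of breaking or altering the query.
    $stmt = $db->prepare('INSERT INTO tbl_whatever (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

function handleSubmission(PDO $db, array $post): array
{
    $r = validate($post);
    $r['saved'] = false;
    if ($r['errors'] === []) {          // insert only when nothing failed
        insertContact($db, $r['name'], $r['email']);
        $r['name'] = $r['email'] = '';  // blank the fields after a successful save
        $r['saved'] = true;
    }
    return $r;
}

function h(string $s): string
{
    // Escape at output time; the database holds the raw value.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderForm(array $r): string
{
    $action = h($_SERVER['PHP_SELF'] ?? '');
    $out  = $r['saved'] ? "<h4>Your data was successfully submitted.</h4>\n" : '';
    $out .= '<form method="post" action="' . $action . "\">\n";
    $out .= 'Name: <input type="text" name="name" value="' . h($r['name']) . '">'
          . ' <span class="error">' . h($r['errors']['name'] ?? '') . "</span><br>\n";
    $out .= 'E-mail: <input type="text" name="email" value="' . h($r['email']) . '">'
          . ' <span class="error">' . h($r['errors']['email'] ?? '') . "</span><br>\n";
    $out .= "<input type=\"submit\" name=\"submit\" value=\"Submit\">\n</form>\n";
    return $out;
}

$db = new PDO('sqlite::memory:');   // assumption: stand-in for the real MySQL DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_whatever (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions for a command-line run: the first fails
    // validation and must not be stored, the second is stored once.
    $samples = [
        ['name' => '',        'email' => 'not-an-email'],
        ['name' => "O'Brien", 'email' => 'ob@example.com'],
    ];
    foreach ($samples as $sample) {
        $r = handleSubmission($db, $sample);
        echo json_encode(['errors' => $r['errors'], 'saved' => $r['saved']]), "\n";
    }
    echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM tbl_whatever')->fetchColumn(), "\n";
} else {
    $r = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        ? handleSubmission($db, $_POST)
        : ['name' => '', 'email' => '', 'errors' => [], 'saved' => false];
    echo renderForm($r);                // the form is output last, after the database work
}
```

Run from the command line the script prints one JSON line per sample submission and the row count (1), which shows the failed submission never reached the table; served through a web server it behaves as the self-posting page the thread is about. Note that the escaping moved from input to output: the prepared statement protects the database, and htmlspecialchars in renderForm protects the page, so the stored value is the text the user actually typed.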