-2

I'm wondering what's the problem with this code? What I want to happen is to insert a record when I click the Submit button. But it seems I'm having a problem with the isset function.

 Database Name: dbase

 Table Name: tblmessage

 Fields:
 message_id - INT - auto increment
 message - TEXT

Update: I still can't add / insert a record in my database.

Thank you in advance!

<html>
<head></head>
<body>
<form method = "post" action = "<?php echo $_SERVER['PHP_SELF']; ?>">
    Message: <input type = "text" name = "message">
    </br></br>
    <input type = "submit" name = "submit">
</form>

<?php
    if (isset($_POST['submit'])) {
       if (!empty($_POST['message'])) {

        $conn = mysqli_connect("localhost", "root", "","dbase");

        $message = $_POST['message'];

        $sql = ""INSERT INTO tblmessage (message_id, message) VALUES (NULL, '$message')";
        $insert = mysqli_query($conn,$sql);

          if ($insert) {
              echo "Message successfully added!";
          }
          else {
            echo "Error" . mysqli_error($conn);
          }
      }
    }
    mysqli_close($conn);
?>
</body>
</html>
CodeSurfer
  • 23
  • 5
  • 1
    Wow that is really risky. You directly query the content of an input field to your database. This screams SQL-injection. What exactly is the content of your message-input? A real query like `INSERT INTO...` or just a text and you want to save that in your database? – wayneOS May 04 '18 at 06:03
  • @wayneOS I already added the sql - insert.. but still not working :( – CodeSurfer May 04 '18 at 06:09
  • if you want help, provide an accurate description of your problem. "not working" is inadequate. – Bernhard May 04 '18 at 06:13
  • @wayneOS is right. You want to use something like prepared statements and parameterized queries to avoid mysql injections before you query your input. As for the current problem, is 'message' your table name? What error message are you receiving? – Moses Kirathe May 04 '18 at 06:15
  • To check the error you are receiving, do something like this ` – Moses Kirathe May 04 '18 at 06:18
  • @MosesKirathe I already added the name of the table, but it still doesn't add a record in my database. Thanks! – CodeSurfer May 04 '18 at 06:23
  • Echo this out after the insert attempt and paste it into your question `echo mysql_error();` – Tarek Adam May 04 '18 at 06:25
  • And please, please, please, heed the advice of @wayneOS, your code is wide open to sql injection. – Tarek Adam May 04 '18 at 06:26
  • @TarekAdam I already added: mysqli_error($conn); but it doesn't show any error. Yes I understand wayneOS advice, I'm only wondering why this part of my code is not working. Thank you! – CodeSurfer May 04 '18 at 06:29
  • you can omit `action` on your form if you're just gonna submit it on the same page. – hungrykoala May 04 '18 at 06:37
  • @CodeSurfer Change this `$conn = mysqli_connect($servername, $username, $pass,$db);` with the code found [here](https://www.w3schools.com/php/func_mysqli_connect.asp). Also, read [this](https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display) on how to turn on the PHP errors. – hungrykoala May 04 '18 at 06:39
  • @hungrykoala I did your suggestion, problem is "Message successfully added!" is appearing even I haven't hit the submit button. – CodeSurfer May 04 '18 at 06:56
  • Why are you doing `implode(',',$message)` when inserting a message? that's only applicable for arrays and your $message is a string. – hungrykoala May 04 '18 at 07:47

3 Answers

0

Working Code just copy and paste it

<html>
<head></head>
<body>
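<form method = "post" action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
    Message: <input type = "text" name = "message">
    <br><br>
    <input type = "submit" name = "submit">
</form>

<?php
// Run the insert only after the form was submitted with a non-empty message.
if (isset($_POST['submit'])) {
    if (!empty($_POST['message'])) {
        $conn = mysqli_connect("localhost", "root", "", "dbase");
        // Escape the value for the quoted SQL literal below; unescaped input here is injectable.
        $message = mysqli_real_escape_string($conn, $_POST['message']);

        $sql = "INSERT INTO tblmessage (message_id, message) VALUES (NULL, '" . $message . "')";
        $insert = mysqli_query($conn, $sql);
        if ($insert) {
            echo "Message successfully added!";
        } else {
            // Read the error before closing: mysqli_error() needs an open connection.
            echo "Error" . mysqli_error($conn);
        }
        mysqli_close($conn);
    }
}
?>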
</body>
</html>
Pavan Sikarwar
  • 724
  • 4
  • 13
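The insert from the question, rewritten with a prepared statement as the commenters recommend. This is an added example, not part of the original answers: the `save_message` helper name and the error-handling choices are assumptions, while the connection values and the `tblmessage` table are the ones given in the question.

```php
<?php
// Added example. Connection values and the tblmessage schema come from the question.
// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one message with a prepared statement and return the new message_id.
 * The text travels as a bound parameter, so quotes or SQL keywords inside it
 * are stored as data and never parsed as part of the statement.
 * (save_message is a hypothetical helper name.)
 */
function save_message(mysqli $conn, string $message): int
{
    // message_id is auto increment, so it is left out of the column list.
    $stmt = $conn->prepare('INSERT INTO tblmessage (message) VALUES (?)');
    $stmt->bind_param('s', $message);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['submit'])) {
    // A crafted request can send message[] as an array; accept strings only.
    $raw = $_POST['message'] ?? '';
    $message = is_string($raw) ? trim($raw) : '';

    if ($message === '') {
        echo 'Please enter a message.';
    } else {
        try {
            $conn = new mysqli('localhost', 'root', '', 'dbase');
            $conn->set_charset('utf8mb4');
            $id = save_message($conn, $message);
            $conn->close();
            echo 'Message successfully added! (id ' . $id . ')';
        } catch (mysqli_sql_exception $e) {
            // Keep the database detail in the server log, not in the page.
            error_log('tblmessage insert failed: ' . $e->getMessage());
            echo 'Error: the message could not be saved.';
        }
    }
}
```

When the stored messages are later printed into a page, pass them through `htmlspecialchars()` at output time; the bound parameter protects the query, not the HTML.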
0

You're trying to implode a String. Read about implode.

Change:

  $sql = "INSERT INTO tblmessage (message) VALUES (NULL, ".implode(',',$message).")";
  $insert = mysqli_query($conn,$sql);

To:

  $sql = "INSERT INTO tblmessage (message_id, message) VALUES (NULL, '$message')";
  $insert = mysqli_query($conn,$sql);
hungrykoala
  • 1,030
  • 1
  • 11
  • 27
-1

You don't have any SQL-Statement in your Code. If you want to insert the Message from your form you need to change $sql.

$sql = "INSERT INTO dbase (your_database_field) VALUES ('$message')";
$sql_statement = mysqli_query($conn, $sql);

You should sanitize your input before sending your data to the database.

CodeF0x
  • 2,379
  • 6
  • 15
  • 23
Phips
  • 1
  • 1
  • I already added: $sql = "INSERT INTO (message) VALUES ('$message')"; $insert = mysqli_query($conn,$sql); but still not working :( – CodeSurfer May 04 '18 at 06:11