
I am very new to Stack Overflow. I want to create this form which uploads information to the database. When I click submit it does not get uploaded. I have checked my connections file and that is correct. Code below. Please help.

<?php
include("/connections/db_conx.php");

if ( isset($_POST['submit']) ) {

    $title = mysqli_real_escape_string($_POST['title']);
    $text = mysqli_real_escape_string($_POST['text']);
    $picture = mysqli_real_escape_string($_POST['picture']);

    $sql = "INSERT INTO news  (title, text, picture) VALUES('$title','$text','$picture', now(),now(),now())";

    $query = mysqli_query ($db_conx, $sql);

    echo 'Entered into the news table';
}
?>

<html>
<head>
</head>
<body>

<table border="0">
<tr>
<form method="post" action="index.php" id="tech">
<td>Title</td><td> <input type="text" name="title"></td> </tr>
<tr> <td>Text</td><td> <textarea rows="4" name="text" cols="50" name="comment" form="tech"> </textarea>
     </td> </tr>

<tr> <td>Picture</td><td> <input type="varchar" name="picture"></td> </tr>

<tr> <td><input id="button" type="submit" name="submit" value="Submit"></td>
</tr>
</form>

</table>

</body>
</html>
Funk Forty Niner
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 06 '17 at 19:16
  • Your number of fields and number of values do not match. – lkdhruw Jul 06 '17 at 19:16
  • Do you get an error code? – GrumpyCrouton Jul 06 '17 at 19:16
  • A little error checking would go a long way here. Have a look at your error logs. – Jay Blanchard Jul 06 '17 at 19:16
  • @Jay Blanchard how can I make it more secure? – Tech Endling Jul 06 '17 at 19:17
  • @TechEndling Try [This code](https://pastebin.com/raw/6hbRrm5j) at the very least it will give you error reporting and you can tell us what the error is, and maybe we can help you. This also fixes many many formatting issues that you have. – GrumpyCrouton Jul 06 '17 at 19:19
  • @GrumpyCrouton I tried your code and it came back with two errors: "mysqli_real_escape_string() expects exactly 2 parameters, 1 given" and "Uncaught Error: Call to a member function query()". – Tech Endling Jul 06 '17 at 19:24
  • @TechEndling - to learn how to make your code more secure, start with the links in first comment. – Rushikumar Jul 06 '17 at 19:27
  • @GrumpyCrouton it is now only giving me one error: "mysqli_real_escape_string() expects exactly 2 parameters". – Tech Endling Jul 06 '17 at 19:32

2 Answers

Here is the code you need to use:

<?php
    include("/connections/db_conx.php");
    if(isset($_POST['submit'])) {
        // mysqli_real_escape_string() needs the connection as its first argument
        $title   = mysqli_real_escape_string($db_conx, $_POST['title']);
        $text    = mysqli_real_escape_string($db_conx, $_POST['text']);
        $picture = mysqli_real_escape_string($db_conx, $_POST['picture']);
        // three columns, three values
        $sql     = "INSERT INTO news (`title`, `text`, `picture`) VALUES('$title','$text','$picture');";
        $result  = $db_conx->query($sql);
        if(!$result){
            die('There was an error running the query [' . $db_conx->error . ']');
        }
        echo 'Entered into the news table';
    }
?>

<html>
    <head>
    </head>
    <body>
        <form method="post" action="index.php" id="tech">
            <table border="0">
                <tr>
                    <td>Title</td>
                    <td> <input type="text" name="title"></td>
                </tr>
                <tr>
                    <td>Text</td>
                    <td><textarea rows="4" name="text" cols="50" form="tech"> </textarea></td>
                </tr>
                <tr>
                    <td>Picture</td>
                    <td> <input type="text" name="picture"></td>
                </tr>
                <tr>
                    <td><input id="button" type="submit" name="submit" value="Submit"></td>
                </tr>
            </table>
        </form>
    </body>
</html>

Your problem is that the mysqli_real_escape_string() function requires 2 parameters: the database connection, and the string to escape.

I've also included completely reformatted code, and error checking as well.

GrumpyCrouton

Try this:

$title = mysqli_real_escape_string($db_conx, $_POST['title']);
$text = mysqli_real_escape_string($db_conx, $_POST['text']);
$picture = mysqli_real_escape_string($db_conx, $_POST['picture']);

$sql = "INSERT INTO news (title, text, picture) VALUES('$title','$text','$picture')";

$query = mysqli_query($db_conx, $sql);

if ($query) {
    echo 'Entered into the news table'; // Your success message
} else {
    echo mysqli_error($db_conx);
}
AshhaR
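Both answers above keep the escape-and-concatenate pattern that Jay Blanchard's comment warns against. As an added example that is not from the question or either answer, here is the same INSERT into the `news` table written as a mysqli prepared statement with error reporting turned on; it assumes, as the original post does, that /connections/db_conx.php defines `$db_conx` as a mysqli connection.

```php
<?php
// Added example (not from the question or either answer): the same INSERT
// rewritten as a mysqli prepared statement. User input is sent to the server
// separately from the SQL text, so mysqli_real_escape_string() is not needed.
// Assumes /connections/db_conx.php defines $db_conx as a mysqli connection.
include("/connections/db_conx.php");

// Throw exceptions on any mysqli error instead of failing silently, which is
// what hid the original column/value count mismatch (3 columns, 6 values).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_news(mysqli $db, string $title, string $text, string $picture): int
{
    // Column list and placeholder count match exactly: three and three.
    $stmt = $db->prepare(
        "INSERT INTO news (`title`, `text`, `picture`) VALUES (?, ?, ?)"
    );
    // "sss": three string parameters. Quotes, semicolons or comment
    // sequences inside them are just data, never part of the query.
    $stmt->bind_param('sss', $title, $text, $picture);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

if (isset($_POST['submit'])) {
    try {
        $id = insert_news(
            $db_conx,
            $_POST['title']   ?? '',
            $_POST['text']    ?? '',
            $_POST['picture'] ?? ''
        );
        echo 'Entered into the news table (id ' . $id . ')';
    } catch (mysqli_sql_exception $e) {
        // Keep driver error text in the server log; do not echo it to the browser.
        error_log('news insert failed: ' . $e->getMessage());
        echo 'Could not save the entry.';
    }
}
```

If the `news` table has timestamp columns that the original `now()` values were meant for, name them in the column list and add one placeholder or `NOW()` per column so the two counts stay equal.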