0

I have one page which has one input text box and that data needs to be either inserted or updating the existing row.

I will echo it later, that is under control.

<form method="post" name="tapahtuma">
Submit: 
<input type="text" name="auts[]"> 
<input type="button" value="Ilmoita">
</form >

<?php

if(isset( $_POST["tapahtuma"]) ) {
$link = mysql_connect("localhost","root","","db");
mysqli_query($link, "INSERT INTO table (column) VALUES ('".$auts."')");
$auts = mysql_real_escape_string($_POST['auts']);
mysqli_close($link);
}

?>
Salman Mohammad
  • 182
  • 1
  • 14
Miggs
  • 1
  • 2

2 Answers2

0

According to the code provided.

Changes

  1. Change <input type="button" value="Ilmoita"> to <input type="submit" name="Ilmoita" value="Ilmoita">
  2. Change if(isset( $_POST["tapahtuma"]) ) { to if(isset( $_POST["Ilmoita"]) ) {
  3. Change $link = mysql_connect("localhost","root","","db"); to $link = mysqli_connect("localhost","root","","db");
  4. Put $auts = mysql_real_escape_string($_POST['auts']); before mysqli_query

Updated Code

<form method="post" name="tapahtuma">
  <input type="text" name="auts">
  Submit: <input type="submit" name="Ilmoita" value="Ilmoita">
</form >
<?php

if(isset( $_POST["Ilmoita"]) ) {
  $link = mysqli_connect("localhost","root","","db");
  $auts = mysql_real_escape_string($_POST['auts']);
  mysqli_query($link, "INSERT INTO table (column) VALUES ('".$auts."')");
  mysqli_close($link);
}?>

I will suggest you to use prepared statements to avoid SQL Injections

<form method="post" name="tapahtuma">
  <input type="text" name="auts">
  Submit: <input type="submit" name="Ilmoita" value="Ilmoita">
</form>

<?php
if(isset($_POST["Ilmoita"])) {
  $link = mysqli_connect("localhost","root","","db") or die("connection failed: " . mysqli_connect_error());
  $result = mysqli_prepare($link, "INSERT INTO `table` (`column`) VALUES (?)");
  mysqli_stmt_bind_param($result, "s", $_POST['auts']);
  mysqli_stmt_execute($result);
  mysqli_close($link);
}?>

Quick Links

Nana Partykar
  • 10,556
  • 10
  • 48
  • 77
  • It's on localhost so not worried about sqli – Miggs Oct 03 '17 at 13:01
  • This isn't updating my mysql db either. The connection should be alright, but cannot get it to post anything tho' Database is set to varchar. Should it be something else? – Miggs Oct 03 '17 at 13:24
  • Then, it's your DB Connection problem. Check whether DB Credentials are properly passed in database connection method @Miggs – Nana Partykar Oct 03 '17 at 13:36
  • I've updated my answer. I forgotten to add `name="Ilmoita"` in submit button. Have a look and try again @Miggs – Nana Partykar Oct 03 '17 at 14:02
  • Hello, so if I update a date table with this function, it works like a charm. Text doesn't so I really do not know what it is that could cause this. – Miggs Oct 04 '17 at 07:38
  • Got it working without prepared statements, I will update shortly here – Miggs Oct 04 '17 at 07:58
0
<form method="post" name="tapahtuma">
Vapaa teksti: <input type="text" name="auts">
<input type="submit" value="ilmoita" name="ilmoita">
</form >

<?php

if(isset( $_POST["ilmoita"]) ) {
$link = mysqli_connect("localhost","root","","db");
$auts = mysqli_real_escape_string($link, $_POST['auts']);
mysqli_query($link, "INSERT INTO table (column) VALUES ('$auts')");
mysqli_close($link);
}?>

What I did, is that I used mysqli_real_escape_string instead of mysql_real_escape_string and also added the $link there as well.

I will test with the prepared statements sometime, but at least this works and it really isn't a concern with the sqli exploits.

Miggs
  • 1
  • 2