0

I have a form:

<table border="1">
  <tr>
    <td align="center">Form Input Employees Data</td>
  </tr>
  <tr>
    <td>
      <table>
        <form method="post" action="input.php">
<input type="hidden" name="id" value="1234">
        <tr>
          <td>Product Name</td>
          <td><input type="text" name="name" size="20">
          </td>
        </tr>
        <tr>
          <td>Brand</td>
          <td><input type="text" name="brand" size="40">
          </td>
        </tr>
        <tr>
          <td></td>
          <td align="right"><input type="submit" name="submit" value="Sent"></td>
        </tr>
</form>
        </table>

and my input.php is:

<?
//the example of inserting data with variable from HTML form
//input.php
mysql_connect("localhost","xxx","xxx");//database connection
mysql_select_db("xxxx_xxx");




//inserting data order
$order = "INSERT INTO wp_userdata
            (id, product_name, product_brand)
            VALUES
            ('$_POST[id]',
            '$_POST[name]',
            '$_POST[brand]')";

//declare in the order variable
$result = mysql_query($order);  //order executes
if($result){
    echo("<br>Input data is succeed");
} else{
    echo("<br>Input data is fail");
}
?>

When I click Sent button, new row is added to database table, but only product_name and product_brand is recorded. The hidded input "id" value doesn't get into table...

How do I get it to record all 3 values: id, product_name and product_brand ?

Improve this question
6
  • print_r($_POST) in your input.php file and post the result here. Commented Aug 8, 2014 at 20:12
  • Array ( [id] => comparebest [name] => Test14 [brand] => dfg [submit] => Sent ) Commented Aug 8, 2014 at 20:14
  • Your id is text here. You might have int datatype in database for id Commented Aug 8, 2014 at 20:15
  • its all working now, don't know what was wrong all this time Commented Aug 8, 2014 at 20:16
  • 3
    DO NOT TRUST USER SUBMITTED INPUT! Commented Aug 8, 2014 at 20:39

3 Answers 3

Reset to default
0

I see some quotes missing and I advice you strongly to cast (force) the id to an integer and use mysql_real_escape_string to the string items. Otherwise if someone wants harm, he can edit your hidden HTML input field and read out your DB. Read more about it

I would also advice you not to use the $_POST var inside SQL queries. Rather try using a dedicated array for it, so you know it has been processed against SQL injection, but also you might want to do more with the data before using it. And it's in my opinion, a bad practice to modify the $_POST vars. Just leave $_POST exactly the way it is. Easier to debug issues. And modify a copy of the array.

Third; rather use PHP MySQLi functions (or PDO), because the old functions are deprecated.

input.php

//input.php
$sqli_handle = mysqli_connect("localhost","xxx","xxx");//database connection
mysqli_select_db($sqli_handle, "xxxx_xxx");

//convert the POST data to safe DB data
$data = $_POST;
$data['id'] = (int)$data['id'];
$data['name'] = mysqli_real_escape_string($sqli_handle, $data['name']);
$data['brand'] = mysqli_real_escape_string($sqli_handle, $data['brand']);

//inserting data order
$order = "INSERT INTO wp_userdata
            (id, product_name, product_brand)
            VALUES
            ('".(int).$data['id']."',
            '".$data['name']."',
            '".$data['brand']."')";

$result = mysqli_query($sqli_handle, $order);
if($result){
    echo("<br>Input data is succeed");
}
else{
    echo("<br>Input data is fail");
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

In your input.php file, you have to use the variable interpolation, do the following:

        $id = (int) $_POST[id]; // Cast this to int because, I think you must have integer type date for ID column in your database

        $order = "INSERT INTO wp_userdata
        (id, product_name, product_brand) 
        VALUES ({$id}, {$_POST[name]}, {$_POST[brand]})";

For more info on interpolation - follow this link: PHP variable interpolation vs concatenation

Improve this answer

Comments

0

do following chnages

$order = "INSERT INTO wp_userdata (id, product_name, product_brand) VALUES ('".$_POST[mycustomid]."', '".$_POST[name]."', '".$_POST[brand]."')";

some times few keywords are reserved by wordpress pls check with my code

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.