Inserting data into MySQL from a textarea

I am trying to insert data into a MySQL database from an HTML textarea. However, when testing the textarea, if I use single quotes within it the data doesn’t get put into the database; something to do with the variables? I have heard that you should use JavaScript to validate the form or something. I would rather just use PHP if that is possible. I have googled it, scanned through some books and searched these forums with no success. Any help would be greatly appreciated. Thanks

<form id="form1" method="post" action="admin.php">
    <p>
        <label for="title">Title:</label>
        <input name="title" type="text" class="widebox" id="title">
    </p>
    <p>
        <label for="article">Article:</label>
        <!-- keep the closing tag on the same line: whitespace between the tags becomes the field's default value -->
        <textarea name="article" cols="60" rows="8" class="widebox" id="article"></textarea>
    </p>
    <p>
        <input type="submit" name="submit" value="Insert New Article" id="submit">
    </p>
</form>
if (isset($_POST['submit'])) {
    // Putting data from form into variables to be manipulated
    $title = $_POST['title'];
    $article = $_POST['article'];

    // Getting the form variables and then placing their values into the MySQL table
    mysql_query("INSERT INTO blog (title, article) VALUE('$title', '$article')");
}


Try again:


if (isset($_POST['submit'])) {
    // Putting data from form into variables to be manipulated
    $title = $_POST['title'];
    $article = $_POST['article'];

    $conn = mysql_connect("localhost", "root", "root") or die("Can't connect");
    mysql_select_db("your_db", $conn);

    // Getting the form variables and then placing their values into the MySQL table
    mysql_query("INSERT INTO blog (title, article) VALUES ('" . $title . "', '" . $article . "')");
}

Fix “VALUE” -> “VALUES”, and check the connection to the database:
Host: localhost
Username: root
Pass: root
Database: your_db

You need to escape the variables before you insert them into the database. Why?

  1. it’ll solve your current problem with apostrophes in the textarea breaking the query
  2. it’ll protect your database, site and server from hackers (more info: http://en.wikipedia.org/wiki/SQL_Injection)

Building on Michael’s post:


if (isset($_POST['submit'])) {
    // Putting data from form into variables to be manipulated
    $title = $_POST['title'];
    $article = $_POST['article'];

    $conn = mysql_connect("localhost", "root", "root") or die("Can't connect");
    mysql_select_db("your_db", $conn);

    // Escape both values so quotes in the text cannot break (or alter) the query
    mysql_query("INSERT INTO blog (title, article) VALUES ('" . mysql_real_escape_string($title) . "', '" . mysql_real_escape_string($article) . "')");
}

Also, you should check to see if any errors have occurred during the execution of the query. Look at mysql_error.

Last tip: investigate PDO. It’s the defacto way of accessing databases from PHP, and offers a lot more security and features than the old mysql_* functions you’re currently using. It’ll take a while to learn it though. :wink:

Cheers, problem sorted! Now just need to work on editing posts.

I have come across PDO before from the book I was reading before, called PHP Solutions. The author wrote code for PDO and MySQLi, but I only worked from the MySQLi part. So I take it you would recommend PDO over MySQLi then? I would use one of them for this project I have been given, but the university requires us to use MySQL only.

Thanks again!

PDO has different database “drivers”, it provides database independence (to a degree) – one of those drivers is for mysql.

Mysqli is similar to PDO in that it provides a mechanism to prepare your queries to save you from SQL injection attacks – if you use it correctly.

My preference is PDO, but Mysqli is fine.
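For the PDO route suggested in the two replies above, here is the same blog insert written with a prepared statement. This is an added example, not code from anyone in the thread; the DSN and credentials are placeholders, and the `blog(title, article)` table is the one from the original post.

```php
<?php
// Added example (not from the thread): the textarea insert done with a PDO
// prepared statement. The values are sent separately from the SQL text, so a
// quote in the title or article can neither break nor change the query.
declare(strict_types=1);

function connectBlogDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=your_db;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'db_user', 'db_password', [            // placeholder credentials
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,    // failures throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                     // use real server-side prepares
    ]);
}

// Inserts one article and returns the new row id. Bound values never touch the SQL string.
function insertArticle(PDO $pdo, string $title, string $article): int
{
    $stmt = $pdo->prepare('INSERT INTO blog (title, article) VALUES (:title, :article)');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':article', $article, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

if (isset($_POST['submit'])) {
    $title   = trim((string) ($_POST['title'] ?? ''));
    $article = (string) ($_POST['article'] ?? '');

    if ($title === '' || $article === '') {
        exit('Title and article are required.');
    }

    try {
        $id = insertArticle(connectBlogDb(), $title, $article);
        echo 'Inserted article #' . $id;
    } catch (PDOException $e) {
        // Log the database error server-side; do not echo it to the browser.
        error_log('blog insert failed: ' . $e->getMessage());
        exit('Could not save the article.');
    }
}
```

Submitting a title such as `It's working` now stores the apostrophe as data rather than terminating the string in the query, which is the failure described in the original post.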