Form does not echo values from userinput.

chrisdee

Hello. Im trying to make the script below accept user input from a form and then echo these values/input to the screen, but it is not echoing anything. Its fetching mysql table columns names as description to the input values.

Any ideas ?

<?php
echo "<a href=./>Home</a><br>";

$connect = mysqli_connect("localhost","user","pass","db") or die(mysql_error());

$id = $_GET['id'];
$query = mysqli_query($connect, "SELECT * FROM pdb WHERE id=$id") or die (mysqli_connect_error());
$fetch_data = mysqli_fetch_array($query, MYSQLI_ASSOC);

foreach($fetch_data as $value) {
  $v = $_REQUEST[$value];
}

if (empty($_POST)) {
  echo "<form method='post' action='".$_SERVER['PHP_SELF']."'>";
  echo "<table border='1'>";
  foreach($fetch_data as $key => $value) {
    echo "<tr><td>".$key."</td><td><input type='text' name='".$value."[]' value='".$value."'></td></tr>";
  }
  echo "</table>";
  echo "<input type='submit' value='Insert'>";
  echo "<input type='button' onclick='history.go(-1)' value='Cancel'>";
  echo "</form>";
}
else {
  echo "<pre>";
  print_r($v);
  echo "</pre>";
}
mysqli_close($connect);
?>

bradgrafelman

For one, see my reply in your other thread for info on why this:

foreach($fetch_data as $value) { 
  $v = $_REQUEST[$value]; 
}

doesn't make any sense (and probably isn't doing anything useful and/or what you want it to do).

Next, why are you using the values from MySQL as the names of the input elements in the form? I would expect that you'd want to use the names of the MySQL columns as the names of the form inputs.

chrisdee

bradgrafelman;11000794 wrote:
For one, see my reply in your other thread for info on why this:
foreach($fetch_data as $value) { 
  $v = $_REQUEST[$value]; 
} 
doesn't make any sense (and probably isn't doing anything useful and/or what you want it to do).

So I should just remove it ?
How do I then get/store the values from the input fields and pass them on into the mysql table ?

bradgrafelman;11000794 wrote:
Next, why are you using the values from MySQL as the names of the input elements in the form? I would expect that you'd want to use the names of the MySQL columns as the names of the form inputs.

Yes. I want to use the names of the mysql columns as the names of the form inputs. I thought that was what I was doing ?

bradgrafelman

chrisdee;11001283 wrote:
So I should just remove it ?

I would. Again, it's not doing anything useful anyway (you keep overwriting the value of $v before you ever have a chance to use each intermediate value).

chrisdee;11001283 wrote:
How do I then get/store the values from the input fields and pass them on into the mysql table ?

What's wrong with using the $POST (or $GET) arrays? (And by 'using', I of course mean 'sanitizing and then using' in order to prevent SQL injections and/or errors.)

chrisdee;11001283 wrote:
Yes. I want to use the names of the mysql columns as the names of the form inputs. I thought that was what I was doing ?

No, that's not what you're doing - you're using the values stored in MySQL. You even named the variable $value.

chrisdee

Thank you for your answers.

Hmm. I think I have to start from scratch again.

I am looking for a way to automatically get the mysql table column names and use them as names/descriptions for the different user input values.
I was thinking my script would be more dynamic this way if I later whish to change one or more mysql column names, I don't have to do that in the script aswell.

Derokorian

You could query for the columns like:

SELECT column_name
  FROM information_schema.columns
 WHERE table_schema =  'DATABASE_NAME'
   AND table_name =  'TABLE_NAME'

Change DATABASE_NAME and TABLE_NAME to reflect the db and table you are trying to look up.

chrisdee

Derokorian;11001405 wrote:
You could query for the columns like:
SELECT column_name
  FROM information_schema.columns
 WHERE table_schema =  'DATABASE_NAME'
   AND table_name =  'TABLE_NAME'
Change DATABASE_NAME and TABLE_NAME to reflect the db and table you are trying to look up.

Great. Thanks🙂

I'll try that.

chrisdee

Iv gone back to my insert into mysql script to try to understand this, but after I removed the part where I set $v = $_REQUEST[$value] as suggested it doesnt work.

Now my insert script doesnt return anyting.
Any ideas ?

<?php
echo "<a href=./>Home</a><br>";

$connect = mysqli_connect("localhost","user","pass","db") or die(mysql_error());

$query = mysqli_query($connect, "SELECT * FROM pdb") or die (mysqli_connect_error());
$fetch_data = mysqli_fetch_array($query, MYSQLI_ASSOC);

if (empty($_POST)) {
  echo "<form method='post' action='".$_SERVER['PHP_SELF']."'>";
  echo "<table border='1'>";
  foreach($fetch_data as $key => $val) {
    echo "<tr><td>".$key."</td><td><input type='text' name='".htmlspecialchars($key)."'></td></tr>";
  }
  echo "</table>";
  echo "<input type='submit' value='Insert'>";
  echo "<input type='button' onclick='history.go(-1)' value='Cancel'>";
  echo "</form>";
}
else {
  echo "<pre>";
  print_r($key);
  echo "<pre>";

  #$insert="INSERT INTO pdb (filename,dato,size,spoken,speaker,dialect,project,gender) VALUES ('$val[0]','$val[1]','$val[2]','$val[3]','$val[4]','$val[5]'$
  #mysqli_query($connect,$insert) or die (mysqli_error($connect));

  #$affected_rows = mysqli_affected_rows($connect) or die (mysqli_error());
  #echo "<strong>".$affected_rows."</strong> row inserted.";
}
mysqli_close($connect);
?>

chrisdee

Iv come a bit further, but not to the target/goal.
With the updated script below print_r($_POST, true) correctly returns the values I enter in the form. But when I try to insert these values into the mysql table all the fields says array. Im shure I am inserting the values the wrong way but I don't know excactly how. Any suggestions are greatly apreciated.

<?php
echo "<a href=./>Home</a><br>";

$connect = mysqli_connect("localhost","user","pass","db") or die(mysql_error());

$query = mysqli_query($connect, "SELECT * FROM pdb") or die (mysqli_connect_error());
$fetch_data = mysqli_fetch_array($query, MYSQLI_ASSOC);

if (!$_POST) {
  echo "<form method='post' action='".$_SERVER['PHP_SELF']."'>";
  echo "<table border='1'>";
  foreach($fetch_data as $key => $val) {
    echo "<tr><td>".$key."</td><td><input type='text' name='".$key."'></td></tr>";
  }
  echo "</table>";
  echo "<input type='submit' value='Insert'>";
  echo "<input type='button' onclick='history.go(-1)' value='Cancel'>";
  echo "</form>";
}
else {
  echo "<pre>";
  echo htmlspecialchars(print_r($_POST, true));
  echo "<pre>";

  $insert="INSERT INTO pdb (filename,dato,size,spoken,speaker,dialect,project,gender) VALUES ('$_POST','$_POST','$_POST','$_POST','$_POST','$_POST','$_POS$
  mysqli_query($connect,$insert) or die (mysqli_error($connect));

  $affected_rows = mysqli_affected_rows($connect) or die (mysqli_error());
  echo "<strong>".$affected_rows."</strong> row inserted.";
}
mysqli_close($connect);
?>

chrisdee

I finally got it to work🙂🙂🙂

Here is the working script :

<?php
echo "<a href=./>Home</a><br>";

$connect = mysqli_connect("localhost","user","pass","db") or die(mysql_error());

$query = mysqli_query($connect, "SELECT filename,dato,size,spoken,speaker,dialect,project,gender FROM pdb") or die (mysqli_connect_error());
$fetch_data = mysqli_fetch_array($query, MYSQLI_ASSOC);

if (!$_POST) {
  echo "<form method='post' action='".$_SERVER['PHP_SELF']."'>";
  echo "<table border='1'>";
  foreach($fetch_data as $key => $val) {
    echo "<tr><td>".$key."</td><td><input type='text' name='".$key."'></td></tr>";
  }
  echo "</table>";
  echo "<input type='submit' value='Insert'>";
  echo "<input type='button' onclick='history.go(-1)' value='Cancel'>";
  echo "</form>";
}
else {
  $insert="INSERT INTO pdb (filename,dato,size,spoken,speaker,dialect,project,gender) VALUES ('$_POST[filename]','$_POST[dato]','$_POST[size]','$_POST[spo$
  mysqli_query($connect,$insert) or die (mysqli_error($connect));

  $affected_rows = mysqli_affected_rows($connect) or die (mysqli_error());
  echo "<strong>".$affected_rows."</strong> row inserted.";
}
mysqli_close($connect);
?>

Derokorian

Either there was a copy paste error or that is not your working code as it has a pretty noticeable parse error starting where you define the $insert variable.

bradgrafelman

Also note that you should never place user-supplied data directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize the data such as with a function like [man]mysql_real_escape_string/man (for string data) or by using prepared statements. See [man]security.database.sql-injection[/man] for more info.

chrisdee

There was a copy paste error.
Below is the full script.

<?php
echo "<a href=./>Home</a><br>";

$connect = mysqli_connect("localhost","user","pass","db") or die(mysql_error());

$query = mysqli_query($connect, "SELECT filename,dato,size,spoken,speaker,dialect,project,gender FROM pdb") or die (mysqli_connect_error());
$fetch_data = mysqli_fetch_array($query, MYSQLI_ASSOC);

if (!$_POST) {
  echo "<form method='post' action='".$_SERVER['PHP_SELF']."'>";
  echo "<table border='1'>";
  foreach($fetch_data as $key => $val) {
    echo "<tr><td>".$key."</td><td><input type='text' name='".$key."'></td></tr>";
  }
  echo "</table>";
  echo "<input type='submit' value='Insert'>";
  echo "<input type='button' onclick='history.go(-1)' value='Cancel'>";
  echo "</form>";
}
else {
  $insert="INSERT INTO pdb (filename,dato,size,spoken,speaker,dialect,project,gender) VALUES ('$_POST[filename]','$_POST[dato]','$_POST[size]','$_POST[spoken]','$_POST[speaker]','$_POST[dialect]','$_POST[project]','$_POST[gender]')";
  mysqli_query($connect,htmlspecialchars($insert)) or die (mysqli_error($connect));

  $affected_rows = mysqli_affected_rows($connect) or die (mysqli_error());
  echo "<strong>".$affected_rows."</strong> row inserted.";
}
mysqli_close($connect);
?>

chrisdee

bradgrafelman;11002253 wrote:
Also note that you should never place user-supplied data directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize the data such as with a function like [man]mysql_real_escape_string/man (for string data) or by using prepared statements. See [man]security.database.sql-injection[/man] for more info.

Thanks, but I would not know where to put the mysql_real_escape_string. I tried to put it around $insert and $key but got many error messages.

chrisdee

Hello again.

Im still having problems with my mysql update script.

The script below is supposed to fill the form with values based on wich row I clicked on the view page, another page wich lists out all the rows and columns of the mysql table. This is where id comes in. When the rows are filled with the values the user (myself) should be able to change/update the values befor I click on update. Then the updated values should be inserted into that spesific row. This is not happening now. Note that I for now have removed the update part and replaced it with print_r just to simplify the script for myself.

With the WHERE id=$id part the script correctly fills the values from the mysql table into the form. But when I click on update the script doesnt return any values at all. Only a blank page. If I remove the WHERE id=$id part the script only fills out the form with the first mysql table row, but when I click on update it returns the entered values correctly.

Please look away from the security issues for now.

Any idea what Im doing wrong here ?
Any help is greatly apreciated.

<?php
echo "<a href=./>Home</a><br>";

$id = $_GET['id'];
$connect = mysqli_connect("localhost","user","pass","db") or die(mysql_error());

$query = mysqli_query($connect, "SELECT filename,dato,size,spoken,speaker,dialect,project,gender FROM pdb WHERE id=$id") or die (mysqli_connect_error());
$fetch_data = mysqli_fetch_array($query, MYSQLI_ASSOC);

if (!$_POST) {
  echo "<form method='post' action='".$_SERVER['PHP_SELF']."'>";
  echo "<table border='1'>";
  foreach($fetch_data as $key => $val) {
    echo "<tr><td>".$key."</td><td><input type='text' name='".$key."' value='".$val."'></td></tr>";
  }
  echo "</table>";
  echo "<input type='submit' value='Update'>";
  echo "<input type='button' onclick='history.go(-1)' value='Cancel'>";
  echo "</form>";
}
else {
  print "<pre>";
  print_r($_POST);
  print "</pre>";
}
mysqli_close($connect);
?>

chrisdee

This seems to work.

<?php
echo "<a href=./>Home</a><br>";

$connect = mysqli_connect("localhost","user","pass","db") or die(mysql_error());

if (isset($_GET['id'])) {
  $id = (int)$_GET['id'];
}
else {
  print "<pre>";
  print_r($_POST);
  print "</pre>";
}

if (!$_POST) {
  $query = mysqli_query($connect, "SELECT filename,dato,size,spoken,speaker,dialect,project,gender FROM pdb WHERE id=$id") or die (mysqli_connect_error());
  $fetch_data = mysqli_fetch_array($query, MYSQLI_ASSOC);
  echo "<form method='post' action='".$_SERVER['PHP_SELF']."'>";
  echo "<table border='1'>";
  foreach($fetch_data as $key => $val) {
    echo "<tr><td>".$key."</td><td><input type='text' name='".$key."' value='".$val."'></td></tr>";
  }
  echo "</table>";
  echo "<input type='submit' value='Update'>";
  echo "<input type='button' onclick='history.go(-1)' value='Cancel'>";
  echo "</form>";
}
mysqli_close($connect);
?>

Now I have to figure out how to insert the data from the form into the mysql table, and finally secure agains injections. More questions will probably come.

vivek151189

chrisdee;11002351 wrote:
Thanks, but I would not know where to put the mysql_real_escape_string. I tried to put it around $insert and $key but got many error messages.

it is use for the data which is coming from the post to protect you against teh sql injection
eg
$your_variable = mysql_real_escape_string[$_POST["data"]]
please read the document regarding the sql injection