HTML page with form that simply adds a line of text, permanently, to the webpage

I’m so sorry to come here for what has probably been asked before (I swear I did search the tutorials, but I don’t think I know the terminology enough to ask the right question), but I’ve been searching for days trying to find any hint on how to make the form action I need, and I figured a PHP help forum might be the best place. I’m willing to learn PHP from the ground up if I must, but I’m hoping someone can just help me create a code snippet that will get the job done.

What I’m trying to do is to create an HTML5-based webpage with a simple, single input field and form submit button that takes the line the visitor types and adds it, permanently, to the webpage itself. I know it’s a spam risk, so I plan on putting it behind a login. I’m trying to make a webpage that, at the bottom, has a section where visitors can add a line of text (thereby reducing a significant workload to myself having to manually add every entry every person emails to me every week).

I know how to create the HTML side of forms, and how to link to a PHP file to process the input, but I do not know PHP much at all, and the problem I’m having is that all the PHP form processors and snippets I can find only submit the text someone enters as a mailto link to email it to me. That’s not what I want at all. Does anyone have a php form processor that will take the submitted text and add it to the webpage itself, permanently, so it remains as a public part of the page forever (sort of like a public comments section does - I can style it down to be more compact from there)? I was considering installing an entire php forum system and trying to edit it down to do what I want, but that seems like an extremely complex solution for such a simple little need, and I’m not sure how to take a system that makes threads and cut it back to what I need (which is not threaded and has no ability to add responses to posts). I just need one input field with a submit button, that adds one line of text to the webpage (publicly, permanently). Surely there is a way?

I found this:
[php] <?php
$myfile = fopen("newfile.txt", "w") or die("Unable to open file!");
$txt = "John Doe\n";
fwrite($myfile, $txt);
$txt = "Jane Doe\n";
fwrite($myfile, $txt);
fclose($myfile);
?> [/php]

which seems like I’m onto something, but I need to find a way to incorporate this open/write process from the form input submission, along with (I think) an ID (probably inside a span or div tag), I think, so it appends each submission as a linear entry on the page and eliminates the possibility of overwrites.

Since I was thinking it is a lot like a public comments form, I’ve searched and searched for a code snippet, but all the “add a comments box to your website” links in google search results seem to be for services, not actually giving you the code to make this on your own. I don’t understand why this is such a secretive process, it should be simple enough, yet I can’t find any mention of how to create it. Can anyone help? I am willing to learn if this is something so complex that really learning PHP from the ground up is the only way.

You are part way there with what you have.

If you think of the logic on your display page it is something like:

[ol][li]Display fixed content[/li]
[li]Open file for reading[/li]
[li]Display file contents on page[/li]
[li]Close file[/li]
[li]Display any more fixed content[/li][/ol]

You already have what you need for the create page and just need to add an input data form.

Ok, so I’m working on it and stuck at a "Can’t connect to local MySQL server through socket ‘/var/mysql/mysql.sock’ " error.

I use the hosting company aPlus.net, and I am curious as to if this is because my database appears to not be on the same server as the entire rest of my hosting account, and if there is a way to resolve this in my code? Since this is my first attempt at writing PHP, it would be good to know if my code is wrong, or if my hosting company is messing me up? I’m baffled how I can’t find my database in my file manager.

Here’s the code that’s failing to pull from the database and resulting in the error:
[php]
{
    $con = mysql_connect("localhost","2p5dq9vxmy240651","Flixotide250#");

    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("felineasthma_2p5dq9vxmy240651", $con);

    $users_name = $_POST['name'];
    $users_comment = $_POST['requests'];

    $users_name = mysql_real_escape_string($users_name);
    $users_comment = mysql_real_escape_string($users_comment);

    $inputid = $_GET['id'];

    $query = "
INSERT INTO felineasthma_2p5dq9vxmy240651.submissions (id, name, requests, inputid) VALUES (NULL, '$users_name', '$users_comment', '$inputid');";

    mysql_query($query);

    echo "

Your request has been processed, reload page.

";

    mysql_close($con);
}
[/php]

I’ve attached a couple of screen captures from inside my hosting account, this first one shows that my database felineasthma_2p5dq9vxmy240651 doesn’t appear in my hosting account. The second image shows that it clearly exists in MySQL Manager, but on a different server. ???

I was even more confused while making the user for this database, as the control panel didn’t allow me to make a username, it just randomly assigned one (as seen in screen captures). Help? Advice? I’d include the webpage, but I can’t because I’m not allowed to post links here yet.

Another thing, it’s now erasing everything on the page below where the php is inserting the database contents (or well, where it should be inserting the database contents). I need it to not do that, it needs to insert into a div there and not erase everything below it. I’m thinking maybe an iframe is the solution for that? But this page is getting majorly complex and I still have to add a lot more.


Several things:

You are using old unsafe calls to a mysql database. You need to use mysqli or better still pdo to access your database.

I suspect there may be something wrong with your hosting if your database is not on the same server. Contact your host.

Why are you using a mysql database when your original post suggested just a simple text file?

I can’t find any other tutorials than the one that explained how to do it using this method. It took me 5 days of constant searching to find even this one tutorial.

If there is a better way, a link to the tutorial would be most appreciated.

I never meant to suggest a simple text file would do it alone, it was always going to have to have a form on it, which meant using PHP - I assumed this was obvious, which is why I came to a php help forum. How else am I going to allow members to write data to a webpage? I have to store the data they enter somewhere, and then call it from that location to be written to the page, right?

If there’s an easier way, I’m open to it, but I’ll need tutorials.

The logic you require is pretty simple.

Page with input form.
Take input and check it for hacking attempts
Open existing text file in append mode and add input. (see this for example http://www.tizag.com/phpT/fileappend.php)

Display page

In the div where you want to display the text just put something like

[php]

<?php $myfilename = "mytextfile.txt"; if(file_exists($myfilename)){ echo file_get_contents($myfilename); } ?>

[/php]

You therefore don’t need a mysql database to do something you are describing.
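The steps listed above (check the input, append it to the text file, display the file inside the styled div) as an added example, not code from the thread. The function names, the 200-character limit and the temporary file used for the demonstration are assumptions.

```php
<?php
// Added example, not code from the thread.

// One entry per line: replace control characters (including CR and LF) so a
// single submission cannot create extra lines, then trim and cap the length.
function normalise_entry(string $raw, int $max = 200): string
{
    $oneLine = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $raw);
    return substr(trim((string)$oneLine), 0, $max);
}

// Append one entry to the file. Returns false for an empty entry or a failed write.
function append_entry(string $file, string $raw): bool
{
    $entry = normalise_entry($raw);
    if ($entry === '') {
        return false;
    }
    // FILE_APPEND adds to the end of the file (fopen() with "w" would truncate
    // it); LOCK_EX stops two simultaneous submissions from interleaving.
    return file_put_contents($file, $entry . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Build the HTML that goes inside the div on the display page.
function render_entries(string $file): string
{
    if (!is_file($file)) {
        return '';
    }
    $html = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // Escape on output: the file holds the raw text, and any markup a
        // visitor typed is displayed as text instead of being interpreted.
        // ENT_SUBSTITUTE keeps a line visible even if the length cap split a
        // multi-byte character.
        $html .= '<li>'
            . htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . "</li>\n";
    }
    return $html;
}

// Demonstration with constructed input. On the real page $raw would come from
// $_POST and $file would be the text file next to the page.
$file = tempnam(sys_get_temp_dir(), 'req');
append_entry($file, "Healing thoughts for Milo's checkup");
append_entry($file, "<b>Strength</b> for Luna\nand a second line");
append_entry($file, "   ");   // whitespace only, rejected
echo "<ul>\n" . render_entries($file) . "</ul>\n";
unlink($file);
```

Echoing the file with `file_get_contents()` alone would send whatever visitors typed to the browser as markup, which is why the display step escapes each line.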

How is that going to work in a html page? If it’s going to append text to the end of the file, it will be outside the closing html tag, won’t it? And if I embed a plaintext file into the center of the page it’s not going to match the color scheme… humm, I never considered that it might be possible to style a txt file with CSS though. I guess I could live with that if there is no better way, but I know there’s a better way. A million websites have public comment sections that match the page. How are those being done?

You are not understanding how this is going to work.

It is really simple.

You style the div that is going to contain the text file output and that will look how you want it to.

You can prove it by just creating a simple text file in Notepad. Then call that with my code on your page. The page needs to have a php extension not html.

If this is beyond your abilities then maybe get one of the simple flat file CMS’s and embed that in your page.

I knocked up a quick page showing what is possible see

http://orba-design.com/test-textfile.php

I don’t think you grasp the type of webpage I’m trying to build. Here’s a screen shot of it (currently a bit messy with all my testing period database entries):
phaewryn.net/fa/ss-clv.PNG
Anyway, I now have it working (and really, PHP wasn’t that hard to learn)! I could use some help with making it secure from hacking though. Since my form action is on a separate page and my SQL server is not on the local machine, I can’t just put the [php]<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">[/php] that the w3c tutorial recommends. Here’s my working code snippets so far (the page uses 3 different pages total, plus the database).
The main page that visitors see and add comments to:

[code]

Candlelight Vigil
Make A Request:

Your Name:

As we light our candles, we honor those who need strength, and send the healing gift of love with all our hearts, may it flow into the brokenhearted who are tending the sick, and bring them comfort in their time of need. We send them our love, may it bolster their strength and comfort their hearts to be held in the loving embrace of this family of fellow feline caretakers.

As we light our candles, we send strength and comfort to those kitties who struggle with their illness this week, may our love bring them relief and peace, aiding in their quick recovery.

As we hold our candle close to our heart, we read the names of the sick and those with special needs, granting them their request, manifesting that it be done, in love, in trust, and in time that it may assist them to conquer through their time of need.

<?php include("submissions.php"); ?>

As we light our candles, we also send our heartfelt love and thankfulness to those kitties who have departed this week. May they know the gratitude we hold in our hearts for the gift of unconditional love they blessed us with, although their time was short, they are forever remembered.

(insert departed kitties here)

[/code]

and here’s the submissions.php page which I include in the div tag to display the submissions:
[php]<?php
$servername = "sql5c40n.carrierzone.com";
$username = "2p5dq9vxmy240651";
$password = "MY_PASSWORD";
$dbname = "felineasthma_2p5dq9vxmy240651";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$sql = "SELECT id, requests, name FROM submissions";
$result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
        echo "" . $row["requests"]. " - by " . $row["name"]. "
";
    }
} else {
    echo "0 results";
}

mysqli_close($conn);
?> [/php]

and here’s the form action page code:
[php]<?php
$servername = "sql5c40n.carrierzone.com";
$username = "2p5dq9vxmy240651";
$password = "MY_PASSWORD";
$dbname = "felineasthma_2p5dq9vxmy240651";
$users_name = $_POST['name'];
$users_request = $_POST['requests'];

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$sql = "INSERT INTO submissions (name, requests)
VALUES ('$users_name', '$users_request')";

if (mysqli_query($conn, $sql)) {
    header("Location: clv.php");
} else {
    echo "Error: " . $sql . "
" . mysqli_error($conn);
}

mysqli_close($conn);
?> [/php]

How would I go about making this secure? Putting the form action code on the same page as the main content made it enter blank database entries on every page load, so that won’t work.

New problem (since everyone’s reading the old one and not replying)! (seriously, I’m sorry if my topic was phrased really badly)

The new problem is, if the user’s name has an apostrophe in it, the server (I pay for hosting, it’s not my server and I can’t change the configuration on it) is sending them to a error page that says:

“The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873612934211694”

Ideally, I’d like my users to be able to actually spell their names correctly in my form (with any required apostrophes). Is there a way to capture the name field in the form, check it for apostrophes and change them on the fly to ’ before they are sent to the server (javascript maybe?), or at least before it takes people to the server’s auto-generated error page? Once they are on the server’s error page, there is no link back to my page as well as no really helpful insight as to what they did wrong, so I’d like to prevent them from ending up there. If I just enter ’ into the name field it displays an apostrophe back on the page just fine, so I’m thinking if I can just replace the apostrophes in the name field with ’ it might solve everything - but I have no idea how to do that.

I’m open to any and all solutions! This is the first time I have ever written in PHP, so I’m really sorry if my question has a simple answer, but I have searched a lot and haven’t found a solution (please don’t attack me for being ignorant, I’m doing the best I can on my third day of ever using PHP).

Here is all the code on the 3 pages involved as it stands now (there are changes from the original post):

formcode.php:
[php]

<?php
$servername = "sql5c40n.carrierzone.com";
$username = "2p5dq9vxmy240651";
$password = "MY_PASSWORD";
$dbname = "felineasthma_2p5dq9vxmy240651";
$users_name = $_POST['name'];
$users_request = $_POST['requests'];

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

if (isset($_POST['requests'])) {
    $requests = mysqli_real_escape_string($link, $_POST['requests']);
    $sql = "INSERT INTO submissions (name, requests) VALUES ('$users_name', '$users_request')";
    if (mysqli_query($conn, $sql)) {
        header("Location: clv.php");
    } else {
        echo "Error" . $sql . "
" . mysqli_error($conn);
    }
    mysqli_close($conn);
}
?>

[/php]

submissions.php (the include page):
[php]

<?php
$servername = "sql5c40n.carrierzone.com";
$username = "2p5dq9vxmy240651";
$password = "MY_PASSWORD";
$dbname = "felineasthma_2p5dq9vxmy240651";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$sql = "SELECT id, requests, name FROM submissions";
$result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
        echo "" . $row["requests"]. " - by " . $row["name"]. "
";
    }
} else {
    echo "no special requests this week";
}

mysqli_close($conn);
?>

[/php]

and the HTML page with the form on it:

<!DOCTYPE html>
<html lang="en-US">
	<head>
		<meta charset="utf-8">
		<link rel="stylesheet" type="text/css" href="clv.css">
		<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css"> 
		<title>Candlelight Vigil</title>
	</head>
	<body>
		<script>
		function ignite() {
			document.getElementById("candle").src="candle.gif";
			}
		</script>	
<div class="container">
	<div class="w3-row">
		<div class="w3-third w3-container w3-padding-0 w3-margin-0 w3-display-container" style="height:100vh;">
			<div class="w3-display-topleft">
				<div class="submissions">
					<form action="formcode.php" method="POST">
					Make A Request:<br />
					<textarea name='requests' id='requests'></textarea> <br />
					Your Name (a-z only):<br />
					<input type='text' name='name' id='name' /><br />
					<input type='submit' value='Send' class='button' />  
					</form>
				</div>
			</div>
		<div class="w3-display-topright"></div>
		<div class="w3-display-bottomleft"></div>
		<div class="w3-display-bottomright"></div>
		<div class="w3-display-left"></div>
		<div class="w3-display-right"></div>
		<div class="w3-display-middle"></div>
		<div class="w3-display-topmiddle"></div>
		<div class="w3-display-bottommiddle">
			<div id="light">
				<img id="candle" src="unlitcandle.gif" onclick="ignite()">
			</div>
		</div>
		</div>
		<div id="dedication" class="w3-container w3-twothird">
			<div class="dedication-container">
<p>As we light our candles, we honor those who need strength, and send the healing gift of love with all our hearts, may it flow into the brokenhearted who are tending the sick, and bring them comfort in their time of need. We send them our love, may it bolster their strength and comfort their hearts to be held in the loving embrace of this family of fellow feline caretakers.</p>
<p>As we light our candles, we send strength and comfort to those kitties who struggle with their illness this week, may our love bring them relief and peace, aiding in their quick recovery.</p>
<p>As we hold our candle close to our heart, we read the names of the sick and those with special needs, granting them their request, manifesting that it be done, in love, in trust, and in time that it may assist them to conquer through their time of need.</p>
				<div id="myrequest">
				<?php include("submissions.php"); ?>
				</div>
<p>As we light our candles, we also send our heartfelt love and thankfulness to those kitties who have departed this week. May they know the gratitude we hold in our hearts for the gift of unconditional love they blessed us with, although their time was short, they are forever remembered.</p>
				<div id="memorial"><p>(insert departed kitties here)</p></div>
			</div>
		</div>
	</div>
</div>
</body>
</html>

Phaewryn

w3schools has a tutorial on how to sanitize user inputs - i am no expert so i can not comment on how efficient it is but i guess better than none: https://www.w3schools.com/php/php_form_validation.asp

Valkrider already suggested you may want to have a look at either mysqli (looks like you have done so) or PDO: https://phpdelusions.net/pdo#dml

The problem with the w3schools form sanitation method is that it requires the database be on the same server as the webpage, mine is not, also, my form action points to a different page than the form itself is on. I can’t figure out how to make their method work on my webpage because of these issues. If I can’t use
[php]<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">[/php]
because my webpage sends to a different file for form processing, and then that sends the data to an entirely different server than the webpage is on, what do I do? How would I modify this to work?

I have updated the code to mysqli as suggested. I am well past the original question/problem, the form is working fine now. I need help adding form security and making apostrophes work.

Phaewryn

Not sure how that sanitation method is tied to database as i was mostly thinking of this:
[php]<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = test_input($_POST["name"]);
    $email = test_input($_POST["email"]);
    $website = test_input($_POST["website"]);
    $comment = test_input($_POST["comment"]);
    $gender = test_input($_POST["gender"]);
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>[/php]

–that has nothing to do with any database - But then, what i have read so far & noticed what the local gurus here on this forum always advise - look into PDO & prepared statements. I know i do sound like a parrot repeating myself but indeed, everybody advises on focusing on PDO & prepared statement rather than on sanitizing inputs from user.

$_SERVER[“PHP_SELF”] :

--where the script_name.php is obviously the name of your script. Not sure if that will help it but i would try it though.

I honestly do not understand how switching from mysqli to pdo is going to make any difference for this problem. My problem isn’t happening from where the php processes the user input and inserts it into mysql database, it’s happening the second my post is submitted to the server itself, the webserver is blocking the form processor as soon as it sees the apostrophe. I need to find a way to change special characters before the form submits to the webserver. The problem isn’t happening when the php processes and posts the data to the database server, it’s happening on my webpage’s submit function (on the webserver). If it can be fixed by switching to PDO, I need someone to point out a tutorial showing me how to do it, because I do not see anything on the php.net website tutorials about preparing statements that would solve the matter of removing special characters before submitting the form to the webserver. Prepared statements are preparing them for insertion into the database, not the changing them prior to being processed by the webserver, are they not?

Please don’t follow what w3schools shows. It is fine as a language reference (but the original html/php documentation at w3.org and php.net is better), but its code examples are just plain bad at times and teach poor programming. In particular, as it applies to this thread, the test_input() function is nonsense (it’s incorrectly named for what it does, it should not unconditionally apply stripslashes(), and it should not apply htmlspecialchars() to input data at all) and the validation logic (at the link) is testing and validating different versions of each input and so allows data consisting of all white-space characters to create empty entries in your database. And please don’t start creating hard-coded lists of data and error variables, one set for each form field. This is just a huge waste of typing.

The problem with your form processing code being on the same page with the form and inserting blank values when the page is first requested is because you need to detect that a post method form has been submitted and only run the form processing code if it has. You should do this even if the form processing code is on its own page, so that you won’t get a bunch of php errors if the form processing code page gets requested via a get request. Using the if ($_SERVER["REQUEST_METHOD"] == "POST") { all the form processing code goes here } is how you would do this. If you have multiple form processing code on one page, you would further detect which form has been submitted by having a hidden field, named ‘action’, for example, that has a different value for each form.

Your form processing code should ‘validate’ the input data. At a minimum, it should detect if ‘required’ fields are empty, after trimming the data. The only thing you should do to the submitted data is trim() it. If you modify it in any other way, you are changing the meaning of the data. You can trim all the data at once (one statement), by using array_map()/array_walk_recursive() and making a copy of the $_POST into a common/working array variable. You would validate the elements in this array variable (so that all the code is using the same version of a value.) You would also use the elements in this array variable when supplying the data to the sql query statement and in re-populating the form (assuming that the form is on the same page with the form processing code) when there are validation errors (so that the visitor doesn’t need to re-enter data in all the form fields.)

You should store validation errors in another array variable. Then after you have finished validating all the data, if there are no errors (the array will be empty), you can use the submitted form data.

To secure your database queries against sql special characters in the data from breaking the sql query syntax (which is how sql injection is accomplished), you should use prepared queries (you can research in the php.net documentation for what that means.) You CAN use php escape string functions, but these can still allow sql injection if you haven’t set up the character encoding being used by php to match your database tables (which is not commonly shown in online tutorials), and the one place you have used the escape string function isn’t actually being used on data going into the sql query statement. Using a prepared query will cause any data containing things like to be properly handled.

A BIG issue with the php mysqli extension is that it is not very well designed and implemented, especially when it comes to prepared queries. The php PDO extension is much better designed and simpler/easier to use. If you can, switch to the php PDO extension sooner rather than later. There is another huge advantage to using PDO, once you learn the php statements to use for one database type, you can use those same php statements with other database types. You don’t have to keep relearning different php statements that are specific to each type of database.

As to the error you are getting about the URL, are you sure this doesn’t always occur and is due to an incorrect action='' attribute in the form tag? Nothing (unless you are using javascript to submit the raw form data using a get method request) will result in an error due to data being put into a form field.

When you output data on a web page is when you would apply htmlentities() to the data and you should at a minimum use the ENT_QUOTES flag so that both single and double quotes are converted.

No, it doesn’t always occur, the entire process works perfectly until someone tries to enter an ’ into the form fields. As far as I can tell, other special characters do not cause a problem, only apostrophes. I’m baffled by the problem. Phpcodechecker.com reports no problems in my php code in any page. Nu html checker at w3 validator shows no errors. I’m reluctant to post the url because I’m not sure it is properly secured (having never done any php before and now that you’re telling me the w3schools methods are incorrect), but here is the link, feel free to test it:
http://phaewryn.net/fa/clv.php
additionally, here are the pages that page calls:
http://phaewryn.net/fa/formcode.php
http://phaewryn.net/fa/submissions.php

“ENT_QUOTES” … googles that term, finds http://php.net/manual/en/function.htmlspecialchars.php, realizes this is probably exactly what I need, but php.net doesn’t give one any reference on where in the code one would place their suggested [php]string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )[/php] lines. I use w3schools because they give code examples that show me where to put things. That above snippet from php.net doesn’t tell me where to insert it into my code. I’ll happily add it, if you just show me where it should be in my code.

I thought that this part in my code was doing that process? I mean, I googled it and that’s what someone on StackOverflow did once and it worked for them, so I can only copy it and hope it works since I don’t actually understand what any of this is actually doing at all. None of this stuff is actually explained anywhere online that I have found. Tutorials tell you how to make things work, they don’t tell you how they work.
[php]if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $users_name = test_input($_POST["name"]);
    $users_request = test_input($_POST["requests"]);
}
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}[/php]

if ($_SERVER["REQUEST_METHOD"] == "POST") already exists in my code. How would it get requested by a GET request (I mean, other than maliciously)? I don’t use GET anywhere in my code. Is “The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873613039002471” a PHP error? I was assuming it was a server error, not a PHP error. I will try to copy the formcode.php contents back to the clv.php page and see if it has stopped submitting on every page load. I may have added that after I had decided to use a separate page for the form submission.

I’m not requiring any fields, all fields are optional. People are welcome to submit a request without giving a name. I know I need to trim, that’s what I can’t get to work correctly. All I want to do is trim out the apostrophes and replace them with the correct character entity. That’s it. And I can’t seem to do it. I have no idea what any of that array stuff means. I don’t even know what an array is. I’ve never written a single script in my life before this week. I don’t have the skill set required to understand what you’re telling me here. A tutorial might be helpful.

The problem is that php.net doesn’t give me any examples, so I have no idea where to put anything they teach me on the page. There’s no guide to what comes first, where this goes, how this affects that, etc. I go to http://php.net/manual/en/class.pdo.php and it means nothing to me, I don’t understand a single thing it is saying because they do not give examples that show what any of it does.

OK, so I made a copy, moved all the php from formcode.php back to the main page at http://phaewryn.net/fa/clv2.php, and removed the test_input() function you said was nonsense from the if ($_SERVER["REQUEST_METHOD"] == "POST") section, changed the form post line to <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">, and the problem still exists as before (however, loading the page is now not adding blank entries, so your suggestion did fix that issue). But my real problem, the main one I came here to solve: If the user inputs an apostrophe in either field, the page still redirects to “The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873613038379062” . Is this better than calling the php from a separate page? <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

Either way, it makes no difference to the problem of “The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873613038379062” which is the one thing I am trying to solve.

I don’t know if it matters, but on my hosting account when I click into PHP Manager, it says my php version is php5.6. When i click into MySQL Manager, it generates a warning: “Your PHP MySQL library version 5.1.73 differs from your MySQL server version 5.7.18. This may cause unpredictable behavior.”

I asked my hosting company about that and they said “it won’t make any difference”. Is that true?

You may want to take that error with the support id number and actually ask your web host what’s causing it.

However, here’s what I think is happening. Because you are not escaping the input being put into the sql query statement (or even better, using a prepared query to supply the data to the sql query when you execute it) you are getting an sql syntax error, AND because you are echoing $sql that contains the exact same data that was just posted to the page, some security software running on the server is being triggered (it found output on a page that exactly matches data posted to the page.)

So, two things -

  1. To prevent triggering this error response, when you echo the $sql and the mysqli_error information, pass them through htmlentities() with the flag parameter set to ENT_QUOTES

  2. To prevent the sql syntax error in the first place, you need to properly escape the data values being put into the sql query statement or even better and actually simpler and fool-proof-secure, use a prepared query.
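The advice in the replies above (run the form code only on a POST, validate one trimmed copy of the input, use a prepared query, apply htmlentities() with ENT_QUOTES on output, and keep $sql and database errors off the page) put together as an added example; it is not code from the thread. It assumes PHP 7.1 or later, uses an in-memory SQLite database in place of the asker's MySQL server so it runs offline, and the function names, length limits and `<p>` wrapper are illustrative.

```php
<?php
// Added example, not code from the thread. With MySQL only the DSN and
// credentials passed to new PDO() change; the statements stay the same.

// Escape at output time only, with ENT_QUOTES so ' and " are both converted.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Build one trimmed working copy of the input and validate that copy.
function clean_submission(array $post): array
{
    $data = [];
    foreach (['name', 'requests'] as $field) {
        $value = $post[$field] ?? '';
        $data[$field] = is_string($value) ? trim($value) : '';
    }
    $errors = [];
    if ($data['requests'] === '') {
        $errors['requests'] = 'Please enter a request.';
    }
    if (strlen($data['name']) > 100 || strlen($data['requests']) > 1000) {
        $errors['length'] = 'That entry is too long.';   // limits are assumptions
    }
    return [$data, $errors];
}

// Placeholders keep the data out of the SQL text, so an apostrophe in a name
// is stored as typed and cannot end the string literal.
function save_submission(PDO $pdo, array $data): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO submissions (name, requests) VALUES (:name, :requests)'
    );
    $stmt->execute([':name' => $data['name'], ':requests' => $data['requests']]);
}

// Returns the validation errors; an empty array means nothing went wrong.
function handle_request(PDO $pdo, string $method, array $post): array
{
    if ($method !== 'POST') {
        return [];                      // plain page load: insert nothing
    }
    [$data, $errors] = clean_submission($post);
    if (!$errors) {
        try {
            save_submission($pdo, $data);
        } catch (PDOException $ex) {
            error_log($ex->getMessage());   // details go to the server log only
            $errors['db'] = 'Sorry, your request could not be saved.';
        }
    }
    return $errors;
}

function render_submissions(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT requests, name FROM submissions ORDER BY id') as $row) {
        $html .= '<p>' . e($row['requests']) . ' - by ' . e($row['name']) . "</p>\n";
    }
    return $html === '' ? "<p>no special requests this week</p>\n" : $html;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT, requests TEXT)');

// Constructed requests standing in for $_SERVER['REQUEST_METHOD'] and $_POST.
handle_request($pdo, 'GET', []);
handle_request($pdo, 'POST', ['name' => " Siobhan O'Brien ", 'requests' => "Strength for Milo's checkup <3"]);
handle_request($pdo, 'POST', ['name' => 'x', 'requests' => '   ']);   // rejected
echo render_submissions($pdo);
```

On the real page the call would be `handle_request($pdo, $_SERVER['REQUEST_METHOD'], $_POST)`, followed by the redirect to clv.php when the returned array is empty.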
