HTML page with form that simply adds a line of text, permanently, to the webpage

The problem with the w3schools form sanitation method is that it requires the database to be on the same server as the webpage; mine is not. Also, my form action points to a different page than the form itself is on. I can’t figure out how to make their method work on my webpage because of these issues. If I can’t use
[php]<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">[/php]
because my webpage sends to a different file for form processing, and then that sends the data to an entirely different server than the webpage is on, what do I do? How would I modify this to work?

I have updated the code to mysqli as suggested. I am well past the original question/problem, the form is working fine now. I need help adding form security and making apostrophes work.

Phaewryn

Not sure how that sanitation method is tied to the database, as I was mostly thinking of this:
[php]<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = test_input($_POST["name"]);
    $email = test_input($_POST["email"]);
    $website = test_input($_POST["website"]);
    $comment = test_input($_POST["comment"]);
    $gender = test_input($_POST["gender"]);
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>[/php]

That has nothing to do with any database. But then, from what I have read so far and what I’ve noticed the local gurus here on this forum always advise: look into PDO & prepared statements. I know I do sound like a parrot repeating myself, but indeed, everybody advises focusing on PDO & prepared statements rather than on sanitizing inputs from the user.

$_SERVER["PHP_SELF"]:

where the script_name.php is obviously the name of your script. Not sure if that will help, but I would try it though.

I honestly do not understand how switching from mysqli to PDO is going to make any difference for this problem. My problem isn’t happening where the php processes the user input and inserts it into the mysql database, it’s happening the second my post is submitted to the server itself; the webserver is blocking the form processor as soon as it sees the apostrophe. I need to find a way to change special characters before the form submits to the webserver. The problem isn’t happening when the php processes and posts the data to the database server, it’s happening on my webpage’s submit function (on the webserver). If it can be fixed by switching to PDO, I need someone to point out a tutorial showing me how to do it, because I do not see anything on the php.net website tutorials about preparing statements that would solve the matter of removing special characters before submitting the form to the webserver. Prepared statements are preparing them for insertion into the database, not changing them prior to being processed by the webserver, are they not?

Please don’t follow what w3schools shows. It is fine as a language reference (but the original html/php documentation at w3.org and php.net is better), but its code examples are just plain bad at times and teach poor programming. In particular, as it applies to this thread, the test_input() function is nonsense (it’s incorrectly named for what it does, it should not unconditionally apply stripslashes(), and it should not apply htmlspecialchars() to input data at all) and the validation logic (at the link) is testing and validating different versions of each input and so allows data consisting of all white-space characters to create empty entries in your database. And please don’t start creating hard-coded lists of data and error variables, one set for each form field. This is just a huge waste of typing.

The problem with your form processing code being on the same page with the form and inserting blank values when the page is first requested is because you need to detect that a post method form has been submitted and only run the form processing code if it has. You should do this even if the form processing code is on its own page, so that you won’t get a bunch of php errors if the form processing code page gets requested via a get request. Using the if ($_SERVER["REQUEST_METHOD"] == "POST") { all the form processing code goes here } is how you would do this. If you have multiple form processing code on one page, you would further detect which form has been submitted by having a hidden field, named ‘action’, for example, that has a different value for each form.

Your form processing code should ‘validate’ the input data. At a minimum, it should detect if ‘required’ fields are empty, after trimming the data. The only thing you should do to the submitted data is trim() it. If you modify it in any other way, you are changing the meaning of the data. You can trim all the data at once (one statement), by using array_map()/array_walk_recursive() and making a copy of the $_POST into a common/working array variable. You would validate the elements in this array variable (so that all the code is using the same version of a value.) You would also use the elements in this array variable when supplying the data to the sql query statement and in re-populating the form (assuming that the form is on the same page with the form processing code) when there are validation errors (so that the visitor doesn’t need to re-enter data in all the form fields.)

You should store validation errors in another array variable. Then after you have finished validating all the data, if there are no errors (the array will be empty), you can use the submitted form data.

To secure your database queries against sql special characters in the data from breaking the sql query syntax (which is how sql injection is accomplished), you should use prepared queries (you can research in the php.net documentation for what that means.) You CAN use php escape string functions, but these can still allow sql injection if you haven’t set up the character encoding being used by php to match your database tables (which is not commonly shown in online tutorials), and the one place you have used the escape string function isn’t actually being used on data going into the sql query statement. Using a prepared query will cause any data containing things like to be properly handled.

A BIG issue with the php mysqli extension is that it is not very well designed and implemented, especially when it comes to prepared queries. The php PDO extension is much better designed and simpler/easier to use. If you can, switch to the php PDO extension sooner rather than later. There is another huge advantage to using PDO: once you learn the php statements to use for one database type, you can use those same php statements with other database types. You don’t have to keep relearning different php statements that are specific to each type of database.

As to the error you are getting about the URL, are you sure this doesn’t always occur and is due to an incorrect action=’’ attribute in the form tag? Nothing (unless you are using javascript to submit the raw form data using a get method request) will result in an error due to data being put into a form field.

When you output data on a web page is when you would apply htmlentities() to the data and you should at a minimum use the ENT_QUOTES flag so that both single and double quotes are converted.

No, it doesn’t always occur, the entire process works perfectly until someone tries to enter an ’ into the form fields. As far as I can tell, other special characters do not cause a problem, only apostrophes. I’m baffled by the problem. Phpcodechecker.com reports no problems in my php code in any page. Nu html checker at w3 validator shows no errors. I’m reluctant to post the url because I’m not sure it is properly secured (having never done any php before and now that you’re telling me the w3schools methods are incorrect), but here is the link, feel free to test it:
http://phaewryn.net/fa/clv.php
additionally, here are the pages that page calls:
http://phaewryn.net/fa/formcode.php
http://phaewryn.net/fa/submissions.php

“ENT_QUOTES” … googles that term, finds http://php.net/manual/en/function.htmlspecialchars.php, realizes this is probably exactly what I need, but php.net doesn’t give one any reference on where in the code one would place their suggested [php]string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get(“default_charset”) [, bool $double_encode = true ]]] )[/php] lines. I use w3schools because they give code examples that show me where to put things. That above snippet from php.net doesn’t tell me where to insert it into my code. I’ll happily add it, if you just show me where it should be in my code.

I thought that this part in my code was doing that process? I mean, I googled it and that’s what someone on StackOverflow did once and it worked for them, so I can only copy it and hope it works since I don’t actually understand what any of this is actually doing at all. None of this stuff is actually explained anywhere online that I have found. Tutorials tell you how to make things work, they don’t tell you how they work.
[php]if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $users_name = test_input($_POST["name"]);
    $users_request = test_input($_POST["requests"]);
}
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}[/php]

if ($_SERVER[“REQUEST_METHOD”] == “POST”) already exists in my code. How would it get requested by a GET request (I mean, other than maliciously)? I don’t use GET anywhere in my code. Is “The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873613039002471” a PHP error? I was assuming it was a server error, not a PHP error. I will try to copy the formcode.php contents back to the clv.php page and see if it has stopped submitting on every page load. I may have added that after I had decided to use a separate page for the form submission.

I’m not requiring any fields, all fields are optional. People are welcome to submit a request without giving a name. I know I need to trim, that’s what I can’t get to work correctly. All I want to do is trim out the apostrophes and replace them with the correct character entity. That’s it. And I can’t seem to do it. I have no idea what any of that array stuff means. I don’t even know what an array is. I’ve never written a single script in my life before this week. I don’t have the skill set required to understand what you’re telling me here. A tutorial might be helpful.

The problem is that php.net doesn’t give me any examples, so I have no idea where to put anything they teach me on the page. There’s no guide to what comes first, where this goes, how this affects that, etc. I go to http://php.net/manual/en/class.pdo.php and it means nothing to me, I don’t understand a single thing it is saying because they do not give examples that show what any of it does.

OK, so I made a copy, moved all the php from formcode.php back to the main page at http://phaewryn.net/fa/clv2.php, and removed the test_input() function you said was nonsense from the if ($_SERVER["REQUEST_METHOD"] == "POST") section, changed the form post line to <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">, and the problem still exists as before (however, loading the page is now not adding blank entries, so your suggestion did fix that issue). But my real problem, the main one I came here to solve: If the user inputs an apostrophe in either field, the page still redirects to “The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873613038379062”. Is this better than calling the php from a separate page? <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

Either way, it makes no difference to the problem of “The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873613038379062”, which is the one thing I am trying to solve.

I don’t know if it matters, but on my hosting account when I click into PHP Manager, it says my php version is php5.6. When I click into MySQL Manager, it generates a warning: “Your PHP MySQL library version 5.1.73 differs from your MySQL server version 5.7.18. This may cause unpredictable behavior.”

I asked my hosting company about that and they said “it won’t make any difference”. Is that true?

You may want to take that error with the support id number and actually ask your web host what’s causing it.

However, here’s what I think is happening. Because you are not escaping the input being put into the sql query statement (or even better, using a prepared query to supply the data to the sql query when you execute it) you are getting an sql syntax error, AND because you are echoing $sql that contains the exact same data that was just posted to the page, some security software running on the server is being triggered (it found output on a page that exactly matches data posted to the page.)

So, two things -

  1. To prevent triggering this error response, when you echo the $sql and the mysqli_error information, pass them through htmlentities() with the flag parameter set to ENT_QUOTES

  2. To prevent the sql syntax error in the first place, you need to properly escape the data values being put into the sql query statement or even better and actually simpler and fool-proof-secure, use a prepared query.
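As an added example (not code from the thread), here is what point 1 looks like applied to the query-error branch of the OP’s formcode.php. $conn and $sql are the thread’s own variables; that mysqli_query() is the statement which fails, and the $debug switch, are assumptions made for this example:

```php
<?php
// Added example (not from the thread). $conn and $sql are the thread's own
// variables; mysqli_query() being the failing statement and the $debug
// switch are assumptions for this example.
$debug = false;   // true while developing, false on the live server

$result = mysqli_query($conn, $sql);
if ($result === false) {
    // On a live server the details go to the log, never onto the page.
    error_log('formcode.php query failed: ' . mysqli_error($conn) . ' | sql: ' . $sql);

    if ($debug) {
        // ENT_QUOTES converts both ' and " so the reflected query text no longer
        // matches the raw posted data character for character.
        echo 'Error: ' . htmlentities($sql, ENT_QUOTES, 'UTF-8')
           . '<br>' . htmlentities(mysqli_error($conn), ENT_QUOTES, 'UTF-8');
    } else {
        echo 'Sorry, your request could not be saved.';
    }
}
```

The escaping only matters while you are still showing the error on the page; once the page is public, the log line is all you need and the visitor sees a generic message.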

A) I have contacted them and my hosting company says “This should not cause any problem”.

“To prevent triggering this error response, when you echo the $sql and the mysqli_error information, pass them through htmlentities() with the flag parameter set to ENT_QUOTES”

  1. Can you provide the code for this? I googled it and can’t figure out how or where to incorporate it. Everywhere I try to paste it in it breaks the page. I assume you mean to add it to this part of the code somehow?
[php]
} else {
    echo "Error" . $sql . "
" . mysqli_error($conn);
[/php]

“To prevent the sql syntax error in the first place, you need to properly escape the data values being put into the sql query statement or even better and actually simpler and fool-proof-secure, use a prepared query.” as I have pointed out, I do not know how, and that is why I am here asking for help.

I tried to build the PDO statement like you keep suggesting, but there’s very few tutorials available, and my attempt (below) is breaking the page:
[php]<?php
$servername = "SERVER";
$username = "UN";
$password = "PW";
$dbname = "fDB";
$users_name = $_POST['name'];
$users_request = $_POST['requests'];
if ($_SERVER["REQUEST_METHOD"] == "POST") {
}
try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->beginTransaction();
    $conn->exec("INSERT INTO submissions (requests, name)
    VALUES ('$users_request', '$users_name')");
    $conn->commit();
    header("Location: clv2.php");
}
catch(PDOException $e)
{
    $conn->rollback();
    echo "Error: " . $e->getMessage();
}
$conn = null;
?>
[/php]
CLOSER? It’s now making that blank entry on every page load again.

oops, double posted

I’ll address some of the points in a separate reply.

Actually, I determined the urls already and you have a bunch of nonsense posts from my testing.

but php.net doesn't give one any reference on where in the code one would place their suggested...

That’s because programming is not like painting by the numbers, i.e. put “code A” (green paint) on all the number 1’s, put “code B” (blue paint) on all the number 2’s. Context is very important in programming. So, take the statement - “When you output data on a web page is when you would apply htmlentities() to the data …”. Where in your code are you (dynamically) outputting data on the page? In submissions.php, the data from the SELECT query and the message about no submissions to display; in formcode.php, when there is a query error and you display $sql and the mysqli_error information; and for any form action=’…’ attribute where you are using $_SERVER[‘PHP_SELF’], which BTW, you can just leave the action attribute completely out and a html5 form will be submitted to the same page it is on.

I *thought* that this part in my code was doing that process?

The test_input() function is being called on the data that is the input to your code. This is not at the point where you are outputting something to the web page.

How would it get requested by a GET request ...

By posting url’s to it in forums that get indexed by search engines. Search engines will ONLY make get requests. If you ALWAYS enclose your post method form processing code in a test so that it will only be executed when there is a post request, your page won’t waste resources and won’t output php errors in response to search engines indexing your site.

I'm not requiring any fields, all fields are optional. People are welcome to submit a request without giving a name.

Then, the ‘requests’ field is required and you don’t want to waste time and resources inserting data if the ‘requests’ is empty.

All I *want* to do is trim out the apostrophes and replace them with the correct character entity.

No, that’s not what you want. I believe my reply above this one addresses why you are getting the error response, but your web host should be able to give you definitive information. There are several hundred million web sites that happily accept data containing single-quotes. When you have a problem in a technical subject like programming, you must find the actual cause of the problem before you can fix it, otherwise all you are doing is trying to make symptoms disappear by putting a band-aid over the top of them. This just wastes a bunch of time.

Arrays are variables with more than one dimension. Arrays are for sets of data that will be treated the same. If you had any algebra in school, you should have seen arrays for sets of numbers. Arrays will let you loop over data, rather than writing out code for each possible variable. Programming is already a tedious and error prone typing-activity. By cutting down on the repetitive coding, you will save time when writing, testing, and debugging problems. It would be to your advantage to do some research and experimenting on using arrays.

The examples in the php.net documentation do show WHAT code does. It’s up to the programmer to take what the code does and use it where it will accomplish something useful. For example, converting from mysqli to PDO. What basic tasks are you using mysqli for in your code -

  1. Making a database connection.

  2. Forming and running sql queries - SELECT and INSERT (and later UPDATE and DELETE and a few others.)

  3. For SELECT queries, testing the number of rows the query matched and fetching the data from the query.

All you would need to do is learn what the equivalent PDO statements are for these tasks.

Using prepared queries involves using place-holders in the sql query statements, instead of putting variables in directly. This actually simplifies the sql syntax, since any single-quotes you have around string values will be eliminated. Instead of executing the query you have formed, you prepare it, then there is an additional execution step, where you supply the actual data values and cause the query to be executed with that data (you can repeat the data/execution step multiple times, without needing to prepare the query again.) It is here that the PDO extension becomes much simpler than the mysqli extension. The mysqli extension requires an explicit bind step before execution, and fetching data from a mysqli prepared query requires binding result variables in addition to calling a fetch statement.
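The three tasks listed above, done first with mysqli and then with PDO, as an added example that is not code from the thread. It assumes the thread’s submissions table (id, requests, name); the connection values are placeholders and the sample request text is constructed:

```php
<?php
// Added example (not from the thread): the same three tasks with mysqli and
// with PDO. Assumes the thread's `submissions` table (id, requests, name);
// $host/$user/$pass/$db are placeholders, the request text is constructed.
$host = 'localhost'; $user = 'DB_USER'; $pass = 'DB_PASS'; $db = 'DB_NAME';

// ---- mysqli ---------------------------------------------------------------
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions
$mysqli = new mysqli($host, $user, $pass, $db);           // 1. connection
$mysqli->set_charset('utf8mb4');

// 2. INSERT: prepare, an explicit bind step (one type letter per ?), then execute
$request = "Strength for O'Malley this week";           // the apostrophe is just data
$name    = 'Pat';
$stmt = $mysqli->prepare('INSERT INTO submissions (requests, name) VALUES (?, ?)');
$stmt->bind_param('ss', $request, $name);
$stmt->execute();

// 3. SELECT: execute, store the result to get num_rows, bind result columns, fetch
$stmt = $mysqli->prepare('SELECT id, requests, name FROM submissions WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows === 0) {
    echo "no special requests this week\n";
}
$stmt->bind_result($id, $requests, $who);
while ($stmt->fetch()) {
    echo htmlentities("$requests - by $who", ENT_QUOTES, 'UTF-8'), "<br>\n";
}

// ---- PDO ------------------------------------------------------------------
// 1. connection: character set in the DSN, real prepares, assoc rows by default
$pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// 2. INSERT: no bind step, the values are passed to execute() in place-holder order,
//    and the same prepared query can be executed again with new values
$stmt = $pdo->prepare('INSERT INTO submissions (requests, name) VALUES (?, ?)');
$stmt->execute([$request, $name]);
$stmt->execute(['A second request, same prepared query', $name]);

// 3. SELECT: fetchAll() returns the rows as arrays; count() replaces num_rows
$stmt = $pdo->prepare('SELECT id, requests, name FROM submissions WHERE name = ?');
$stmt->execute([$name]);
$rows = $stmt->fetchAll();
if (count($rows) === 0) {
    echo "no special requests this week\n";
}
foreach ($rows as $row) {
    echo htmlentities("{$row['requests']} - by {$row['name']}", ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

In both halves the values never touch the sql text, so no quoting or escaping of the data is needed; the difference is only how many steps the extension makes you write.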

Ok, I now have a page that is working correctly for fixing the apostrophe issues, however, I had to remove just about everything and start over, and now it’s adding a blank entry at every page load. The if ($_SERVER["REQUEST_METHOD"] == "POST") line doesn’t seem to be stopping it from posting regardless of if there has been a submission or not. Since this is a whole new way of doing this page, is there a different way to deal with if ($_SERVER["REQUEST_METHOD"] == "POST") now? And is this secure?

LINK: http://phaewryn.net/fa/clv3.php

[php]<?php
$servername = "my_server";
$username = "my_username";
$password = "my_password";
$dbname = "my_database";
$users_name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
$users_request = $_POST['requests'];
if ($_SERVER["REQUEST_METHOD"] == "POST") {
}
try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->beginTransaction();
    $conn->exec("INSERT INTO submissions (requests, name) VALUES ('$users_request', '$users_name')");
    $conn->commit();
    header("Location: clv3.php");
}
catch(PDOException $e) {
    $conn->rollback();
    echo "Error: " . $e->getMessage();
}
$conn = null;
?>[/php]

<form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Make A Request:<br>
<textarea name='requests' id='requests'></textarea> <br>
Your Name (a-z only):<br>
<input type='text' name='name' id='name'/><br>
<input type='submit' value='Send' class='button'>  
</form>

Phaewryn

Sorry, i thought you wanted to secure your webpage from hacking etc. hence PDO.

The if ($_SERVER["REQUEST_METHOD"] == "POST") line doesn't seem to be stopping it from posting regardless of if there has been a submission or not

That’s because your form processing code isn’t inside the conditional block { … }.

I recommend that you look at your code and identify where the start and end of the form processing code is, and then look where the opening { and closing } of the if(){…} statement are at.

When I tried to move the closing tag to make the if ($_SERVER["REQUEST_METHOD"] == "POST") surround all the content, the entire page stopped working, so I moved it back temporarily so you could see the page’s function at present. I don’t know where to put the tag. If I enclose everything, the page doesn’t load at all. I’ll figure it out, just got sleepy last night and gave up.

I do, so I have switched to that method, and I think I’ve got it now! Is this secure?
[php]
Candlelight Vigil
<?php
$servername = "my_server";
$username = "my_username";
$password = "password";
$dbname = "db";
$users_name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
$users_request = htmlentities($_POST['requests'], ENT_QUOTES, 'UTF-8');
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $conn->beginTransaction();
        $conn->exec("INSERT INTO submissions (requests, name) VALUES ('$users_request', '$users_name')");
        $conn->commit();
        header("Location: clv.php");
    }
    catch(PDOException $e) {
        $conn->rollback();
        echo "Error: " . $e->getMessage();
    }
    $conn = null;
}
?>
"> Make A Request:

Your Name (a-z only):

candle

As we light our candles, we honor those who need strength, and send the healing gift of love with all our hearts, may it flow into the brokenhearted who are tending the sick, and bring them comfort in their time of need. We send them our love, may it bolster their strength and comfort their hearts to be held in the loving embrace of this family of fellow feline caretakers.

As we light our candles, we send strength and comfort to those kitties who struggle with their illness this week, may our love bring them relief and peace, aiding in their quick recovery.

As we hold our candle close to our heart, we read the names of the sick and those with special needs, granting them their request, manifesting that it be done, in love, in trust, and in time that it may assist them to conquer through their time of need.

			<div id="myrequest">
			<?php include("submissions.php"); ?>
			</div>

As we light our candles, we also send our heartfelt love and thankfulness to those kitties who have departed this week. May they know the gratitude we hold in our hearts for the gift of unconditional love they blessed us with, although their time was short, they are forever remembered.

			<div id="memorial"><p>(insert departed kitties here)</p></div>
		</div>
	</div>
</div>
[/php]

Submissions.php (the include - I assume I need to switch this file to PDO as well?):
[php]<?php
$servername = "my_server";
$username = "my_username";
$password = "password";
$dbname = "db";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
$sql = "SELECT id, requests, name FROM submissions";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
        echo "" . $row["requests"]. " - by " . $row["name"]. "
";
    }
} else {
    echo "no special requests this week";
}
mysqli_close($conn);
?>[/php]

Is this secure?

No. You are not using a prepared query, you are still doing some things that someone has written not to do, and you have additional things present that are not correct or can stop working when moving between different server configurations.

Just using the php PDO extension doesn’t make your code safe against anything. Using a prepared query will make your code safe against sql special characters from breaking the sql query syntax, which is how sql injection is accomplished. The PDO extension makes using prepared queries easier. This however will only make the part of the code that’s executing database queries safe.

You must also apply htmlentities() to data that’s being output on the web page. You are still applying it to the data being input to your sql query statement (I recommend that you re-read my replies in this thread.)

Here’s a list of problems and things to improve in the current code -

  1. The post method form processing code needs to be near the top of your file, before the start of the html document.

  2. You should put your database connection credentials and the connection code in a .php file and ‘require’ it into any code that needs a connection.

  3. You should use ‘require’, not ‘include’ when bringing in an external .php script file that you page ‘requires’ for it to work.

  4. require/include are not functions and don’t need the () around the value. The () are just adding clutter to your code.

  5. You should only make ONE database connection on any page, at a common point where all the code on a page that needs a connection can use it.

  6. As has been stated multiple times, htmlentities() is an output function. You use it on data being output on the web page. Why are you still using it on the input $_POST data that you are supplying to the sql query statement?

  7. The two lines of code (incorrectly) applying htmlentities() to the two $_POST variables are part of your form processing code. Why aren’t they inside the if(){…} with all the other form processing code?

  8. Don’t copy variables to other variables for no purpose. This is just make-work wasted typing time. After you remove the htmlentities() usage from the two $_POST variables in your form processing code, you would be left with $some_var = $_POST[‘some_index’];. If you find yourself with code that looks like this, stop and consider that the original variable is perfectly fine to use in the rest of the code and copying it to another variable is a waste of time and is just cluttering up your code.

8.1) You need to trim() submitted data before validating it, so that you can detect data that consist of all white-space characters.

  9. When you make the PDO connection, you need to set the character set for the connection, turn off emulated prepared queries, and if you set the default fetch mode to assoc, you won’t have to specify it in every fetch statement.

  10. You should not put a try/catch block in your code unless needed and you should not echo the database error messages onto the web page. The only time you should put a try/catch block in your code is if your code must handle a specific error, such as a duplicate key error. For connection and most PDO statement errors, you should just let php catch the exception and handle the error for you. Php will use its error_reporting, display_errors, and log_errors settings to control what happens with the actual error information. This will allow you to display the error information when learning, developing, and debugging code, and log the error information when running your code on a live/public server, simply by changing the php display_errors/log_errors settings. This will also simplify your code, since you can remove the try/catch block you have now.

  11. Database transactions have a purpose, but what you are doing at this point isn’t one of them. Don’t use beginTransaction(), commit(), and rollback() unless you are doing something that actually is using a transaction.

  12. As posted above in this thread, a prepared query has place-holders in the sql query statement for the values. You would also call the prepare() method, not the exec() method, and you would supply the two data values when you execute the query.

  13. Any header() redirect needs an exit; statement after it to prevent the rest of the code on the page from running. A header() doesn’t stop code execution.

  14. You should generally let php automatically close a database connection for you when the php script ends.

  15. If there is a data validation error, you need to re-populate the form fields with any submitted data, so that the visitor doesn’t need to re-type in anything. Just correct whatever the validation error is. You have indicated that the ‘requests’ field is required. Do you want to make the visitor re-type in their name if they have accidentally hit the submit button before typing in a ‘requests’?

  16. The submissions.php code should not be in a separate file. This is just creating more pieces of code that you must maintain. Before the start of your html document, after the end of the post method form processing code, you should execute the SELECT query and retrieve the data into a php variable. In the html document where you want to display the data, just test/loop over the php variable. This will separate the concerns in your code, making it easier to design, write, test, debug, and maintain your code.

  17. There are people that have names that contain more than just A-Z characters. Any prompt you display and any validation you do on the submitted data, needs to use the same rules.
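As an added example, not the thread’s own code, here is one clv.php that follows the earlier reply (trim once, validate into an errors array, prepared query, htmlentities() only on output) and the numbered list above (processing at the top of the file inside the POST test, one connection brought in with require, no try/catch or transaction, exit after header(), SELECT into a variable before the html, form re-populated on error). It assumes the thread’s submissions table (id, requests, name) and a creds.php that defines $pdo; the sketched contents of creds.php, the e() helper name and the page name clv.php are assumptions for this example:

```php
<?php
// Added example (not the thread's own code). Assumes the thread's `submissions`
// table (id, requests, name) and a creds.php that defines $pdo; the creds.php
// contents sketched here, the e() helper and the file name clv.php are assumptions.
//
// creds.php (one connection per page, character set set, real prepares, assoc rows):
//   $pdo = new PDO('mysql:host=HOST;dbname=DB;charset=utf8mb4', 'USER', 'PASS', [
//       PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//       PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
//       PDO::ATTR_EMULATE_PREPARES   => false,
//   ]);
require 'creds.php';          // require is not a function: no () around the file name

$post   = [];                 // trimmed working copy of the submitted data
$errors = [];                 // validation errors, one entry per failing field

// All form processing sits inside this block, so a GET (search engine, reload)
// runs none of it and inserts nothing.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // trim() is the only change made to the input; everything else is data
    $post = array_map('trim', $_POST);

    // 'requests' is required (all white-space counts as empty after trim);
    // 'name' is optional and may contain any characters
    if (!isset($post['requests']) || $post['requests'] === '') {
        $errors['requests'] = 'Please enter a request.';
    }

    if (!$errors) {
        // prepared query: place-holders in the sql, the values supplied at execute()
        $stmt = $pdo->prepare('INSERT INTO submissions (requests, name) VALUES (?, ?)');
        $stmt->execute([$post['requests'], isset($post['name']) ? $post['name'] : '']);

        // redirect back to this page so a refresh does not re-submit, then stop
        header('Location: clv.php');
        exit;
    }
}

// Fetch everything that will be displayed before any html is output
$submissions = $pdo->query('SELECT id, requests, name FROM submissions')->fetchAll();

// One escaping function, used at every output point and nowhere else
function e($text)
{
    return htmlentities((string) $text, ENT_QUOTES, 'UTF-8');
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Candlelight Vigil</title></head>
<body>
<?php if ($errors): ?>
<ul class="errors">
<?php foreach ($errors as $msg): ?>
    <li><?= e($msg) ?></li>
<?php endforeach; ?>
</ul>
<?php endif; ?>

<!-- no action attribute: the form submits to the page it is on -->
<form method="post">
Make A Request:<br>
<textarea name="requests" id="requests"><?= e(isset($post['requests']) ? $post['requests'] : '') ?></textarea><br>
Your Name (optional):<br>
<input type="text" name="name" id="name" value="<?= e(isset($post['name']) ? $post['name'] : '') ?>"><br>
<input type="submit" value="Send" class="button">
</form>

<div id="myrequest">
<?php if (!$submissions): ?>
<p>no special requests this week</p>
<?php else: ?>
<?php foreach ($submissions as $row): ?>
<p><?= e($row['requests']) ?> - by <?= e($row['name']) ?></p>
<?php endforeach; ?>
<?php endif; ?>
</div>
</body>
</html>
```

An apostrophe typed into either field goes into the database exactly as typed, because it never becomes part of the sql text, and comes back out as &#039; only at the moment it is written into the html, because that is the one place e() is called.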

Ok, let’s start here. You said that I’ve now made using prepared queries easier for myself (great). Teach me how to prepare my query and where I would insert my prepared query into my code.

Google wasn’t helpful when searching “prepared query php” and this page is the closest thing I could find to the topic:
http://php.net/manual/en/pdo.prepared-statements.php and it is about prepared STATEMENTS, not queries. How does a prepared query differ from a prepared statement?

I need to add these lines back in now that I’ve switched to PDO, but where do I put them in the code? After the $conn->beginTransaction(); line?
[php]
$stmt = $conn->prepare("INSERT INTO submissions (requests, name) VALUES (?, ?)");
// bind_param() is mysqli's method and does not exist on a PDO statement;
// with PDO the values are passed to execute() in place-holder order
$stmt->execute([$users_request, $users_name]);
[/php]

Submissions.php page now also in PDO format (progress):
[php]<?php
$servername = "my_server";
$username = "my_username";
$password = "my_passowrd";
$dbname = "my_db";
$charset = 'utf8';
$users_name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
$users_request = htmlentities($_POST['requests'], ENT_QUOTES, 'UTF-8');
$dsn = "mysql:host=$servername;dbname=$dbname;charset=$charset";
$opt = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES => false,
];
$pdo = new PDO($dsn, $username, $password, $opt);
$stmt = $pdo->query('SELECT id, requests, name FROM submissions');
while ($row = $stmt->fetch())
{
    echo $row['requests'] . "   ⋅ " . $row['name'] . "
";
}
?>
[/php]

Any obvious errors/omissions on this page’s code that need addressing? (I’m working my way down the list)

The php goes at the very top of the file? Above the tag? Not in the tag? Ok, done!

DONE! (erm, I think, I just moved all the php from the clv.php page to a creds.php file and required it in like the submissions are done, and it worked, so I guess that’s what you mean)

NOTED! Thank you, I will make that change. <?php require"submissions.php"; ?> is correct now?

Because it made the page work so that I could enter apostrophes in the form fields. If I remove it from this page, leaving only $users_name = $_POST[‘name’]; $users_request = $_POST[‘requests’]; then the page errors to “The requested URL was rejected. If you think this is an error, please contact the webmaster. Your support ID is: 13509873613080608169”. If you have a solution, I’m all ears!
