[kwlug-disc] OT: PHP help
Khalid Baheyeldin
kb at 2bits.com
Mon Jul 9 21:11:40 EDT 2018
First, you have to sanitize user input to prevent SQL Injection.
Then, you need to check if the Request Method is 'POST'.
This snippet should do the trick.
<?php
include('dbConfig.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Escape each field for use inside a quoted SQL string literal
    $barcode        = mysqli_real_escape_string($conn, $_POST['barcode']);
    $item_type      = mysqli_real_escape_string($conn, $_POST['item_type']);
    $donor_name     = mysqli_real_escape_string($conn, $_POST['donor_name']);
    $donor_location = mysqli_real_escape_string($conn, $_POST['donor_location']);

    // HTML-escape the values before echoing them back to the browser
    print("Inserting " . htmlspecialchars("$barcode, $item_type, $donor_name, $donor_location") . "...<br/>");

    $sql = "INSERT INTO cr_incoming
        (date_donated, barcode, item_type, donor_name, donor_location)
        VALUES
        (CURDATE(),'" . $barcode . "','" . $item_type . "','" . $donor_name . "','" . $donor_location . "')";

    $result = mysqli_query($conn, $sql);

    // Check if insert was successful, otherwise display an error
    if (!$result) {
        print('Insert failed ...<br/>');
    }
}
?>
Also change this line like this:
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
PHP_SELF will make the script work regardless of what its actual name is.
And I think method has to be uppercase, but not sure.
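
The same insert written with a mysqli prepared statement, so the values are bound as parameters instead of being escaped and concatenated into the SQL string. This is an added example, not part of the original message; it assumes dbConfig.php defines $conn as in the snippet above, and insert_incoming() is a hypothetical helper name.

```php
<?php
// Added example, not from the original post.
// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumption: dbConfig.php defines $conn (a mysqli connection), as on the page.
include('dbConfig.php');

// Hypothetical helper: insert one row using bound parameters.
function insert_incoming(mysqli $conn, array $fields): void
{
    $stmt = $conn->prepare(
        'INSERT INTO cr_incoming
           (date_donated, barcode, item_type, donor_name, donor_location)
         VALUES (CURDATE(), ?, ?, ?, ?)'
    );
    // 'ssss' = four string parameters; they never become part of the SQL text.
    $stmt->bind_param(
        'ssss',
        $fields['barcode'],
        $fields['item_type'],
        $fields['donor_name'],
        $fields['donor_location']
    );
    $stmt->execute();
    $stmt->close();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fields = [];
    foreach (['barcode', 'item_type', 'donor_name', 'donor_location'] as $name) {
        $value = $_POST[$name] ?? '';
        // Reject missing fields and array-valued input such as barcode[]=x.
        if (!is_string($value) || trim($value) === '') {
            http_response_code(400);
            exit("Missing field: $name");
        }
        $fields[$name] = trim($value);
    }
    try {
        insert_incoming($conn, $fields);
        // Escape for HTML only at output time, separately from the SQL handling.
        $shown = htmlspecialchars(implode(', ', $fields), ENT_QUOTES, 'UTF-8');
        print("Inserted $shown<br/>");
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // details go to the log, not the page
        print('Insert failed ...<br/>');
    }
}
?>
```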