Need Help - Simple Submit News Form Not Quite Right

thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

Well, everyone has to start somewhere, and I am a noob to PHP but loving every minute of the learning process. Anyway, I have come up with a post news page that puts news into my database. I have a two-point problem (separate issues). Can anyone look at my code and see what I am missing, or what I need to edit or remove?

Point 1 - I would like to either show something that says "Your post has been submitted" or be redirected to a "post submitted" page. For some reason, when trying the former, it gave me the text before I posted the item, which is a bit unhelpful. lol

Point 2 - I keep getting double blank posts on submit or refresh. On submit it happens with two blank posts, especially when I integrate my form into a website template. But I think if I put some sort of protection against blank posts going in, it will solve both problems. Or, to kill two birds with one stone, how do I make a "cannot leave blank" field?

My code below

Code:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="news" id="news">
  <table width="744" border="1" align="center" cellpadding="1" cellspacing="1" class="boxtext">
    <tr>
      <th width="122" bgcolor="#333333" scope="col">Title</th>
      <th width="609" bgcolor="#333333" scope="col"><input name="title" type="text" id="title" size="30" maxlength="30" /></th>
    </tr>
    <tr>
      <td bgcolor="#333333">News Intro</td>
      <td bgcolor="#333333"><textarea name="description" id="description" cols="60" rows="5"></textarea></td>
    </tr>
    <tr>
      <td bgcolor="#333333">Full News</td>
      <td bgcolor="#333333"><textarea name="fullstory" id="fullstory" cols="60" rows="10"></textarea></td>
    </tr>
    <tr>
      <td bgcolor="#333333">Author</td>
      <td bgcolor="#333333"><input name="author" type="text" id="author" size="25" maxlength="15" /></td>
    </tr>
    <tr>
      <td bgcolor="#333333">&nbsp;</td>
      <td bgcolor="#333333"><input type="submit" name="submit" id="submit" value="Submit" onClick='document.location("index.php");'/></td>
    </tr>
  </table>
</form>
 
<p>
  <?php
// connect to database
$db=mysql_connect("localhost","news","password") or die ("cant connect"); 
mysql_select_db("news",$db) or die ("cant change"); 
$news=mysql_query("SELECT * FROM News ORDER BY date DESC LIMIT 3") or die ("cant get em"); 
?>
<?
session_start();
$secret=md5(uniqid(rand(), true));
$_SESSION['FORM_SECRET']=$secret;
?>
 
<?php
// _POST Query for sending entered info to database
    if (isset($_POST['title']))
        $title = $_POST['title'];
        $description = $_POST['description'];
        $fullstory = $_POST['fullstory'];
        $author = $_POST['author'];
        $date = $_POST['TIMESTAMP'];
        $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
        
        if (@mysql_query($sql)) {
                echo 'Your post has been saved';
        } else {
            echo '<p>Sorry your post has not worked' .
            mysql_error() . '</p>';
        }
    ?>
Thank you in advance for any help. I know some of the coding must be messed up, but it does what it is supposed to; however, it doesn't do the little bits I need it to. lol
Last edited by Benjamin on Tue Jun 30, 2009 12:05 am, edited 1 time in total.
Reason: Changed code type from text to php.
thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

Any ideas? I keep testing different ideas but nothing seems to be working.
thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

lol, must be more complicated than I thought. Oh well, back to the drawing board.
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by BornForCode »

Problem solving:

Remove the JavaScript event (that onclick), or if you need that event then change the type of the button from type="submit" to type="button", because you are submitting the form twice.

To redirect:

Code:

 
if (@mysql_query($sql)) {
       header( 'Location: http://www.yoursite.com/confirmation.html' ) ;
       exit; // stop here so nothing else runs or is output after the redirect
}
 
Now I must say that your solution is not very elegant: for example, you don't verify the information sent, and in case of errors you don't give a proper message or re-populate the form.
Last edited by Benjamin on Tue Jun 30, 2009 12:05 am, edited 1 time in total.
Reason: Changed code type from text to php.
thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

I will give it a go and let u know how I get on. Had a feeling u might say the thing about the elegance. Like I said though, I am a real noob to this so picking things up as I go along. Eventually I should be able to put bits and pieces together to improve the overall scripting and user-friendliness of the thing. Thanks for the help :)
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Need Help - Simple Submit News Form Not Quite Right

Post by Benjamin »

Forum Rules wrote:11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by BornForCode »

One of the most important qualities of the moderators is to bang our heads on the walls till we learn the rules :banghead:
I knew that this was a conspiracy but I had no proof, now I have one.
thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

Glad the moderator pointed it out; in future I will say "you" instead of "u".

Or maybe I should do

$you = ['u'] at the top of my post. ;)
thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

Thanks for the help. I have followed the instructions, but still have an old problem of the confirmation page loading before I get to the form. Not sure where the problem is, but like I was told, my code isn't exactly tidy.

Here is the updated code:

Code:

 <?php
// connect to database
$db=mysql_connect("localhost","news","password") or die ("cant connect"); 
mysql_select_db("news",$db) or die ("cant change"); 
$news=mysql_query("SELECT * FROM News ORDER BY date DESC LIMIT 3") or die ("cant get em"); 
?>
<?php
// _POST Query for sending entered info to database
    if (isset($_POST['title']))
        $title = $_POST['title'];
        $description = $_POST['description'];
        $fullstory = $_POST['fullstory'];
        $author = $_POST['author'];
        $date = $_POST['TIMESTAMP'];
        $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
        
        if (@mysql_query($sql)) {
        header( 'Location: http://www.myexample.com/home.html' ) ;
        } else {
            echo '<p>Error Please go back and try again' .
            mysql_error() . '</p>';
        }
    ?>
I am getting there slowly, very slowly. Thanks for the help so far.
Last edited by Benjamin on Tue Jun 30, 2009 10:27 am, edited 1 time in total.
Reason: Changed code type from text to php.
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by BornForCode »

Fix it by doing this (you forgot to add brackets at the first if, and that's why the redirect was executed each time).
Also remember to escape the $_POST content to prevent malicious code (aka MySQL injection etc.).

Code:

 
 if (isset($_POST['title'])) {
        $title = $_POST['title'];
        $description = $_POST['description'];
        $fullstory = $_POST['fullstory'];
        $author = $_POST['author'];
        $date = $_POST['TIMESTAMP'];
        $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
       
        if (@mysql_query($sql)) {
        header( 'Location: http://www.myexample.com/home.html' ) ;
        exit; // stop here so nothing else runs or is output after the redirect
        } else {
            echo '<p>Error Please go back and try again' .
            mysql_error() . '</p>';
        }
}
 
thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

thanks.

escape it?

sorry
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by BornForCode »

Yes, always escape what you have received from forms, GET etc.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Need Help - Simple Submit News Form Not Quite Right

Post by Eric! »

http://php.net/mysql_real_escape_string

This prevents someone from deleting your database tables, or dumping out data, or injecting all sorts of naughty things that you never thought possible from such a simple form. Google "SQL injection cookbook" for examples.

I personally like to whitelist characters and reject input if they put in anything suspicious, but escaping will protect your database.
thewhinger
Forum Newbie
Posts: 8
Joined: Mon Jun 29, 2009 9:44 am

Re: Need Help - Simple Submit News Form Not Quite Right

Post by thewhinger »

Getting my head around that took me to a new set of problems, but all needed though.

Anyway, what I have done is below. I must add that before I did this, I was unable to submit the info into the database for some reason, and after I did the escape stuff nothing had changed, although no errors are shown.

Code:

<?php
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
// Have a look at SELEC FROM as may need something better.
$news=mysql_query("SELECT * FROM News ORDER BY date DESC LIMIT 3") or die ("cant get em"); 
?>
<?php
// _POST Query for sending entered info to database
         if (isset($_POST['title'])) {
         $title = $_POST['title'];
         $description = $_POST['description'];
         $fullstory = $_POST['fullstory'];
         $author = $_POST['author'];
         $date = $_POST['TIMESTAMP'];
         mysql_real_escape_string($_POST);
         $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
        
         if (@mysql_query($sql)) {
         header( 'Location: http://www.mysite.com/home.html' ) ;
         } else {
             echo '<p>Error Please go back and try again' .
             mysql_error() . '</p>';
         }
 }
    ?>
Very new to all this, and I guess I am going to have to add the escape to other stuff I have done that does work.
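
What the thread is working toward, as an added example (not code posted by anyone in the thread): reject blank fields, insert with bound parameters, then redirect so a refresh cannot re-post. It uses PDO prepared statements in place of the mysql_real_escape_string() call linked above, because the mysql_* functions were removed in PHP 7; confirmation.php, the helper names and the two textarea length limits are assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names and credentials are the
// thread's; confirmation.php, the helper names and the textarea limits are assumptions.

// Read one form field as a trimmed string; arrays or missing keys count as blank.
function field(array $in, string $name): string
{
    $v = $in[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Return validation errors; an empty array means the post may be stored.
function validate_news(array $in): array
{
    // title and author limits match the form's maxlength; the other two are assumed
    $limits = ['title' => 30, 'description' => 500, 'fullstory' => 5000, 'author' => 15];
    $errors = [];
    foreach ($limits as $name => $max) {
        $value = field($in, $name);
        if ($value === '') {
            $errors[] = "$name cannot be left blank";
        } elseif (mb_strlen($value, 'UTF-8') > $max) {
            $errors[] = "$name is longer than $max characters";
        }
    }
    return $errors;
}

// Insert with bound parameters: the values are sent as data, never spliced into the SQL.
function save_news(PDO $db, array $in): void
{
    $stmt = $db->prepare('INSERT INTO News (title, description, fullstory, author)
                          VALUES (:title, :description, :fullstory, :author)');
    foreach (['title', 'description', 'fullstory', 'author'] as $name) {
        $stmt->bindValue(":$name", field($in, $name), PDO::PARAM_STR);
    }
    $stmt->execute();
}

$errors = [];
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {   // only act on a real submission
    $errors = validate_news($_POST);
    if (!$errors) {
        $db = new PDO('mysql:host=localhost;dbname=news;charset=utf8mb4', 'news', 'password',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        save_news($db, $_POST);
        header('Location: confirmation.php', true, 303); // must run before any output
        exit;
    }
}
// The form is rendered below; anything echoed back into HTML is escaped first.
foreach ($errors as $e) { echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>'; }
```

This block has to sit above the form markup in the page, since header() only works before any HTML has been sent.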