Need Help - Simple Submit News Form Not Quite Right

Posted: Mon Jun 29, 2009 10:22 am
by thewhinger
Well, everyone has to start somewhere, and I am a noob to PHP but loving every minute of the learning process. Anyway, I have come up with a post news page that puts news into my database. I have a two-point problem (separate issues). Can anyone look at my code and see what I am missing, or need to edit or remove?

Point 1 - I would like to either show something that says "Your post has been submitted" or re-direct me to a "post submitted" page. For some reason, when trying the former it gave me the text before I posted the item, which is a bit unhelpful. lol

Point 2 - I keep getting double blank posts on submit or refresh. On submit it happens with two blank posts, especially when I integrate my form into a website template. But I think if I put some sort of protection against blank posts going in, it will solve both problems. Or, to kill two birds with one stone, how do I make a "cannot leave blank" field?

My code is below:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="news" id="news">
  <table width="744" border="1" align="center" cellpadding="1" cellspacing="1" class="boxtext">
    <tr>
      <th width="122" bgcolor="#333333" scope="col">Title</th>
      <th width="609" bgcolor="#333333" scope="col"><input name="title" type="text" id="title" size="30" maxlength="30" /></th>
    </tr>
    <tr>
      <td bgcolor="#333333">News Intro</td>
      <td bgcolor="#333333"><textarea name="description" id="description" cols="60" rows="5"></textarea></td>
    </tr>
    <tr>
      <td bgcolor="#333333">Full News</td>
      <td bgcolor="#333333"><textarea name="fullstory" id="fullstory" cols="60" rows="10"></textarea></td>
    </tr>
    <tr>
      <td bgcolor="#333333">Author</td>
      <td bgcolor="#333333"><input name="author" type="text" id="author" size="25" maxlength="15" /></td>
    </tr>
    <tr>
      <td bgcolor="#333333">&nbsp;</td>
      <td bgcolor="#333333"><input type="submit" name="submit" id="submit" value="Submit" onClick='document.location("index.php");'/></td>
    </tr>
  </table>
</form>
 
<p>
  <?php
// connect to database
$db=mysql_connect("localhost","news","password") or die ("cant connect"); 
mysql_select_db("news",$db) or die ("cant change"); 
$news=mysql_query("SELECT * FROM News ORDER BY date DESC LIMIT 3") or die ("cant get em"); 
?>
<?php
session_start();
$secret=md5(uniqid(rand(), true));
$_SESSION['FORM_SECRET']=$secret;
?>
 
<?php
// _POST Query for sending entered info to database
    if (isset($_POST['title']))
        $title = $_POST['title'];
        $description = $_POST['description'];
        $fullstory = $_POST['fullstory'];
        $author = $_POST['author'];
        $date = $_POST['TIMESTAMP'];
        $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
        
        if (@mysql_query($sql)) {
                echo 'Your post has been saved';
        } else {
            echo '<p>Sorry your post has not worked' .
            mysql_error() . '</p>';
        }
    ?>
Thank you in advance for any help. I know some of the coding must be messed up, but it does what it is supposed to; however, it doesn't do the little bits I need it to. lol

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Mon Jun 29, 2009 2:07 pm
by thewhinger
Any ideas? I keep testing different ideas but nothing seems to be working.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Mon Jun 29, 2009 5:32 pm
by thewhinger
lol, must be more complicated than I thought. Oh well, back to the drawing board.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Mon Jun 29, 2009 6:44 pm
by BornForCode
Problem solving:

Remove the JavaScript event (that onclick), or if you need that event, change the type of the button from type="submit" to type="button", because you are submitting the form twice.

To redirect:

 
if (@mysql_query($sql)) {
       header( 'Location: http://www.yoursite.com/confirmation.html' ) ;
       exit; // stop the script here so nothing after the redirect header runs
}
 
Now I must say that your solution is not very elegant; for example, you don't verify the information sent, and in case of some errors you don't give a proper message or re-populate the form.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Mon Jun 29, 2009 9:11 pm
by thewhinger
I will give it a go and let u know how I get on. Had a feeling u might say the thing about the elegance. Like I said tho, I am a real noob to this, so picking things up as I go along. Eventually I should be able to put bits and pieces together to improve the overall scripting and user-friendliness of the thing. Thanks for the help :)

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 12:06 am
by Benjamin
Forum Rules wrote:11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 5:57 am
by BornForCode
One of the most important qualities of the moderators is to bang our heads on the walls till we learn the rules :banghead:
I knew that this was a conspiracy but I had no proof; now I have one.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 8:33 am
by thewhinger
Glad the moderator pointed it out; in future I will say "you" instead of "u".

Or maybe I should do

$you = ['u'] at the top of my post. ;)

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 10:10 am
by thewhinger
Thanks for the help. I have followed the instructions, but still have an old problem of the confirmation page loading before I get to the form. Not sure where the problem is, but like I was told, my code isn't exactly tidy.

Here is the updated code:

 <?php
// connect to database
$db=mysql_connect("localhost","news","password") or die ("cant connect"); 
mysql_select_db("news",$db) or die ("cant change"); 
$news=mysql_query("SELECT * FROM News ORDER BY date DESC LIMIT 3") or die ("cant get em"); 
?>
<?php
// _POST Query for sending entered info to database
    if (isset($_POST['title']))
        $title = $_POST['title'];
        $description = $_POST['description'];
        $fullstory = $_POST['fullstory'];
        $author = $_POST['author'];
        $date = $_POST['TIMESTAMP'];
        $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
        
        if (@mysql_query($sql)) {
        header( 'Location: http://www.myexample.com/home.html' ) ;
        } else {
            echo '<p>Error Please go back and try again' .
            mysql_error() . '</p>';
        }
    ?>
I am getting there slowly, very slowly. Thanks for the help so far.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 11:02 am
by BornForCode
Fix it by doing this (you forgot to add brackets at the first if, and that's why the redirect was executed each time).
Also remember to escape the $_POST content to prevent malicious code (aka MySQL injection etc.).

 
 if (isset($_POST['title'])) {
        $title = $_POST['title'];
        $description = $_POST['description'];
        $fullstory = $_POST['fullstory'];
        $author = $_POST['author'];
        $date = $_POST['TIMESTAMP'];
        $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
       
        if (@mysql_query($sql)) {
        header( 'Location: http://www.myexample.com/home.html' ) ;
        exit; // stop here so the rest of the page is not sent after the redirect
        } else {
            echo '<p>Error Please go back and try again' .
            mysql_error() . '</p>';
        }
}
 

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 12:24 pm
by thewhinger
Thanks.

Escape it?

Sorry.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 12:29 pm
by BornForCode
Yes, always escape what you have received from forms, get etc.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 12:32 pm
by Eric!
http://php.net/mysql_real_escape_string

This prevents someone from deleting your database tables, or dumping out data, or injecting all sorts of naughty things that you never thought possible from such a simple form. Google "SQL injection cookbook" for examples.

I personally like to whitelist characters and reject input if they put in anything suspicious, but escaping will protect your database.

Re: Need Help - Simple Submit News Form Not Quite Right

Posted: Tue Jun 30, 2009 12:52 pm
by thewhinger
Getting my head around that took me to a new set of problems, but all needed tho.

Anyway, what I have done is below. I must add that before I did this, I was unable to submit the info into the database for some reason, and after I did the escape stuff nothing had changed, although no errors were shown.

<?php
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
// Have a look at SELECT FROM as may need something better.
$news=mysql_query("SELECT * FROM News ORDER BY date DESC LIMIT 3") or die ("cant get em"); 
?>
<?php
// _POST Query for sending entered info to database
         if (isset($_POST['title'])) {
         // mysql_real_escape_string() takes one string at a time (and needs an open
         // connection), so escape each field rather than passing the $_POST array
         $title = mysql_real_escape_string($_POST['title']);
         $description = mysql_real_escape_string($_POST['description']);
         $fullstory = mysql_real_escape_string($_POST['fullstory']);
         $author = mysql_real_escape_string($_POST['author']);
         $date = $_POST['TIMESTAMP'];
         $sql = "INSERT INTO News SET
        title='$title',
        description='$description',
        fullstory='$fullstory',
        author='$author'";
        
         if (@mysql_query($sql)) {
         header( 'Location: http://www.mysite.com/home.html' ) ;
         } else {
             echo '<p>Error Please go back and try again' .
             mysql_error() . '</p>';
         }
 }
    ?>
Very new to all this, and I guess I am going to have to add the escape to other stuff I have done that does work.
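As an added example that is not part of the thread, here is the handler from the posts above rewritten to cover all three points raised: blank posts are rejected server-side (point 2), the redirect happens only after a successful insert and then stops the script (point 1), and the values reach the database through a mysqli prepared statement, which does the job BornForCode and Eric! describe for mysql_real_escape_string() (and avoids the mistake in the last post, where the function was applied to the whole $_POST array instead of each string). The table and column names and the 30/15 limits on title and author come from the first post's form; the credentials, the confirmation URL and the length limits on the two text areas are assumptions.

```php
<?php
// Added example, not the thread's code: the same news handler with the three
// fixes discussed above. Credentials, the confirmation URL and the length
// limits on the two text areas are assumptions; table and column names, and
// the 30/15 limits on title/author, come from the form in the first post.
session_start();

$limits = ['title' => 30, 'description' => 2000, 'fullstory' => 20000, 'author' => 15];
$errors = [];
$clean  = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Point 2: reject blank fields server-side; the browser's maxlength is
    // only a hint, so enforce the length limits here as well.
    foreach ($limits as $name => $max) {
        $value = trim((string)($_POST[$name] ?? ''));
        if ($value === '') {
            $errors[] = "$name cannot be left blank";
        } elseif (strlen($value) > $max) {
            $errors[] = "$name is longer than $max characters";
        }
        $clean[$name] = $value;
    }

    if (!$errors) {
        $db = new mysqli('localhost', 'news', 'password', 'news'); // placeholder credentials
        // A prepared statement sends the values separately from the SQL text, so
        // quotes or comment markers in a field cannot change the query (this
        // replaces calling mysql_real_escape_string on every field).
        $stmt = $db->connect_error ? false : $db->prepare(
            'INSERT INTO News (title, description, fullstory, author) VALUES (?, ?, ?, ?)'
        );
        if ($stmt && $stmt->bind_param('ssss', $clean['title'], $clean['description'],
                                       $clean['fullstory'], $clean['author'])
                  && $stmt->execute()) {
            // Point 1: redirect after a successful POST and stop, so a refresh
            // of the confirmation page cannot resubmit the form.
            header('Location: /post-submitted.html'); // placeholder confirmation page
            exit;
        }
        $errors[] = 'Sorry, your post could not be saved';
    }
}

// GET, or a failed POST: show any errors (HTML-escaped, so submitted text cannot
// inject markup or script) and then render the form, re-populating it from $clean.
foreach ($errors as $e) {
    echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

When the form is rendered after this block, echo each re-populated field value through htmlspecialchars() as well, and do the same for the stories listed by the "SELECT * FROM News" query, since stored text is just as untrusted as submitted text.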