PHP & MYSQL Database Insertion Blank

OK so I am new to php,ajax and mysql and I have searched the forum trying everything but still nothing..I know it's some simple mistake but as it stands my code is entering blank info into the database through my forms but when I type the string directly in the query it appears in the database, please help me

PS I know it might not be the most secure code but that's not the issue at hand

                  function message(){


    alert("You are about to compose a message");
    var stuff=[
        '<div id ="compose_window">',
        '<div id="new_message">',
        '<div id="header"><strong> New Message </strong></div>',
        '</div>',

    '<form action="" method= "post">',
    '<fieldset>',
    '<strong>To</strong><br> <input type="text" id ="recipient" name="recipient" class="textfield"> <br>',
    '<strong>Subject</strong><br> <input type="text" id="subject" name="subject" class="textfield"> <br><br>',
    '<strong>Message</strong><br> <textarea  id = "content" name="content" cols="40" rows="5"></textarea> <br>',
    '<button id="send" type="button" onclick= loadXMLDoc()> <strong> Send </strong> </button>',
    '</fieldset>',
        '</form>',
        '</div>',
        '<div id="Response"></div>',

    ].join('');

    document.getElementById("area").innerHTML= stuff;




}
    function loadXMLDoc()
{
var xmlhttp;
if (window.XMLHttpRequest)
  {// code for IE7+, Firefox, Chrome, Opera, Safari
  xmlhttp=new XMLHttpRequest();
  }

xmlhttp.onreadystatechange=function()
  {
  if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
    document.getElementById("ajaxResponse").innerHTML=xmlhttp.responseText;
    }
  }
xmlhttp.open("GET","send.php",true);
xmlhttp.send();
}

and this is the php for the insertion

<?php
$con=mysqli_connect("127.9.52.129","boballen","","cheapomail");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql="INSERT INTO messages (subject, recipient_ids, body)
VALUES
('$_POST[subject]','$_POST[recipient]','$_POST[content]')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "Message Sent 1 record added";

mysqli_close($con);
?>

Answers


Your code is vulnerable to SQL injection, please use prepared statements or escape the variables before using them in the query. The reason, why you get empty row when inserting, is this:

you are using $_POST array in your query, while sending the data through GET request in Ajax:

xmlhttp.open("GET","send.php",true);

use $_GET instead of $_POST:

$sql = "INSERT INTO messages (subject, recipient_ids, body)
VALUES (?,?,?)";

if ($stmt = $mysqli->prepare($sql)) {

    /* bind parameters for markers */
    $stmt->bind_param("sss", $_GET['subject'],$_GET['recipient'],
                      $_GET['content']);

    /* execute query */
    $stmt->execute();
}
Ajax

You are also not sending GET parameters in Ajax request. Try adding them, using something like this:

subject = encodeURIComponent(document.getElementById("subject").value);
recipient = encodeURIComponent(document.getElementById("recipient").value);
content = encodeURIComponent(document.getElementById("content").value);
xmlhttp.open("GET","send.php?subject=" + subject + "&recipient=" 
             + recipient + "&content=" + content,true);

Where you get subject, recipient and content variables from the appropriate inputs on your page.


In the query use the check mark:

if(isset($_POST[subject]) && isset($_POST[recipient]) && isset($_POST[content])) {
$sql="INSERT INTO messages (subject, recipient_ids, body)
VALUES
('$_GET[subject]','$_GET[recipient]','$_GET[content]')";
}

And you are not sending any data in the xmlhttp.send(); you need to send the data to get the data on posted page.


Need Your Help

Defining a function with multiple implicit arguments in Scala

scala

How can I define a function with multiple implicit arguments.