Help needed-mysql-php

So I am a high schooler and I have this subject, something like an intro to programming.
And the other day we got an assignment to create a page which will send data from a form that is located on the page to a MySQL database table and then read that sent data and write it on the page. It is something like a chat: you send your message and username, those get sent to the database table and then written on the original page. Now my problem is that my database table will not accept any data which I type in the form. I mean I don't know if it's the code or my database and my table in MySQL.
The program did work until I deleted/dropped a few rows from my table, could that be the problem? The variables and all the names are in my native language.
Could someone help me find the problem and a solution, please?

Here is the code:

<body>
<?php
    error_reporting(0);
    $server = 'localhost';
    $korisnik = 'mojkorisnik';
    $pass = 'mojalozinka';
    $baza = 'mojabaza';
    $conn = mysqli_connect($server, $korisnik, $pass, $baza);
    if (!$conn) {
        die("Connection failed: " . mysql_error());
    }
    $por = $_POST["poruka"];
    $im = $_POST["ime"];

    $rezultat = mysqli_query($conn, "SELECT * FROM mojeporuke");
    $brojredova = mysqli_num_rows($rezultat);
?>
<div id="okolo">
<div id="zaglavlje"><img src="slike/logo.jpg" width="257" height="100" alt="logo" />
</div>
<div id="sadrzaj">
  <p>Dobro došli u našu knjigu gostiju!<br />
      Možete ostaviti i svoju poruku!</p>
    <?php 
        if($brojredova){
    ?>
<table width="630" border="0" cellspacing="1" class="tablica">
    <tr class="naslovni">
      <td width="20">ID</td>
      <td width="380">Poruka</td>
      <td>Poslao</td>
    </tr>
       <?php
        while ($red = mysqli_fetch_array($rezultat)) {
            echo "<tr class=\"ostali\"><td>" . $red['id'] . "</td><td>" . $red['poruka'] . "</td><td>" . $red['poslao'] . "</td></tr>";
        }
       ?>
  </table>
<?php
        } else {
            echo '<p>Još nema poruka!</p>';
        }
    if ($im == "" or $por == "") {
        echo "Greška: Niste ispunili sva polja!";
    } else {
        $upis = mysqli_query($conn, "INSERT INTO mojeporuke (id,poslao,poruka) VALUES ('$brojredova','$im', '$por')");
    }
?>
  <form id="form1" name="form1" method="post" action="index.php">
    <p>
      <label for="poruka">Poruka</label>
      <textarea name="poruka" id="poruka" cols="35" rows="3"></textarea>
    </p>
    <p>
      <label for="ime"> Ime</label>
      <input name="ime" type="text" id="ime" size="35" />
      <input name="bio" type="hidden" id="bio" value="da" />
    </p>
    <p>
      <input type="submit" name="posalji" id="posalji" value=" Pošalji " onsubmit="return checkForm()" />
    </p>
  </form>
    
  <p>&nbsp;</p>
  <p>&nbsp;</p>
  
</div>
<div id="dole">
&copy;knjiga gostiju za laboratorijske vježbe 4.h i 3.F razreda </div>
</div>
<?php 
 mysqli_close($conn);
?>
</body>
</html>

The two most important things you need to ALWAYS do when programming are -

  1. Have php’s error-related settings set to report and display or log all errors, so that php will help you. Error_reporting should always be set to E_ALL and either display_errors should be set to ON or log_errors should be set to ON. These settings should be in the php.ini on your system.
  2. Have error handling for all statements that can fail. For database statements (connection, query, prepare, and execute), the easiest way of adding error handling, without having to add logic for each statement that can fail, is to simply enable exceptions for errors and in most cases let php catch and handle the exception, where it will use its error-related settings (see the above item) to control what happens with the actual error information. You should then remove any error-related settings from your code (setting error_reporting to zero is the opposite of what you would want to do when trying to learn programming) and remove any existing error handling logic for the database statements (your connection error handling, converted from some old mysql_ based code, won’t work as written.)

To enable exceptions for errors for the mysqli extension, add the following line of code before the point where you make the database connection -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

Your program is doing something illogical, which the above items will let you find.

Next, security in a web application is actually more important than getting the code to function. You have to protect your server and protect the users on your site. Even if you are just starting to learn, it’s important that the code you write is secure. For the code you currently have, here are three points concerning security -

  1. You should NOT unconditionally output database statement errors on a live web page, as this gives hackers useful information when they intentionally trigger errors. You can accomplish this by using exceptions for errors, as mentioned above, and display errors only when learning, developing, and debugging code/queries or log errors when on a live/public server.
  2. You should NOT put external/unknown data directly into an sql query statement. Use prepared queries with place-holders in the sql query statement for each value, then supply the data when the query gets executed. Unfortunately, the php mysqli extension is overly complicated and inconsistent, especially when dealing with prepared queries, and you should switch to the much simpler php PDO extension.
  3. Any data that came from an external source should have htmlentities() applied to it when it is being output on a web page, to help prevent cross site scripting.

Each of these items is actually simple to learn and use and should have been covered before expecting you to write code that uses form data with a query and displays dynamic data on a web page.

1 Like
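To make the three security points and the exception advice concrete, here is the same guestbook rewritten as a single index.php. This is an added example, not the original poster's code and not code from the answerer; it uses the placeholder credentials, table name and column names from the question, and assumes the table was created with an AUTO_INCREMENT primary key (CREATE TABLE mojeporuke (id INT AUTO_INCREMENT PRIMARY KEY, poslao VARCHAR(100), poruka TEXT)). The helper e() is a name chosen for this example.

```php
<?php
// Added example (not the poster's or the answerer's code): the guestbook from the
// question rewritten with PDO, exceptions enabled, a prepared INSERT, and
// htmlentities() on every value that came from a user.
// Assumed table: CREATE TABLE mojeporuke (id INT AUTO_INCREMENT PRIMARY KEY,
//                                         poslao VARCHAR(100), poruka TEXT);
// Credentials are the placeholders from the question.
declare(strict_types=1);

$dsn  = 'mysql:host=localhost;dbname=mojabaza;charset=utf8mb4';
$user = 'mojkorisnik';
$pass = 'mojalozinka';

// ERRMODE_EXCEPTION: any failing connection/prepare/execute throws, so there is no
// per-statement "if (!$result)" logic; php.ini decides whether the error is
// displayed (development) or logged (live server).
$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Output-escaping helper (hypothetical name): applied to everything external
// that is written into HTML, to prevent cross-site scripting.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$greska = '';

// 1. Handle the submitted form first, so the new row is part of the listing below.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ime    = trim($_POST['ime'] ?? '');
    $poruka = trim($_POST['poruka'] ?? '');

    if ($ime === '' || $poruka === '') {
        $greska = 'Niste ispunili sva polja!';
    } else {
        // Placeholders: the SQL text never contains user data, so quotes or SQL
        // keywords typed into the form cannot alter the statement. id is left to
        // AUTO_INCREMENT rather than derived from a row count.
        $stmt = $pdo->prepare('INSERT INTO mojeporuke (poslao, poruka) VALUES (?, ?)');
        $stmt->execute([$ime, $poruka]);

        // Post/Redirect/Get: a browser refresh will not re-submit the message.
        header('Location: ' . $_SERVER['PHP_SELF'], true, 303);
        exit;
    }
}

// 2. Read all messages; this query contains no external data, so query() is fine.
$poruke = $pdo->query('SELECT id, poslao, poruka FROM mojeporuke ORDER BY id')->fetchAll();
?>
<!DOCTYPE html>
<html lang="hr">
<head><meta charset="utf-8"><title>Knjiga gostiju</title></head>
<body>
<p>Dobro došli u našu knjigu gostiju!<br>Možete ostaviti i svoju poruku!</p>

<?php if ($greska !== ''): ?>
  <p>Greška: <?= e($greska) ?></p>
<?php endif; ?>

<?php if ($poruke): ?>
<table class="tablica">
  <tr class="naslovni"><td>ID</td><td>Poruka</td><td>Poslao</td></tr>
  <?php foreach ($poruke as $red): ?>
  <tr class="ostali">
    <td><?= (int) $red['id'] ?></td>
    <td><?= e($red['poruka']) ?></td> <!-- stored text may contain HTML or script -->
    <td><?= e($red['poslao']) ?></td>
  </tr>
  <?php endforeach; ?>
</table>
<?php else: ?>
  <p>Još nema poruka!</p>
<?php endif; ?>

<form method="post" action="">
  <p><label for="poruka">Poruka</label>
     <textarea name="poruka" id="poruka" cols="35" rows="3"></textarea></p>
  <p><label for="ime">Ime</label>
     <input name="ime" type="text" id="ime" size="35"></p>
  <p><input type="submit" name="posalji" value="Pošalji"></p>
</form>
</body>
</html>
```

Two design choices worth noting. The INSERT runs before the SELECT, so a message appears on the page that is rendered right after it is submitted, instead of only on the next load. And the id is never computed from mysqli_num_rows(): if id is a primary key, a value derived from the current row count will collide with an existing row as soon as any earlier row has been deleted, and with error_reporting(0) and no check on the INSERT result that failure is invisible, which is exactly the kind of problem the exception setup above makes php report.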