1

I make a pop-up form like this, in home.php :

<script src="js/submit.js"></script>

.........
.........
.........

<div id="abc">
<!-- Popup Div Starts Here -->

<div id="popupContact">
<!-- Form -->

<form action="#" id="form" method="post" name="form">

    <input id="month" name="month" placeholder="MONTH" type="text">
    <a href="javascript:%20check_empty()" id="submit">ADD</a>

</form>

</div>
<!-- Popup Div Ends Here -->
</div>

I fill the form. When I click 'ADD' button, it runs javascript function. The code in submit.js :

function check_empty() {
    if (document.getElementById('month').value == ""){
        alert("Fill column!");
    } else {
        document.getElementById('form').submit();   
        $.get("application/insertdata.php");
        return false;
    }
}

//Function To Display Popup
function div_show() {
document.getElementById('abc').style.display = "block";
}

//Function to Hide Popup
function div_hide(){
document.getElementById('abc').style.display = "none";
}

I want to run query in insertdata.php as below. It needs the value from 'month'.

<?php 
require("phpsqlajax_dbinfo.php");

$conn = mysqli_connect('localhost', $username, $password, $database);

if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
} 

$data = isset($_POST['month']);
$monthstring = mysqli_real_escape_string($conn, $data);

$sql = "INSERT INTO `databasea`.`tablea` (`MONTH`, `TEST`) VALUES ('". $monthstring ."', 'xxx');";

mysqli_query($conn, $sql);
mysqli_close($conn);
?>

The query run successfully, and row is added in my table. 'TEST' column is added with 'xxx'. But in 'MONTH' column, it generates no value, just empty.

So, how to get the 'month' value? Thank you.

Improve this question
7
  • 1
    First of all you need to study $.get function. See this link for $.get() api.jquery.com/jquery.get Commented Jun 24, 2016 at 12:57
  • 1
    Because of you did not pass data in post. Commented Jun 24, 2016 at 12:58
  • 3
    Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Commented Jun 24, 2016 at 12:58
  • 3
    You are posting the form with: document.getElementById('form').submit(); but you got no URL in the forms action, which means that it will post to itself. Then you do a $.get to the correct file... but $.get does a GET-request, not POST... and you're not sending any data. Commented Jun 24, 2016 at 12:59
  • 1
    I'm guessing your MONTH field is a string, but your $monthstring variable is a boolean because it's defined as the escaped version of $data = isset($_POST['month']); which is a boolean Commented Jun 24, 2016 at 13:01

3 Answers 3

Reset to default
2

Since you're using JavaScript/jQuery there is no real need for inline code in your HTML, so let's start there by removing the inline JavaScript:

<script src="js/submit.js"></script>

.........
.........
.........

<form action="#" id="form" method="post" name="form">

<input id="month" name="month" placeholder="MONTH" type="text">
<a href="#" id="submit">ADD</a>

</form>

Much cleaner, no? You weren't passing any data in your function call which may have caused problems for you down the line.

Now a simpler setup in your JavaScript/jQuery in which we'll capture the click event and pass the data via $.post:

$('#submit').click(function(event) {
    event.preventDefault(); // prevent the default click action
    var month = $('#month').val();
    if('' == month) {
        alert('fill the column!');
    } else {
        $.post("application/insertdata.php", {month: month}); // notice how the data is passed
    }
});

So far, so good, the code is much tighter and more readable and it actually posts the data from the form to the AJAX call.

Finally the PHP, testing to see if the variable month is set properly:

<?php 
    require("phpsqlajax_dbinfo.php");

    $conn = mysqli_connect('localhost', $username, $password, $database);

    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
    } 

    if(isset($_POST['month'])) {
        $data = $_POST['month'];
        $monthstring = mysqli_real_escape_string($conn, $data);
        $sql = "INSERT INTO `databasea`.`tablea` (`MONTH`, `TEST`) VALUES ('". $monthstring ."', 'xxx');";
        mysqli_query($conn, $sql);
    }

    mysqli_close($conn);
?>

NOTE: I am concerned that you might have more than one of these forms on your page and you may be duplicating ID's which will not work and the duplicate ID's will need to be removed. If this is the case the jQuery code I've written needs to be changed. Here is one way to do that:

$('a').click(function(event) {
    event.preventDefault(); // prevent the default click action
    var month = $(this).prev('input').val(); // get the input next to the link
    if('' == month) {
        alert('fill the column!');
    } else {
        $.post("application/insertdata.php", {month: month}); 
    }
});

As I stated in comments Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Changing to prepared statements will make your code cleaner and safer.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Just one small suggestion. Validate the $_POST['month'] before you open the DB-connection. No need to open it if the variable isn't set. :)
That's not a bad idea @MagnusEriksson, I was just trying not to modify the OP's code too much.
And $sql won't be set if the validation fails, but is used after. :) mysqli_query($conn, $sql); should be in the IF-statement.
Good catch @MagnusEriksson, I changed the code a little to reflect that.
hi @JayBlanchard thank you. I tried your code, but when I click ADD button, my pop-up form doesn't show up now. (I have edited my full code above in home.php and submit.js, take a look)
|
2

Hi use $data = $_POST['month'];

isset will return true or false not value of month

Improve this answer

Comments

2

Replace 

$data = isset($_POST['month']);

by

if(isset($_POST['month'])) {
   $data=$_POST['month'];
}
Improve this answer

1 Comment

There are so many other things wrong with the code before things even get here.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.