
When I save a form from HTML to PHP and finally store it in MySQL, somewhere along that line it saves the var= including what comes after the =.

Here is my html:

    <form action="searchResultsSave.php" method="POST">
      What are we looking for? <input type="text" name="searchVar" />
      <input type="submit" value="Submit">
    </form>

Php:

    $searchVar = file_get_contents('php://input');

    $sql = "INSERT INTO g_information(searchVar) VALUES ('$searchVar')";

    if ($conn->query($sql) === TRUE) {
        echo "New record created successfully";
    } else {
        echo "Error: " . $sql . "<br>" . $conn->error;
    }

Finally my output in mysql is: "searchVar=cars" when it should just be "cars".

Where do you think I went wrong?

Comments:

  • You have a SQL injection vulnerability. Commented Nov 10, 2017 at 16:21
  • I am not a PHP person, it should be $_POST['searchVar'] not all the post params.... Commented Nov 10, 2017 at 16:24
  • Why use the input stream? Using parameterized queries would be better. Please only tag languages being used. Commented Nov 10, 2017 at 16:25
  • What is the purpose of file_get_contents() and "php://input" where no file object is submitted? Commented Nov 10, 2017 at 16:28

2 Answers

    $searchVar = file_get_contents('php://input');

should be

    $searchVar = $_POST['searchVar'];

This way you get the value of the search term.


You should read the input variable from the form:

    <?php
    // The key matches the name="searchVar" attribute of the form's text input.
    $searchVar = $_POST["searchVar"];
    ?>

Then do some validation on the input, making sure no illegal characters are entered and the data is safe to store in the MySQL database:

    <?php
    $_POST['searchVar'] = filter_var($_POST['searchVar'], FILTER_SANITIZE_STRING);
    // Build the INSERT by concatenating the (sanitized) value into the query string.
    $sql = "INSERT INTO g_information(searchVar) VALUES ('" . $_POST['searchVar'] . "')";
    ?>

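A version of searchResultsSave.php that combines the answers' fix (read the field from $_POST) with the parameterized query the comments ask for, added here as an example; it is not code from the question or either answer, and it assumes an open mysqli connection in $conn and the g_information(searchVar) table named in the question:

```php
<?php
// Added example, not the question's or the answers' code.
// Assumes: $conn is a connected mysqli object; table g_information has a
// VARCHAR column searchVar (both taken from the question).
declare(strict_types=1);

// For a form posted as application/x-www-form-urlencoded, php://input holds the
// raw body, e.g. "searchVar=cars" (constructed sample) -- exactly the string the
// question ended up storing. PHP has already decoded that body into $_POST, so
// read the one field the form defines; ?? avoids a notice when it is missing.
$searchVar = $_POST['searchVar'] ?? '';

// Validation enforces the application's rules (non-empty, bounded length).
// It is not what makes the value safe for SQL; the prepared statement does that.
if ($searchVar === '' || mb_strlen($searchVar) > 200) {
    http_response_code(400);
    exit('searchVar must be between 1 and 200 characters');
}

// The placeholder keeps the SQL text fixed; bind_param sends the value to
// MySQL separately, so quotes or comment sequences in the input stay data.
$stmt = $conn->prepare('INSERT INTO g_information (searchVar) VALUES (?)');
if ($stmt === false) {
    http_response_code(500);
    exit('Statement could not be prepared');
}
$stmt->bind_param('s', $searchVar);   // 's' binds the value as a string

if ($stmt->execute()) {
    echo 'New record created successfully';
} else {
    // Keep driver error text out of the browser; log it server-side instead.
    error_log('g_information insert failed: ' . $stmt->error);
    http_response_code(500);
    echo 'Error: the record could not be saved';
}
$stmt->close();
```

The same pattern applies to any other field the form grows later: one placeholder per value, one bind_param type character per placeholder.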
