Why Isn't My PHP Comment System Saving Data to MySQL Database?

SUMMARY

The thread concerns a PHP comment system, built with Dreamweaver and MySQL, whose form submissions never reach the database. Reading the posted code, several defects account for that: the form's action attribute is misspelled ("actio="), so the form has no action and the browser submits back to index.php, meaning post_comment.php never runs; post_comment.php reads $_POST["username"] and $_POST["comments"] while the form fields are named "name" and "comment"; index.php selects the "comments" database while post_comment.php selects "test"; and the INSERT string is assembled but never passed to mysql_query(), so nothing is written even when the handler does run. The reply raises a further problem: because raw POST data is interpolated straight into the SQL string, the handler is open to SQL injection.

PREREQUISITES
  • Basic understanding of PHP scripting
  • Familiarity with MySQL database operations
  • Knowledge of HTML form handling
  • Awareness of SQL injection vulnerabilities
NEXT STEPS
  • Learn how to execute SQL queries in PHP using MySQLi or PDO (the mysql_* extension used in the post was deprecated in PHP 5.5 and removed in PHP 7.0)
  • Research proper HTML form attributes and their significance
  • Understand how to implement prepared statements to prevent SQL injection
  • Explore debugging techniques for PHP and MySQL integration
USEFUL FOR

Web developers, particularly those working with PHP and MySQL, as well as anyone interested in building secure comment systems or troubleshooting database interactions.

Sumaya
I am making a comment system using Dreamweaver and MySQL, and the data I wrote in the text area did not save in the MySQL DB.
Below, the index page contains the general form to let the user write a comment, and post_comment.php sends the data.
Can you help me see why the data didn't get sent to my DB?

index.php
<?php
// Connects as root with no password; anything beyond a local experiment needs a
// dedicated low-privilege user. Note this page selects the "comments" database
// while post_comment.php below selects "test".
mysql_connect("localhost", "root", "");
mysql_select_db("comments");

$find_comments = mysql_query("SELECT * FROM comments");
?>
<html>
<body>
<h1>comment</h1>
<?php
while ($row = mysql_fetch_assoc($find_comments)) {
    $comment_name = $row['name'];
    $comment = $row['comments'];
    // Stored text is echoed without htmlspecialchars(), so any HTML in a comment is rendered as-is.
    echo "$comment_name - $comment <p>";
}
if (isset($_GET['error'])) {
    echo "<p>100 character limit";
}
?>
<!-- "actio" is a typo for "action": with no action attribute the form submits to
     index.php itself, so post_comment.php never runs. The field names used here
     ("name", "comment") also do not match the $_POST keys post_comment.php reads. -->
<form actio="post_comment.php" method="POST">
<input type="text" name="name" value="your name"><br>
<textarea name="comment" cols="50" rows="2">enter a comment </textarea>
<input type="submit" value="comment">
</form>
</body>
</html>

post_comment.php
<?php
// Same root/no-password connection; selects "test" while index.php reads "comments".
$con = mysql_connect("localhost", "root", "");
mysql_select_db("test");

// The form posts fields named "name" and "comment", so both of these keys are
// undefined here and the variables end up empty.
$name = $_POST["username"];
$comment = $_POST["comments"];
$comment_length = strlen($comment);
if ($comment_length > 100) {
    header("location: index.php?error=1");
} else {
    // The statement is built by interpolating raw POST data into the SQL string
    // (SQL injection) and is never passed to mysql_query(), so nothing is written.
    $sql = "INSERT INTO comments VALUES('$name','$comment')";
    header("location: index.php");
}
?>
 
Code:
$sql="INSERT INTO comments VALUES('$name','$comment')";
Because you did not execute the SQL? Don't you need to mysql_execute() it?

Also note that I can now **** up your database by entering the following comment:
Code:
'); DELETE FROM comments; INSERT INTO comments VALUES('You', 'have been hacked
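Added example, not code from the original post or the reply: the PHP below puts the thread's two points side by side, and also covers the "execute queries with PDO" and "prepared statements" items from the summary's next steps. buildUnsafeInsert() is the string-interpolated INSERT from post_comment.php, kept only to show the SQL text the reply's payload produces. saveComment() is the replacement a practitioner would write: a prepared statement through PDO that is actually executed, keeping the original 100-character limit and handling the over-limit case the original redirects on. So that it runs without a MySQL server, it uses PDO against an in-memory SQLite database; the DSN, the two-column schema (name, comments, the columns index.php reads), and the sample values are assumptions. For MySQL the DSN would become something like mysql:host=localhost;dbname=comments with a dedicated low-privilege user rather than root with an empty password. One caveat on the reply's payload: the legacy mysql_query() sends a single statement and does not allow stacked statements, so that particular input would make the INSERT fail with a syntax error rather than delete the rows. The flaw it illustrates is real regardless, since any quote in the input rewrites the SQL, and the fix is the same.

```php
<?php
// Added example; not code from the original thread. Contrasts the interpolated
// INSERT of the posted post_comment.php with a prepared-statement version that
// is actually executed. Uses an in-memory SQLite database through PDO so it runs
// offline; the DSN, schema and sample values below are assumptions.
declare(strict_types=1);

const MAX_COMMENT_LENGTH = 100;   // same limit the original post_comment.php enforces

/**
 * The vulnerable construction from the original post_comment.php, kept only to
 * show the SQL text it yields. Never send this string to a database.
 */
function buildUnsafeInsert(string $name, string $comment): string
{
    return "INSERT INTO comments VALUES('$name','$comment')";
}

/**
 * Open the database with exceptions enabled, so a failing query surfaces as an
 * error instead of a silent redirect. For MySQL the DSN would be e.g.
 * 'mysql:host=localhost;dbname=comments' with a dedicated non-root user (assumed),
 * and PDO::ATTR_EMULATE_PREPARES => false to get server-side prepares.
 */
function connect(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn, null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Schema assumed from the column names index.php reads ('name', 'comments').
    $db->exec('CREATE TABLE IF NOT EXISTS comments (
        name     VARCHAR(64)  NOT NULL,
        comments VARCHAR(100) NOT NULL
    )');
    return $db;
}

/**
 * Hardened replacement for the body of post_comment.php. Returns true when a
 * row was stored, false when the comment exceeds the limit (the case in which
 * the original redirects to index.php?error=1).
 */
function saveComment(PDO $db, string $name, string $comment): bool
{
    if (strlen($comment) > MAX_COMMENT_LENGTH) {
        return false;
    }
    // Placeholders keep the input out of the SQL text; the driver sends the
    // values separately, so quotes and semicolons in them are just data.
    $stmt = $db->prepare('INSERT INTO comments (name, comments) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);   // the step the original skipped
    return $stmt->rowCount() === 1;
}

/** Read rows back the way index.php does, as "name - comment" strings. */
function listComments(PDO $db): array
{
    $rows = $db->query('SELECT name, comments FROM comments')->fetchAll(PDO::FETCH_ASSOC);
    return array_map(fn(array $r): string => $r['name'] . ' - ' . $r['comments'], $rows);
}

// ---- Demonstration on constructed input -------------------------------------
// The payload quoted in the reply, used here as a constructed sample comment.
$payload = "'); DELETE FROM comments; INSERT INTO comments VALUES('You', 'have been hacked";

echo "SQL the original interpolation would build:\n";
echo buildUnsafeInsert('mallory', $payload), "\n\n";

$db = connect();
saveComment($db, 'alice', 'first post');
saveComment($db, 'mallory', $payload);   // stored verbatim as text; nothing in it is executed
$tooLong = saveComment($db, 'bob', str_repeat('x', MAX_COMMENT_LENGTH + 1));
echo 'Over-limit comment accepted? ', $tooLong ? 'yes' : 'no', "\n\n";

echo "Stored rows (escaped for HTML output, which index.php should also do):\n";
foreach (listComments($db) as $line) {
    echo htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
```

Run it with php from the command line. The first line printed is the statement the original interpolation would have produced for the reply's payload; the listing at the end shows that same payload sitting in the table as an ordinary row. Applying htmlspecialchars() on output is the companion fix for index.php, which echoes stored text raw.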