Write JS to the database with $_POST

0

Hello.

I have a PHP script that executes an INSERT in a table in my database.

The $_POST['txt_mensagem'] entry shown in the code should accept JS content, but it is empty after the submit. It should accept, for example, a simple alert('ola').

I looked in the PHP manual how to accept an unsafe string in POST but did not find anything about it.

Thank you in advance for your attention.

<?php
session_start();
include("dados_conexao.php");

if ($_POST)
{
    echo 'valor: ' . $_POST['txt_mensagem'];
    try { // try to open the connection and run the INSERT
        $conecta = new PDO("mysql:host=$servidor;dbname=$banco", $usuario, $senha); // instantiate the PDO class
        $comandoSQL = "INSERT INTO tb_mensagens (de, para, mensagem) VALUES ('$_POST[txt_de]', '$_POST[txt_para]', '$_POST[txt_mensagem]');";
        echo $comandoSQL;
        $grava = $conecta->prepare($comandoSQL); // prepare the SQL statement
        $grava->execute(array());
    } catch (PDOException $e) { // if an error is thrown
        echo('Deu erro: ' . $e->getMessage());
    }
}
?>

Form

<form method="POST">
    <label for="de">De: </label>
    <input type="text" name="de">

    <label for="para">Para: </label>
    <input type="text" name="para">

    <label for="mensagem">Mensagem: </label>
    <input type="text" name="mensagem">

    <button type="submit">Enviar</button>
</form>
    
asked by anonymous 28.09.2016 / 19:28

1 answer

0

First, to detect if the form has been posted, use:

if ($_SERVER['REQUEST_METHOD'] === 'POST'){

The name of your field in the form is mensagem and not txt_mensagem, so the line echo 'valor: ' . $_POST['txt_mensagem']; does not work.

In the QUERY assembly, in addition to the wrong names, arrays in a string must be enclosed in parentheses, and the quotation marks in the field names are also missing ...

Replace:

$comandoSQL = "INSERT INTO tb_mensagens (de, para, mensagem) VALUES ('$_POST[txt_de]', '$_POST[txt_para]', '$_POST[txt_mensagem]');";

By:

$comandoSQL = "INSERT INTO tb_mensagens (de, para, mensagem) VALUES ('{$_POST['de']}', '{$_POST['para']}', '{$_POST['mensagem']}');";

Your revised PHP code:

<?php
session_start();
include("dados_conexao.php");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $_POST['de'] = addslashes($_POST['de']);
    $_POST['para'] = addslashes($_POST['para']);
    $_POST['mensagem'] = addslashes($_POST['mensagem']);
    echo 'valor: ' . $_POST['mensagem'];
    try { // try to open the connection and run the INSERT
        $conecta = new PDO("mysql:host=$servidor;dbname=$banco", $usuario, $senha); // instantiate the PDO class

        $comandoSQL = "INSERT INTO tb_mensagens (de, para, mensagem) VALUES ('{$_POST['de']}', '{$_POST['para']}', '{$_POST['mensagem']}');";

        echo $comandoSQL;

        $grava = $conecta->prepare($comandoSQL); // prepare the SQL statement
        $grava->execute(array());
    } catch (PDOException $e) { // if an error is thrown
        echo('Deu erro: ' . $e->getMessage());
    }
}
?>

If you have any questions or find errors regarding this question, just comment below.

    
29.09.2016 / 15:26
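The question asks how to store a string such as alert('ola') verbatim, and the answer above builds the SQL by interpolating the escaped $_POST values into the query string. The following is an added example, not code from the question or the answer: it binds the three form fields as PDO parameters, so the message (including quotes, semicolons and script tags) is stored as data and never becomes part of the SQL grammar, and it escapes the value with htmlspecialchars only at the point where it is echoed back into a page, so a stored script is displayed rather than executed in the viewer's browser. The functions salvarMensagem and lerMensagem, the in-memory SQLite database (standing in for the MySQL DSN on the page) and the $entrada array standing in for $_POST are all assumptions constructed for this example.

```php
<?php
// Added example (not from the question or answer): store raw POST values with
// a parameterised PDO statement instead of interpolating them into the SQL.
// An in-memory SQLite database is used so the script runs offline; the real
// handler would use the MySQL DSN from dados_conexao.php.
declare(strict_types=1);

function salvarMensagem(PDO $conecta, string $de, string $para, string $mensagem): int
{
    // Named placeholders keep user input out of the SQL grammar: quotes,
    // semicolons and <script> tags in $mensagem are stored exactly as sent.
    $grava = $conecta->prepare(
        'INSERT INTO tb_mensagens (de, para, mensagem) VALUES (:de, :para, :mensagem)'
    );
    $grava->execute([':de' => $de, ':para' => $para, ':mensagem' => $mensagem]);
    return (int) $conecta->lastInsertId();
}

function lerMensagem(PDO $conecta, int $id): ?array
{
    $busca = $conecta->prepare('SELECT de, para, mensagem FROM tb_mensagens WHERE id = :id');
    $busca->execute([':id' => $id]);
    $linha = $busca->fetch(PDO::FETCH_ASSOC);
    return $linha === false ? null : $linha;
}

// Constructed in-memory schema mirroring the table and column names on the page.
$conecta = new PDO('sqlite::memory:');
$conecta->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conecta->exec(
    'CREATE TABLE tb_mensagens (id INTEGER PRIMARY KEY AUTOINCREMENT, de TEXT, para TEXT, mensagem TEXT)'
);

// Constructed sample input standing in for $_POST. In the real handler, check
// $_SERVER['REQUEST_METHOD'] === 'POST' first and read $_POST['de'] ?? '' etc.,
// so a missing field yields an empty string instead of an undefined-index notice.
$entrada = [
    'de'       => "o'brien",                       // apostrophe that would break naive interpolation
    'para'     => 'bob',
    'mensagem' => "<script>alert('ola')</script>", // the JS text the question wants to keep
];

$id    = salvarMensagem($conecta, $entrada['de'], $entrada['para'], $entrada['mensagem']);
$linha = lerMensagem($conecta, $id);

// The values round-trip unchanged: no addslashes, no backslashes added, no content lost.
if ($linha === null || $linha['mensagem'] !== $entrada['mensagem'] || $linha['de'] !== $entrada['de']) {
    throw new RuntimeException('stored row does not match the submitted input');
}

// Escape at output time, not at storage time: the browser receives the script
// as text, so what was saved cannot run in another user's session.
echo 'valor: ' . htmlspecialchars($linha['mensagem'], ENT_QUOTES, 'UTF-8') . PHP_EOL;
```

Two design points: escaping belongs to the context where the data is used (parameter binding for SQL, htmlspecialchars for HTML), not to the moment it arrives in $_POST, which is why the example never modifies the submitted values; and PDO's emulated prepares should be turned off against MySQL (PDO::ATTR_EMULATE_PREPARES set to false) so the binding is done by the server rather than by client-side quoting.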