Member Avatar for davy_yg

This is my html:

<html>

Cross Site Scripting Security
<form action="komentar5.php" method="POST">
Nama:
<input type= "textbox" name="nama" /><br />
Email:
<input type= "textbox" name="email" /><br />

Komentar:<textarea name="comments" rows=10 cols=40></textarea><br />
<input type="submit" />
</form>

</html>

komentar5.php

<?php

$nama = isset($_POST['nama']) ? $_POST['nama'] : '';
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';

// escape output

$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
$newemail = htmlspecialchars($email,  ENT_QUOTES);

// filter input

echo $newnama.'<br>';
echo $newcomments.'<br>';
echo $newemail;

$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("phpexercise", $con);

mysql_query("INSERT INTO komentar (nama, email, komentar)
VALUES ($newnama, $newemail, $newcomments)");

mysql_close($con);

?>

For the result I only see them printed on screen but not in the database. The table still remains empty.

What's wrong with the codes?

Thanks.

  • 2 Contributors
  • 1 Reply
  • 140 Views
  • 13 Minutes Discussion Span
  • Latest Post Latest Post by pritaeas
Member Avatar for pritaeas

mysql_query("INSERT INTO komentar (nama, email, komentar)VALUES ($newnama, $newemail, $newcomments)");

Should be:

mysql_query("INSERT INTO komentar (nama, email, komentar) VALUES ('$newnama', '$newemail', '$newcomments')");
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.