This is my html:
<html>
Cross Site Scripting Security
<form action="komentar5.php" method="POST">
Nama:
<input type="text" name="nama" /><br />
Email:
<input type="text" name="email" /><br />
Komentar:<textarea name="comments" rows=10 cols=40></textarea><br />
<input type="submit" />
</form>
</html>
komentar5.php
<?php
$nama = isset($_POST['nama']) ? $_POST['nama'] : '';
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
// escape output
$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES);
$newemail = htmlspecialchars($email, ENT_QUOTES);
// filter input
echo $newnama.'<br>';
echo $newcomments.'<br>';
echo $newemail;
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("phpexercise", $con);
mysql_query("INSERT INTO komentar (nama, email, komentar)
VALUES ($newnama, $newemail, $newcomments)");
mysql_close($con);
?>
As a result, I only see them printed on screen, but not in the database. The table still remains empty.
What's wrong with the code?
Thanks.
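The INSERT in the question interpolates the three values into the SQL text without quotes, so the statement MySQL receives is not valid SQL, and because the return value of mysql_query() is never checked, the failure is silent. Below is an added example of the same handler, not the asker's code, that sends the values as bound parameters of a prepared statement instead of splicing them into the query, stores the raw input, and escapes only at output time for the HTML context. It assumes the same local MySQL server, the phpexercise database, and a komentar table with columns nama, email and komentar, exactly as in the question.

```php
<?php
// Added example, not the asker's code. Assumes MySQL on localhost with the
// phpexercise database and the komentar(nama, email, komentar) table from the question.
declare(strict_types=1);

// Escape once, at output time, for the HTML context the values are rendered into.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$nama     = $_POST['nama']     ?? '';
$email    = $_POST['email']    ?? '';
$comments = $_POST['comments'] ?? '';

// Make mysqli throw on any failure instead of returning false silently,
// which is what hid the syntax error in the original INSERT.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = new mysqli('localhost', 'root', '', 'phpexercise');
$con->set_charset('utf8mb4');

// Parameters travel separately from the SQL text, so quoting is handled by the
// driver and user input cannot change the statement's structure (no SQL injection).
$stmt = $con->prepare('INSERT INTO komentar (nama, email, komentar) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $nama, $email, $comments);
$stmt->execute();
$inserted = $stmt->affected_rows; // 1 on success
$stmt->close();
$con->close();

// The raw text is stored; HTML-escaping happens here, where it is rendered.
echo h($nama) . '<br>';
echo h($comments) . '<br>';
echo h($email) . '<br>';
echo 'Rows inserted: ' . $inserted;
```

Storing the raw input rather than the htmlspecialchars() output keeps the escaping tied to the output context: the same row can later be rendered in HTML, placed in an e-mail, or returned as JSON, each with its own encoding, without the data being double-escaped.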