This is my html:


Cross Site Scripting Security
<form action="komentar5.php" method="POST">
<input type= "textbox" name="nama" /><br />
<input type= "textbox" name="email" /><br />

Komentar:<textarea name="comments" rows=10 cols=40></textarea><br />
<input type="submit" />




$nama = isset($_POST['nama']) ? $_POST['nama'] : '';
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';

// escape output

$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
$newemail = htmlspecialchars($email,  ENT_QUOTES);

// filter input

echo $newnama.'<br>';
echo $newcomments.'<br>';
echo $newemail;

$con = mysql_connect("localhost","root","");
if (!$con)
  die('Could not connect: ' . mysql_error());

mysql_select_db("phpexercise", $con);

mysql_query("INSERT INTO komentar (nama, email, komentar)
VALUES ($newnama, $newemail, $newcomments)");



For the result I only see them printed on screen but not in the database. The table still remains empty.

What's wrong with the codes?


mysql_query("INSERT INTO komentar (nama, email, komentar)VALUES ($newnama, $newemail, $newcomments)");

Should be:

mysql_query("INSERT INTO komentar (nama, email, komentar) VALUES ('$newnama', '$newemail', '$newcomments')");
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.