Member Avatar for shivya_1

Hello to all,

I am working on a project of job posting. There is a table in database. I have a html form and postcode.php (there will be code) ,
I am facing a problem with this code.

My html form code:-

 <form name="posting"  action="postcode.php"> <table class="table"> <h4>Job Details: <span>specify details of the position/job you are going to post.</span> <tbody></h4> <tr> <td>Job title / Designation : </td> <td><input type="text" name="title" placeholder="E.g. Php Developer, Web Designer"></td> </tr> <tr> <td>No. of Vacancies : </td> <td><input type="number" name="vacancy" ></td> </tr> <tr> <td>Keywords : </td> <td><input type="text" name="keywords" placeholder="E.g. Php Developer, Web Designer"></td> </tr> <tr> <td>Location of the job : </td> <td><input type="text" name="location" placeholder="E.g. Delhi, Noida, Gurgaon, Kolkata, Pune"></td> </tr> <tr> <td>Industry type : </td> <td><select name="industry"><option>Select Industry Type</option><option>Accounting/Finance</option><option>Agents</option><option>Analytics & Business Intelligence</option><option>Architecture/Interior Design</option><option>Banking/Finance</option><option>BPO</option><option>IT Services</option></select></td> </tr> <tr> <td>Functional Area : </td> <td><input type="text" name="area"></td> </tr> <tr> <td colspan="2"><input type="submit" name="submit" value="save"/></td> </tr> </tbody> </table> </form>

** Postcode.php:-**

<?php

include ("../connection.php");

 if(isset($_POST['submit']))
 {
$title = $_POST['title'];
$vacancy = $_POST['vacancy'];
$keywords = $_POST['Keywords'];
$location = $_POST['location'];
$industry = $_POST['industry'];
$area = $_POST['area'];

$sql = "INSERT INTO 'jobposting'('job_title', 'vacancies', 'keywords', 'location', 'indutry_type', 'Functional_Area') values('$title', '$vacancy', '$keywords', '$location', '$industry', '$area')";

if($conn->query($sql) === true)
{
    echo "Job Posted.";
}
else
{
    echo "Error posting job:".$conn->error;
}
}

?>

**Sql table columns:-**

SELECT `job_title`, `vacancies`, `keywords`, `location`, `industry_type`, `functional_area` FROM `job_detail` WHERE 1

There are not any error but my values are not inserting.
Please help me out and sorry for any grammatical mistake.

Edited by shivya_1
  • 2 Contributors
  • 7 Replies
  • 259 Views
  • 3 Hours Discussion Span
  • Latest Post Latest Post by Traevel

Recommended Answers

All 7 Replies

Member Avatar for Traevel

You're inserting user input directly into the database. In other words, any user who uses that form can do whatever they want inside your database. You should use mysqli or PDO instead of mysql.

You're also inserting into the jobposting table, but selecting from the job_detail table. Also, we can't see what's in include ("../connection.php");. But because it's using the unsafe mysql there's no real point in fixing this issue until you've switched to either mysqli or PDO. A lot of people here will help you with that if you run into problems converting to one of the two safer methods.

Member Avatar for shivya_1 
<?php

include ("../connection.php");

 if(isset($_POST['submit']))
 {

$title=mysqli_real_escape_string($_POST['title']);
$keywords=mysqli_real_escape_string($_POST['keywords']);
$location=mysqli_real_escape_string($_POST['location']);
     $industry=mysqli_real_escape_string($_POST['industry']);
     $area=mysqli_real_escape_string($_POST['area']);

$sqli = "INSERT INTO 'job_detail'('job_title', 'vacancies', 'keywords', 'location', 'indutry_type', 'Functional_Area') values('$title', '$vacancy', '$keywords', '$location', '$industry', '$area')";

if($conn->query($sqli) == true)
{
    echo "Job Posted.";
}
else
{
    echo "Error posting job:".$conn->error;
}
}

?>

"connection.php"

<?php 
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "shivya";

$conn = new mysqli($servername, $username, $password, $dbname);

if($conn -> connect_error)
{
echo "error occured: ".$conn -> connect_error;
}
else
{
    echo "connection established.";
}

?>
Edited by shivya_1
Member Avatar for Traevel

In your insert statement I'm seeing indutry_type, which I think should be industry_type and Functional_Area which should probably be functional_area.

It's even better if instead of mysqli_real_escape_string you used prepared statements.

Like:

// prepare the query statement
$stmt = $conn->prepare("INSERT INTO 'job_detail' ('job_title', 'vacancies', 'keywords', 'location', 'industry_type', 'functional_area') values(?, ?, ?, ?, ?, ?)");

// 6 string params, so 6 times 's' and 'strval'
$stmt->bind_param('ssssss', strval($title), strval($vacancy), strval($keywords), strval($location), strval($industry), strval($area));

// execute the query statement
$stmt->execute();

// close statement
$stmt->close();
Member Avatar for shivya_1 
<?php

include ("../connection.php");

 if(isset($_POST['submit']))
 {

$vacancy=$_POST['vacancy'];
$title=$_POST['title'];
$keywords=$_POST['keywords'];
$location=$_POST['location'];
     $industry=$_POST['industry'];
     $area=$_POST['area'];

$stmt = $conn->prepare("INSERT INTO 'job_detail' ('job_title', 'vacancies', 'keywords', 'location', 'industry_type', 'functional_area') values('$title','$vacancy','$keywords','$location','$industry','$area')");

$stmt->execute();

if($conn->query($sqli) == true)
{
    echo "Job Posted.";
}
else
{
    echo "Error posting job:".$conn->error;
}
 $stmt->close();    
}

?>
Member Avatar for Traevel

Now you went back a step again, directly inserting the $_POST variables into the query. Replace the variables in the query with ? and bind them like:

$stmt->bind_param('ssssss', strval($title), strval($vacancy), strval($keywords), strval($location), strval($industry), strval($area));

Is it still not working without giving you errors?

Member Avatar for shivya_1 
 <?php
    include ("../connection.php");
     if(isset($_POST['submit']))
     {
    $vacancy=$_POST['vacancy'];
    $title=$_POST['title'];
    $keywords=$_POST['keywords'];
    $location=$_POST['location'];
         $industry=$_POST['industry'];
         $area=$_POST['area'];

             $stmt->bind_param('ssssss', strval($title), strval($vacancy), strval($keywords), strval($location), strval($industry), strval($area));
    $stmt = $conn->prepare("INSERT INTO 'job_detail' ('job_title', 'vacancies', 'keywords', 'location', 'industry_type', 'functional_area') values('$title','$vacancy','$keywords','$location','$industry','$area')");
    $stmt->execute();
    if($conn->query($sqli) == true)
    {
        echo "Job Posted.";
    }
    else
    {
        echo "Error posting job:".$conn->error;
    }
     $stmt->close();    
    }
    ?>

My problem is still same.

Member Avatar for Traevel

This

$stmt->bind_param('ssssss', strval($title), strval($vacancy), strval($keywords), strval($location), strval($industry), strval($area));
$stmt = $conn->prepare("INSERT INTO 'job_detail' ('job_title', 'vacancies', 'keywords', 'location', 'industry_type', 'functional_area') values('$title','$vacancy','$keywords','$location','$industry','$area')");

Needs to be 

$stmt = $conn->prepare("INSERT INTO 'job_detail' ('job_title', 'vacancies', 'keywords', 'location', 'industry_type', 'functional_area') values(?,?,?,?,?,?)");
$stmt->bind_param('ssssss', strval($title), strval($vacancy), strval($keywords), strval($location), strval($industry), strval($area));

Also, you should be getting a general PHP error because in if($conn->query($sqli) == true) you're sending an object that doesn't exist anymore: $sqli;

Did you add a line like display_errors = on to your php.ini? Otherwise you won't see errors of any kind.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.