
Why won't this Insert INTO Work ? Php

// This is the file that is giving the error, not the form below

<?php
// Insert Comments into Database that user provides
$comm = mysql_real_escape_string($_POST['addComment']);

// following line has changed:
$pID4 = filter_var( $_POST['pID'], FILTER_SANITIZE_STRING );

$cID = mysql_real_escape_string($_POST['courseInfoDD']);
$username = "###";
$password = "###";
$pdo4 = new PDO('mysql:host=localhost;dbname=###', $username, $password);
$pdo4->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$sth4 = $pdo4->prepare('INSERT INTO Comment (info, pID, cID) VALUES(?,?,?);'); 
$sth4->execute(array($comm, $pID4, $cID ));

?>

Form

<input type='text' id='addComment' name='addComment' tabindex='3' value='Enter comment' />
<input type='hidden' name='pID' value='<?php echo $pID ?>'>
</form>

ERROR Received:

*No error is received upon load, but once I type something in and press enter it gives me a blank page saying 'no pID specified' ?? Please help!*

To directly answer your question, you'll need to add the pID to the request data, either via the form action (though this parameter will show in the $_GET array instead of $_POST)

<form action="inc/q/prof.php?pID=<?php echo $pID ?>" method="post">

or via a form element (will be part of the $_POST array)

<input type="hidden" name="pID" value="<?php echo $pID ?>">

Now, a further consideration...

You don't need to apply db string escaping ( mysql_real_escape_string() ) when using PDO prepared statements with bound parameters. The act of binding a parameter or value takes care of that for you.


To clarify my comments below, you need something like this...

Given a URL like http://example.com/index.php?pID=842 , your form on that page should have the following hidden element

<input type="hidden" name="pID" value="<?php echo (int) $_GET['pID'] ?>" />

Two words: GET FIREBUG. Before checking your PHP script, you should check your HTML form. It's possible you're not echoing the form correctly.

I don't think it's safer to go with POST submissions, but it's definitely cleaner.

After you checked your form it should look like this:

<form method="POST" action="form-process.php">
    <input type='text' id='addComment' name='addComment' tabindex='3' value='Enter comment' />
    <input type="hidden" name="courseInfoDD" value="XXX" id="courseInfoDD">
    <input type="hidden" name="pID" value="XXX" id="pID">
</form>

On your submit script, you can access those parameters with $_POST. But remember, if you have an empty value in your HTML form, it will become an empty variable.

You can do a quick echo on $pID to see its content.

@Phil Brown is right about PDO. You don't have to escape variables before sending them to the handler.

Hope it helps!
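The points made in the answers above (send pID with the form, let the bound parameters do the escaping), shown together as an added example that is not code from the original posts. It assumes pID and courseInfoDD are positive integers and uses an in-memory SQLite database in place of the page's MySQL connection so it runs offline; insertComment() is a hypothetical helper name.

```php
<?php
// Added example, not the asker's or answerers' code.
// Assumptions: pdo_sqlite is available; pID and courseInfoDD are positive integers.
declare(strict_types=1);

function insertComment(PDO $pdo, array $post): int
{
    // Validate the IDs and reject bad input instead of silently sanitizing it.
    $opts = ['options' => ['min_range' => 1]];
    $pID  = filter_var($post['pID'] ?? null, FILTER_VALIDATE_INT, $opts);
    $cID  = filter_var($post['courseInfoDD'] ?? null, FILTER_VALIDATE_INT, $opts);
    $comm = trim((string) ($post['addComment'] ?? ''));

    if ($pID === false || $cID === false || $comm === '') {
        throw new InvalidArgumentException('pID, courseInfoDD and addComment are required');
    }

    // Bound parameters carry the raw values; no mysql_real_escape_string() here.
    $sth = $pdo->prepare('INSERT INTO Comment (info, pID, cID) VALUES (?, ?, ?)');
    $sth->execute([$comm, $pID, $cID]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Comment (id INTEGER PRIMARY KEY, info TEXT, pID INTEGER, cID INTEGER)');

// Constructed sample requests: valid, containing quotes and markup, and missing pID.
$requests = [
    ['addComment' => 'Great lecture', 'pID' => '842', 'courseInfoDD' => '7'],
    ['addComment' => "O'Brien's <b>note</b>", 'pID' => '842', 'courseInfoDD' => '7'],
    ['addComment' => 'no professor id', 'courseInfoDD' => '7'],
];
foreach ($requests as $post) {
    try {
        echo 'inserted row ', insertComment($pdo, $post), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// The stored text is unmodified; escape for HTML only when rendering it.
foreach ($pdo->query('SELECT info FROM Comment') as $row) {
    echo htmlspecialchars($row['info'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

The third request is the case from the question: with no pID in the POST data the handler rejects the request before it reaches the database.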
