CyberShot Posted December 7, 2016

I have made a database and have been able to connect to it. I have a web form for inserting records. When I fill out the form and submit, I find that the database is empty. I don't see any errors. What am I doing wrong?

```php
<?php
$con = new MySQLi("localhost", "user", "password", "database" );
if(mysqli_connect_errno()){
    die( "Failed to connect to MySQL" . mysqli_connect_error() );
} else {
    echo "Connection Established!";
}
?>
<form id="insert" name="insert" method="post">
    <fieldset>
        <legend>Resident Info:</legend>
        Name: <input type="text" name="name" id="name"><br>
        Address: <input type="text" name="address"><br>
        Telephone: <input type="text" name="telephone"><br>
        Email: <input type="text" name="email"><br>
        Date Paid: <input type="text" name="date"><br>
        Method: <input type="text" name="method"><br>
        Amount: <input type="text" name="amount"><br>
        Amount Owed: <input type="text" name="amountOwed">
        <button type="submit" name="submit">Submit</button>
    </fieldset>
</form>
<?php
if( $_SERVER['REQUEST_METHOD'] == 'POST') {
    $name = $_POST["name"];
    $address = $_POST["address"];
    $telephone = $_POST["telephone"];
    $email = $_POST["email"];
    $date = $_POST["date"];
    $method = $_POST["method"];
    $amount = $_POST["amount"];
    $amountOwed = $_POST["amountOwed"];
    $name = strtolower($name);
    echo ucwords($name);
    $query = "INSERT INTO residents (name, address, telephone, email, datepaid, method, amount, amountowed) VALUES ('$name','$address','$telephone','$email','$date','$method','$amount','$amountOwed')";
    $con->query($query);
    if(!$con->query($query)){
        die( 'Error: ' . $con->error );
    }
}
?>
```
Solution

benanamen Posted December 7, 2016 (edited)

You need to use prepared statements. You never ever send user supplied data directly to the database. Your code is just waiting for an SQL Injection Attack.

Get rid of all those variables for nothing.

Turn on error reporting and check your logs.

I suggest you use PDO instead of Mysqli: https://phpdelusions.net/pdo

* Good job on using `if( $_SERVER['REQUEST_METHOD'] == 'POST')`
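The prepared-statement approach recommended in the answer above, as an added example that is not part of the original thread. It assumes an in-memory SQLite database so it runs without a server; `insertResident` and `FIELD_TO_COLUMN` are hypothetical names, and the sample submission is constructed.

```php
<?php
// Added example, not the poster's code. Assumption: in-memory SQLite so the
// script runs offline; for MySQL swap in a DSN such as
// 'mysql:host=localhost;dbname=database;charset=utf8mb4' plus user and password.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failed queries throw instead of passing silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE residents (name TEXT, address TEXT, telephone TEXT,
    email TEXT, datepaid TEXT, method TEXT, amount TEXT, amountowed TEXT)');

// Form field => column name, fixed in code (hypothetical helper constant).
// Only these keys are read from the request, so nothing the user sends
// ever becomes part of the SQL text.
const FIELD_TO_COLUMN = [
    'name' => 'name', 'address' => 'address', 'telephone' => 'telephone',
    'email' => 'email', 'date' => 'datepaid', 'method' => 'method',
    'amount' => 'amount', 'amountOwed' => 'amountowed',
];

function insertResident(PDO $pdo, array $post): int
{
    $columns = implode(', ', FIELD_TO_COLUMN);
    $marks   = implode(', ', array_fill(0, count(FIELD_TO_COLUMN), '?'));
    $stmt    = $pdo->prepare("INSERT INTO residents ($columns) VALUES ($marks)");

    $values = [];
    foreach (array_keys(FIELD_TO_COLUMN) as $field) {
        $value    = $post[$field] ?? '';
        $values[] = is_string($value) ? trim($value) : ''; // ignore array-valued input
    }
    $stmt->execute($values); // values are bound as data, separate from the statement
    return $stmt->rowCount();
}

// Constructed sample submission standing in for $_POST. The apostrophes would
// break the interpolated query from the question; here they are stored as-is.
$post = [
    'name' => "Pat O'Brien", 'address' => "12 King's Rd; Apt 'B'",
    'telephone' => '555-0100', 'email' => 'pat@example.com',
    'date' => '2016-12-07', 'method' => 'check',
    'amount' => '120.00', 'amountOwed' => '0.00',
];
echo insertResident($pdo, $post), " row inserted\n";
print_r($pdo->query('SELECT name, address FROM residents')->fetchAll());
```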
benanamen Posted December 7, 2016 (edited)

FYI: name is a mysql reserved word. If you're going to stick with bad column naming using reserved words you need to use backticks. You should be using something better like first_name, last_name.

`name`
CyberShot (Author) Posted December 7, 2016

ok. Thank you.
Barand Posted December 7, 2016

> FYI: name is a mysql reserved word. `name`

Not according to the manual
benanamen Posted December 7, 2016 (edited)

Ok, so it is a Mysql Keyword. Never mind on the back ticks OP. name is still not a good column name anyways. What kind of name is name? Who knows? It is not descriptive enough.

Thanks @Barand. I missed the line "Reserved keywords are marked with (R)."

Per the manual:

> Nonreserved keywords are permitted as identifiers without quoting. Reserved words are permitted as identifiers if you quote them as described in Section 9.2, “Schema Object Names”: