
help inserting into database


Go to solution Solved by benanamen,


I have made a database and have been able to connect to it. I have a web form for inserting records. When I fill out the form and submit, I find that the database is empty. I don't see any errors. What am I doing wrong?

<?php
// Connect to MySQL (placeholder credentials as posted).
$con = new MySQLi("localhost", "user", "password", "database");

if (mysqli_connect_errno()) {
	die( "Failed to connect to MySQL" . mysqli_connect_error() );
} else {
	echo "Connection Established!";
}
?>



		 <form id="insert" name="insert" method="post">
        	<fieldset>
            <legend>Resident Info:</legend>
            Name: <input type="text" name="name" id="name"><br>
            Address: <input type="text" name="address"><br>
            Telephone: <input type="text" name="telephone"><br>
            Email: <input type="text" name="email"><br>
            Date Paid: <input type="text" name="date"><br>
            Method: <input type="text" name="method"><br>
            Amount: <input type="text" name="amount"><br>
            Amount Owed: <input type="text" name="amountOwed">
            <button type="submit" name="submit">Submit</button>
          </fieldset>
        </form>
        
        <?php
		if ($_SERVER['REQUEST_METHOD'] == 'POST') {
			// Copy the submitted form fields into local variables.
			$name = $_POST["name"];
			$address = $_POST["address"];
			$telephone = $_POST["telephone"];
			$email = $_POST["email"];
			$date = $_POST["date"];
			$method = $_POST["method"];
			$amount = $_POST["amount"];
			$amountOwed = $_POST["amountOwed"];
			$name = strtolower($name);
			echo ucwords($name);

			// User input is interpolated straight into the SQL string (injectable as written).
			$query = "INSERT INTO residents (name, address, telephone, email, datepaid, method, amount, amountowed)
						VALUES ('$name','$address','$telephone','$email','$date','$method','$amount','$amountOwed')";

			// Run the query once; the original ran it twice, which would insert two rows.
			if (!$con->query($query)) {
				die( 'Error: ' . $con->error );
			}
		}
		?>

  • Solution

You need to use prepared statements. You never ever send user supplied data directly to the database. Your code is just waiting for an SQL Injection Attack. Get rid of all those variables for nothing.  Turn on error reporting and check your logs.

 

I suggest you use PDO instead of Mysqli

https://phpdelusions.net/pdo

 

* Good job on using if( $_SERVER['REQUEST_METHOD'] == 'POST')

Edited by benanamen
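
The prepared-statement approach recommended in the reply above, sketched with PDO; this is an added example, not code from the thread. The `insertResident` helper and the in-memory SQLite stand-in (requires `pdo_sqlite`) are assumptions made so it runs offline; the column and form field names come from the original post.

```php
<?php
declare(strict_types=1);

// Columns taken from the INSERT in the original post.
const RESIDENT_FIELDS = ['name', 'address', 'telephone', 'email',
                         'datepaid', 'method', 'amount', 'amountowed'];

// Hypothetical helper: inserts one resident from a $_POST-style array.
function insertResident(PDO $pdo, array $post): int
{
    // Two form fields are named differently from their columns.
    $map = ['datepaid' => 'date', 'amountowed' => 'amountOwed'];

    $params = [];
    foreach (RESIDENT_FIELDS as $col) {
        $field = $map[$col] ?? $col;
        $params[":$col"] = trim((string)($post[$field] ?? ''));
    }

    // The SQL text is fixed; user values travel separately as bound parameters.
    $sql = 'INSERT INTO residents (' . implode(', ', RESIDENT_FIELDS) . ') '
         . 'VALUES (:' . implode(', :', RESIDENT_FIELDS) . ')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);   // runs once; throws PDOException on failure
    return (int)$pdo->lastInsertId();
}

// Stand-in database so the example runs offline.
// For MySQL use a DSN such as 'mysql:host=localhost;dbname=database;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors are not silent
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE residents (id INTEGER PRIMARY KEY, name TEXT, address TEXT,
    telephone TEXT, email TEXT, datepaid TEXT, method TEXT, amount TEXT, amountowed TEXT)');

// Constructed sample input; the apostrophe would break the string-built query.
$post = ['name' => "Mary O'Brien", 'address' => '1 Main St',
         'telephone' => '555-0100', 'email' => 'mary@example.com',
         'date' => '2017-01-05', 'method' => 'cash', 'amount' => '50', 'amountOwed' => '0'];

$id = insertResident($pdo, $post);
$check = $pdo->prepare('SELECT name FROM residents WHERE id = ?');
$check->execute([$id]);
echo "Stored row $id, name: " . $check->fetchColumn() . "\n";
```

With `PDO::ERRMODE_EXCEPTION` set, a failed insert raises an exception instead of leaving an empty table with no visible error.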

FYI: name is a mysql reserved word. If you're going to stick with bad column naming using reserved words you need to use backticks. You should be using something better like first_name, last_name.

 

`name`

Edited by benanamen

Ok, so it is a MySQL keyword. Never mind on the backticks, OP. name is still not a good column name anyways. What kind of name is name? Who knows? It is not descriptive enough. Thanks @Barand. I missed the line "Reserved keywords are marked with ®."

 

Per the manual:

 

Nonreserved keywords are permitted as identifiers without quoting. Reserved words are permitted as identifiers if you quote them as described in Section 9.2, “Schema Object Names”:

Edited by benanamen