help1990 Posted February 12, 2017

I am trying to build a customer form which will submit information to a MySQL table using simple PHP and HTML. I've tried for hours with no luck. I'm really stumped on what I'm doing wrong. I am not getting any errors back, which is a step up from before, but I am not seeing my updates to my table in MySQL. I am a beginner in PHP so my code definitely needs work. Any advice would be greatly appreciated.

Here is my HTML:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Grooming Appointment</title>
</head>
<body>
    <form action="submit.php" method="post">
        <p>
            <label for="FirstName">First Name:</label>
            <input type="text" name="Firstname" id="FirstName">
        </p>
        <p>
            <label for="LastName">Last Name:</label>
            <input type="text" name="LastName" id="LastName">
        </p>
        <p>
            <label for="Address">Address:</label>
            <input type="text" name="Address" id="Address">
        </p>
        <p>
            <label for="City">City:</label>
            <input type="City" name="City" id="City">
        </p>
        <p>
            <label for="State">State:</label>
            <input type="State" name="State" id="State">
        </p>
        <p>
            <label for="Zip">Zip:</label>
            <input type="Zip" name="Zip" id="Zip">
        </p>
        <p>
            <label for="PhoneNumber">Phone Number:</label>
            <input type="PhoneNumber" name="PhoneNumber" id="PhoneNumber">
        </p>
        <p>
            <label for="Email">Email:</label>
            <input type="Email" name="Email" id="Email">
        </p>
        <p>
            <label for="PetType">Pet Type:</label>
            <input type="PetType" name="PetType" id="PetType">
        </p>
        <p>
            <label for="Breed">Breed:</label>
            <input type="Breed" name="Breed" id="Breed">
        </p>
        <p>
            <label for="PetName">PetName:</label>
            <input type="PetName" name="PetName" id="PetName">
        </p>
        <p>
            <label for="NeuteredOrSpayed">Neutered or Spayed:</label>
            <input type="NeuteredOrSpayed" name="NeuteredOrSpayed" id="NeuteredOrSpayed">
        </p>
        <p>
            <label for="PetBirthday">Pet Birthday:</label>
            <input type="PetBirthday" name="PetBirthday" id="PetBirthday">
        </p>
        <input type="submit" id="Submit" action="submit.php" name="Submit">
    </form>
    </form>
</body>
</html>

And here is my PHP:

<?php
$host="";
$port=3306;
$socket="";
$user="";
$password="";
$dbname="pet_shop3";

$con = new mysqli($host, $user, $password, $dbname, $port, $socket)
    or die ('Could not connect to the database server' . mysqli_connect_error());

//$con->close();

if( isset( $_POST['submit'])){
    $FirstName = $_POST['FirstName'];
    $LastName = $_POST['LastName'];
    $Address = $_POST['Address'];
    $City = $_POST['City'];
    $State = $_POST['State'];
    $Zip = $_POST['Zip'];
    $PhoneNumber = $_POST['PhoneNumber'];
    $Email = $_POST['Email'];
    $PetType = $_POST['PetType'];
    $Breed = $_POST['Breed'];
    $PetName = $_POST['PetName'];
    $NeuteredOrSpayed = $_POST['NeuteredOrSpayed'];
    $PetBirthday = $_POST['PetBirthday'];

    $con = "INSERT INTO `grooming` (`GroomingID`, `FirstName`, `LastName`, `Address`, `City`, `State`, `Zip`, `PhoneNumber`, `Email`, `PetType`, `Breed`, `PetName`, `NeuteredOrSpayed`, `PetBirthday`)
            VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[Address]','$_POST[City]','$_POST[State]','$_POST[Zip]','$_POST[PhoneNumber]','$_POST[Email]','$_POST[PetType]','$_POST[City]','$_POST[Breed]','$_POST[PetName]','$_POST[NeuteredOrSpayed]','$_POST[PetBirthday]')";
}
?>

Edited February 12, 2017 by help1990
Jacques1 Posted February 12, 2017

Before you jump to complex applications, learn the basics. Since almost nobody bothers to learn mysqli properly, I recommend you just drop it and switch to PDO.

You must never insert user input directly into an SQL query or any other language context. Never. This is extremely dangerous, because it allows anybody on the Internet to obtain sensitive data, manipulate data or even take over the entire server. Do not let that happen. Use prepared statements and start thinking about security.

Your query is also broken. You claim to provide data for the ID column, but then you don't. This isn't valid. If you want to use the default value of the column (e.g. an auto-incremented integer), leave it out. Otherwise you must specify a value.

Copying all POST parameters into separate variables doesn't make sense either. You already have those values in the $_POST array. Just use them.
Barand Posted February 12, 2017

Having created a mysqli connection object and stored it in $con, the next thing you do is destroy that object by overwriting it with a string value (your SQL code).

Secondly, just creating a string of SQL code does not execute it. You need to use mysqli::query(), e.g.

$sql = "SELECT whatever ...";
$con->query($sql);
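For readers following the two replies above, here is what a corrected submit.php looks like when both points are applied: the user input is bound through a mysqli prepared statement instead of being interpolated into the SQL string, the column list matches the values actually supplied (GroomingID is left out so the table's default is used), the connection object in $con is not overwritten, and the statement is executed. This is an added example written for this thread, not code from the original poster or any of the repliers. It assumes GroomingID is an AUTO_INCREMENT column and uses placeholder connection credentials. Note that $_POST keys are case-sensitive in PHP, so the form's name attributes have to match the keys read here exactly (the posted form uses name="Firstname" and name="Submit" while the script reads $_POST['FirstName'] and $_POST['submit']).

```php
<?php
// Added example: submit.php rewritten with a mysqli prepared statement.
// Not the original poster's code. Assumes `grooming`.`GroomingID` is AUTO_INCREMENT
// and that the form's name attributes equal the $fields entries below (case-sensitive).
declare(strict_types=1);

// Turn every MySQL error into an exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials; replace with the real ones (never commit them to the repo).
$con = new mysqli('db-host-placeholder', 'db-user-placeholder', 'db-password-placeholder',
                  'pet_shop3', 3306);
$con->set_charset('utf8mb4');

// Columns we insert into, in order. GroomingID is omitted on purpose: the database
// assigns it. This list is also the allowlist of POST keys we accept.
$fields = ['FirstName', 'LastName', 'Address', 'City', 'State', 'Zip', 'PhoneNumber',
           'Email', 'PetType', 'Breed', 'PetName', 'NeuteredOrSpayed', 'PetBirthday'];

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('This endpoint only accepts POST.');
}

// Collect the values in column order. A missing field becomes an empty string rather
// than an undefined-index warning. Format validation (e.g. Email, PetBirthday) belongs
// here too, but it is the placeholders below, not validation, that keep the query safe.
$values = [];
foreach ($fields as $f) {
    $values[] = trim((string)($_POST[$f] ?? ''));
}

// Column names come from our own constant list, never from the request, so building the
// identifier list with string concatenation is safe. Values go in as '?' placeholders.
$columns      = '`' . implode('`, `', $fields) . '`';
$placeholders = implode(', ', array_fill(0, count($fields), '?'));
$sql = "INSERT INTO `grooming` ($columns) VALUES ($placeholders)";

// $con stays the connection object; the statement handle gets its own variable.
$stmt = $con->prepare($sql);
$stmt->bind_param(str_repeat('s', count($fields)), ...$values); // all bound as strings
$stmt->execute();

// insert_id is the GroomingID the database assigned to this row.
echo 'Appointment saved with GroomingID ' . $stmt->insert_id;
```

The shape of the query (table and column names) is fixed in the script; only the values travel through bind_param, so a quote or semicolon typed into any form field is stored as data and cannot change the statement. Because mysqli_report is set to strict mode, a wrong column name, a type mismatch or a refused connection surfaces as an exception instead of a silent failure, which is exactly the "no errors, no rows" situation the original question describes.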
benanamen Posted February 12, 2017

> but you can do it if you protect the data. For example have the field only allow alpha/numeric so no special characters can get into the query value.

Yeah, no. NEVER EVER put variables in a query. ALWAYS use prepared statements.

Edited February 12, 2017 by benanamen
ClipboardCode Posted February 12, 2017

> Yeah, no. NEVER EVER put variables in a query. ALWAYS use prepared statements.

Yeah, you are probably right, since it is fairly easy to bypass an input restriction.

Edited February 12, 2017 by ClipboardCode
Jacques1 Posted February 12, 2017

The library has no security concept whatsoever and is bordering on malware, because it systematically produces SQL injection vulnerabilities. I'm not going to assume that you've done this on purpose, but this definitely isn't ready for production. I strongly recommend you don't use this forum for marketing.

Edited February 12, 2017 by Jacques1
benanamen Posted February 12, 2017

@ClipboardCode, I just checked out your Data Grab code. It is EXTREMELY dangerous. It would be wise to stop promoting it until you have it right. If you want to talk more about it and get help on it, start another thread so we don't hijack this one.
ClipboardCode Posted February 12, 2017

> @ClipboardCode, I just checked out your Data Grab code. It is EXTREMELY dangerous. It would be wise to stop promoting it until you have it right. If you want to talk more about it and get help on it, start another thread so we don't hijack this one.

Yeah, I have just started the 'PHP Data Grab' project and am adding onto it as I go. I do plan on re-doing the dynamic query part to use the prepared statement style later. I would love any other feedback to help make the project a success. I currently tend to code small internal intranet utilities for my company, and security has been low on my radar since the information is not that sensitive. I will create another topic in just a few seconds so we can get all the suggestions.