I am trying to build a customer form which will submit information to a mysql table using simple PHP and html. I've tried for hours with no luck. I'm really stumped on what I'm doing wrong. I am not getting any errors back which is a step up before but I am not seeing my updates to my table in mysql. I am a beginner in PHP so my code definitely needs work. Any advice would be greatly appreciated.

 

here is my html



<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Grooming Appointment</title>
</head>
<body>
    <form action="submit.php" method="post">
    <p>
        <label for="FirstName">First Name:</label>
        <input type="text" name="Firstname" id="FirstName">
    </p>
    <p>
        <label for="LastName">Last Name:</label>
        <input type="text" name="LastName" id="LastName">
    </p>
      <p>
        <label for="Address">Address:</label>
        <input type="text" name="Address" id="Address">
    </p>
     <p>
        <label for="City">City:</label>
        <input type="City" name="City" id="City">
    </p>
      <p>
        <label for="State">State:</label>
        <input type="State" name="State" id="State">
    </p>
     <p>
        <label for="Zip">Zip:</label>
        <input type="Zip" name="Zip" id="Zip">
    </p>
      <p>
        <label for="PhoneNumber">Phone Number:</label>
        <input type="PhoneNumber" name="PhoneNumber" id="PhoneNumber">
    </p>
     <p>
        <label for="Email">Email:</label>
        <input type="Email" name="Email" id="Email">
    </p>
      <p>
        <label for="PetType">Pet Type:</label>
        <input type="PetType" name="PetType" id="PetType">
    </p>
      <p>
        <label for="Breed">Breed:</label>
        <input type="Breed" name="Breed" id="Breed">
    </p>
        <p>
        <label for="PetName">PetName:</label>
        <input type="PetName" name="PetName" id="PetName">
    </p>
       <p>
        <label for="NeuteredOrSpayed">Neutered or Spayed:</label>
        <input type="NeuteredOrSpayed" name="NeuteredOrSpayed" id="NeuteredOrSpayed">
    </p>
    <p>
        <label for="PetBirthday">Pet Birthday:</label>
        <input type="PetBirthday" name="PetBirthday" id="PetBirthday">
    </p>
    <input type="submit" id="Submit" action="submit.php" name="Submit">
</form>
</form>
</body>
</html>

and here is my php 

<?php
$host="";
$port=3306;
$socket="";
$user="";
$password="";
$dbname="pet_shop3";

$con = new mysqli($host, $user, $password, $dbname, $port, $socket)
	or die ('Could not connect to the database server' . mysqli_connect_error());

//$con->close();

if( isset( $_POST['submit'])){
	
  $FirstName = $_POST['FirstName'];
  $LastName = $_POST['LastName'];
  $Address = $_POST['Address'];
  $City = $_POST['City'];
  $State = $_POST['State'];
  $Zip = $_POST['Zip'];
  $PhoneNumber = $_POST['PhoneNumber'];
  $Email = $_POST['Email'];
  $PetType = $_POST['PetType'];
  $Breed = $_POST['Breed'];
  $PetName = $_POST['PetName'];
  $NeuteredOrSpayed = $_POST['NeuteredOrSpayed'];
  $PetBirthday = $_POST['PetBirthday'];

$con = "INSERT INTO `grooming` (`GroomingID`, `FirstName`, `LastName`, `Address`, `City`, `State`, `Zip`, `PhoneNumber`, `Email`, `PetType`, `Breed`, `PetName`, `NeuteredOrSpayed`, `PetBirthday`) VALUES ('$_POST[FirstName]','$_POST[LastName]','$_POST[Address]','$_POST[City]','$_POST[State]','$_POST[Zip]','$_POST[PhoneNumber]','$_POST[Email]','$_POST[PetType]','$_POST[City]','$_POST[Breed]','$_POST[PetName]','$_POST[NeuteredOrSpayed]','$_POST[PetBirthday]')";

}
?>
Edited by help1990
https://forums.phpfreaks.com/topic/303166-connecting-to-mysql-database-using-php/

Before you jump to complex applications, learn the basics. Since almost nobody bothers to learn mysqli properly, I recommend you just drop it and switch to PDO.

You must never insert user input directly into an SQL query or any other language context. Never. This is extremely dangerous, because it allows anybody on the Internet to obtain sensitive data, manipulate data or even take over the entire server. Do not let that happen. Use prepared statements and start thinking about security.

Your query is also broken. You claim to provide data for the ID column, but then you don't. This isn't valid. If you want to use the default value of the column (e.g. an auto-incremented integer), leave it out. Otherwise you must specify a value.

Copying all POST parameters into separate variables doesn't make sense either. You already have those values in the $_POST array. Just use them.

Having created a mysqli connection object and stored it in $con, the next thing you do is destroy that object by overwriting it with a string value (your sql code).

Secondly, just creating a string of sql code does not execute it. You need to use mysqli::query().

e.g.

$sql = "SELECT whatever ...";
$con->query($sql);

but you can do it if you protect the data. For example have the field only allow alpha/numeric so no special characters can get into the query value.

Yeah, no. NEVER EVER put variables in a query. ALWAYS use prepared statements.

Edited by benanamen
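
The advice in the replies above, put together as an added example (not code from any poster in this thread): a PDO prepared statement that omits GroomingID, reads the values straight from the request array, and actually executes the INSERT. It assumes the form's field names match the column names exactly, including case (the posted form sends Firstname and Submit, while the PHP reads FirstName and submit), and it uses an in-memory SQLite database with constructed input so it runs offline; for MySQL the DSN would have the form mysql:host=...;dbname=pet_shop3;charset=utf8mb4, with host and credentials as placeholders.

```php
<?php
declare(strict_types=1);

// Columns the form supplies. GroomingID is left out on purpose so the
// database assigns its own auto-increment value.
const GROOMING_COLUMNS = [
    'FirstName', 'LastName', 'Address', 'City', 'State', 'Zip', 'PhoneNumber',
    'Email', 'PetType', 'Breed', 'PetName', 'NeuteredOrSpayed', 'PetBirthday',
];

// Hypothetical helper: inserts one appointment and returns the new row id.
function insertGrooming(PDO $pdo, array $post): int
{
    $values = [];
    foreach (GROOMING_COLUMNS as $column) {
        // Reject a request with a missing or non-string field.
        if (!isset($post[$column]) || !is_string($post[$column])) {
            throw new InvalidArgumentException("Missing field: $column");
        }
        $values[":$column"] = trim($post[$column]);
    }
    // Column names come from the constant above, never from the request;
    // the values travel separately as bound parameters.
    $sql = 'INSERT INTO grooming (' . implode(', ', GROOMING_COLUMNS) . ') VALUES ('
         . implode(', ', array_keys($values)) . ')';
    $pdo->prepare($sql)->execute($values);
    return (int) $pdo->lastInsertId();
}

// Demo database (assumption: SQLite in memory stands in for the MySQL table).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // failures throw instead of passing silently
]);
$pdo->exec('CREATE TABLE grooming (GroomingID INTEGER PRIMARY KEY AUTOINCREMENT, '
    . implode(' TEXT, ', GROOMING_COLUMNS) . ' TEXT)');

// Constructed request body; in submit.php this array would be $_POST.
$post = array_fill_keys(GROOMING_COLUMNS, 'x');
$post['LastName'] = "O'Brien"; // the apostrophe would break a concatenated query

$id = insertGrooming($pdo, $post);

// Read the row back, again with a bound parameter, and confirm the value
// was stored byte for byte.
$check = $pdo->prepare('SELECT LastName FROM grooming WHERE GroomingID = ?');
$check->execute([$id]);
var_dump($id, $check->fetchColumn() === $post['LastName']);
```
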

The library has no security concept whatsoever and is bordering on malware, because it systematically produces SQL injection vulnerabilities.

I'm not going to assume that you've done this on purpose, but this definitely isn't ready for production. I strongly recommend you don't use this forum for marketing.

Edited by Jacques1

@ClipboardCode,

I just checked out your Data Grab code. It is EXTREMELY dangerous. It would be wise to stop promoting it until you have it right. If you want to talk more about it and get help on it start another thread so we don't hijack this one.

Yeah, I have just started the 'PHP Data Grab' project and am adding onto it as I go. I do plan on re-doing the dynamic query part to use prepared statements style later. I would love any other feedback to help make the project a success. I currently tend to code small internal intranet utilities for my company, and security has been low on my radar and the information is not that sensitive. I will create another topic in just a few seconds so we can get all the suggestions.
