This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Reference - What does this error mean in PHP?
(38 answers)
Can I mix MySQL APIs in PHP?
(4 answers)
PHP code is not being executed, but the code shows in the browser source code
(35 answers)
Why shouldn't I use mysql_* functions in PHP?
(14 answers)
Closed 4 years ago.
I'm trying to set up a very simple form to submit data to a MySQL database (I've never actually set up a MySQL database or the connections required to interact with it via a web form myself before).
I have a simple HTML form in my web page, to allow the user to enter a name, email address, and a question that they want to ask:
<!DOCTYPE html>
<html>
<head>
<meta content="text/html;charset=utf-8" http-equiv="Content-Type">
<meta content="utf-8" http-equiv="encoding">
Page title
</head>
<body>
<h1>Customer Information</h1>
<form id="customerInfoForm" accept-charset = "utf-8" action = "insert.php" method = "post" >
<table id = "customerInfoTable">
<tr><td>Name: </td><td><input type = "text" name = "customerName" ></input></td></tr>
<tr><td>Email: </td><td><input type = "text" name = "customerEmail"></input></td></tr>
<tr><td>Enquiry: </td><td><input type = "text" name = "enquiryText"></input></td></tr>
</table>
<br>
<input type = "submit" value = "Sumit"></input>
</form>
</body>
</html>
<?php
$con = mysql_connect('localhost','[retracted]','[retracted]');
if(!$con) {
echo 'Not connected to server!';
}
$Name = $_POST['customerName'];
$Email = $_POST['customerEmail'];
$Query = $_POST['enquiryText'];
$sql = "INSERT INTO Enquiries(Name, Email, Query) VALUES ('$Name', '$Email', '$Query')";
if(!mysql_query($con, $sql)) {
echo 'Data not inserted';
} else {
echo 'Data inserted';
}
?>
In the insert.php file that's called when clicking the 'Submit' button on the form, I have the following:
<?php
//Check if data has been entered
if( isset( $_POST['data'] ) && !empty( $_POST['data'] ) )
{
$data = $_POST['data'];
} else {
header( 'location: form.html' );
exit();
}
//set up mysql
$sql_server = 'localhost';
$sql_user = 'user';
$sql_pwd = 'password';
$sql_db = 'database';
//Connect to sql database
$mysqli = new mysqli( $sql_server, $sql_user, $sql_pwd, $sql_db) or die( $mysqli->error );
//Insert details into table
$insert = $mysqli->query( "INSERT INTO Enquiries ('data') VALUE ( '$data' )" );
//Close mysqli connection
$mysqli->close;
?>
However, currently, when I click the 'Submit' button on my form, I get an error displayed in my browser:
error ); //Insert details into table $insert = $mysqli->query( "INSERT INTO Enquiries ('data') VALUE ( '$data' )" ); //Close mysqli connection $mysqli->close; ?>
i.e. the above error is displayed as the content of the webpage, so it seems I'm doing something wrong with the database connection, but I'm not sure what... Can anyone point me in the right direction?
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 months ago.
So basically I have a working HTML Form that when filled out and submitted goes tomy SQL database, I have check multiple times and it works as should unless there is a ' character in the data being submitted. If there is a ' it simply won't submit the form. I don't know why this is and was hoping someone would know and potentionally help my resolve the problem so that that character can be used. I am using PHP to connect my HTMLform to my SQL server.
All the columns in my SQL Table are VARCHAR(no.)
EDIT:
This is the code on my php file.
<?php
// database connection code
// $con = mysqli_connect('localhost', 'database_user', 'database_password','database');
$con = mysqli_connect('localhost', 'root', '7520NHOj','db_connect');
// get the post records
$txtName = $_POST['txtName'];
$txtEmail = $_POST['txtEmail'];
$txtPhone = $_POST['txtPhone'];
$txtMessage = $_POST['txtMessage'];
// database insert SQL code
$sql = "INSERT INTO `tbl_contact` (`fldName`, `fldEmail`, `fldPhone`, `fldMessage`) VALUES ('$txtName', '$txtEmail', '$txtPhone', '$txtMessage')";
// insert in database
$rs = mysqli_query($con, $sql);
if($rs)
{
echo "Your Contact form has been submitted, we will get back to you as soon as possible!";
}
?>
Use mysqli_real_escape_string function for solving problem.
Use the following code.
<?php
// database connection code
// $con = mysqli_connect('localhost', 'database_user', 'database_password','database');
$con = mysqli_connect('localhost', 'root', '7520NHOj','db_connect');
// get the post records
$txtName = mysqli_real_escape_string($con,$_POST['txtName']);
$txtEmail = mysqli_real_escape_string($con,$_POST['txtEmail']);
$txtPhone = mysqli_real_escape_string($con,$_POST['txtPhone']);
$txtMessage = mysqli_real_escape_string($con,$_POST['txtMessage']);
// database insert SQL code
$sql = "INSERT INTO `tbl_contact` (`fldName`, `fldEmail`, `fldPhone`, `fldMessage`) VALUES ('$txtName', '$txtEmail', '$txtPhone', '$txtMessage')";
// insert in database
$rs = mysqli_query($con, $sql);
if($rs)
{
echo "Your Contact form has been submitted, we will get back to you as soon as possible!";
}
?>
This question already has answers here:
Can I mix MySQL APIs in PHP?
(4 answers)
Reference - What does this error mean in PHP?
(38 answers)
How to enable PHP short tags?
(21 answers)
Closed 4 years ago.
I’m having trouble successfully INSERTing information into a database I created. I tried several different alternatives I found on the internet and I was hoping someone could help. From what I can tell I’m connecting to the database without a problem, the data is just not being submitted into it. I kept it very simple just for testing purposes to no avail. It’s probably something simple that a more experienced programmer could help out easily.
I’m running a server through A2Hosting that is running
“Server version: 10.2.18-MariaDB-cll-lve - MariaDB Server”
“Php version: 5.6.30”
Here is the code I have running(for security I’m substituted in info):
I did the “dummy checks” with data base table and field names, username and case of letters too.
config.php:
<?php
$host = "server.a2hosting.com";
$userName = "username";
$password = "password";
$dbName = "Database";
// Create database connection
$conn = mysql_connect ($host, $userName, $password, $dbName);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
?>
Html file - index.html:
<html><body> <form method="post" action="index.php"> <input type='text' name='first_name' id='first_name'> <input type='text’ name='last_name'> <input type=submit value="Submit"> </form>
</body></html>
Php file - index.php
<? include("config.php");
// has the access info for the DB, how to connect
// create a variable
$first_name=$_POST['first_name'];
$last_name=$_POST['last_name'];
$query = "INSERT INTO Contact_Information (HOW_name, address) VALUES
('$first_name', '$last_name'); "; mysql_query($query); mysql_close();
?>
<html> <head> <meta HTTP-EQUIV="REFRESH" content="0; url=form1.php">
</head> </html>
$query = "INSERT INTO contact_inforamarion(how_name, address) VALUES('$first_name', '$last_name');";
$result = mysqli_query($conn, $query);
Query and result should be like this.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
I have a PHP that I am unable to get it to work. Its function is to connect to my db and delete the input email address from the database. But for some reason, the result is always "Data Not Deleted". I am sure of all the details like db connect details and columns names etc. still the code doesn't work.
Code:
<?php
// php code to Delete data from mysql database
if(isset($_POST['delete']))
{
$hostname = "localhost";
$username = "root";
$password = "";
$databaseName = "newsletter";
// get id to delete
$email = $_POST['email'];
// connect to mysql
$connect = mysqli_connect($hostname, $username, $password, $databaseName);
// mysql delete query
$query = "DELETE FROM `email_user` WHERE `email` = $email";
$result = mysqli_query($connect, $query);
if($result)
{
echo 'Data Deleted';
}else{
echo 'Data Not Deleted';
}
mysqli_close($connect);
}
?>
<!DOCTYPE html>
<html>
<head>
<title> PHP DELETE DATA </title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<form action="unsub.php" method="post">
ID TO DELETE: <input type="text" name="email" required><br><br>
<input type="submit" name="delete" value="Clear Data">
</form>
</body>
</html>
Please point out what I am doing wrong in here?
Thanks
You need to add quotes around $email in your query as it is a string.
$query = "DELETE FROM `email_user` WHERE `email` = '$email'";
Note:- Your code is wide-open for SQL INJECTION.You have to use prepared statements
Help reference:-
mysqli::prepare
PDO::prepare
Try modifying the query to following:
"DELETE FROM `email_user` WHERE `email` = '$email'"
This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
Closed 5 years ago.
So I've looked up many tutorials on how to get variables like http://example.net/pb.php?id=1&affsub=stringhere&key=123abc and then when that page is accessed I want it to be put into my database. But I have tried doing so by using this piece of code. And when accessing the page using ?id=1&affsub=stringhere&key=123abc it doesn't show any errors on the page and it also doesn't put it in the database as well. Now I'm not sure what is happening or what I need to do for that to work.
<?
if( $_POST )
{
$con = mysql_connect("localhost","user","pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("tbl", $con);
$id = $GET['id'];
$affsub = $_GET['affsub'];
$key = $_GET['key'];
$id = mysql_real_escape_string($id);
$affsub = mysql_real_escape_string($affsub);
$key = mysql_real_escape_string($key);
$query = "
INSERT INTO `tbl`.`users` (`id`, `affsub`, `key`) VALUES ('$id',
'$affsub', '$key');";
mysql_query($query);
echo "<h2>User added to system.</h2>";
mysql_close($con);
}
?>
Everything is inside if ($_POST) so you need to to retrieve the data from $_POST[] instead of $_GET[] (and the typo. error $GET['id']). In addition, the parameters should not be in the URL - that would normally indicate a form using the get method but for updating a database you normally want to use method="post" in your form.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
So, I am trying to validate whether username and email entered by a user in an html form are correct according to Database
I have a database called testing and a table called info which has two fields:
name and email.
this is the code
<html>
<body>
<form action="conn.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname="testing";
$name=$_POST['name'];
$mail=$_POST['email'];
// Create connection
$conn1 = new mysqli($servername, $username, $password, $dbname);
$query='select email from info where name= "$name"';
$results = mysqli_query($conn1,$query);
$row= mysqli_fetch_assoc($results);
echo $row["email"];
$email=$row["email"];
if($mail==$email){
echo " correct values";
}
else
echo " incorrect";
//echo $name, $email;
// Check connection
//if ($conn1->connect_error) {
// die("Connection failed: " . $conn1->connect_error);
//}
//echo "Connected successfully";
$conn1->close();
?>
but the result is always incorrect. The values that i enter in the text boxes match the values in the database.
You should use placeholders, the code would be something like this:
$query = 'SELECT emal FROM info WHERE name = ?';
$stmt = mysqli_stmt_prepare($conn1, $query);
mysqli_stmt_bind_param($stmt, 's', $name);
mysqli_stmt_execute($stmt);
$results = mysqli_stmt_get_result($stmt);
For better readable code, read up on the object-oriented mysqli-interface, or better yet use PDO.
alternatively you can use string concatenation like
Update this line
$query='select email from info where name= "$name"';
with
$query='select email from info where name= "'.$name.'" ';
or with
$query="select email from info where name= '".$name."' ";