I've created a simple login form. I'm not able to store user input values at the back-end. Here's the full code for your reference:
dp.php
<?php
$dbc = mysqli_connect('localhost', 'root', '', 'list') or trigger_error(mysqli_error());
$first_name = $_POST['firstname'];
$last_name = $_POST['lastname'];
$email = $_POST['email_id'];
$password = $_POST['password'];
$query = "INSERT INTO login_list (first_name, last_name, email,password) VALUES ('$first_name', '$last_name', '$email','$password')";
mysqli_query($dbc, $query) or trigger_error(mysqli_error($dbc));
echo 'login created';
mysqli_close($dbc);
?>
remove single quote from php variable
$query = "INSERT INTO login_list (first_name, last_name, email,password) VALUES
($first_name, $last_name, $email,$password)";
if your data contain string that will put in "" or ''
$query = "INSERT INTO login_list (first_name, last_name, email,password) VALUES
('".$first_name."','".$last_name."', '".$email."','".$password."')";
i hope this will solve your problem if $_POST get correct data . you have to concat string at that time
Related
Here is my main PHP code:
<?php
define('dbServer', 'localhost');
$dbUsername = 'root';
$dbPassword = '';
define('dbName', '1');
$dbConnection = mysqli_connect(dbServer, $dbUsername, $dbPassword, dbName);
if(!$dbConnection){
die("Unsuccessful Connection: " . mysqli_connect_error());
}
// All user data will be taken from the form //
$emailAddress = $_POST['emailaddress'];
$firstName = $_POST['firstname'];
$lastName = $_POST['lastname'];
$streetAddress = $_POST['streetaddress'];
$phoneNumber = $_POST['phonenumber'];
$comments = $_POST['comments'];
$sql = "INSERT INTO user-submission (email, firstName, lastName, address, phoneNumber, comment) VALUES ('$emailAddress', '$firstName', '$lastName', '$streetAddress', '$phoneNumber', '$comments')";
$result = mysqli_query($dbConnection, $sql);
if (!$result){
die('Error: ' . mysqli_connect_error());
}
?>
My SQL database contains the rows ID, email, firstName, lastName, address, phoneNumber, comment. They are in a database called '1' (for testing purposes) and a table called 'user-submission'.
I have been unable to query this information into my table. I have been successful prior to this on other SQL and PHP pairings. What am I doing wrong this time?
Add this right below the opening php tag at the top then the server will tell you what the error is. Copy the error here if you need help decyfering
error_reporting( E_ALL );
First you need to make changes so hackers don't abuse your code.
Just wait till johnny;drop tables; comes by and wipes out your database.
// All user data will be taken from the form //
$emailAddress = mysqli_real_escape_string($dbConnections,$_POST['emailaddress']);
$firstName = mysqli_real_escape_string($dbConnections,$_POST['firstname']);
$lastName = mysqli_real_escape_string($dbConnections,$_POST['lastname']);
$streetAddress = mysqli_real_escape_string($dbConnections,$_POST['streetaddress']);
$phoneNumber = mysqli_real_escape_string($dbConnections,$_POST['phonenumber']);
$comments = mysqli_real_escape_string($dbConnections,$_POST['comments']);
$sql = "INSERT INTO `user-submission` (email, firstName, lastName, address, phoneNumber, comment) VALUES (?,?,?,?,?,?)";
$prep=$dbConnections->prepare($sql);
$prep->bind_param("ssssss",$emailAddress,$firstName,$lastName,$streetAddress,$phoneNumber,$comments);
#actually puts everything together, and puts it in the database
$prep-execute();
I'm writing PHP code to send user input to the database. And http://fwtest.ga/register.php is my URL. every time I click the URL or check the JSON data in JSONLint website I get "mysqli_stmt_bind_param(): "Number of variables doesn't match a number of parameters in prepared statement" here is Mycode
<?php
$con = mysqli_connect("hostname", "username", "password", "dbname");
$first_name = $_POST["first_name"];
$last_name = $_POST["last_name"];
$email = $_POST["email"];
$password = $_POST["password"];
$user_id = $_POST["user_id"];
$statement = mysqli_prepare($con, "INSERT INTO `user` (first_name, last_name, email, password) VALUES
('$first_name', '$last_name', '$email', '$password')");
mysqli_stmt_bind_param($statement, 'ssss', $first_name, $last_name, $email, $password);
mysqli_stmt_execute($statement);
$response = array();
$response["success"] = true;
echo json_encode($response);
?>
You are injecting the params and you are preparing the query at the same time, use ? to tell mysql where to place the data,remove the variables from the sql string
$statement = mysqli_prepare($con, "INSERT INTO `user` (first_name, last_name, email, password) VALUES
(?, ?, ?, ?)");
I declared the five variables after a $con, and use only four of them mysqli_prepare function. Now it's working.
I am trying to INSERT data into a table and I am using mysqli API executing query.
$insert = "INSERT INTO pdhp_patient
(username, password, email, first_name,
last_name, dob, gender, s_s_n, i_n)
VALUES ('$username', '$password', '$email', '$first_name',
'$last_name', '$dob', '$gender', '$s_s_n', '$i_n');";
This is the query I am trying to execute.
mysqli_query($connection, $insert);
The previous line of code is for executing the query. This time the query returns false. I am unable to understand what the mistake is I Have even tried without the single quotes in the query. This however does not work.
Editted:
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$dob = $_POST['dob'];
$dob = date("m-d-Y", strtotime($dob));
$gender = $_POST['gender'];
$cid = $_POST['country'];
$sid = $_POST['city'];
$s_s_n = $_POST['s_s_n'];
$i_n = $_POST['i_n'];
global $connection;
if(isset($_POST['type']) && $_POST['type']==="patient"){
$insert = "INSERT INTO pdhp_patient (username, password, email, first_name, last_name, dob, gender, s_s_n, i_n) VALUES ('$username', '$password', '$email', '$first_name', '$last_name', '$dob', '$gender', '$s_s_n', '$i_n');";
$insert = mysql_prep($insert);
$result = mysqli_query($connection, $insert);
if ( $result === false ) {
echo mysqli_error($connection);
exit;
}
if($val){
echo "This must be working";
}else{
echo "This was not working";
}
}elseif(isset($_POST['type']) && $_POST['type']==="doctor"){
$insert = "INSERT INTO pdhp_doctor (username, password, email, first_name, last_name, dob, gender, s_s_n, i_n) VALUES ($username, $password, $email, $first_name, $last_name, $dob, $gender, $s_s_n, $i_n);";
$insert = mysql_prep($insert);
mysqli_query($connection, $insert);
}elseif(isset($_POST['environment_radio']) && $_POST['type']==="environment"){
$insert = "INSERT INTO pdhp_environmentalist (username, password, email, first_name, last_name, dob, gender, s_s_n, i_n) VALUES ($username, $password, $email, $first_name, $last_name, $dob, $gender, $s_s_n, $i_n);";
$insert = mysql_prep($insert);
mysqli_query($connection, $insert);
}
Some more code for proper info. This code chunk is what I wanna achieve. this is the full code.
Thanks.
Give a man a fish, he eats today. Teach a man to fish, he eats everyday
Add some error checking
$insert = "INSERT INTO pdhp_patient
(username, password, email, first_name,
last_name, dob, gender, s_s_n, i_n)
VALUES ('$username', '$password', '$email', '$first_name',
'$last_name', '$dob', '$gender', '$s_s_n', '$i_n');";
$result = mysqli_query($connection, $insert);
if ( $result === false ) {
echo mysqli_error($connection);
exit;
}
Then you can probably fix your own errors
Per your update and comment your issue is that you are escaping the whole query, and not the values that you are passing in. That is not how escaping works, with escaping you escape the values going in incase they contain 's which would break the SQL encapsulation. So instead do..
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$first_name = mysqli_real_escape_string($connection, $_POST['first_name']);
$last_name = mysqli_real_escape_string($connection, $_POST['last_name']);
$dob = mysqli_real_escape_string($connection, $_POST['dob']);
$dob = mysqli_real_escape_string($connection, date("m-d-Y", strtotime($dob)));
$gender = mysqli_real_escape_string($connection, $_POST['gender']);
$cid = mysqli_real_escape_string($connection, $_POST['country']);
$sid = mysqli_real_escape_string($connection, $_POST['city']);
$s_s_n = mysqli_real_escape_string($connection, $_POST['s_s_n']);
$i_n = mysqli_real_escape_string($connection, $_POST['i_n']);
and get rid of mysql_prep. You should probably read up a bit more on SQL injections:
http://php.net/manual/en/security.database.sql-injection.php
https://www.owasp.org/index.php/SQL_Injection
The more secure approach is using parameterized queries with prepared statements.
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I am trying to INSERT a new row into table using variables, like this-
$name = $_POST['name'];
$surname = $_POST['surname'];
$email = $_POST['email'];
$password = $_POST['password'];
$gender = $_POST['gender'];
if($name && $surname && $email && $password){
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$db = '_erica';
$conn = new mysqli($dbhost, $dbuser, $dbpass,$db);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
};
$sql = 'INSERT INTO login(id, name, surname, email, sex, password) VALUES (Null,$name,$surname,$email,$gender,$password)';
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
}else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
}else{
die('All fields requiret!');
};
But it does not work, I have tried to add quotes around variables like this
$sql = 'INSERT INTO login(id, name, surname, email, sex, password) VALUES(Null,"$name","$surname","$email","$gender","$password")';
still nothing... what could I do?
Use this. Just change single quotes with double quotes
$sql = "INSERT INTO login(id, name, surname, email, sex, password) VALUES (Null,$name,$surname,$email,$gender,$password)";
Try this,
$sql = 'INSERT INTO login(id, name, surname, email, sex, password) VALUES(NULL,"'.$name.'","'.$surname.'","'.$email.'","'.$gender.'","'.$password.'")';
Or (use double quotes outside instead of single quotes)
$sql = "INSERT INTO login(id, name, surname, email, sex, password) VALUES(NULL,$name,$surname,$email,$gender,$password)";
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
I have create a sign-up form which receives username, email and password.
I coded like this:
include_once 'sqlConnect.php';
$userName = $_POST['userName'];
$eMail = $_POST['eMail'];
$passWord = $_POST['passWord'];
$day = date("d-m-Y");
$time = date("h:i:sa");
$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
VALUE ('$userName', '$eMail', '$passWord', '$time')';
$result = mysql_query($dbINSERTuser);
if ($result) {
echo "New record created successfully";
}
else {
echo mysql_error($dbINSERTuser);
}
In the end, it gave me this error:
Parse error: syntax error, unexpected '$userName' (T_VARIABLE) in G:\XAMPP\htdocs\Project EVO 1.0\signup.php on line 17
I have been looking at this for hours and still not finding any solution. Please help!
PHP will evaluate variables values in the string, only when your string is wrapped with double quotes.
Change this:
$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
VALUE ('$userName', '$eMail', '$passWord', '$time')';
To this:
$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
VALUE ('$userName', '$eMail', '$passWord', '$time')";
But be aware - this code is vulnerable to SQL injections!
UPDATE:
Learn how to use PHP's PDO and prepared statements to make you queries safe.
Just replace ' with " in your insert query
$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
VALUE ('$userName', '$eMail', '$passWord', '$time')";
To prevent sql injection use
$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
VALUE ('".$userName."', '".$eMail."', '".$passWord."', '".$time."')";
IN mysqli you can use like that way
<?php
$link = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$userName = $_POST['userName'];
$eMail = $_POST['eMail'];
$passWord = $_POST['passWord'];
$day = date("d-m-Y");
$time = date("h:i:sa");
$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
VALUE ('".$userName."', '".$eMail."', '".$passWord."', '".$time."')";
mysqli_query($link, $query);
Read mysqli manual
you forgot to concat string
change
$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
VALUE ('$userName', '$eMail', '$passWord', '$time')';
to
$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
VALUE (' . $userName . ', ' . $eMail . ', ' . $passWord . ', ' . $time .')';
$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
VALUE (''.$userName.'', ''.$eMail.'', ''.$passWord.'', ''.$time.'')';
Change as above
Try This.
<?php
$userName = mysql_real_escape_string($_POST['userName']);
$eMail = mysql_real_escape_string($_POST['eMail']);
$passWord = mysql_real_escape_string($_POST['passWord']);
$day = mysql_real_escape_string(date("d-m-Y"));
$time = mysql_real_escape_string(date("h:i:sa"));
?>