I'm trying to add revived form input into database.
<form action="index.php" method="post">
<input type="text" name="firstname" id="firstname">
<br>
<input type="text" name="lastname" id="lastname">
<br>
<input type="submit" name="submit" value="Submit">
if(isset($_POST['submit'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$query = "INSERT INTO users (firstname, lastname) VALUES ($firstname, $lastname)";
if($conn->query($query) === true) {
echo "added";
}else {
echo $con->error;
}
Example : Firstname = Jason / Lastname = Haw
After clicking on submit button, i see error message : Unknown column 'Jason' in 'field list'
Where is the wrong thing to do?
$query = "INSERT INTO users (firstname, lastname) VALUES ('$firstname', '$lastname')";
put single quote for $firstname.
but this is not a proper approach, you should use prepared statement.
your query is risk of sql injection, because no escaping the input.
I'm currentely working on some project for my school in which I have to create a profile page where people can put their information throught the input form. The data is send to database and after that displayed in some nice table.
But on my way I have encountered some problems - this is an error that I'm echoing:
INSERT INTO info (name, surname, gender, birth, street, postal, city, country, citizenship, phone, mail) VALUES (Michael, xxx, male, 20-04-93, Skolegade, 4690, Copenhagen, Denmark, Polish, 22222222, admin#admin.com WHERE email = xxx#gmail.com) Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE email = xxx#gmail.com)' at line 1
This is my file index.html with the form
<body>
<h1>Update record <?php echo $user->email; ?></h1>
<form action="insertdata.php" method="post">
<label>Your name: </label><input type="text" name="name" /><br />
<label>Your surname: </label><input type="text" name="surname" /><br />
<label>Gender: </label><input type="text" name="gender" /><br />
<label>Date of birth: </label><input type="text" name="birth" /><br />
<label>Street name: </label><input type="text" name="street" /><br />
<label>Postal: </label><input type="text" name="postal" /><br />
<label>City: </label><input type="text" name="city" /><br />
<label>Country: </label><input type="text" name="country" /><br />
<label>Citizenship: </label><input type="text" name="citizenship" /><br />
<label>Phone number: </label><input type="text" name="phone" /><br />
<label>E-mail address: </label><input type="text" name="mail" /><br />
<input type="submit" value="submit" />
</form>
<?php
if($sql){//if the update worked
echo "<b>Update successful!</b>";
}
?>
And this is the code of file insertdata.php in which it finds an error:
<?php
// To protect any php page on your site, include main.php
// and create a new User object. It's that simple!
require_once '../includes/main.php';
$user = new User();
if(!$user->loggedIn()){
redirect('index.php');
}
require_once('functions.php');
connect_db();
$name = mysqli_real_escape_string($con, $_POST['name']);
$surname = mysqli_real_escape_string($con, $_POST['surname']);
$gender = mysqli_real_escape_string($con, $_POST['gender']);
$birth = mysqli_real_escape_string($con, $_POST['birth']);
$street = mysqli_real_escape_string($con, $_POST['street']);
$postal = mysqli_real_escape_string($con, $_POST['postal']);
$city = mysqli_real_escape_string($con, $_POST['city']);
$country = mysqli_real_escape_string($con, $_POST['country']);
$citizen = mysqli_real_escape_string($con, $_POST['citizen']);
$phone = mysqli_real_escape_string($con, $_POST['phone']);
$mail = mysqli_real_escape_string($con, $_POST['mail']);
$email = $user->email;
$sql = "INSERT INTO `info` (`name`, `surname`, `gender`, `birth`, `street`, `postal`, `city`, `country`, `citizenship`, `phone`, `mail`) VALUES (`$name`, `$surname`, `$gender`, `$birth`, `$street`, `$postal`, `$city`, `$country`, `$citizen`, `$phone`, `$mail` WHERE email = `$email`)";
echo $sql;
//$result = mysql_query($con,$sql);
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 ercord added";
mysqli_close($con);
?>
?>
Check
I tried to remove the " from the code at the end of the line but then code is messed up and it is displaying other errors
WHERE email = `$email`); "
e.g. that it can not read echo from the next line:
Parse error: syntax error, unexpected 'echo' (T_ECHO) in /data/home/vizionwe/public_html/try/insertdata.php on line 35
My deadline is until Tuesday, so I have to figure it out quick.
I'm looking forward to see your answers and ideas.
Fix your sql line:
$sql = "INSERT INTO `info` ";
$sql.= "(`name`, `surname`, `gender`, `birth`, `street`, `postal`, `city`, `country`, `citizenship`, `phone`, `mail`) VALUES ";
$sql.= "('".$name."', '".$surname."', '".$gender."', '".$birth."', '".$street."', '".$postal."', '".$city."', '".$country."', '".$citizen."', '".$phone."', '".$mail."')";
It seems to me, that you should use ' instead of ` around the values you try to put into the database.
Like this:
$sql = "INSERT INTO `info` (`name`, `surname`, `gender`, `birth`, `street`, `postal`, `city`, `country`, `citizenship`, `phone`, `mail`) VALUES ('$name', '$surname', '$gender', '$birth', '$street', '$postal', '$city', '$country', '$citizen', '$phone', '$mail' WHERE email = '$email')";
"INSERT INTO info (name, surname, gender, birth, street, postal, city, country, citizenship, phone, mail) VALUES ('".$name."', '".$surname."', '".$gender."', '".$birth."', '".$street."', '".$postal."', '".$city."', '".$country."', '".$citizen."', '".$phone."', '".$mail."')"
I'm working from the W3Schools tutorial for MySQL and it seems either some of the code is outdated or I'm just missing something utterly stupid. In trying to pass on information to a database, I get this error:
Error: Unknown column 'd' in 'field list'
I'm attempting to pass info on from a form submission that then links to this page, where it grabs the info the user enters to create a new entry into the database.
Here is the code for the form submission.
<html>
<body>
<form action="3ainsert.php" method="post">
Firstname: <input type="text" name="firstname">
Lastname: <input type="text" name="lastname">
Age: <input type="text" name="age">
<input type="submit">
</form>
</body>
</html>
Here is the code for the other page:
<?php
$con=mysqli_connect();
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);
$sql="INSERT INTO persons (FirstName, LastName, Age)
VALUES ($firstname, $lastname, $age)";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
Your query isn't encasing the values in quotes:
$sql="INSERT INTO persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";
However please note that generally using prepared statements is preferred over directly inserting into a query.
I am inserting data in my WAMP database from user input:
PHP
<?php
$con=mysqli_connect("127.0.0.1","beni","2155","visitbulgaria");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$forename = mysqli_real_escape_string($con,$_POST['Forename']);
$surname = mysqli_real_escape_string($con,$_POST['Surname']);
$email = mysqli_real_escape_string($con,$_POST['Email']);
$username = mysqli_real_escape_string ($con,$_POST['Username']);
$password = mysqli_real_escape_string ($con,$_POST['Password']);
$sql="INSERT INTO `customer`(`Forename`, `Surname`, `Email`, `Username`, `Password`)
VALUES ('$forename', '$surname', '$email', '$username', '$password')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
HTML
<html>
<body>
<form action="insert.php" method="post">
Firstname: <input type="text" name="Forename">
Lastname: <input type="text" name="Surname">
Email: <input type="text" name="Email">
username: <input type="text" name="Username">
pass: <input type="text" name="Password">
<input type="submit">
</form>
</body>
</html>
whah happens here is that on submit it does work but when I look at the database in phpMyAdmin it has only added the first three record (forename, surname and email and then the username and password field are left blank, and I have no idea how to fix that and why it is doing it.
I want to write from my form to my database. I'm confused because this resembles the scripts from tutorials and there it works.
Form (w3schools example) extract:
<form action="insert.php" method="post">
Firstname: <input type="text" name="firstname">
Lastname: <input type="text" name="lastname">
Age: <input type="text" name="age">
<input type="submit">
</form>
php:
<?php
$con=mysqli_connect("localhost","XXX","AAA","databasename");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($_POST['firstname']);
$lastname = mysqli_real_escape_string($_POST['lastname']);
$age = mysqli_real_escape_string($_POST['age']);
$sql="INSERT INTO test (firstname, lastname, age)
VALUES ('$firstname', '$lastname', '$age')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
This adds a new row to my database with each submission. The problem: this added row is empty, except for the age column which is always 0, regardless of what I submit.
Where is my mistake?
Refer to php document you must give two values to mysqli_real_escape_string.
try this:
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);