VERY easy MySQL syntax error, I'm new to this - php

I am trying to make an incredibly basic form that adds First name, last name, and age to a very basic database called Test. Here is my HTML code:
<html>
<head>
</head>
<body>
<h1>Welcome!</h1>
<br>
<form action="insert.php" method="post">
Firstname: <input type="text" name="firstname">
Lastname: <input type="text" name="lastname">
Age: <input type="text" name="age">
<input type="submit">
</form>
</body>
</html>
And this is my PHP code, with the DB name, host, and login info hidden:
<?php
$con=mysqli_connect("HOST","USER","PASS","DB");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql= "INSERT INTO Test ('First Name', 'Last Name', 'Age')
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
This is my error when I type data into the form and submit it. I am directed to this page:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''First Name', 'Last Name', 'Age') VALUES ('Robert','Maxwell','18')' at line 1

Change
$sql= "INSERT INTO Test ('First Name', 'Last Name', 'Age')
for
$sql= "INSERT INTO Test (`First Name`, `Last Name`, `Age`)
;-)

Your query is incorrect, you won't have spaces in your column tables - they must be camel case (FirstName) or underscore (first_name)
$sql= "INSERT INTO Test (`First_Name`, `Last_Name`, `Age`)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
or
$sql= "INSERT INTO Test (`FirstName`, `LastName`, `Age`)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
NB: Do NOT use in production, your queries are exposed. Look into protecting your queries against SQL injection.

Related

PHP - Add form input into database

I'm trying to add revived form input into database.
<form action="index.php" method="post">
<input type="text" name="firstname" id="firstname">
<br>
<input type="text" name="lastname" id="lastname">
<br>
<input type="submit" name="submit" value="Submit">
</form>
<?php
if(isset($_POST['submit'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$query = "INSERT INTO users (firstname, lastname) VALUES ($firstname, $lastname)";
if($conn->query($query) === true) {
echo "added";
}else {
echo $conn->error;
}
}
?>
Example : Firstname = Jason / Lastname = Haw
After clicking on the submit button, I see the error message: Unknown column 'Jason' in 'field list'
Where is the wrong thing to do?
$query = "INSERT INTO users (firstname, lastname) VALUES ('$firstname', '$lastname')";
Put single quotes around $firstname.
But this is not a proper approach; you should use a prepared statement.
Your query is at risk of SQL injection, because the input is not escaped.

Error when trying to Inserting into data into the database. Simple form

I'm new to PHP. I have put together a simple form to input data into a database, but the data doesn't seem to be inserting into the database. I've been trying to get it working all day.
It shows the error "Error to Inserting into database" at the end of the code.
html
<div id="wrapper">
<section id="top_area">
<article class="box-right">
<form action="script/data.php" method="post">
<p>
<label>Company Name:</label>
<input name="company_name" required="required" placeholder="Joes Cleaners" type="text">
</p>
<p>
<label>Ref:</label>
<input name="ref_num" required="required" placeholder="D123" type="text">
</p>
<p>
<label>Website:</label>
<input name="website" required="required" placeholder="joescleaner.co.uk" type="text">
</p>
<p>
<label>Email:</label>
<input name="email" required="required" placeholder="joescleanersm#gmail.com" type="email">
</p>
<p>
<label>Telephone:</label>
<input name="tel" required="required" placeholder="0712345678" type="number">
</p>
<p>
<label>Message:</label>
<input name="message" required="required" placeholder="hello" type="text">
</p>
<p>
<input value="Submit" type="submit">
</p>
</form>
</article>
</section>
</div>
PHP
<?php
$db_hostname = 'localhost';
$db_database = 'form';
$db_username = 'user';
$db_password = 'password';
// Connect to server.
$db_server = mysql_connect($db_hostname, $db_username, $db_password)
or die("Unable to connect to MySQL: " . mysql_error());
// Select the database.
mysql_select_db($db_database)
or die("Unable to select database: " . mysql_error());
// Select the database.
mysql_select_db("form")
or die("Unable to select database: " . mysql_error());
// Get values from form
$company_name = $_POST['company_name'];
$ref_num = $_POST['ref_num'];
$website = $_POST['website'];
$email = $_POST['email'];
$tel = $_POST['tel'];
$message = $_POST['message'];
// Insert data into mysql
$sql="INSERT INTO users (company_name, ref_num, website, email, tel, message)
VALUES ('$company_name', '$ref_num', '$website', '$email', $tel, $message, NOW())";
$result = mysql_query($sql);
// if successfully insert data into database, displays message "Successful".
if($result){
header('Location: ../thankyou.php');
}
else {
echo "Error to Inserting into database";
}
// close mysql
mysql_close();
?>
You should start using PDO for DB access; mysql_query is deprecated.
PDO lets you make prepared statements. These are secured against SQL injections (your code isn't).
$stmt = $dbh->prepare("INSERT INTO users (company_name, ref_num, website, email, tel, message) VALUES (:company_name, :ref_num, :website, :email, :tel, :message, NOW())");
$stmt->bindParam(':company_name', $company_name);
$stmt->bindParam(':ref_num', $ref_num);
// And bind the remaining parameters
[...]
$stmt->execute();
If this fails, you can get detailed information by running
print_r($stmt->errorInfo());
That should help you with finding errors in your SQL.
$dbh is a new PDO instance (see PDO::__construct)
In your query you are trying to insert more values than columns.
Your query is:
$sql="INSERT INTO users (company_name, ref_num, website, email, tel, message) VALUES ('$company_name', '$ref_num', '$website', '$email', $tel, $message, NOW())"
Either remove the NOW() data or add another column for the NOW() data.
You can also try the query below.
$sql="INSERT INTO users (company_name, ref_num, website, email, tel, message) VALUES ('$company_name', '$ref_num', '$website', '$email', $tel, '$message')";
Once you have fixed the column errors as Programming Student says, you should modify your mysql_query command:
it needs the db connection you opened before.
Try this:
$result = mysql_query($sql, $db_server);
Why not try object-oriented syntax?
if ($db_server->query($sql) === TRUE) {
header('Location: ../thankyou.php');
} else {
echo "Error: " . $db_server->error;
}

Syntax Error mySQL Adding to DB from PHP Form

So I'm trying to allow a form to add data to a mySQL table. I have this form
<form name="addBook" action="addBook.php" method="post" >
ISBN: <input type="text" name="isbn"><br />
Name: <input type="text" name="name"><br />
Edition: <input type="text" name="edition"><br />
Author: <input type="text" name="author"><br />
Class: <input type="text" name="class"><br />
Department: <input type="text" name="department"><br />
Condition: <input type="text" name="condition"><br /><br />
<input type="submit" value="Add Book">
</form>
Where addBook.php is...
<?php
$con=mysqli_connect("cclloyd.com","cclloyd","","Inventory");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$isbn = mysqli_real_escape_string($con, $_POST['isbn']);
$name = mysqli_real_escape_string($con, $_POST['name']);
$edition = mysqli_real_escape_string($con, $_POST['edition']);
$author = mysqli_real_escape_string($con, $_POST['author']);
$class = mysqli_real_escape_string($con, $_POST['class']);
$department = mysqli_real_escape_string($con, $_POST['department']);
$condition = mysqli_real_escape_string($con, $_POST['condition']);
$sql="INSERT INTO Books (isbn, name, edition, author, class, department, condition)
VALUES ('$isbn', '$name', '$edition', '$author', '$class', '$department', '$condition')";
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
mysqli_close($con);
header('Location: http://umassd.cclloyd.com/bookadded.php' ) ;
?>
And when I execute it, I get this error.
"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'condition) VALUES ('l', 'lk', 'l', 'k', 'j', 'h', 'h')' at line 1"
Where those were just random things I put in to fill the form. Where is the error? I looked online a lot and they all say to enter it like I have it.
condition is a reserved word in MySQL. Check the reserved words here
Put the word in quotes.
Please use this
$sql="INSERT INTO Books (`isbn`, `name`, `edition`, `author`, `class`, `department`, `condition`)
VALUES ('$isbn', '$name', '$edition', '$author', '$class', '$department', '$condition')";

MySQL Error: Unknown column 'd' in 'field list'

I'm working from the W3Schools tutorial for MySQL and it seems either some of the code is outdated or I'm just missing something utterly stupid. In trying to pass on information to a database, I get this error:
Error: Unknown column 'd' in 'field list'
I'm attempting to pass info on from a form submission that then links to this page, where it grabs the info the user enters to create a new entry into the database.
Here is the code for the form submission.
<html>
<body>
<form action="3ainsert.php" method="post">
Firstname: <input type="text" name="firstname">
Lastname: <input type="text" name="lastname">
Age: <input type="text" name="age">
<input type="submit">
</form>
</body>
</html>
Here is the code for the other page:
<?php
$con=mysqli_connect();
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);
$sql="INSERT INTO persons (FirstName, LastName, Age)
VALUES ($firstname, $lastname, $age)";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
Your query isn't encasing the values in quotes:
$sql="INSERT INTO persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";
However please note that generally using prepared statements is preferred over directly inserting into a query.
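The prepared-statement approach that this answer and the earlier answers on this page recommend, as an added example that is not part of the original posts. The helper insertPerson() is hypothetical, and an in-memory SQLite database stands in for MySQL (an assumption, so the script runs without a server).

```php
<?php
declare(strict_types=1);

// Added example: insert the form fields with a prepared statement.
// insertPerson() is a hypothetical helper, not code from the page.
function insertPerson(PDO $pdo, array $post): int
{
    $first = trim((string)($post['firstname'] ?? ''));
    $last  = trim((string)($post['lastname'] ?? ''));
    // Age must be a whole number in a sane range; reject anything else.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($first === '' || $last === '' || $age === false) {
        throw new InvalidArgumentException('Invalid form input');
    }
    // Placeholders keep the SQL text fixed; values travel separately,
    // so the values need no quoting or escaping in the query string.
    $stmt = $pdo->prepare(
        'INSERT INTO persons (FirstName, LastName, Age)
         VALUES (:first, :last, :age)'
    );
    $stmt->bindValue(':first', $first, PDO::PARAM_STR);
    $stmt->bindValue(':last', $last, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// In-memory SQLite stands in for MySQL so the script runs offline.
// For MySQL use a DSN such as 'mysql:host=HOST;dbname=DB;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE persons (FirstName TEXT, LastName TEXT, Age INTEGER)');

// Constructed sample input; the apostrophe would break a concatenated query.
$samples = [
    ['firstname' => 'Robert', 'lastname' => 'Maxwell', 'age' => '18'],
    ['firstname' => 'Pat',    'lastname' => "O'Brien", 'age' => '41'],
    ['firstname' => 'Jason',  'lastname' => 'Haw',     'age' => 'abc'],
];
foreach ($samples as $post) {
    try {
        echo insertPerson($pdo, $post), " record added\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
echo $pdo->query('SELECT COUNT(*) FROM persons')->fetchColumn(), " rows stored\n";
```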

Wamp database doesn't update all fields

I am inserting data in my WAMP database from user input:
PHP
<?php
$con=mysqli_connect("127.0.0.1","beni","2155","visitbulgaria");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$forename = mysqli_real_escape_string($con,$_POST['Forename']);
$surname = mysqli_real_escape_string($con,$_POST['Surname']);
$email = mysqli_real_escape_string($con,$_POST['Email']);
$username = mysqli_real_escape_string ($con,$_POST['Username']);
$password = mysqli_real_escape_string ($con,$_POST['Password']);
$sql="INSERT INTO `customer`(`Forename`, `Surname`, `Email`, `Username`, `Password`)
VALUES ('$forename', '$surname', '$email', '$username', '$password')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
HTML
<html>
<body>
<form action="insert.php" method="post">
Firstname: <input type="text" name="Forename">
Lastname: <input type="text" name="Surname">
Email: <input type="text" name="Email">
username: <input type="text" name="Username">
pass: <input type="text" name="Password">
<input type="submit">
</form>
</body>
</html>
What happens here is that on submit it does work, but when I look at the database in phpMyAdmin it has only added the first three records (forename, surname and email), and then the username and password fields are left blank, and I have no idea how to fix that and why it is doing it.
