So I've been wrestling with this issue all day. I can't seem to post anything into my table and I'm not sure why.
I've got a form built that has all the values that are being transferred for the _POST. Any pointers would be great.
elseif ($request == 'POST') {
include 'header_post.php'; include 'topmain.php';
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$dlnum = $_POST['dlnum'];
$dob = $_POST['dob'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$phone = $_POST['phone'];
$height = $_POST['height'];
$weight = $_POST['weight'];
$hair = $_POST['hair'];
$eyes = $_POST['eyes'];
$ethnicity = $_POST['ethnicity'];
}
$query3 = "insert into ".$db_prefix."customer_det (fname, lname, dlnum, dob, address, city, state, zip, phone, height, weight, hair, eyes, ethnicity)
values ('".$fname."', '".$lname."', '".$dlnum."', '".$dob."', '".$address."', '".$city."', '".$state."',
'".$zip."', '".$phone."', '".$height."', '".$weight."', '".$hair."', '".$eyes."', '".$ethnicity."')";
Using MySQL connection in PHP:
mysql_connect('DB_HOST','DB_USER','DB_PASS');
#mysql_select_db('DB_NAME');
$query='insert into ...';
mysql_query($query);
But your query is prone to SQL injections, and you are advised to use MySQLi extension.
$mysql = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$query = 'insert into customer_det (
fname,
lname,
dlnum,
.......
) values (?,?,?,....,?)';
$statement = $mysql->prepare($query);
$statement->bind_param('sss...', //How many ever fields are there, those many sssss. For Integer use i. s is for string fields. Example ssssisssi....
$fname,
$lname,
$dlnum,
.....);
$statement->execute();
$statement->close();
$mysql->close();
you should use mysql_query :
$query3 = mysql_query("insert..");
you should also add this before $fname = $_POST['fname']; to prevent the query at page load :
if(isset($_POST['fname'])){
$fname = $_POST['fname'];
....
$query3 = mysql_query("insert..");
}
You are not performing query
use $result=mysql_query($query3);
There must be a query called.
use mysql_query();
As mentioned above, any variable using user inputted text that is stored in a database should be contained within the mysql_real_escape_string() to prevent SQL Injection.
Related
Here is my main PHP code:
<?php
define('dbServer', 'localhost');
$dbUsername = 'root';
$dbPassword = '';
define('dbName', '1');
$dbConnection = mysqli_connect(dbServer, $dbUsername, $dbPassword, dbName);
if(!$dbConnection){
die("Unsuccessful Connection: " . mysqli_connect_error());
}
// All user data will be taken from the form //
$emailAddress = $_POST['emailaddress'];
$firstName = $_POST['firstname'];
$lastName = $_POST['lastname'];
$streetAddress = $_POST['streetaddress'];
$phoneNumber = $_POST['phonenumber'];
$comments = $_POST['comments'];
$sql = "INSERT INTO user-submission (email, firstName, lastName, address, phoneNumber, comment) VALUES ('$emailAddress', '$firstName', '$lastName', '$streetAddress', '$phoneNumber', '$comments')";
$result = mysqli_query($dbConnection, $sql);
if (!$result){
die('Error: ' . mysqli_connect_error());
}
?>
My SQL database contains the rows ID, email, firstName, lastName, address, phoneNumber, comment. They are in a database called '1' (for testing purposes) and a table called 'user-submission'.
I have been unable to query this information into my table. I have been successful prior to this on other SQL and PHP pairings. What am I doing wrong this time?
Add this right below the opening php tag at the top then the server will tell you what the error is. Copy the error here if you need help decyfering
error_reporting( E_ALL );
First you need to make changes so hackers don't abuse your code.
Just wait till johnny;drop tables; comes by and wipes out your database.
// All user data will be taken from the form //
$emailAddress = mysqli_real_escape_string($dbConnections,$_POST['emailaddress']);
$firstName = mysqli_real_escape_string($dbConnections,$_POST['firstname']);
$lastName = mysqli_real_escape_string($dbConnections,$_POST['lastname']);
$streetAddress = mysqli_real_escape_string($dbConnections,$_POST['streetaddress']);
$phoneNumber = mysqli_real_escape_string($dbConnections,$_POST['phonenumber']);
$comments = mysqli_real_escape_string($dbConnections,$_POST['comments']);
$sql = "INSERT INTO `user-submission` (email, firstName, lastName, address, phoneNumber, comment) VALUES (?,?,?,?,?,?)";
$prep=$dbConnections->prepare($sql);
$prep->bind_param("ssssss",$emailAddress,$firstName,$lastName,$streetAddress,$phoneNumber,$comments);
#actually puts everything together, and puts it in the database
$prep-execute();
I've created a simple login form. I'm not able to store user input values at the back-end. Here's the full code for your reference:
dp.php
<?php
$dbc = mysqli_connect('localhost', 'root', '', 'list') or trigger_error(mysqli_error());
$first_name = $_POST['firstname'];
$last_name = $_POST['lastname'];
$email = $_POST['email_id'];
$password = $_POST['password'];
$query = "INSERT INTO login_list (first_name, last_name, email,password) VALUES ('$first_name', '$last_name', '$email','$password')";
mysqli_query($dbc, $query) or trigger_error(mysqli_error($dbc));
echo 'login created';
mysqli_close($dbc);
?>
remove single quote from php variable
$query = "INSERT INTO login_list (first_name, last_name, email,password) VALUES
($first_name, $last_name, $email,$password)";
if your data contain string that will put in "" or ''
$query = "INSERT INTO login_list (first_name, last_name, email,password) VALUES
('".$first_name."','".$last_name."', '".$email."','".$password."')";
i hope this will solve your problem if $_POST get correct data . you have to concat string at that time
I hope this isn't a repeat question. I have searched all over to find an answer to no avail.
I want to insert into a row of a table. It sounds simple enough, but if the table is empty, it will not work. I can't figure out why. As long as there is one row in the table, it works fine. Any help is appreciated. Thanks.
My code:
<?php
$fname = $_POST['fname'];
$mi = $_POST['mi'];
$lname = $_POST['lname'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$add1 = $_POST['add1'];
$add2 = $_POST['add2'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$con = mysqli_connect("localhost","database_username","database_password","database");
$sql1 = "INSERT INTO employee (fname, mi, lname, phone, email, add1, add2, city, state, zip) VALUES ('$fname', '$mi', '$lname', '$phone', '$email', '$add1', '$add2', '$city', '$state', '$zip')";
mysqli_query($con,$sql1);
mysqli_close($con);
?>
Your code is correct but it may some times data have some special characters such as \ / ? etc. thus suggest you to change all variable of the code from
$fname = $_POST['fname'];
to
$fname = addslashes($_POST['fname']);
then try it it will be done
You are not escaping the values. If any value contains an apostrophe, your query will faile. Since they come from post you must use mysqli_real_escape_string.
use following execute to insert a row
mysqli_query($con,$sql1);
musqli_execute($sql1);
I made it work after many hours of trying everything I could think of to do... Ultimately, I ended up checking for an empty table first, and then re-creating the table if it was empty.
I'm not sure why this works, but this is my code... it's a bit inelegant, but I could find no better solution. I know that I have not escaped my values. I will later. For now, I simply wanted to solve this problem that I have been wracking my brain about for days.
<?php
$fname = $_POST['fname'];
$mi = $_POST['mi'];
$lname = $_POST['lname'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$add1 = $_POST['add1'];
$add2 = $_POST['add2'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$con = mysqli_connect("localhost","username","password","database");
if (!$con) {
die('Could not connect: ' . mysql_error());
}
$sql = 'CREATE TABLE employee'
. ' ('
. ' fname text,'
. ' mi varchar(1),'
. ' lname text,'
. ' email varchar(100),'
. ' phone varchar(15)'
. ' add1 varchar(100),'
. ' add2 varchar(100),'
. ' city varchar(100),'
. ' state varchar(25)'
. ' zip varchar(10),'
. ' );';
$sql1 = "INSERT INTO employee (fname, mi, lname, phone, email, add1, add2, city, state, zip,) VALUES ('$fname', '$mi', '$lname', '$phone', '$email','$add1', '$add2', '$city', '$state', '$zip')";
$sql2 = "SELECT * FROM employee";
$sql3 = mysqli_query($con,"SELECT count(*) FROM employee");
if ($sql3 == FALSE) {
trigger_error(mysql_error()." in ".$sql3);
exit();
}
else
{
$result = mysqli_fetch_array($sql3);
}
if($result[0] != 0)
{
mysqli_query($con,$sql1);
}
else
{
mysqli_query($con,$sql);
mysqli_query($con,$sql1);
}
mysqli_close($con);
?>
if variable is a string use '".$fname."' foreach variable in query
I am having a tough time figuring out how to write an if function in my code. I am trying to prevent my PHP form from allowing duplicates being submitted to my MySQL database. I am wanting to prevent a submission based on the email address being inputted into my form. Can someone guide me in the right direction? Thanks.
<?php
$dbc = mysqli_connect('n/a', 'n/a', 'n/a', 'n/a')
or die('Error connecting to MySQL server.');
$store_name = $_POST['storename'];
$full_name = $_POST['fullname'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$phone = $_POST['phone'];
$fax = $_POST['fax'];
$email = $_POST['email'];
$url = $_POST['url'];
$query = "INSERT INTO store_location (store_name, full_name, address, city, state, zip, phone, fax, email, url) VALUES ('$store_name', '$full_name', '$address', '$city', '$state', '$zip', '$phone', '$fax', '$email', '$url')";
mysqli_query($dbc, $query)
or die('Error querying database.');
echo 'New TeachPro store added.';
echo '<br/><br/>';
mysqli_close($dbc);
?>
You should use a unique key on the email column on your database table. Now, if you try to insert the same email address twice, the MySQL responds with an according error message. You may catch those error message and present a useful error message text to the user.
I used that approach for checking usernames:
try
{
/** #var $userInsertUpdateStmt PDOStatement */
$userInsertUpdateStmt->execute();
}
catch(PDOException $e)
{
if($e->errorInfo[1] == 1062)
{
/* username already used */
return User::ERR_USERNAME_ASSIGNED;
}
return User::ERR_SQL;
}
SELECT count(*) FORM ... WHERE store_name = ... OR full_name=...
If you have 0 rows as a result of this query, you're good to go.
Also, your query is vulnerable to SQL-injection (google that).
Have a simple registration form that is being linked to a php file in order to send the info to a database but everytime i try it the data isnt showing up in the phpMyAdmin database??
<?php
$name = $_POST['name'];
$address = $_POST['address'];
$number = $_POST['number'];
$email = $_POST['email'];
$details = $_POST['details'];
$user="root";
$password="secure";
$database="darrenweircharity";
mysql_connect("localhost",$user,$password);
#mysql_select_db($database) or die ("Unable to select database");
$query = "INSERT INTO registrationdetails(name, address, number, email, details)".
"VALUES('$name', '$address', '$number', '$email', '$details' NOW())";
mysql_query($query);
mysql_close();
?>
Please, don't use mysql_* functions in new code. They are no longer maintained and the deprecation process has begun on it. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
Try with:
$query = "INSERT INTO registrationdetails(name, address, number, email, details)".
"VALUES('" . $name . "', '" . $address . "', '" . $number . "', '" . $email . "', '" . $details . "');";
You have NOW() at the end of the query that shouldn't be there.
Also note that your code has an SQL injection vulnerability (see mysql_real_escape_string()), I suggest you to prepare queries via PDO.
protect from possible SQL injection:
$name = mysql_real_escape_string($name);
$address = mysql_real_escape_string($address);
$number = mysql_real_escape_string($number);
$email = mysql_real_escape_string($email);
$details = mysql_real_escape_string($details);
replace with:
$query = "
INSERT INTO registrationdetails (`name`, `address`, `number`, `email`, `details`)
VALUES ('$name', '$address', '$number', '$email', '$details')");
$query = "
INSERT INTO registrationdetails (name, address, number, email, details, date_time)
VALUES ('{$name}', '{$address}', '{$number}', '{$email}', '{$details}', NOW())
";
Replace the date_time with your column_name. And remember to escape all submitted values with mysql_real_escape_string before inserting them into the database.