Inserting data from html to php to mysql database - php

I have done my research but have found nothing specific enough to my problem.
I have an HTML form asking for data, then a PHP script that is supposed to put the data in a MySQL database.
When I try it on my localhost, I don't get any errors,
but when I check in phpMyAdmin, there is no new data.
The HTML:
<html>
<head>
<form action="insert.php" method="post">
ID: <input type="text" name="ID"><br>
Family ID: <input type="text" name="Family_ID"><br>
First Name: <input type="text" name="First_Name"><br>
Last Name: <input type="text" name="Last_Name"><br>
Gender: <input type="text" name="Gender"><br>
Birthday: <input type="text" name="Birthday"><br>
Birthplace: <input type="text" name="Birthplace"><br>
Father ID: <input type="text" name="Father_ID"><br>
Mother ID: <input type="text" name="Mother_ID"><br>
Maiden Name: <input type="text" name="Maiden_Name"><br>
Mariage ID: <input type="text" name="Mariage_ID"><br>
Deathdate: <input type="text" name="Deathdate"><br>
Deathplace: <input type="text" name="Deathplace"><br>
Grave Location: <input type="text" name="Grave_Location"><br>
Email: <input type="text" name="Email"><br>
Phone: <input type="text" name="Phone"><br>
Address: <input type="text" name="Adress"><br>
Bio: <input type="text" name="Bio"><br>
Studies: <input type="text" name="Travail"><br>
Travail: <input type="text" name="Travail"><br>
Photo: <input type="text" name="Photo"><br>
Fete: <input type="text" name="Fete"><br>
<input type="Submit">
</form>
</head>
<body>
</body>
</html>
the php:
$username='root';
$password='121395';
$database='genealogy';
mysql_connect("localhost",$username,$password);
#mysql_select_db($database) or die( 'Unable to select database');
echo "Connected to MySQL";
$ID=mysql_real_escape_string($_POST['ID']);
$Family_ID=mysql_real_escape_string($_POST['Family_ID']);
$First_Name=mysql_real_escape_string($_POST['First_Name']);
$Last_Name=mysql_real_escape_string($_POST['Last_Name']);
$Gender=mysql_real_escape_string($_POST['Gender']);
$Birthday=mysql_real_escape_string($_POST['Birthday']);
$Birthplace=mysql_real_escape_string($_POST['Birthplace']);
$Father_ID=mysql_real_escape_string($_POST['Father_ID']);
$Mother_ID=mysql_real_escape_string($_POST['Mother_ID']);
$Maiden_Name=mysql_real_escape_string($_POST['Maiden_Name']);
$Mariage_ID=mysql_real_escape_string($_POST['Mariage_ID']);
$Deathdate=mysql_real_escape_string($_POST['Deathdate']);
$Deathplace=mysql_real_escape_string($_POST['Deathplace']);
$Grave_Location=mysql_real_escape_string($_POST['Grave_Location']);
$Email=mysql_real_escape_string($_POST['Email']);
$Phone=mysql_real_escape_string($_POST['Phone']);
$Address=mysql_real_escape_string($_POST['Adress']);
$Bio=mysql_real_escape_string($_POST['Bio']);
$Travail=mysql_real_escape_string($_POST['Travail']);
$Photo=mysql_real_escape_string($_POST['Photo']);
$Fete=mysql_real_escape_string($_POST['Fete']);
$query = "INSERT INTO bouan (ID, Family_ID, First_Name, Last_Name, Gender, Birthday,
Birthplace, Father_ID, Mother_ID, Maiden_Name, Mariage_ID,Deathdate, Deatchplace,
Grave_Location, Email, Phone, Adress, Bio, Travail, Photo, Fete) VALUES
('$ID','$Family_ID','$First_Name','$Last_Name','$Gender','$Birthday','$Birthplace',
'$Father_ID','$Mother_ID','$Maiden_Name','$Mariage_ID','$Deathdate','$Deathplace',
'$Grave_Location','$Email','$Phone','$Address','$Bio','$Travail','$Photo','$Fete')";
mysql_query($query) or die ("Error updating database");
mysql_error();
mysql_close();
All I get in return is:
Connected to MySQLError updating database
What's wrong? (I HAVE done my research, over 2 days FYI)
I'm sorry that I'm new to this, can't help it.

You should probably:
- provide mysql_query with the real query
- sanitize data before feeding it to sql
- use {$_POST['whatever']} when you want to embed it into a string
- check the return value of mysql_query
- learn a thing or two.

Your first approach looks fine, but for security reasons fetch the posted variables like below:
$ID=mysql_real_escape_string($_POST['ID']);
The mysql_real_escape_string() method will remove the unwanted characters and make it secure.
At the end, try to print the query which you are executing using an echo or print statement.
echo $query;
Execute the result in your phpMyAdmin. phpMyAdmin will let you know what the errors in your MySQL query are, and following those instructions you can change your query.
Debugging can be done by printing the results after each line execution wherever you feel something is going wrong.

Use mysql_error() to receive the last error. Also, I see a potential bug in your query:
'`$ID`','`$Family_ID`','`$First_Name`' -- you may try to remove ` sign

Try to do these 2 things. First, add a value attribute to all your input elements,
e.g.
<input type="text" name="Family_ID" value="">
because it will not get into the $_POST variable if you send a blank value in the text box with no value attribute.
Second, try to add field names so that you can map them to the values, and remove ` from your fields and values.

Related

I am trying to insert form data into a database but it gives an error (undefined index: name and fname)

This is my HTML code. I have checked it multiple times but it is still not working.
<form action="insert.php" method="POST">
<input type="text" name="name"><br>
<input type="text" name="fname"><br>
<input type="submit" name=""><br>
</form>
This is my PHP code. I think the code is correct but I don't know why it's not working.
<?php
//include("php\DB.php");
$connection=new mysqli("localhost","root","","sms");
if($connection){
echo "Connected";
}else{echo "Sorry";}
$username=$_POST["name"];
$fname=$_POST["fname"];
$query="INSERT INTO student(name,fname)VALUES('".$username."','".$fname."')";
$connection->query($query);
?>
According to my little knowledge, please put spaces in the insert statement:
insert into student(name,fname) values('$username','$fname');

PHP and mySQL not working

PHP CODE :
<?php
// Create connection
$con=mysqli_connect("localhost","root","root","demo1");
echo "Connection was successful";
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysql_select_db("demo1",$con);
$sqli="INSERT INTO employee (Employee ID,NAME,Date Hired,Position,Salary,Department Code,Can HIRE,BOSSID)
VALUES('$_POST[EMPID]','$_POST[NAME]','$_POST[DATEHIRED]','$_POST[POSITION]','$_POST[SALARY]','$_POST[D EPTCODE]','$_POST[CANHIRE]','$_POST[BOSSID]')";
if (!mysqli_query($con,$sqli))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
HTML CODE
<!DOCTYPE html>
<html>
<body>
<h1> EMPLOYEE </h1><br>
<form action="LAB5.php" method="post">
Employee ID: <input type="text" name="EMPID" ><br>
NAME: <input type="text" name="NAME" ><br>
Date Hired <input type="text" name="DATEHIRED" ><br>
Position: <input type="text" name="POSITION" ><br>
Salary: <input type="text" name="SALARY" ><br>
Department Code: <input type="text" name="DEPTCODE" ><br>
Can HIRE <input type="text" name="CANHIRE" ><br>
BOSSID: <input type="text" name="BOSSID" ><br>
<input type="image" src="Submit.gif" alt="Submit" width="100" height="50"><br>
</body>
</html>
ERROR MESSAGE:
Connection was successfulError: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near 'ID, NAME, Date Hired, Position, Salary, Department Code, Can HIRE, BOSSID) VALU' at line 1
Table Screenshot : http://tinypic.com/r/vni4bc/8
Fields can't have spaces like Employee ID, double check the db table column names.
Also, your code is susceptible to SQL Injection. You should escape any user input that is going to be used in a SQL query. Try wrapping mysql_escape_string($_POST['value']) around all $_POST, $_GET, and $_REQUEST input.
You've mixed your code with MySQL and MySQLi. I've made your code into MySQLi only. And please avoid using (spaces) in your Column name. And you can prevent some SQL injection using mysqli_real_escape_string:
LAB5.php:
<?php
/* CHECK CONNECTION */
$connection=mysqli_connect("localhost","root","root","demo1");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$empID=mysqli_real_escape_string($connection,$_POST['EMPID']);
$name=mysqli_real_escape_string($connection,$_POST['NAME']);
$datehired=mysqli_real_escape_string($connection,$_POST['DATEHIRED']);
$position=mysqli_real_escape_string($connection,$_POST['POSITION']);
$salary=mysqli_real_escape_string($connection,$_POST['SALARY']);
$deptcode=mysqli_real_escape_string($connection,$_POST['DEPTCODE']);
$canhire=mysqli_real_escape_string($connection,$_POST['CANHIRE']);
$bossID=mysqli_real_escape_string($connection,$_POST['BOSSID']);
/* MYSQLI REAL ESCAPE STRING WOULD PREVENT A BIT OF SQL INJECTION */
/* DOUBLE CHECK YOUR COLUMN NAMES */
mysqli_query($connection,"INSERT INTO employee (EMPID, NAME, DATEHIRED, POSITION, SALARY, DEPTCODE, CANHIRE, BOSSID)
VALUES('$empID','$name','$datehired','$position','$salary','$deptcode','$canhire','$bossID')");
mysqli_close($connection);
?>
Your HTML code:
<html>
<body>
<h1> EMPLOYEE </h1><br>
<form action="LAB5.php" method="post">
Employee ID: <input type="text" name="EMPID" ><br>
Name: <input type="text" name="NAME" ><br>
Date Hired <input type="date" name="DATEHIRED" ><br>
Position: <input type="text" name="POSITION" ><br>
Salary: <input type="number" name="SALARY" ><br>
Department Code: <input type="text" name="DEPTCODE" ><br>
Can HIRE <input type="text" name="CANHIRE" ><br>
BOSSID: <input type="text" name="BOSSID" ><br>
<input type='submit'>
</form>
</body>
</html>
use mysqli why "mysql_select_db"? mysqli will be:
bool mysqli_select_db ( mysqli $link , string $dbname )
You should switch to prepared statements to get rid of the sql injection problem that you have now.
Also, if your field- or table-names contain spaces, you need to enclose them in backticks:
INSERT INTO employee (`Employee ID`,NAME, ....
And you cannot mix mysqli_* with mysql_* functions like that, stick to mysqli_*.
You're mixing the database object up.
mysql_select_db("demo1",$con);
Should be
mysqli_select_db($con, "demo1");
This line:
$sqli="INSERT INTO employee (Employee ID, NAME, Date Hired, Position,Salary, Department Code, Can HIRE ,BOSSID)
VALUES('$_POST[EMPID]','$_POST[NAME]','$_POST[DATEHIRED]','$_POST[POSITION]','$_POST[SALARY]','$_POST[D EPTCODE]','$_POST[CANHIRE]','$_POST[BOSSID]')";
is also a major security risk, since you don't appear to be escaping the data you're inserting into the database.
Have a look at prepared statements
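The prepared-statement approach these answers point to, as an added example that is not part of the original thread. It assumes PDO with the pdo_sqlite driver, using an in-memory SQLite database in place of MySQL so it runs without a server; the four-column employee table, the insertEmployee() helper and the sample input are constructed for illustration.

```php
<?php
// Added example: parameterized INSERT for the employee form discussed above.
// Assumption: in-memory SQLite stands in for MySQL. For MySQL, use a DSN such as
// 'mysql:host=localhost;dbname=demo1;charset=utf8mb4' plus your own credentials.
$pdo = new PDO('sqlite::memory:');
// Throw exceptions on SQL errors, so a failed INSERT is never silent.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column names without spaces, as the answers recommend (constructed schema).
$pdo->exec('CREATE TABLE employee (
    EMPID INTEGER PRIMARY KEY,
    NAME TEXT NOT NULL,
    POSITION TEXT NOT NULL,
    SALARY INTEGER NOT NULL
)');

/** Validate the posted fields and insert them through a prepared statement. */
function insertEmployee(PDO $pdo, array $post): int
{
    // Reject missing or empty fields instead of reading undefined indexes.
    foreach (['EMPID', 'NAME', 'POSITION', 'SALARY'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    // Numeric columns must contain digits only.
    foreach (['EMPID', 'SALARY'] as $field) {
        if (!ctype_digit($post[$field])) {
            throw new InvalidArgumentException("Not a whole number: $field");
        }
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO employee (EMPID, NAME, POSITION, SALARY)
         VALUES (:empid, :name, :position, :salary)'
    );
    $stmt->execute([
        ':empid'    => (int) $post['EMPID'],
        ':name'     => $post['NAME'],
        ':position' => $post['POSITION'],
        ':salary'   => (int) $post['SALARY'],
    ]);
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST; the apostrophe in NAME
// would break a query built by string concatenation.
$post = ['EMPID' => '7', 'NAME' => "O'Brien", 'POSITION' => 'Clerk', 'SALARY' => '42000'];
echo insertEmployee($pdo, $post), " row inserted\n";

// Read the row back and compare: the value was stored as data, not parsed as SQL.
$stored = $pdo->query('SELECT NAME FROM employee WHERE EMPID = 7')->fetchColumn();
var_dump($stored === $post['NAME']);
```

With mysqli, the same pattern is written with mysqli_prepare(), mysqli_stmt_bind_param() and mysqli_stmt_execute().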

Updating a Row in PostgreSQL with PHP

I was wondering what the syntax was in PHP to update a row in a PostgreSQL database. I have made a login page that checks a UserName and Password from a database, then it goes to a page where it displays all the user info from the database for that user name. I am trying to allow the user to change some of the columns, like password, name, etc. So I added another page that has fields for each of the columns I want to change.
This is the code I have for the query:
if(array_key_exists('save',$_POST))
{
$firstname=$_POST['ifirstname'];
$lastname=$_POST['ilastname'];
$email=$_POST['iemail'];
$password=$_POST['ipassword'];
$conn_string='host=#### port=#### dbname=###### user=####### password=######';
$dbconn=pg_connect($conn_string) or die('Connection failed');
$query="UPDATE project.customer SET FirstName='$firstname',
LastName='$lastname',Email='$email',Password='$password')
WHERE UserName=$1";
$result=pg_query($dbconn,$query);
$row_count= pg_num_rows($result);
pg_free_result($result);
pg_close($dbconn);
}
This is for the fields:
<div id="header">UPDATE USER INFO</div>
<form id="testform" name="testform" method="post" action="" >
<p> <label for="ifirstname">First Name:</label>
<input name="ifirstname" type="text" id="ifirstname"/>
</p>
<p> <label for="ilastname">Last Name:</label>
<input name="ilastname" type="text" id="ilastname"/>
</p>
<p> <label for="iemail">E-Mail:</label>
<input name="iemail" type="text" id="iemail"/>
</p>
<p>
<label for="ipassword">Password:</label>
<input name="ipassword" type="password" id="ipassword"/>
</p>
<p>
<label for="iconfpass">Confirm Password:</label>
<input name="iconfpass" type="password" id="iconfpass"/>
</p>
<p>
<input type="submit" name="save" value="Register"/>
</p>
</form>
I think it must be like this. Also make the user enter the old password when changing data, for security reasons. Also, don't forget to filter your data before using it in a query to avoid SQL injection attacks.
$query="UPDATE project.customer
SET (FirstName,LastName,Email,Password) =
('$firstname','$lastname','$email','$password')
WHERE UserName= '$1' and Password = '$oldpassword'";
Why not just use standard SQL syntax?
Update project.customer Set
"FirstName" = '$firstname',
...
Where ...
The main difference in Postgres is that you usually quote the column names.

php mysql INSERT INTO mysql by using register form

I am a PHP beginner and I am trying to make an e-commerce site using PHP.
I am trying to make a register form and I want to save the data into a MySQL server.
The code looks OK, but the data is not stored in the MySQL server.
Could you give me an answer for this? This is my first time with the PHP language, which is why I am struggling. Please give some advice. Thanks.
--registerForm.php--
<h4>Create a new account</h4>
<div class="box">
<form action="register.php" method="post">
<p>User ID: <input type="text" name="userId" size="30"/>*</p>
<p>Password: <input type="password" name="password" size="30"/>*</p>
<p>Retype Password: <input type="password" name="repassword" size="30"/>*</p>
<p>First Name: <input type="text" name="firstName" size="30"/>*</p>
<p>Last Name: <input type="text" name="lastName" size="30"/>*</p>
<p>Your Address (*):</p>
<p> <textarea name="address" rows="5" cols="30"></textarea></p>
<p>Phone: <input type="text" name="phone" size="20"/>*</p>
<p>E-mail: <input type="text" name="email" size="21"/>*</p>
<p><input type="submit" value="Create Account"/></p>
</form>
</div>
--register.php--
<?php
require "sql_connection.php";
if(isset($_POST['submit']))
{
if($_GET["userId"]==$_GET["repassword"]){
mysql_query("insert into customer (userId, password, firstName, lastName, address,
phone, email)
values
('$_GET[userId]','$_GET[password]','$_GET[firstName]','$_GET[lastName]','$_GET[address]','$_GET[phone]','$_GET[email]')")
or die(mysql_error());
}
echo "Done!!!!";
}
?>
--sql_connection.php--
<?php
$db_host = "localhost";
$db_username = "root";
$db_pass = "**MY_PASS**";
$db_name = "**MY_DB**";
#mysql_connect("$db_host", "$db_username", "$db_pass", "$db_name") or die("connection is fail.");
#mysql_select_db("$db_name") or die("database does not exsist.");
echo "Successfully connection!!";
?>
if($_GET["userId"]==$_GET["repassword"])
Why do you compare userid to a retype password field?
I think it should be :
if($_GET["password"]==$_GET["repassword"])
Also make sure you escape strings to prevent SQL Injection Attacks.
http://php.net/manual/en/function.mysql-real-escape-string.php
And Like Paul said, to correctly retrieve the data use $_POST
A few things. Your $_GET and $_POST are mixed up, and NEVER post your db_pass and username in public. Also, you're suppressing errors using #. Don't do that.
i.e.
if($_GET["userId"]==$_GET["repassword"]){
should be
if($_POST["userId"]==$_POST["repassword"]){
and change all these to $_POST
Your code:
$_GET[userId]','$_GET[password]','$_GET[firstName]','$_GET[lastName]','$_GET[address]','$_GET[phone]','$_GET[email]')
Should be:
$_POST[userId]','$_POST[password]','$_POST[firstName]','$_POST[lastName]','$_POST[address]','$_POST[phone]','$_POST[email]')"
As your form method defined is POST so use $_POST to get values after submit instead of $_GET
<?php
require "sql_connection.php";
if(isset($_POST['submit']))
{
if($_POST["userId"]==$_POST["repassword"]){
mysql_query("insert into customer (userId, password, firstName, lastName, address,
phone, email)
values
('$_POST[userId]','$_POST[password]','$_POST[firstName]','$_POST[lastName]','$_POST[address]','$_POST[phone]','$_POST[email]')")
or die(mysql_error());
}
echo "Done!!!!";
}
?>
Values are not quoted properly. You should quote them before insert.
mysql_query("insert into customer (userId, password, firstName, lastName, address,
phone, email)
values
('".$_POST['userId']."','".$_POST['password']."','".$_POST['firstName']."','".$_POST['lastName']."','".$_POST['address']."','".$_POST['phone']."','".$_POST['email']."')");
I think that what you are trying to do is:
if($_GET["password"]==$_GET["repassword"]) {

Customized User Registration Form

I have made a user-register.tpl.php file, and I have set many text fields in it.
But now I want to store the users' information in the database. Because I have created a customized registration page, I need my text field values to be stored in the database.
Like this:
Username: <input type="text" name="myuser" id="myuser" />
Now I want to store the username which will be entered in this myuser text field.
NitishPanchjanya Corporation
<form action="index.php" method="post" name="acc_info_form">
Username: <input type="text" name="myuser" id="myuser" /><br/>
First Name: <input type="text" name="name" id="name" /><br/>
<input type="submit" value="Save"/>
</form>
index.php
<?php
// Here you have to write the database connection, and then:
if ($_POST) {
    mysql_query("INSERT INTO users (myuser, name) VALUES('".$_POST['myuser']."','".$_POST['name']."')") or die(mysql_error());
}
?>
