Php: Inserting Values from the Form into MySQL

PHP: Inserting Values from the Form into MySQL

The following code just declares a string variable that contains a MySQL query:

$sql = "INSERT INTO users (username, password, email)
VALUES ('".$_POST["username"]."','".$_POST["password"]."','".$_POST["email"]."')";

It does not execute the query. In order to do that you need to use some functions but let me explain something else first.

NEVER TRUST USER INPUT: You should never append user input (such as form input from $_GET or $_POST) directly to your query. Someone can carefully manipulate the input in such a way so that it can cause great damage to your database. That's called SQL Injection. You can read more about it here

To protect your script from such an attack you must use Prepared Statements. More on prepared statements here

Include prepared statements to your code like this:

$sql = "INSERT INTO users (username, password, email)
VALUES (?,?,?)";

Notice how the ? are used as placeholders for the values. Next you should prepare the statement using mysqli_prepare:

$stmt = $mysqli->prepare($sql);

Then start binding the input variables to the prepared statement:

$stmt->bind_param("sss", $_POST['username'], $_POST['email'], $_POST['password']);

And finally execute the prepared statements. (This is where the actual insertion takes place)

$stmt->execute();

NOTE Although not part of the question, I strongly advice you to never store passwords in clear text. Instead you should use password_hash to store a hash of the password

Insert data into MySQL database from PHP form with (SELECT) and (INSERT INTO)

The error directly relates to the fact that there are the wrong amount of variables supplied for the SQL statement parameters. Alternatively, you are trying to update a column which does not exist in the table.

Check the column names match exactly with the supplied column names in the statement, and make sure you supply data only for columns which exist in the table.

Also, if you want PHP to interpolate values iinto variables within your SQL statement, you MUST use double quotes instead of single quotes for your SQL statement. PHP will only interpolate values into variables if you use double quotes.

Inserting HTML Form data into MySQL with PHP

Your HTML attribute syntax is incorrect. Its missing = sign between attribute and value.

Change name "name" to name="name" and name "title" to name="title"

<input type="text" name="name" id = "name"><br />
Title of Review:<br />
<input type="text" name="title" id = "title"><br />

Also during insert you aren't using escaped values.

Use $name instead of $_POST["name"] in insert query. Same goes for title and body values.

Insert Data to MySQL db from HTML form using PHP

Make sure all post values are getting correctly. You should make a condition check before inserting the data, For ex:

$id = isset($_POST['id']) ? $_POST['id'] : '';
$name = isset($_POST['name']) ? $_POST['name'] : '';
$year = isset($_POST['year']) ? $_POST['year'] : '';

if($id && $name && $year){
$sql = "INSERT INTO cars (id, name, year)
VALUES ($id, '$name', '$year')";
}else{
return "required fields are missing";
}

NB: Please post your html if possible.

Insert Form data to MySQL in Php

You're open to SQL injection. I recommend you to use prepared statement.

<?php
if(isset($_POST['create'])){
$chartType = $_POST['chartType'];
$apilink = $_POST['apilink'];
$conn = new mysqli("localhost", "root", "123456", "activiti_report");
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$stmt = $conn->prepare("INSERT INTO chartinfo (link, typeChart) VALUES (?,?)");
$stmt->bind_param("ss", $apilink, $chartType);
$stmt->execute();
$stmt->close();
$conn->close();
}else{
echo "Form not sended";
}

Insert form data into MySQL database table

Besides the other answer,

Firstly, this part of your query:

INSERT INTO test-table (id, name, lastname, radio, drop, check)

should read as

INSERT INTO `test-table` (id, name, lastname, radio, `drop`, `check`)

MySQL is interpreting your table as "test minus table". Use ticks, or rename it using an underscore test_table which is a safe seperator.

Then you're using two MySQL reserved words, "drop" and "check". Use ticks for those also.

Reference:

  • http://dev.mysql.com/doc/refman/5.6/en/keywords.html

See how MySQL is telling you where the syntax error begins?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'drop, check)

and it would have shown you another one after that being

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'check)

Just to clarify, you are mixing MySQL APIs with

mysql_query("INSERT ...

which those mysql_ functions do not intermix with your present method. Use the same from connection to query

mysqli_query($connect, "INSERT ...

and of course the fact that you're open to SQL injection. Use a prepared statement:

  • https://en.wikipedia.org/wiki/Prepared_statement

You should also check for empty fields against your POST arrays such as !empty().

Sidenote: If an apostrophe or any other character is to be inserted that MySQL will complain about, then you must escape them. Either way, you should.

Plus, remember to add exit; after header. Otherwise and if you have more code below that, it may want to continue and execute.

header("location: indextest1.php");
exit;

Inserting values into database that depends on other inputs in a PHP form

So you need to get the count from the Employees table added for a compagny this year.

A SQL query will do it :

SELECT COUNT(Emp_set_id) FROM Employees WHERE Emp_set_id LIKE "QWE2020%";

Php sample (not tested) :

$dbh = new PDO("_________");
$sth = $dbh->prepare('SELECT COUNT(Emp_set_id) as countEmployees FROM Employees WHERE Emp_set_id LIKE :clause;');
$sth->execute([':clause' => $compagnyChar . date('Y').'%']);
$countEmployees = $sth->fetchColumn();
$employeeId = $compagnyChar . date('Y') . str_pad($countEmployees +1, 2, '0', STR_PAD_LEFT);


Related Topics



Leave a reply



Submit