0
<!doctype html>
<html>
<head>
<title>Lab03</title>
</head>
<form id="signin" action="lab_03.php" method="post">
Name: <input type="text" name="name">
<br />
First Name: <input type="text" name="fn">
<br />
SID: <input type="text" name="sid">
<br />
Email Address: <input type="text" name="email">
<input type="submit" value="Submit">
</form>

<?php
include ("connection.php");

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ($POST_[name], $POST_[fn], $POST_[sid], $POST_[email]");



?>
<body>
</body>
</html>

I want to insert data to database via html form. But I don't want to make another file to insert data. The above code gives me the following error.

user3520573

7 Answers

4

Change your query part to this one:

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."',". $_POST['sid'].", '".$_POST['email']."')");
kimbarcelona
4

Your query should look like this:

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."',". $_POST['sid'].", '".$_POST['email']."')");
AyB
Ketan Lathiya
1

This is a good way to do it:

mysqli_query(
    $con,
    "INSERT INTO lab_03 (
        name, 
        fname, 
        sid, 
        email
    ) 
    VALUES (
        '{$_POST['name']}',
        '{$_POST['fn']}',
        '{$_POST['sid']}',
        '{$_POST['email']}'
    )"
);

To make sure it works, remove the single quotes around {$_POST['something']} if your field in the database is an integer (or anything else not requiring quotes).

Also, keep in mind that currently your code is vulnerable to SQL injections, since you're not sanitizing the input data. Take a look at this question to see how to prevent it.

Community
NorthBridge
1

Using this answer as a reference, I'd like to point out a major flaw in your code.

You need to put a check if your $_POST variable exists or not, else it'll still throw errors.

Put it like this:

if(isset($_POST['name'])) {
    mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."',". $_POST['sid'].", '".$_POST['email']."')");
}

Also, I suggest you call your PHP code before the form, cause that's the way to do it.

Community
Tzar
  • No idea why this was dv-ed, it's correct. Just that you should ask the OP to set a `name` attribute on the submit button because the textbox `name` may not be filled. – AyB Apr 23 '14 at 07:40
  • @ICanHasCheezburger Maybe someone dv-ed.. just so that his/her answer goes higher.. Well, textbox name may not be filled... but `isset` will still return true for it. – Tzar Apr 23 '14 at 08:31
1

Try this way, your error will not appear.

<!doctype html>
<html>
<head><title>Lab03</title></head>
<form id="signin" action="" method="post">
Name: <input type="text" name="name">
<br />
First Name: <input type="text" name="fn">
<br />
SID: <input type="text" name="sid">
<br />
Email Address: <input type="text" name="email">
<input type="submit" value="Submit">
</form>

<?php
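// $_POST is always set, even on a plain page load, so check the request method instead
if($_SERVER['REQUEST_METHOD'] === 'POST') {
include ("connection.php");
mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".$_POST['name']."', '".$_POST['fn']."', '".$_POST['sid']."', '".$_POST['email']."')");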
}


?>
<body>
</body>
</html>
Keyur Mistry
1

Try this:

<!doctype html>
<html>
<head>
  <title>Lab03</title>
</head>
<body>
  <form id="signin" action="" method="post">
    Name: <input type="text" name="name"><br />
    First Name: <input type="text" name="fn"><br />
    SID: <input type="text" name="sid"><br />
    Email Address: <input type="text" name="email">
    <input type="submit" value="Submit" name="submit">
  </form>
<?php
  if (isset($_POST['submit'])) {
    include ("connection.php");
    // mysqli_connect is the connection function; string values must be quoted in the SQL
    $con = mysqli_connect('server', 'user', 'password', 'db');
    if (mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES  ('{$_POST['name']}', '{$_POST['fn']}', {$_POST['sid']}, '{$_POST['email']}')") === true) {
      echo "OK, Query Success";
    }
  }

?>
</body>
</html>
train_fox
  • Although I'm not downvoting, your code clearly shows that "it goes on another page"; please correct the code with relation to the question asked. – Muhammad Ali Aug 28 '21 at 05:36
1

Put all your PHP code above the HTML, and you have used the wrong variable for getting POST values. It should be $_POST, not $POST_.

It is ideal to use mysqli_real_escape_string to escape special characters that may be in POST data values.

<?php
include ("connection.php");

mysqli_query($con,"INSERT INTO lab_03 (name, fname, sid, email) VALUES ('".mysqli_real_escape_string($con, $_POST['name'])."', '".mysqli_real_escape_string($con, $_POST['fn'])."', '".mysqli_real_escape_string($con, $_POST['sid'])."', '".mysqli_real_escape_string($con, $_POST['email'])."')");
?>
Lepanto
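
The SQL injection risk noted in NorthBridge's answer, and the escaping suggested in the last answer, are both addressed by a prepared statement, shown here on the same page as the form. This is an added example, not code from any poster in the thread; it assumes connection.php sets $con to a mysqli connection as in the question, and that sid is an integer column.

```php
<?php
// Added example, not from the original thread.
// Assumes connection.php sets $con to a mysqli connection, as in the question,
// and that lab_03.sid is an integer column (an assumption).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception
$errors = []; $saved = false;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read each field defensively: a missing or array-valued parameter becomes ''.
    $field = static function (string $key): string {
        $v = $_POST[$key] ?? '';
        return is_string($v) ? trim($v) : '';
    };
    $name  = $field('name');
    $fname = $field('fn');
    $sid   = filter_var($field('sid'), FILTER_VALIDATE_INT);
    $email = filter_var($field('email'), FILTER_VALIDATE_EMAIL);
    if ($name === '' || $fname === '') { $errors[] = 'Name and first name are required.'; }
    if ($sid === false)   { $errors[] = 'SID must be a whole number.'; }
    if ($email === false) { $errors[] = 'Email address is not valid.'; }
    if (!$errors) {
        require 'connection.php';
        // Placeholders keep the data out of the SQL text, so quotes in a name
        // (O'Brien) or crafted input cannot change the statement.
        $stmt = mysqli_prepare($con, 'INSERT INTO lab_03 (name, fname, sid, email) VALUES (?, ?, ?, ?)');
        mysqli_stmt_bind_param($stmt, 'ssis', $name, $fname, $sid, $email);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
        $saved = true;
    }
}
?>
<!doctype html>
<html>
<head><title>Lab03</title></head>
<body>
<?php foreach ($errors as $e): ?>
  <p><?= htmlspecialchars($e, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>
<?php if ($saved): ?><p>Saved.</p><?php endif; ?>
<form id="signin" action="" method="post">
  Name: <input type="text" name="name"><br />
  First Name: <input type="text" name="fn"><br />
  SID: <input type="text" name="sid"><br />
  Email Address: <input type="text" name="email">
  <input type="submit" value="Submit">
</form>
</body>
</html>
```

With placeholders, mysqli_real_escape_string is not needed for these values, and the bind type string 'ssis' sends sid as an integer.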