My code just inserts some data into a MySQL database with PHP. All data are inserted, but two columns' data are not inserted. My code:

regi.php
// form design

 <html>
     <form action="regi_pp.php" method="post">
         Student Name <input name="st_name" type="text" id="st_name">
         Father's Name <input name="f_name" type="text" id="f_name">
         Mother's Name <input name="m_name" type="text" id="m_name">
         Faculty <input name="faculty" type="text" id="faculty">
         Department <input name="department" type="text" id="department">
         Session <input name="session" type="text" id="session">
         Dormitory <input name="dormitory" type="text" id="dormitory">
         Registration No <input name="regi_no" type="text" id="regi_no">
         Email <input name="email" type="text" id="email">
         pass: <input name="pass" type="password" id="pass">
         <input type="submit" name="Submit" value="Submit">
     </form>
 </html>

after submit ::

 <?php
     $st_name   = $_POST["st_name"];     // name
     $st_father = $_POST["f_name"];      // father's name
     $st_mother = $_POST["m_name"];      // mother's name
     $faculty   = $_POST["faculty"];     // faculty name
     $dept      = $_POST["department"];  // department name
     $session   = $_POST["session"];     // session
     $dormitory = $_POST["dormitory"];   // dormitory
     $regi_no   = $_POST["regi_no"];     // registration number
     $email     = $_POST["email"];       // email
     $pass      = $_POST["pass"];        // password

     $con = mysql_connect("localhost", "root", "");   // mysql connection

     mysql_select_db("ppp", $con);    // database selection

     // here all values are inserted, but '$regi_no' and '$email' are not inserted, and the '$pass' value is only inserted if it is a number
     mysql_query("INSERT INTO regf VALUES('$st_name','$st_father','$st_mother','$faculty','$dept','$session','$dormitory','$regi_no','$email','$pass')") or die(mysql_error());
     mysql_close($con);
 ?>
  • 3
    You have a SQL injection vulnerability. – SLaks Sep 14 '12 at 14:30
  • 3
    What happens when you print out your SQL statement and run it in the database? And your code is wide open for SQL injections, too - you should really look at using `PDO` or `mysqli_*` instead. – andrewsi Sep 14 '12 at 14:30
  • 3
    **Do not store passwords in plain text**. – SLaks Sep 14 '12 at 14:30
  • Show us your database layout (SQL Create). – Louis Huppenbauer Sep 14 '12 at 14:31
  • It prints the actual value that I wrote, but it doesn't insert it into the database – user1671652 Sep 14 '12 at 14:31
  • 2
    Did you ever meet [little bobby tables](http://xkcd.com/327/)? – vascowhite Sep 14 '12 at 14:31
  • Read about preventing SQL injection here: http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – Niklas Modess Sep 14 '12 at 14:32
  • Thanks, my problem is solved. I assigned regi_no and email as integer; now I assign them as varchar, and I hope it will work – user1671652 Sep 14 '12 at 14:34
  • Whatever you're doing here, **STOP** immediately and read up on how to use PDO or `mysqli` and proper SQL placeholders. What you're doing here is reckless and will lead to severe problems at some point in the future. It takes all of thirty minutes to absorb how to use `mysqli` correctly and it will save you from a whole world of hurt when someone uses a [SQL vulnerability exploit tool](http://sqlmap.org/) on your application. – tadman Sep 14 '12 at 15:15
  • What exactly are you trying to do? What is the question? – Malachi Sep 14 '12 at 21:34

1 Answer

1

What if, in the dormitory, I entered `Saint Philip Dormitory'); DROP TABLE regfs;--`? What do you think will happen?

Your code is prone to SQL injection. Use the PDO or MySQLi extensions instead.

Example of using PDO extension:

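<?php

    // Placeholder credentials: replace with your own database account
    $user = 'db_user';
    $pass = 'db_password';

    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    // Use real server-side prepared statements instead of client-side emulation
    $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
    // bindParam binds by reference, so the variables are read at execute() time
    $stmt->bindParam(1, $name);
    $stmt->bindParam(2, $value);

    // insert one row
    $name = 'one';
    $value = 1;
    $stmt->execute();

?>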

This will allow you to insert records with single quotes.

John Woo
  • Disappointed you didn't use your example dormitory in your sample code, but nice demonstration of PDO. – tadman Sep 14 '12 at 15:16
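
The registration insert from the question, rewritten with PDO placeholders and a hashed password and fed the dormitory value from the answer. This is an added example, not code from the question, the answer or the comments. It assumes PHP 5.5+ with the pdo_sqlite extension, uses an in-memory SQLite database in place of the MySQL database so it runs without a server, and the column names are hypothetical because the table layout is not shown on the page.

```php
<?php
// Added example (not from the question or the answer). Assumptions: in-memory
// SQLite replaces the MySQL database, and the column names are hypothetical.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Fixed column list: identifiers cannot be bound, so they never come from input.
$cols = ['st_name', 'f_name', 'm_name', 'faculty', 'department',
         'session', 'dormitory', 'regi_no', 'email', 'pass_hash'];

// regi_no and email are text columns, matching the asker's INT -> VARCHAR fix.
$dbh->exec('CREATE TABLE regf (' . implode(' TEXT, ', $cols) . ' TEXT)');

// Constructed sample input standing in for $_POST.
$input = [
    'st_name'    => "Miles O'Brien",
    'f_name'     => 'Michael',
    'm_name'     => 'Megan',
    'faculty'    => 'Engineering',
    'department' => 'CSE',
    'session'    => '2011-12',
    'dormitory'  => "Saint Philip Dormitory'); DROP TABLE regfs;--",
    'regi_no'    => '2011-331-042',
    'email'      => 'student@example.com',
    'pass'       => 'correct horse battery staple',
];

// Store a salted hash instead of the password itself.
$input['pass_hash'] = password_hash($input['pass'], PASSWORD_DEFAULT);
unset($input['pass']);

// One named placeholder per column: the statement text is constant, so a quote
// in the data cannot end the string literal and start a second statement.
$sql = 'INSERT INTO regf (' . implode(', ', $cols) . ') VALUES (:'
     . implode(', :', $cols) . ')';
$stmt = $dbh->prepare($sql);

$params = [];
foreach ($cols as $c) {
    $params[$c] = isset($input[$c]) ? (string) $input[$c] : '';
}
$stmt->execute($params);

// Read the row back and compare it with what was submitted.
$row = $dbh->query('SELECT dormitory, regi_no, pass_hash FROM regf')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['dormitory'] === $input['dormitory']);
var_dump($row['regi_no'] === '2011-331-042');
var_dump(password_verify('correct horse battery staple', $row['pass_hash']));
```

Against MySQL, change the DSN and credentials and keep `PDO::ATTR_EMULATE_PREPARES` set to `false` as in the answer above; at login, check the submitted password with `password_verify()` against the stored hash.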