1

So I am trying to create a form that puts data in a table, and I got it to work, but when it goes to the table, it just creates empty rows. Here is my code, please help me out.

form.php

<form action="tableinsert.php" method="post">
    First Name:<input type="text" name="fname"> <br/>
    Last Name:<input type="text" name="lname"><br/>
    Username:<input type="text" name="uname"><br/>
    Password:<input type="text" name="password"><br/>
    Email:<input type="text" name="email"><br/>
</form>

tableinsert.php

<?php
$sc = mysqli_connect ("localhost" , "dbname" , "password");

if (mysqli_connect_errno())
{
    echo "Sorry, I couldn't connect to the database. If you keep getting this error, please email the webmaster at natashaharrell@hotmail.com " . mysqli_connect_error();
}

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ('$_POST[fname]' , '$_POST[lname]' , '$_POST[uname]' , '$_POST[password]' , '$_POST[email]' )";

if (!mysqli_query($sc, $si))
{
    echo "Sorry there seems to be a problem: " . mysqli_errno($sc) ;
}

else
{
    echo "1 record added.";
}

    mysqli_close($sc);

?>
  • 1
    don't put array elements in a string! `$si = "INSERT ...('$_POST[fname]'` should be `$si = "INSERT ...('{$_POST[fname]}'` or split them off `$si = "INSERT ...('".$_POST[fname]."'` – Waygood May 13 '13 at 09:55
  • ALSO don't use constants as references to array elements $_POST[lname] you should use $_POST['lname'] AS php interprets your way as lname is a constant, and returns 'lname' IF IT'S NOT DEFINED – Waygood May 13 '13 at 09:58
  • 2
    mysqli has something called `prepare()` which will do the sanitizing and inserting for you http://php.net/manual/en/mysqli.prepare.php – Waygood May 13 '13 at 10:00

6 Answers

4

Try that

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ('".$_POST["fname"]."' , '".$_POST["lname"]."' , '".$_POST["uname"]."' , '".$_POST["password"]."' , '".$_POST["email"]."' )";
Jim SMith
  • Now I am getting a 1046 error. Is this because the error stops the entire script so the mysql connection remains open? – Natasha Harrell May 13 '13 at 10:03
  • because you haven't selected which database to use, use mysqli_select_db($sc,"db_name"); after your initial connection – Jim SMith May 13 '13 at 10:12
1

You might be getting empty rows because the form is getting filled with empty values and gets submitted automatically each time you load the page. You should use a submit button.

shubendrak
  • http://php.net/manual/en/language.types.string.php see Example #8 Simple syntax example and Complex (curly) syntax – Waygood May 13 '13 at 10:10
1

Use mysqli prepare() http://php.net/manual/en/mysqli.prepare.php to insert data into your SQL queries. There are a lot of simple mistakes that novices can make that render their code vulnerable to security issues; that's why mysql_* has been deprecated.

<?php

/* $mysqli is assumed to be an open mysqli connection */

/* create a prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO sdb_users (fname, lname, uname, password, email) VALUES ( ?, ?, ?, ?, ? )")) {

    /* bind parameters for markers: one call, one type letter per marker ("s" = string) */
    $stmt->bind_param("sssss", $_POST["fname"], $_POST["lname"], $_POST["uname"], $_POST["password"], $_POST["email"]);

    /* execute query */
    $stmt->execute();

    /* close statement */
    $stmt->close();
}
?>
Waygood
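
The points raised on this page (empty rows from requests that carry no form data, error 1046 from not selecting a database, and user input placed directly in the SQL text) can be handled together in one handler. This is an added example, not code from any of the posters; the host, `db_user`, `db_password` and `db_name` values are placeholders, and the blank-field and email checks are assumptions about what the form should accept.

```php
<?php
// Added example: hardened tableinsert.php. Connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Only act on a real form submission, so loading this page directly
// cannot insert an empty row.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Please submit the form.');
}

// Collect the expected fields; reject the request if any is missing or blank.
$fields = ['fname', 'lname', 'uname', 'password', 'email'];
$values = [];
foreach ($fields as $field) {
    $value = $_POST[$field] ?? '';
    if (!is_string($value) || trim($value) === '') {
        http_response_code(400);
        exit('Missing field: ' . $field); // $field comes from the list above
    }
    $values[$field] = $value;
}
if (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address.');
}

try {
    // The fourth argument selects the database, which avoids error 1046.
    $mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $mysqli->set_charset('utf8mb4');

    // The ? markers keep user input out of the SQL text entirely.
    $stmt = $mysqli->prepare(
        'INSERT INTO sdb_users (fname, lname, uname, password, email)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $values['fname'], $values['lname'],
        $values['uname'], $values['password'], $values['email']);
    $stmt->execute();
    echo '1 record added.';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors to the visitor.
    error_log('Insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, there seems to be a problem.';
}
```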
1

Replace this

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ('$_POST[fname]' , '$_POST[lname]' , '$_POST[uname]' , '$_POST[password]' , '$_POST[email]')";

With this:

$si = 'INSERT INTO sdb_users (fname, lname, uname, password, email)
VALUES ("' . $_POST['fname'] . '", "' . $_POST['lname'] . '" , "' . $_POST['uname'] . '", "' . $_POST['password'] . '", "' . $_POST['email'] . '")';

That fixes your actual problem, but as an aside, wrap each of those POST values in MySQLi's string escaping function (I'm a PDO user, but I believe it's MySQLi::real_escape_string). That helps protect you from SQL injection.

The reason it wasn't working is you didn't put the array key in quotes. I changed from double quotes to single, because it's easier to escape values and saves PHP having to process the magic-quoted string.

Lukey
1

Firstly, it is a convention to store the values obtained from the form fields into variables. Do that. Then after that you must clean up the values you got from the text fields. Basically you must clear it of all unexpected stuff like SQL injections (complex stuff). To do that you must use MySQL real escape string. After that is done, substitute the variables in the place of your earlier variables such as $_POST['fname'] or $_POST['lname'].

Hopefully after this you will have a script that works fully.

Advait Saravade
0

The values you are using in the query are not correct. Try it this way.

$fname = $_POST['fname'];
$lname = $_POST['lname'];
$uname = $_POST['uname'];
$pwd =   $_POST['password'];
$email = $_POST['email'];

$si = "INSERT INTO sdb_users (fname, lname, uname, password, email)
        VALUES ('$fname' , '$lname' , '$uname' , '$pwd' , '$email' )";

EDIT: Use mysql_real_escape_string() function to sanitize the data before inserting.

Abhishek Saha
  • 1
    you can use extract() to convert to variables i.e extract($_POST) – Jim SMith May 13 '13 at 09:57
  • 2
    You should downvote an answer if it's misguiding or wrong. Using extract() is not always a good practice - http://stackoverflow.com/questions/829407/what-is-so-wrong-with-extract – Abhishek Saha May 13 '13 at 10:01
  • Also, mysql_ functions are deprecated. I answered the op's question without rewriting his code too much (in case there's a reason not to use prepare()), but using prepared statements would certainly be preferred to using my approach and even more so than to using mysql_real_escape_string – Lukey May 13 '13 at 16:49