0
    <?php
        $db = new mysqli("localhost","root","password","eme");

        if($db->connect_errno){ echo "Not connected."; exit();}

        echo $db->query("SELECT * FROM users") . "<br>";
        echo $_POST[FirstName] . " " . $_POST[LastName];
        $db->query("INSERT INTO users (FirstName, LastName) VALUES ('$_POST[FirstName]','$_POST[LastName]')");
        echo $db->query("SELECT * FROM users") . "<br>";

    ?>

I cannot figure out why this code doesn't work. The only line that outputs anything is "echo $_POST[FirstName] . " " . $_POST[LastName];"

My database has a "users" table and the database is called eme. The database connects properly.

There is currently no data in the database. I figured I could add some with "INSERT," but it's failing.

JVE999

2 Answers

1

Try this...

    $db->query("INSERT INTO users (FirstName, LastName) VALUES('".$_POST['FirstName']."','".$_POST['LastName']."')");

For more info on Quotes, look over this link - What is the difference between single-quoted and double-quoted strings in PHP?

Ashwini Agarwal
  • Why are there extra periods. Why are there single quotes encapsulating double quotes? And is the W3 site wrong? (http://www.w3schools.com/php/php_mysql_insert.asp) Also, when I edited to that, the line `echo $_POST[FirstName] . " " . $_POST[LastName];` now does not output anything, even if I comment out the $db->query line or reverse it back to the original. This makes no sense at all. – JVE999 Jul 06 '13 at 05:21
  • Now try `echo '$_POST[FirstName]' . " " . '$_POST[LastName]';`. Go to the link I have pasted, it has a nice explanation. – Ashwini Agarwal Jul 06 '13 at 05:24
  • That echo worked! It turned out, I could write `$db->query("INSERT INTO users (FirstName, LastName) VALUES ('$_POST[FirstName]' , '$_POST[LastName]')")` – JVE999 Jul 06 '13 at 17:21
1

You have several problems:

The query() method of mysqli returns a mysqli_result object. You need to use one of its methods to get the actual data back from the query. For instance, fetch_assoc().

In your insert, you need to either assign $_POST['FirstName'] to a variable, or explicitly add it to the string.

i.e.

    "INSERT INTO users (FirstName, LastName) VALUES ('" . $_POST['FirstName'] . "','" . $_POST['LastName'] . "')"

or

    $first = $_POST['FirstName'];
    $last = $_POST['LastName'];
    "INSERT INTO users (FirstName, LastName) VALUES ('" . $first . "', '" . $last . "')"

You should also sanitize the data before inserting it to prevent major security threats.

Lastly, it's not a bug per se, but you should always use a string or integer value for an array index.

i.e., you have $_POST[FirstName], it should be either $_POST['FirstName'] or $_POST["FirstName"]

It will still work, but the interpreter thinks it's a constant, which isn't defined, so assumes the literal value, throwing a warning (maybe notice, can't remember offhand). It's unnecessary overhead.

cwurtz
  • That's very helpful. I did not know about mysqli_result objects and using fetch_assoc. Now I am well versed in it. Also, security will be a concern, so thanks for mentioning that. I tried assigning the values to variables first and it works fine without the periods or nested quotes. However, if I try to use $_POST[] in the query, I need the periods. Why do I need the periods? – JVE999 Jul 06 '13 at 18:24
  • 1
    It has to do with how strings work in PHP. If you have `$var = "something"; echo "$var";` PHP will parse $var in the string. However if you have `echo "$_POST['var']";`, it is ambiguous if PHP should parse `"$_POST"` or `"$_POST['var']"`. iirc you can do `"{$_POST['var']}"` instead of doing `"" . $_POST['var'] . " post";` ("" being used for demonstrating, you don't need to put blank string like that anyway) – cwurtz Jul 12 '13 at 11:53
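
The second answer's points about sanitizing input and reading results through fetch_assoc(), shown as an added example that is not part of the original thread: a mysqli prepared statement keeps the POST values out of the SQL text, and htmlspecialchars() escapes them on output. The connection values and the users(FirstName, LastName) table are taken from the question; the helper names insert_user and list_users are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the question or the answers.
// Connection values and the users(FirstName, LastName) table come from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli throw on failure

/** Insert one user; the bound values are sent separately from the SQL text. */
function insert_user(mysqli $db, string $first, string $last): void
{
    $stmt = $db->prepare("INSERT INTO users (FirstName, LastName) VALUES (?, ?)");
    $stmt->bind_param("ss", $first, $last); // "ss" = two string parameters
    $stmt->execute();
    $stmt->close();
}

/** Return every row of users as a list of associative arrays. */
function list_users(mysqli $db): array
{
    $rows = [];
    $result = $db->query("SELECT FirstName, LastName FROM users"); // mysqli_result
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $result->free();
    return $rows;
}

try {
    $db = new mysqli("localhost", "root", "password", "eme");
    $db->set_charset("utf8mb4");

    // Quoted array keys; reject missing, empty or non-string (array) fields.
    $first = $_POST['FirstName'] ?? '';
    $last  = $_POST['LastName'] ?? '';
    if (!is_string($first) || !is_string($last) || trim($first) === '' || trim($last) === '') {
        http_response_code(400);
        exit("FirstName and LastName are required.");
    }
    insert_user($db, trim($first), trim($last));

    foreach (list_users($db) as $row) {
        // Escape on output so stored values cannot inject HTML into the page.
        echo htmlspecialchars($row['FirstName'] . " " . $row['LastName'], ENT_QUOTES, 'UTF-8') . "<br>";
    }
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the server log, not the browser
    http_response_code(500);
    echo "Database error.";
}
```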