Why can't I update my database when I submit a form?

Question

<form name="applyform" action="applyform.php" method="post">
    <fieldset>
        <legend>Application Details</legend>
        <p>Name :<?php echo $row ["Emp_Fname"]; ?></p>
        <p>ID number :<?php echo $row['Emp_ID']; ?></p>
        <p>Email :<?php echo $row['Emp_Email']; ?></p>
        <p>Address :<?php echo $row['Emp_Address']; ?></p>
        <p>Handphone Number :<?php echo $row['ContactNo_HP']; ?></p>
        <p>Phone Number :<?php echo $row['ContactNo_Home']; ?></p>
        <p>Date of application :<?php echo $row['Leave_RequestDate']; ?></p>
        <p>Type of leave:
           <select name="leave type">
              <option selected>Annual leave</option>
              <option>Sick leave</option>
              <option>Emergency leave</option>
              <option>Maternity leave</option>
            </select>
        </p>
        <p>Leave duration:<input type="date" name="leave_start">to<input type="date" name="leave_end"></p>
        <p>Reason:<textarea rows="4" cols="50" name="reason"></textarea></p>
        <p><input type="submit" name="submitbtn" value="Submit"/>

This is the code of my form. Is there anything wrong?

<?php

if(isset($_POST['submitbtn'])) {

  if(!$con)  {
    die("cannot connect : " .mysql_error());
  }
  $sql = ("INSERT INTO leave(Leave_Start,Leave_End,Leave_Reason)    VALUES('$_POST[leave_start]','$_POST[leave_end]','$_POST[reason]')");
  mysql_query($sql,$con);

  mysql_close($con);
}
?>

The above is my PHP code. When I try submitting the form the database just won't update, can anyone help me?

Use either MySQLi or PDO for connecting to a MySQL database. The `mysql_` functions are deprecated as per the warning on this page: http://php.net/manual/en/function.mysql-connect.php — Martin Bean, Aug 28 '13 at 11:58
Heard about SQL Injections? See : http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Roy M J, Aug 28 '13 at 12:00

score 0 · Answer 1 · answered Aug 28 '13 at 11:58

0

Did you forget to include a mysql_connect around line 5 of your PHP code?

$con = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

answered Aug 28 '13 at 11:58

Brian Showalter

4,321
2
26
29

score 0 · Answer 2 · answered Aug 28 '13 at 12:01

Instead of

$sql = ("INSERT INTO leave(Leave_Start,Leave_End,Leave_Reason) VALUES('$_POST[leave_start]','$_POST[leave_end]','$_POST[reason]')");

try

$sql = ("INSERT INTO leave(Leave_Start,Leave_End,Leave_Reason) VALUES('".$_POST["leave_start"]."','".$_POST["leave_end"]."','".$_POST["reason"]."')");

notice : doing a query like that is not secure as the $_POST is not check before

something like this should be better

$sql = ("INSERT INTO leave(Leave_Start,Leave_End,Leave_Reason) VALUES('".mysqli_real_escape_string($con,$_POST["leave_start"])."','".mysqli_real_escape_string($con,$_POST["leave_end"])."','".mysqli_real_escape_string($con,$_POST["reason"])."')");

`$_POST[leave_start]` will generate error. Rather it should be `$_POST['leave_start']` — Awais Qarni, Aug 28 '13 at 12:03

score 0 · Answer 3 · answered Aug 28 '13 at 12:07

You need to understand little bit about PHP variable passing and SQL injection. You final query must look like

 $sql = ("INSERT INTO leave(Leave_Start,Leave_End,Leave_Reason) VALUES('{".mysqli_real_escape_string($_POST['leave_start'])."}','{".mysqli_real_escape_string($_POST['leave_end'])."}','{".mysqli_real_escape_string($_POST['reason'])."}')");

score 0 · Answer 4 · answered Mar 27 '14 at 01:53

You can try MySQLi instead of predicated MySQL.

<?php

if(isset($_POST['submitbtn']))
{

$connection=mysqli_connect("Host","Username","Password","Database");

if(mysqli_connect_errno()){

echo "Error".mysqli_connect_error();
}

mysqli_query($connection,"INSERT INTO leave(Leave_Start, Leave_End, Leave_Reason)    VALUES('$_POST[leave_start]','$_POST[leave_end]','$_POST[reason]')");

}
?>

score -1 · Answer 5 · answered Aug 28 '13 at 09:08

-1

Your insert is incorrect:

$sql = ("INSERT INTO leave(Leave_Start,Leave_End,Leave_Reason)   VALUES('$_POST[leave_start]','$_POST[leave_end]','$_POST[reason]')");

should be this:

$sql = ("INSERT INTO leave(Leave_Start,Leave_End,Leave_Reason)    VALUES('{$_POST["leave_start"]}','{$_POST["leave_end"]}','{$_POST["reason"]}')");

You should always escape special characters in a string. Otherwise they get misinterpreted.

http://php.net/manual/en/language.types.string.php

by the way, I am assuming that $con is a valid connection object.

answered Aug 28 '13 at 09:08

ferd tomale

845
7
20

still the same result – Jacky ChickenChan Aug 28 '13 at 09:12
why not using a simple . to concat instead of `{$_POST[]}` ? – Aug 28 '13 at 11:55

Why can't I update my database when I submit a form?

5 Answers5