1

Trying to set up a warranty registration page for a friend's company and I'm not great at MySQL or PHP (read: noob). I've scoured the web for answers and have tried several variations of the code below with no success.

I have the table set up with the matching column names. The form submission is also set up correctly, I believe.

Just not certain as to what is stopping it from actually posting the data to the database. Any help would be greatly appreciated.

Here's my post code.

<?php
error_reporting(-1);


$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$country = $_POST['country'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$ordernumber = $_POST['ordernumber'];
$receivedate = $_POST['receivedate'];
$placeofpurchase = $_POST['placeofpurchase'];
$newsletter = $_POST['newsletter'];
?>

<?php
$con = mysqli_connect("localhost","DB_Username","PASSWORD","DB_NAME");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql = ("INSERT INTO warrantyregistration (firstname, lastname, address, city, state, zipcode, country, phone, email, ordernumber, receivedate, placeofpurchase, newsletter)
VALUES
($firstname, $lastname, $address, $city, $state, $zipcode, $country, $phone, $email, $ordernumber, $receivedate, $placeofpurchase, $newsletter)");


if (mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "Success!";

mysqli_close($con)
?>
xxkinetikxx

4 Answers

0

Change this line:

if (mysqli_query($con,$sql))

to:

if (!mysqli_query($con,$sql))

and you should see an error message.

Scott Saunders
  • Thanks for the tip, I'm now seeing an error message but cannot make any sense of it. "Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , , , , , , , , , , )' at line 3" – xxkinetikxx Sep 04 '13 at 20:32
  • That means that your query contains a bunch of commas in a row. It looks like your variables are all null or empty. Make sure you've actually posted some content to that script. As others noted above, you will need to wrap those variables in quotes to make a valid query. A good trick is to echo out the query when you're having trouble with it, and then try to run it directly in MySQL or phpMyAdmin. It's often easier to see the problem in the whole query than the error message. – Scott Saunders Sep 04 '13 at 20:37
0

You should be parameterizing your queries and using prepared statements. This would protect you from SQL injection and fix your issues. An abridged version of what you need to do is:

$stmt = mysqli_prepare($con, "INSERT INTO warrantyregistration
    (firstname, lastname, address) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sss", $firstname, $lastname, $address);
mysqli_stmt_execute($stmt); 
Alexander Farber
Explosion Pills
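The abridged prepared statement from the answer above, extended to all thirteen columns from the question, as an added example that is not part of the original thread. The column names and connection placeholders are copied from the question; treating `newsletter` as an optional checkbox stored as '0' when absent, and the wording of the response messages, are assumptions.

```php
<?php
// Added example, not code from the original thread.
// Column names and connection placeholders are copied from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$fields = ['firstname', 'lastname', 'address', 'city', 'state', 'zipcode',
           'country', 'phone', 'email', 'ordernumber', 'receivedate',
           'placeofpurchase', 'newsletter'];
// Assumption: newsletter is a checkbox, which is not posted when unchecked.
$defaults = ['newsletter' => '0'];

// Collect posted values and note which required ones are empty, which is
// the condition that produced the ", , , ," syntax error in the question.
$values = [];
$missing = [];
foreach ($fields as $f) {
    $v = isset($_POST[$f]) && is_string($_POST[$f]) ? trim($_POST[$f]) : '';
    if ($v === '' && isset($defaults[$f])) {
        $v = $defaults[$f];
    } elseif ($v === '') {
        $missing[] = $f;
    }
    $values[] = $v;
}
if ($missing) {
    http_response_code(400);
    exit('Missing fields: ' . implode(', ', $missing));
}

try {
    $con = mysqli_connect("localhost", "DB_Username", "PASSWORD", "DB_NAME");
    mysqli_set_charset($con, 'utf8mb4');

    // One "?" per column; user input never becomes part of the SQL text.
    $sql = 'INSERT INTO warrantyregistration (' . implode(', ', $fields) . ') '
         . 'VALUES (' . implode(', ', array_fill(0, count($fields), '?')) . ')';
    $stmt = mysqli_prepare($con, $sql);

    // Bind every value as a string ("s"); MySQL converts to the column type.
    mysqli_stmt_bind_param($stmt, str_repeat('s', count($values)), ...$values);
    mysqli_stmt_execute($stmt);
    mysqli_close($con);
    echo "Success!";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors to visitors.
    error_log('Warranty insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo "Registration could not be saved.";
}
```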
0

You got the wrong syntax for the SQL statement. You have to set your PHP variables into ´$variable´

See my working code here:

insert into user
  (
    userid,
    signedin_at
  )
  values
  (
    '$vp_userid',
    now()
  );
davidev
-2

I got the same error. Without the parameterizing you can fix that error in your SQL statement:

...
$sql = "INSERT INTO warrantyregistration VALUES ($firstname, $lastname, $address, $city, $state, $zipcode, $country, $phone, $email, $ordernumber, $receivedate, $placeofpurchase, $newsletter)";
...
Darius Miliauskas
  • That query is highly vulnerable to SQL injection. Also, how should it even work if you don't encapsulate any value in quotes? – Nico Haase Mar 11 '22 at 09:08