
I have been trying to make a scoreboard system for an online game, and it works correctly. So I added an HTML form that interacts with a PHP script that connects to my SQL database and inserts a name with a percentage into my SQL scoreboard table. If I add the names/percentages manually via phpMyAdmin, it works perfectly on the scoreboard, but when I made the HTML form that asks the user to enter his name and then adds his name to the scoreboard with a percent, it doesn't add. So here's my HTML form.

<center><form method="post" action="">
<font color="green">Your name Max length is 15</font> <input type="text" name="username" maxlength="15">
<button style="background-color:red; name="Enter" type="submit" value="HTML">Enter</button></center>
</form>

My PHP script

<?php
if (isset($_POST['username'])) 
{
$getname = $_POST['username'];
$percentage = "10";
$link = mysqli_connect("myhost","myusername","mypw","mydatabase") or die("Error " . mysqli_error($link));

$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage');" or die("Error in the consult.." . mysqli_error($link));

$result = mysqli_query($link, $query);
}
?>

Scoreboard is the name of my table, and the columns are name/percent. Name accepts text and Percent accepts integers. Thanks in advance :).

  • Sort of unrelated, but you forgot to close your `style` attribute on your form's button – TheNytangel Sep 30 '13 at 02:34
  • `$result = mysqli_query($link, $query) or die("Error in the consult.." . mysqli_error($link));` – undone Sep 30 '13 at 02:34
  • $query is a string variable. Don't use die() along with them – Tamil Selvan C Sep 30 '13 at 02:34
  • Closed it already. I don't think it's about the style attribute at all. – Ahmed Magdy Sep 30 '13 at 02:35
  • use `$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage')"; $result = mysqli_query($link, $query) or die("Error in the consult.." . mysqli_error($link));` – Tamil Selvan C Sep 30 '13 at 02:36
  • Try echoing your query and then running the generated query in phpMyAdmin. Before `$result = mysqli_query($link, $query);` type `echo $query; exit;` and you will get the query on your screen; now you can execute it to see where you are going wrong. – Prince Singh Sep 30 '13 at 02:37
  • Here, I ran this `INSERT INTO scoreboard VALUES ('Devnull1','10')` in phpMyAdmin, and it worked. I think it's all about adding the PHP variables in the SQL query; I still don't know what to do though. – Ahmed Magdy Sep 30 '13 at 02:43
  • @AhmedMagdy I do believe your semi-colon is not in the right place. You have `$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage');"` try `$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage')";` – Funk Forty Niner Sep 30 '13 at 02:53
  • @AhmedMagdy Or try `$query = $link->query("INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage')");` – Funk Forty Niner Sep 30 '13 at 03:00
  • @AhmedMagdy I tested and debugged your code and found the problem is with your submit button. Use `` and then use `if (isset($_POST['submit']))` instead of `if (isset($_POST['username']))` and it will work. – Funk Forty Niner Sep 30 '13 at 03:22
  • **By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started, and [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. – Andy Lester Sep 30 '13 at 03:55

3 Answers


I tested your code and found that your submit button was one of the things at fault, along with an improperly placed semicolon in:

$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage');"

Which should read as:

$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage')";

Tested using the following form and PHP

<form method="post" action="">
<center>
<font color="green">Your name Max length is 15</font>
<input type="text" name="username" maxlength="15">
<input type="submit" name="submit" value="Submit">
</center>
</form>

<?php
if (isset($_POST['username']))
{
$link = mysqli_connect("myhost","myusername","mypw","mydatabase") or die("Error " . mysqli_error($link));
// $getname = $_POST['username'];
$getname = mysqli_real_escape_string($link,$_POST['username']);
$percentage = "10";
$query = ("INSERT INTO scoreboard (name,percent) VALUES ('$getname',$percentage)");
$result = mysqli_query($link, $query);
if(!$result){
  printf("Error message: %s", mysqli_error($link));
}
else {
echo "Data properly inserted with the value of <b>$getname</b> and <b>$percentage</b>";
     }
}
?>

NOTE: You will be better off using the code below in order to check if the field is empty. Otherwise, clicking on the submit button without anything inside will produce an entry in the DB with a blank name field.

if (empty($_POST['username'])) {
    die("<div align='center'>Enter your name</div>");
}
else
{
    // rest of code
}

Plus, as stated by Hanky 웃 Panky, you should sanitize your variables like this, as done in my working example:

$getname = mysqli_real_escape_string($link,$_POST['username']);

Here is a safer (parametrized) method, as taken from an example on SO here.

Quick note: if you are going to use $percentage = 10; instead of $percentage = "10";

then you will need to use $stmt->bind_param("si", $unsafe_variable, $percentage); otherwise your percentage will be treated as a string as opposed to an integer, and an error will be thrown. s is for string and i is for integer.

<form method="post" action="">
<center>
<font color="green">Your name Max length is 15</font>
<input type="text" name="username" maxlength="15">
<input type="submit" name="submit" value="Submit">
</center>
</form>

<?php
if (empty($_POST['username'])) {
die("<div align='center'>Enter your name</div>");
}
else
{
    $mysqli = new mysqli("myhost","myusername","mypw","mydatabase");
    // Check that connection was successful.

    if($mysqli->connect_errno > 0) {
      die('Connection failed [' . $mysqli->connect_error . ']');
    }

    $percentage = "10";
    $unsafe_variable = $_POST["username"];
    $stmt = $mysqli->prepare("INSERT INTO scoreboard (name,percent) VALUES (?,?)");
    // TODO check that $stmt creation succeeded
    // "s" means the database expects a string
    $stmt->bind_param("ss", $unsafe_variable,$percentage);
    $stmt->execute();
    $stmt->close();
    $mysqli->close();
    echo "<div align='center'>Data written to DB</div>";
}
?>
Funk Forty Niner
  • I'm going to try it right away and give you feedback :). Thanks for your valuable time, man. – Ahmed Magdy Sep 30 '13 at 05:28
  • @AhmedMagdy You're very much welcome. I just made a quick edit for the `parametrized` method. Both were fully tested and working for me. Cheers – Funk Forty Niner Sep 30 '13 at 05:34
  • It didn't work for me :S. `echo "Data that you properly inserted with the value of $getname and $percentage has been added to the ScoreBoard.";` This part doesn't even get executed. Maybe there's something wrong with my code. – Ahmed Magdy Sep 30 '13 at 05:35
  • @AhmedMagdy Use the codes that I put on here to test, then edit as needed. Don't use any of yours for now (no includes etc). And check that your DB fields are correct. – Funk Forty Niner Sep 30 '13 at 05:37
  • I already copied your code. It still doesn't work, and my DB entries are still the same without any modifications. – Ahmed Magdy Sep 30 '13 at 05:38
  • @AhmedMagdy Is your `name` field a `varchar` and `percentage` field `tinyint`? That's what I used in mine. – Funk Forty Niner Sep 30 '13 at 05:40
  • @AhmedMagdy Another thing, did you use my form in my answer? Yours had an error in it. – Funk Forty Niner Sep 30 '13 at 05:43
  • I used your form, and changed my name field to a varchar and my percentage field to a tinyint, and still no luck. – Ahmed Magdy Sep 30 '13 at 05:47
  • @AhmedMagdy That just doesn't make any sense. As I said in my answer, I tested this and both methods shown. The only thing that's different from my answer and my actual test, are my login credentials. There must be something else going on besides this. – Funk Forty Niner Sep 30 '13 at 05:50
  • I really dunno, this is pretty much the weirdest thing I have ever seen. I used your code in a new plain PHP file and it worked, but when I add it to my code, it doesn't. – Ahmed Magdy Sep 30 '13 at 05:56
  • @AhmedMagdy It must have something to do with DB connection from another file, an include, not 100% sure since I don't know how you're incorporating it. Maybe the way it's placed in your other file(s). – Funk Forty Niner Sep 30 '13 at 05:57
  • I'm sure I implemented it correctly in my code, and yes, I have another file that connects to the same database on my server. Would that be doing something wrong? – Ahmed Magdy Sep 30 '13 at 06:00
  • @AhmedMagdy It may very well be the case. You'll need to further troubleshoot exactly where it's causing that fault. I noticed in your other question, that you're mixing HTML and PHP together. I'd try and stay away from that as much as possible, going in and out of PHP. I never use that method myself, too much room for errors. From what you saw, my answer(s) do in fact work. – Funk Forty Niner Sep 30 '13 at 06:02
  • Yes it does. Whatever, I'll figure out how to fix it. Thanks for your time though. – Ahmed Magdy Sep 30 '13 at 06:03
  • @AhmedMagdy You're very much welcome Ahmed, cheers. I wish you well *Peace* (I know you'll find it) ;-) – Funk Forty Niner Sep 30 '13 at 06:04
  • Cheers, I found it. I just wanted to let you know: one of my statements' brackets wasn't opened/closed correctly, which prevented this block of code from running. Fixed it now, thanks man :). – Ahmed Magdy Sep 30 '13 at 06:20
  • @AhmedMagdy Aaahhh I knew you would find it and I also had a feeling that's what it was. Thanks for letting me know, great news indeed :) – Funk Forty Niner Sep 30 '13 at 12:03

Whenever in doubt about the correct usage of any function, get help from php.net first; it has many examples on the pages about this. Have a look at

http://www.php.net/manual/en/mysqli.real-escape-string.php

http://php.net/mysqli_error

http://www.php.net/manual/en/mysqli.query.php

First sanitize your input value

$getname = mysqli_real_escape_string($link,$_POST['username']);
$percentage = 10;

Then

$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname',$percentage)";
$result = mysqli_query($link, $query);
if(!$result){
  printf("Error message: %s", mysqli_error($link));
}   
Hanky Panky
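The SQL injection warning in Andy Lester's comment, the escaping in Hanky Panky's answer and the parametrized version in Funk Forty Niner's answer all concern the same INSERT. The following is an added example, not code from the question or any of the answers: it runs that INSERT both ways against an in-memory SQLite database through PDO so it executes offline (the thread uses mysqli against MySQL; the MySQL DSN shown in the comment is the only change needed to target the real table). The function names, the 15-character and 0..100 checks and the three sample inputs are this example's own.

```php
<?php
// Added example, not code from the question or any of the answers. It runs
// the thread's INSERT two ways against an in-memory SQLite database through
// PDO so it executes offline; swap the DSN for
//   new PDO('mysql:host=myhost;dbname=mydatabase', 'myusername', 'mypw')
// (and set PDO::ATTR_EMULATE_PREPARES to false) to hit the real scoreboard.
// Function names (openScoreboard, insertInterpolated, insertPrepared,
// dumpRows) and the sample inputs below are this example's own.

function openScoreboard(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of silently returning false, which is what
    // hid the failure in the original script.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same shape as the table in the question: name is text, percent is an integer.
    $pdo->exec('CREATE TABLE scoreboard (name VARCHAR(15) NOT NULL, percent INTEGER NOT NULL)');
    return $pdo;
}

// The pattern from the question, before the escaping the answers add: the
// user's input is pasted into the SQL text, so whatever the user types is
// parsed as part of the statement.
function insertInterpolated(PDO $pdo, string $getname, string $percentage = '10'): void
{
    $query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage')";
    $pdo->exec($query);
}

// The hardened form: the statement is compiled with placeholders and the
// values travel separately, so they can never change its structure. The
// length check replaces the HTML maxlength, which only limits well-behaved
// browsers; anyone can POST the form by hand.
function insertPrepared(PDO $pdo, string $getname, int $percentage = 10): void
{
    if ($getname === '' || strlen($getname) > 15) {
        throw new InvalidArgumentException('name must be 1 to 15 characters');
    }
    if ($percentage < 0 || $percentage > 100) {
        throw new InvalidArgumentException('percent must be 0 to 100');
    }
    $stmt = $pdo->prepare('INSERT INTO scoreboard (name,percent) VALUES (?,?)');
    $stmt->bindValue(1, $getname, PDO::PARAM_STR);
    $stmt->bindValue(2, $percentage, PDO::PARAM_INT);
    $stmt->execute();
}

function dumpRows(PDO $pdo): array
{
    return $pdo->query('SELECT name, percent FROM scoreboard ORDER BY rowid')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary name, the O'Malley case raised in the
// comments, and a name that closes the VALUES list early, supplies its own
// percent, and comments out the rest of the statement.
$inputs = ['Devnull1', "O'Malley", "x', 9999) -- "];

echo "--- interpolated query ---\n";
$pdo = openScoreboard();
foreach ($inputs as $name) {
    try {
        insertInterpolated($pdo, $name);
        printf("inserted %s\n", var_export($name, true));
    } catch (PDOException $e) {
        printf("FAILED for %s: %s\n", var_export($name, true), $e->getMessage());
    }
}
// Devnull1 lands with percent 10, O'Malley fails with a syntax error, and the
// third input stores a row named "x" with percent 9999: the player chose
// their own score.
print_r(dumpRows($pdo));

echo "--- prepared statement ---\n";
$pdo = openScoreboard();
foreach ($inputs as $name) {
    insertPrepared($pdo, $name);
    printf("inserted %s\n", var_export($name, true));
}
// All three rows exist, each with percent 10; the quote and the "-- " are
// stored as ordinary characters in the name column.
print_r(dumpRows($pdo));
```

mysqli_real_escape_string would stop both the O'Malley error and this particular payload, because it only needs to break out of a quoted string; it does nothing for values that are interpolated unquoted (the integer percent, if it ever came from the form) and depends on the connection charset being set correctly. Prepared statements with typed bindings remove the whole class of problem rather than the one payload.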

This line needs to be fixed:

$query = "INSERT INTO scoreboard (name,percent) VALUES ('$getname','$percentage');" or die("Error in the consult.." . mysqli_error($link));

I've changed it to this

$query = "INSERT INTO scoreboard VALUES ('$getname','$percentage')";

then add `or die("Error in the consult.." . mysqli_error($link));` to your query line.

You had a compiler line break in the middle of your variable, and you don't need to state the order that you're naming values; you just have to put the values in the correct places and it will automatically add them in order.

George
  • `$query = "INSERT INTO scoreboard VALUES ('$getname','$percentage')"; or die("Error in the consult.." . mysqli_error($link));` I did that already, but with no luck. – Ahmed Magdy Sep 30 '13 at 02:39
  • This seems so wrong. Why remove the column names? Maybe they are not all of them. And why use "or die()" after a variable statement? – Royal Bg Sep 30 '13 at 02:42
  • I ran this in phpMyAdmin: `INSERT INTO scoreboard VALUES ('Devnull1','10')` and it worked. I think it's just about adding the PHP variables in the SQL query. – Ahmed Magdy Sep 30 '13 at 02:44