0

I'm making a register form in HTML and I can't make it save the data to the database; everything I send is an empty string! I don't know what's so bad with the code, I don't think the syntax is wrong, hope someone here can help me to see where I have gone wrong:

```php
<?php

$con = mysqli_connect("localhost", "neosoftw_lambda", "7s3684129", "neosoftw_lambdaMovil");

if(mysqli_connect_errno()){
    echo "Error al conectar con MySQL: " . mysqli_connect_error();
}

$sql = "INSERT INTO usuarios VALUES(NULL, '$_POST[txt_empresa]', '$_POST[txt_usuario]', PASSWORD('$_POST[txt_password]'), '$_POST[txt_email]');";

if(!mysqli_query($con, $sql)){
    die('Error: ' . mysqli_error($con));
}

echo "1 registro a&ntilde;adido.";

mysqli_close($con);

?>
```

Is it maybe because of the HTML form?

```html
<form id = "registro_usuarios" action="grabar.php" method="post">
    <font color="#897687"<p><label> Nombre empresa: </label><br/><input type="text" name="empresa" id="txt_empresa" title="Aqu&iacute; usted introducir&aacute; el nombre de la empresa."><br/><hr bgcolor="blue"/></p>
    <p><label> Nombre usuario: </label><br/><input type="text" name="usuario" id="txt_usuario"><br/><hr bgcolor="blue"/></p>
    <p><label> Contrase&ntilde;a: </label><br/><input type="password" name="password" id="txt_password"><br/><hr bgcolor="blue"/></p>
    <p><label> Verificar contrase&ntilde;a: </label><br/><input type="password" name="ver_password" id="txt_ver_password"><br/><hr bgcolor="blue"/></p>
    <p><label> E-mail empresa: </label><br/><input type="text" name="mail_empresa" id="txt_email"><br/><hr bgcolor="blue"/></p>
    <input type="submit" value="Registrar usuario">
</form>
```

I don't see an error there either...

Thanks in advance.

EDIT

I solved it by using the name of the HTML form input instead of its ID.

Thank you for your help, and I will take a look at SQL Injection to protect my queries.

Isaac Bennetch
  • First error is something like `$_POST[txt_empresa]`: unless `txt_empresa` is a defined constant, then it should be `$_POST['txt_empresa']`. – Mark Baker Nov 05 '13 at 09:36
  • 4
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Nov 05 '13 at 09:36
  • Second error is injecting $_POST values directly into a SQL statement without validation or even escaping - google "little bobby tables" – Mark Baker Nov 05 '13 at 09:36
  • also you should replace the '$_POST['txt_empresa']' string with {$_POST['txt_empresa']} – Stormsson Nov 05 '13 at 09:36
  • Try this $sql = "INSERT INTO usuarios VALUES(NULL, '".$_POST['txt_empresa']."', '".$_POST['txt_usuario']."', PASSWORD('".$_POST['txt_password']."'), '".$_POST['txt_email']."')"; – Nanhe Kumar Nov 05 '13 at 09:42
  • It didn't work, the columns are still empty. – Bryan Silva Nov 05 '13 at 09:47
  • @Mark What version of PHP is everyone running?! `"$foo[bar]"` is perfectly valid *simple string interpolation syntax*. http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing.simple http://3v4l.org/PHU6A – deceze Nov 05 '13 at 09:47
  • I don't know how that can happen, can someone explain? It's just that I don't see the error in the query! And people have told me that the query and the PHP code is OK, the same with the HTML. – Bryan Silva Nov 05 '13 at 09:48
  • @deceze - forgive my stupidity, but how can "$foo[bar]" be valid unless `bar` is a defined constant? – Mark Baker Nov 05 '13 at 09:51
  • @infectionslaugh - What would happen if (for example) `$_POST[txt_empresa]` contained a value that included a quote character (') such as "My name is Thomas O'Brian" or 'The Daily Planet reported that "Superman saved the world"'? – Mark Baker Nov 05 '13 at 09:52
  • @Mark In a string there are no implicit constants. A string is a string. It's parsed by the string parsing rules, not by the PHP tokeniser. `echo $foo[bar]` is a constant, `echo "bar"` and `echo "$foo[bar]"` are not. – deceze Nov 05 '13 at 09:58
  • @BryanSilva The syntax is `INSERT INTO TABLE_NAME [ (col1, col2, col3,...colN)] VALUES (value1, value2, value3,...valueN);` you are not telling it "what" to [**insert into**](http://beginner-sql-tutorial.com/sql-insert-statement.htm). That is why you are not getting anything entered in your DB. Why hasn't anyone else picked up on this? – Funk Forty Niner Nov 05 '13 at 14:41

2 Answers

3

Your HTML tag is wrong. Remove the title attribute within the input tag.

correct:

```html
<font color="#897687"<p><label> Nombre empresa: </label><br/><input type="text" name="empresa" id="txt_empresa"><br/><hr bgcolor="blue"/></p>
```

SKM
-2

Try this:

```php
$sql = "INSERT INTO usuarios VALUES(NULL, '{$_POST['txt_empresa']}', '{$_POST['txt_usuario']}', PASSWORD('{$_POST['txt_password']}'), '{$_POST['txt_email']}');";
```

Obviously, as stated, this is a very unprotected query.

Stormsson
  • That doesn't change anything, the original is just as valid. http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing.simple – deceze Nov 05 '13 at 09:42
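
The fix from the question's EDIT (reading `$_POST` by each input's `name` attribute) combined with the parameterized query the comments ask for, as an added example that is not part of the original thread. The column names, the `DB_*` environment variables and the `fail()` helper are assumptions, and PHP's `password_hash()` is swapped in for the MySQL `PASSWORD()` call used on the page.

```php
<?php
// Added example (not from the thread). Assumed: column names, DB_* env vars,
// and a password column wide enough for password_hash() output (VARCHAR(255)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: send a status code and stop.
function fail(int $status, string $msg): void {
    http_response_code($status);
    exit($msg);
}

// Browsers submit each input under its name= attribute; id= is never sent.
$in = [];
foreach (['empresa', 'usuario', 'password', 'ver_password', 'mail_empresa'] as $key) {
    $value = $_POST[$key] ?? '';
    if (!is_string($value) || trim($value) === '') {
        fail(400, "Falta el campo: $key"); // $key comes from the fixed list above
    }
    $in[$key] = $value;
}
if (!hash_equals($in['password'], $in['ver_password'])) {
    fail(400, 'Las contrase&ntilde;as no coinciden.');
}
if (filter_var($in['mail_empresa'], FILTER_VALIDATE_EMAIL) === false) {
    fail(400, 'E-mail no v&aacute;lido.');
}

// Hash in PHP; MySQL's PASSWORD() was never meant for application passwords.
$hash = password_hash($in['password'], PASSWORD_DEFAULT);

try {
    $con = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    $con->set_charset('utf8mb4');
    // Placeholders keep user input out of the SQL text, so a quote character
    // in a value (e.g. O'Brian) is stored as data and cannot alter the statement.
    $stmt = $con->prepare(
        'INSERT INTO usuarios (empresa, usuario, password, email) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $in['empresa'], $in['usuario'], $hash, $in['mail_empresa']);
    $stmt->execute();
    echo '1 registro a&ntilde;adido.';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the server log, not the browser
    fail(500, 'Error al guardar el registro.');
}
```

At login, check the stored hash with `password_verify()` rather than comparing strings in SQL.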