Inserting datafrom form into mysql with POST method

Question

I havent do php for some time, but i dont really see what am I missing. I am trying to insert some datas from FORM into MYSQL , but it still fail. This is the file with FORM :

  <html>
  <head>
  <link type="text/css" rel="stylesheet" href="stylesheet.css"/>
  <title>registrace</title>
  </head>

  <body>
  <H1>  The Best Page! </H1>
  <p>


  "Please registrate"


  <form action="zpracovani.php" method="post">  
          Name <input type="text" size="20" name="Name" value=""><br>
          Surname <input type="text" size="30" name="Surname" value=""><br>
          Username <input type="text" size="30" name="username" value=""><br>
          Password <input type="text" size="10" name="password" value=""><br>
          Retype password <input type="text" size="10" name="password2" value=""><br>
          <input type="image" name="button" value="submit" class="button"     src="button.jpg">

   </form>

   </p>
   </body>
   </html>

As you can see i am sending data to proceed into file "zpracovani.php". I did test if i am connected to mysql server ( It passes ) and also a check if i am connected to the right database ( Also passes with no probs ).

<html>
   <?php
   echo "Wait please";
   $con=mysql_connect ('localhost','root','');

   if (!$con)  
   {
   die ( 'Could not connect: ' . mysql_error());

      }
      mysql_select_db ('registrace') or die("cannot select DB");
      echo @mysql_ping() ? 'true' : 'false';

      $sql="INSERT INTO 'registrace'(Name, surname, username, password).
      VALUES('$_POST[Name]','$_POST[Surname]','$_POST[username]','$_POST[password]')";
      $result=mysql_query($sql);
      if($result){

      echo("<br>Input data is succeed");

      }else{

      echo("<br>Input data is fail");`
      }
      mysql_close($con);
      ?>
      </html> 

Below is overwiev of mysql table I made.

ID          int(11)         
Name        varchar(20) latin1_swedish_ci       
Surname     varchar(30) latin1_swedish_ci       
username    varchar(30) latin1_swedish_ci       
password    varchar(10) latin1_swedish_ci   

However I am connected to the database and to correct table it still is unable to insert anyone into the database. Can anyone look into this and help me out, please?

Thanks in advance!

Answer 1

Either remove the quotes in 'registrace' or use backticks in INSERT INTO 'registrace'

Example:

INSERT INTO `registrace`

Using backticks is better.

Also remove the dot in:

$sql="INSERT INTO 'registrace'(Name, surname, username, password).

It should read as:

$sql="INSERT INTO `registrace` (Name, surname, username, password)

Reformatted:

$sql="INSERT INTO `registrace` (Name, surname, username, password)
VALUES 
('{$_POST['Name']}','{$_POST['Surname']}','{$_POST['username']}','{$_POST['password']}')";

Or follow this convention:

$unsafe_variable = $_POST["user-input"]
$safe_variable = mysql_real_escape_string($unsafe_variable);

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

NOTE: I also noticed that you are using the same name for both your DB and your table.

Make sure that this is in fact the case.

Your DB:

mysql_select_db ('registrace')

and your table?

INSERT INTO `registrace`

Plus, it would be a good idea to increase the values for your VARCHAR's and consider using MySQLi_ and prepared statements or PDO. MySQL_ functions are deprecated.

Do read the following articles:

• How can I prevent SQL injection in PHP?
• On owasp.org

Answer 2

First: use mysqli

Second: get rid of mysql ping

Third: change:

"......'$_POST[xxx]'......"

into:

"......'{$_POST['xxx']}'....."

Answer 3

Thanks guys it is working now.

By the way the mysql ping was just a check to see if i am well connected as i wrote in my original post :)

Anyway it was very helpful thx