HTML Form sending data to SQL table

Question

When submitted, a new row gets added to the 'servers' table, but every data says '0' instead of the data I inputted.. I'm using VARCHAR64 for the rows..

Form.html

<html>
<head>
</head>
<body>
<form action="db.php" method="post">
server id: <input type="text" name="post_serverid">
server ip: <input type="text" name="post_serverip">
<input type="submit>
</body>
</html>

db.php

<?php

$con=mysqli_connect("localhost","root","","toplist");

//Checking the connection
if(mysqli_connect_errno($con))
{
  echo "Cold not connect to SQL Database: " + mysqli_connect_error();
}

mysqli_query($con, "INSERT INTO servers (serverid, serverip) VALUES ('$_POST['post_serverid']', '$_POST['post_serverip']')");

?>

Strangely enough, **mysqli_query($con,"INSERT INTO form (name, dob) VALUES ('$_POST[post_name]', '$_POST[post_dob]')"); works**. But when I replace NAME with SERVERID, and replace DOB with SERVERIP, the inputted data doesn't insert.. — Gang Don It, Jan 28 '14 at 17:40
@GangDonIt, in the future, please do not post screen captures of your code. Please copy and paste the code into the body of the question. — Matt Clark, Jan 28 '14 at 17:47
*"But when I replace NAME with SERVERID, and replace DOB with SERVERIP, the inputted data doesn't insert.."* --- that's because you need to change your column names accordingly. @GangDonIt - Rename your `SERVERID` column to `NAME` and `SERVERIP` to `DOB` or vice-versa. — Funk Forty Niner, Jan 28 '14 at 17:50
Well you wrote in your comment above that it works. @GangDonIt — Funk Forty Niner, Jan 28 '14 at 17:57

score 1 · Answer 1 · answered Jan 28 '14 at 17:47

1

First: NEVER just throw user data straight into your database without validating / cleansing it first.

Next, you've got some odd punctuation going on in your mysqli_query(). Try this:

$serverid = $mysqli->real_escape_string($_POST['serverid']);
$serverip = $mysqli->real_escape_string($_POST['serverip']);

$sql = "INSERT INTO servers (serverid, serverip) VALUES('$serverid', '$serverip');";

mysqli_query($con, $sql);

answered Jan 28 '14 at 17:47

TunaMaxx

1,782
12
18

I receive the error: Undefined:mysqli and Call to a member function real_escape_string() on line 10. Line 10 is "$serverid = $mysqli->real_escape_string($_POST['serverid']);" – Gang Don It Jan 28 '14 at 17:54
It's because you need to change `$mysqli->real_escape_string` to `$con->real_escape_string` @GangDonIt – Funk Forty Niner Jan 28 '14 at 18:00
Yeah, my bad. Sorry. @Fred-ii-is right about $con vs $mysqli. – TunaMaxx Jan 28 '14 at 18:29

score 0 · Answer 2 · answered Jan 28 '14 at 17:40

0

You might want to use $_POST['key'] instead of $_POST[key]

answered Jan 28 '14 at 17:40

Martin149

23
4

This is comment, not answer – Arthur Yakovlev Jan 28 '14 at 17:43
Thanks for trying, but this brought up more errors. – Gang Don It Jan 28 '14 at 17:45

score 0 · Answer 3 · answered Jan 28 '14 at 17:43

0

$_POST is an associative array, you need to access the keys with single or double quotes.

Example:

change your query to

$query = "INSERT INTO servers (serverid, serverip) VALUES ('".$_POST['post_serverid']."','".$_POST['post_serverip']."')";

mysqli_query($con, $query);

Also, you are currently volunerable to SQL injection. I'd suggest to use a prepared statement or at least escape the $_POST variables before inserting it to the DB.

Hope this helps!

answered Jan 28 '14 at 17:43

dev7

6,259
6
32
65

Actually, you can access values with either single or double quotes - it's just that double quotes allow the contents to be interpreted so using `$` and similar can be problematic if not escaped properly – Basic Jan 28 '14 at 17:47

score 0 · Answer 4 · answered Jan 28 '14 at 17:49

0

$serverip=$_POST['post_serverid'];
$serverid=$_POST['post_serverip'];
$query = mysqli_query($con,"INSERT INTO servers (serverid, serverip) VALUES ('$serverid','$serverid')");

Try this, it should work

answered Jan 28 '14 at 17:49

Akash Kumar

642
7
20

score 0 · Accepted Answer · edited May 23 '17 at 10:29

From OP's comment:

"Strangely enough, mysqli_query($con,"INSERT INTO form (name, dob) VALUES ('$_POST[post_name]', '$_POST[post_dob]')"); works."

"But when I replace NAME with SERVERID, and replace DOB with SERVERIP, the inputted data doesn't insert."

The problem is, you need to change your POST variables and column names accordingly.

Rename your NAME column to SERVERID and DOB column to SERVERIP.

and post_name to serverid and post_dob to serverip

The new query can now be done this way:

$serverid = mysqli_real_escape_string($con,$_POST['serverid']);
$serverip = mysqli_real_escape_string($con,$_POST['serverip']);

$sql = "INSERT INTO `servers` (`serverid`, `serverip`) VALUES ('$serverid', '$serverip');";

mysqli_query($con, $sql);

Using this method will help prevent against SQL injection.

HTML Form sending data to SQL table

5 Answers5