insert data form to mysql table

Question

somebody tell me where's the mistake please

html code is :

<form action="insert.php" method="POST">
<label>Firstname:</label> <input type="text" name="firstname" value="first name" /><br />
<label>Lastname:</label> <input type="text" name="lastname" value="last name" /><br />
<label>email:</label> <input type="text" name ="email" value="email" /><br />

php code is :

<?php
 if(isset($_POST['submit'])!='')
    {
    $fname=$_POST ['firstname'];
    $lname=$_POST ['lastname'];
    $email=$_POST ['email'];
    mysql_connect ("localhost","root","mydatabase") or die (mysql_error ());
    mysql_select_db ("my_db") or die (mysql_error ());
    mysql_query ("ISERT INTO userinfo (`firstname`,`lastname`,`email`)
    VALUES ('$fname','$lname','$email')");
    echo "successfully updated" ;
    }

?>

The code is a ripe target for SQL Injection, I recommend reading this ASAP - http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — iTom, Mar 23 '14 at 14:54

Shankar Narayana Damodaran · Accepted Answer · 2014-03-23T14:48:12.033

It is INSERT not ISERT.. You have a typo there

mysql_query ("ISERT INTO userinfo (`firstname`,`lastname`,`email`)
              ^^^^^

Modified Code..

<?php
if(isset($_POST['submit'],$_POST['firstname'],$_POST ['lastname'],$_POST ['email']))
{
    $fname=$_POST['firstname'];
    $lname=$_POST['lastname'];
    $email=$_POST['email'];
    mysql_connect ("localhost","root","mydatabase") or die (mysql_error ());
    mysql_select_db ("my_db") or die (mysql_error ());
    $result=mysql_query ("INSERT INTO userinfo (`firstname`,`lastname`,`email`)
    VALUES ('$fname','$lname','$email')");
    if($result){     echo "Successfully Updated" ; } else {die(mysql_error());}
}

This(mysql_*) extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Switching to PreparedStatements is even more better to ward off SQL Injection attacks !

could you please tell me how to switch to preparedstatements and should i edit in html code too to switch to preparedstatements ? — user3452363, Mar 23 '14 at 15:05
Nope you don't have to edit in the HTML. Here's the link how you use Prepared Statements. If you have any questions come, back. http://www.php.net/manual/en/pdo.prepare.php — Shankar Narayana Damodaran, Mar 23 '14 at 15:13

score 0 · Answer 2 · answered Mar 23 '14 at 14:43

Try this

if ($_POST) {
    $fname = $_POST['firstname'];
    $lname = $_POST['lastname'];
    $email = $_POST['email'];
    mysql_connect ("localhost","root","mydatabase") or die (mysql_error ());
    mysql_select_db ("my_db") or die (mysql_error ());
    mysql_query ("INSERT INTO userinfo (firstname,lastname,email)
    VALUES ('$fname','$lname','$email')");
    echo "successfully updated" ;
}

In your example I don't see $_POST['submit'] and you have mistake with INSERT

insert data form to mysql table

2 Answers2

Modified Code..