0

I'm getting a strange error when I try to submit user-generated data to a database via PHP commands. When I hit the submit button below, instead of the PHP page running its function I am presented with a display of the raw code on my browser. I have a command at the bottom of my HTML page that looks like this:

<form action="insert.php" method="post">
<input type="submit">
</form>

So that when the user hits the submit button, the PHP file insert.php (detailed below) is called to input the answers onto a database, separating each answer into its own field.

Here is the code I'm working with:

<?php
$con=mysqli_connect("host","username","password","database");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql="INSERT INTO Persons (Name, Serif, Width, Height, Spacing, Weight)
VALUES
('$_POST[answer]','$_POST[answer]','$_POST[answer]','$_POST[answer]','$_POST[answer]','$_POST[answer]')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>

Right now, the questions are in a and not a (is there a functional difference in this case?). They look like:

<form class="testAns" id="widthAns">
<input type="radio" name="answer" value="skinny">-25%
<input type="radio" name="answer" value="skinny">-10%
<input type="radio" name="answer" value="mid">normal
<input type="radio" name="answer" value="fat">+10%
<input type="radio" name="answer" value="fat">+25%
</form>

<form class="testAns" id="spaceAns">
<input type="radio" name="answer" value="small">-25%
<input type="radio" name="answer" value="small">-10%
<input type="radio" name="answer" value="mid">normal
<input type="radio" name="answer" value="wide">+10%
<input type="radio" name="answer" value="wide">+25%
</form>

<form class="testAns" id="weightAns">
<input type="radio" name="wanswer" value="light">-25%
<input type="radio" name="answer" value="light">-10%
<input type="radio" name="answer" value="mid">normal
<input type="radio" name="answer" value="heavy">+10%
<input type="radio" name="answer" value="heavy">+25%
</form>


<form method="post" action="insert.php" class="testAns" id="heightAns">
<input type="radio" name="answer" value="short">-25%
<input type="radio" name="answer" value="short">-10%
<input type="radio" name="answer" value="mid">normal
<input type="radio" name="answer" value="tall">+10%
<input type="radio" name="answer" value="tall">+25%
</form>

The important part is for the "value" associated with each button to be logged into the database. For example, if a user selects "+10%" I want to be able to log the word "heavy". And then there are two text input fields:

<form id="intro">
City: <input type="text" name="answer"><br>
Why you are using this tool:<input type="text" name="answer">
</form>

So for these text fields I need the user input logged as the answer.

  • You really need to escape your input to avoid SQL injections. Have a look at *Prepared Statements* – juergen d Mar 23 '14 at 23:58
  • 1
    Have you any web-server installed? And is it configured properly? I mean does it handle '.php' extension and process it through interpreter? – Paul Kotets Mar 24 '14 at 00:00
  • Do you have a webserver installed? Raw php code sounds like you don't have a server running. – Bolli Mar 24 '14 at 00:01
  • 2
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 24 '14 at 00:04
  • I'm working off of the DreamHost server so it should handle .php just fine. I got that to work, but now it seems that none of my answers are logged correctly, they just show up blank in the data table. Do I need to have 'answer' in '$_POST[answer]' be a unique value for each question? I currently have them in order that they would be answered by a user – user3452790 Mar 24 '14 at 00:13
  • check if the insert.php is in the same directory as your HTML file otherwise double check your path...... – Tomazi Mar 24 '14 at 00:21
  • Can you include in your post your input fields? – Logan Wayne Mar 24 '14 at 00:29

2 Answers

0

I see you got the PHP thing fixed.

Now you need to fill your form with data. This:

<form action="insert.php" method="post">
    <input type="submit">
</form>

sends only the submit value. You need to add input fields inside that form tag, otherwise, nothing else will get sent. So, since you're sending an answer array, you should add those (adding them as text fields, as an example):

<form action="insert.php" method="post">
    <input type="text" name="answer[]" />
    <input type="text" name="answer[]" />
    <!-- etc... -->
    <input type="submit" />
</form>

And make sure you filter all user inputs before writing anything into the database, as otherwise my buddy Bobby Tables might come to visit you.

Shomz
  • That sneaky Bobby Tables. Each has a "value" set within it that I want logged as the answer once a submit button is pressed. How would I make sure that only the "value" is entered into the database? For example, a possible answer would be: +10% The "+10%" is what the user will click on, but I want to log the value "wide". – user3452790 Mar 24 '14 at 01:00
  • No worries, it's the value that gets sent via POST, not the string after the input. It should work fine, just make sure the inputs are inside the form. – Shomz Mar 24 '14 at 01:05
  • Can I add this action to each individual form and have it submit in a similar manner? Right now, each question is in its own form and if I add action="insert.php" to each form I'm worried that it will treat the data separately. Or is there a way to log only the user's answers? Is that what the [] delineates on your code, that the answer that the user clicks will be inserted? – user3452790 Mar 24 '14 at 01:24
  • If you're using AJAX, then it's ok to use multiple forms, however, with a regular form, you should wrap all the questions inside one, and use the answers array (that's why []) to fetch all data. – Shomz Mar 24 '14 at 01:25
0

Make sure in your XAMPP Control Panel that Apache and MySQL are running. Then check if your input fields are inside the <form action='insert.php' method='POST'> input fields </form>

Your HTML code would look like this:

<html>
<body>

<form action='insert.php' method='POST'>

<table>
<tr><td>Width: </td><td>
<input type="radio" name="width" value="skinny">-25%
<input type="radio" name="width" value="skinny">-10%
<input type="radio" name="width" value="mid">normal
<input type="radio" name="width" value="fat">+10%
<input type="radio" name="width" value="fat">+25%
</td></tr>

<tr><td>Spacing: </td><td>    
<input type="radio" name="spacing" value="small">-25%
<input type="radio" name="spacing" value="small">-10%
<input type="radio" name="spacing" value="mid">normal
<input type="radio" name="spacing" value="wide">+10%
<input type="radio" name="spacing" value="wide">+25%
</td></tr>

<tr><td>Weight: </td><td>
<input type="radio" name="weight" value="light">-25%
<input type="radio" name="weight" value="light">-10%
<input type="radio" name="weight" value="mid">normal
<input type="radio" name="weight" value="heavy">+10%
<input type="radio" name="weight" value="heavy">+25%
</td></tr>

<tr><td>Height: </td><td>    
<input type="radio" name="height" value="short">-25%
<input type="radio" name="height" value="short">-10%
<input type="radio" name="height" value="mid">normal
<input type="radio" name="height" value="tall">+10%
<input type="radio" name="height" value="tall">+25%
</td></tr>

<tr><td>City: </td><td><input type="text" name="city"></td></tr>
<tr><td>Why you are using this tool: </td><td><input type="text" name="tool"></td></tr>
<tr><td></td><td><input type='submit'></td></tr>

</table>

</form>

</body>
</html>

What are you using in creating your php files? Dreamweaver? Notepad? Try this: SAVE AS your file, Save As Type: All Files and name it insert.php.

<?php
$con=mysqli_connect("localhost","YourUsername","YourPassword(if any)","NameOfYourDatabase");
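// Check connection and stop if it failed, so no query runs without one
if (mysqli_connect_errno())
  {
  die("Failed to connect to MySQL: " . mysqli_connect_error());
  }

// Escape every posted value: radio buttons do not limit what a client can send
$width=mysqli_real_escape_string($con,$_POST['width']);
$spacing=mysqli_real_escape_string($con,$_POST['spacing']);
$weight=mysqli_real_escape_string($con,$_POST['weight']);
$height=mysqli_real_escape_string($con,$_POST['height']);
$city=mysqli_real_escape_string($con,$_POST['city']);
$tool=mysqli_real_escape_string($con,$_POST['tool']);

/* REAL ESCAPE STRING WOULD PREVENT A BIT OF SQL INJECTION */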

$sql="INSERT INTO Persons (Name, Serif, Width, Height, Spacing, Weight)
VALUES
('$city','$tool','$width','$height','$spacing','$weight')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>
Logan Wayne
  • I'm using radio buttons as my mode of selection, does that affect the tags? I'm creating my php files using Coda 2. – user3452790 Mar 24 '14 at 01:03
  • @user3452790 - Can you provide us your HTML code/radio buttons? And the is for the table. No need to worry about it. – Logan Wayne Mar 24 '14 at 01:07
  • What is your current problem? – Logan Wayne Mar 24 '14 at 01:11
  • The page that I go to reads: Warning: mysqli_connect() [function.mysqli-connect]: (28000/1045): Access denied for user 'aarpet6'@'william-samuel.dreamhost.com' (using password: YES) in /home/aarpet6/capstone.aaronpetrik.com/insert.php on line 4 1 record added – user3452790 Mar 24 '14 at 01:12
  • Hey. Wait. Did you change your mysqli_connect according to your PhpMyAdmin? And you should provide five radio buttons on each five questions, right? – Logan Wayne Mar 24 '14 at 01:20
  • I definitely did not change any settings on PhpMyAdmin yet, I'll go check that out now. And there will be five radio buttons for four questions, the other two questions are text fields. Are those treated differently? – user3452790 Mar 24 '14 at 01:26
  • @user3452790 - Of course. Let me change my answer for you then. What are the four questions that have radio buttons? And what are the choices? Then what are the other two fields that require text fields? Give me also the name of your PhpMyAdmin's username, password (if any), and name of database. And name of your table – Logan Wayne Mar 24 '14 at 01:28
  • Can I send you an email? It's too much info for the comment box's character max – user3452790 Mar 24 '14 at 01:36
  • Why don't you include it in your post? – Logan Wayne Mar 24 '14 at 01:37
  • I've included all of the questions in my post. The username and password is pretty sensitive information, don't think I want to put that in public. – user3452790 Mar 24 '14 at 01:44
  • Awesome, thank you! I'll try that out in just a second. Each of the questions will also have a visual element that I've yet to create. Basically, every question will have an associated image that changes with an onclick function. The image is how the user decides their preference. Will having the
    tag around these images affect their functionality?
    – user3452790 Mar 24 '14 at 02:00
  • @user3452790 You should only provide one
    for them. You should try
    instead of another if you want to design your page.
    – Logan Wayne Mar 24 '14 at 02:04
  • Sounds good. Thanks for all your help Logan! You've got some good karma coming your way. – user3452790 Mar 24 '14 at 02:05
  • @user3452790 Why don't you try putting them into a table. See my updated html answer – Logan Wayne Mar 24 '14 at 02:12
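
The comments and both answers warn about SQL injection. As an added example (not code from the thread), this is one way insert.php could check the radio values against an allow-list and insert with a prepared statement. It assumes the field names and `Persons` columns from the second answer; the 100-character limit and the error texts are assumptions.

```php
<?php
// Added example, not from the thread; the 100-char limit is an assumption.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
// Radio buttons only limit what a browser offers; a client can POST anything,
// so each choice is checked against the values the form defines.
const FIELDS = [
    'width'   => ['skinny', 'mid', 'fat'],
    'spacing' => ['small', 'mid', 'wide'],
    'weight'  => ['light', 'mid', 'heavy'],
    'height'  => ['short', 'mid', 'tall'],
    'city'    => null, // null = free text: only type and length are checked
    'tool'    => null,
];

function validate_answers(array $post): array {
    $row = [];
    foreach (FIELDS as $field => $choices) {
        $value = $post[$field] ?? null; // an array (city[]=x) fails is_string
        $ok = is_string($value) && ($choices === null
            ? trim($value) !== '' && strlen($value) <= 100
            : in_array($value, $choices, true));
        if (!$ok) {
            throw new InvalidArgumentException("Invalid or missing $field");
        }
        $row[$field] = $value;
    }
    return $row;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $row = validate_answers($_POST);
        $con = mysqli_connect('localhost', 'YourUsername', 'YourPassword', 'NameOfYourDatabase');
        // Placeholders keep the values out of the SQL text, so quotes stay data.
        $stmt = $con->prepare('INSERT INTO Persons
            (Name, Serif, Width, Height, Spacing, Weight) VALUES (?, ?, ?, ?, ?, ?)');
        $stmt->bind_param('ssssss', $row['city'], $row['tool'], $row['width'],
            $row['height'], $row['spacing'], $row['weight']);
        $stmt->execute();
        echo '1 record added';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo $e->getMessage(); // names only the field, never the input
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // details go to the server log only
        http_response_code(500);
        echo 'Database error';
    }
}
```

A city such as "Coeur d'Alene" is stored unchanged, while a posted `width` that is not one of the form's three values is rejected with a 400 before any database connection is opened.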