
I just got an assignment to make an HTML form with PHP that will store information in a MySQL database. It is not making the table and I can't figure out why. Here is the code (btw I don't care about SQL injection because this is just for school)

<?php


@$ime = $_POST['ime'];
@$prezime = $_POST['prezime'];
@$email = $_POST['email'];
@$adresa = $_POST['adresa'];
@$misljenje = $_POST['misljenje'];


$conn = mysqli_connect("localhost","root","");
mysqli_query($conn,"create database baza_podataka");
mysqli_select_db($conn,"baza_podataka");
mysqli_query($conn,"create table 'podatci' (id int primary key auto_increment, ime varchar(10), prezime varchar(10), email varchar(20), adresa varchar(20), misljenje varchar(100))");
mysqli_query($conn,"INSTERT INTO `podatci` VALUES ('$ime','$prezime','$email','$adresa','$misljenje')");

?>

and the HTML

<form name="forma" action="obrada.php" method="post">
            <label>Ime :</label>
                    <input type="text" id="ime" size="20"/><br><br>

            <label>Prezime :</label>
                    <input type="text" id="prezime" size="20"/><br><br>

            <label>E-mail :</label>
                    <input type="text" id="email" size="20"/><br><br>

            <label>Adresa :</label>
                    <input type="text" id="adresa" size="40"/><br><br>

            <label>Vase misljenje :</label><br><br>
                    <textarea name="misljenje" id="misljenje"></textarea>

            </label><input type="submit" id="submit" name="submit"/>
Phelippe
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 29 '14 at 15:48
  • You should [learn how to use the label element properly](http://www.456bereastreet.com/archive/200711/use_the_label_element_to_make_your_html_forms_accessible/). Without a for attribute or a form control inside it, a label is useless. – Quentin Mar 29 '14 at 15:48
  • 2
    "btw I dont care about sql injection becouse this is just for school" You should always care about writing secure code. It's easy to get in the habit of writing bad code. – ceejayoz Mar 29 '14 at 15:59
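None of the replies say why the table itself never appears, and the script above cannot tell you either, because every mysqli_query() return value is thrown away. The following is an added diagnostic example (not the asker's code): it runs the question's statements one at a time and prints the server error for each one that fails. It assumes the XAMPP defaults from the question (localhost, user root, empty password); the run() helper and the literal 'a'..'e' row are constructed for the demonstration.

```php
<?php
// Added diagnostic example (not the asker's code): run the question's statements one
// at a time and print mysqli's error for each one that fails, instead of ignoring the
// return value of mysqli_query(). Assumes the XAMPP defaults used in the question
// (localhost, user root, empty password).
mysqli_report(MYSQLI_REPORT_OFF);  // return false on failure; we inspect errors by hand

$conn = mysqli_connect("localhost", "root", "");
if ($conn === false) {
    die("connect failed: " . mysqli_connect_error() . "\n");
}

/** Run one statement and report the outcome; returns true on success. */
function run(mysqli $conn, string $sql): bool
{
    if (mysqli_query($conn, $sql) === false) {
        printf("FAILED: %s\n  -> (%d) %s\n", $sql, mysqli_errno($conn), mysqli_error($conn));
        return false;
    }
    echo "ok: $sql\n";
    return true;
}

run($conn, "CREATE DATABASE IF NOT EXISTS baza_podataka");
mysqli_select_db($conn, "baza_podataka");

// 1. The question's CREATE TABLE. Single quotes make 'podatci' a string literal, not a
//    table name, so MySQL answers with error 1064 (syntax error) and no table is created.
run($conn, "create table 'podatci' (id int primary key auto_increment, ime varchar(10))");

// 2. Identifiers are quoted with backticks (or left unquoted); IF NOT EXISTS keeps the
//    statement harmless if the script is run again.
run($conn, "CREATE TABLE IF NOT EXISTS `podatci` (
    id INT PRIMARY KEY AUTO_INCREMENT,
    ime VARCHAR(10), prezime VARCHAR(10), email VARCHAR(20),
    adresa VARCHAR(20), misljenje VARCHAR(100))");

// 3. The question's INSERT with the INSTERT typo fixed still fails: a bare VALUES list
//    must give one value per column, and six columns (id included) get only five.
//    (Constructed sample row, not real data.)
run($conn, "INSERT INTO `podatci` VALUES ('a', 'b', 'c', 'd', 'e')");

// 4. Naming the columns leaves id to AUTO_INCREMENT and the row is accepted.
run($conn, "INSERT INTO `podatci` (ime, prezime, email, adresa, misljenje) VALUES ('a', 'b', 'c', 'd', 'e')");

mysqli_close($conn);
```

Running this from the command line prints a FAILED line for statements 1 and 3 with MySQL's own message, which is the information the original script discards. On PHP 8.1 and later mysqli reports errors as exceptions by default (MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT), which is the mode you want in real code; the explicit MYSQLI_REPORT_OFF here is only so each failure can be shown side by side.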

3 Answers


You have a lot of problems:

  • Remove the error suppression operator. @$ime = $_POST['ime']; Remove the @ from all the variables.
  • You are creating the database each and every time whenever this script is called. [which is totally wrong]
  • It is INSERT not INSTERT on your query.
  • You are passing the $_POST parameters directly onto your query which makes you 100% vulnerable to SQL Injection. Switch to Prepared Statements to overcome this.
Shankar Narayana Damodaran
  • When I remove @, I get Notice: Undefined index: ime in /Applications/XAMPP/xamppfiles/htdocs/obrada.php on line 4 Notice: Undefined index: prezime in /Applications/XAMPP/xamppfiles/htdocs/obrada.php on line 5 Notice: Undefined index: email in /Applications/XAMPP/xamppfiles/htdocs/obrada.php on line 6 Notice: Undefined index: adresa in /Applications/XAMPP/xamppfiles/htdocs/obrada.php on line 7 and it's still not creating the table? – Phelippe Mar 29 '14 at 15:50
  • Add the name attribute on your form like this for all of your variables.. ` ` – Shankar Narayana Damodaran Mar 29 '14 at 15:51

First of all, I don't see a </form> in your HTML code.

Try using $_REQUEST['htmlvariablename'];

$ime = $_REQUEST['ime'];
$prezime = $_REQUEST['prezime'];
$email = $_REQUEST['email'];
$adresa = $_REQUEST['adresa'];
$misljenje = $_REQUEST['misljenje'];

...And as stated earlier you are vulnerable to SQL injection.

GeekByDesign

1) Use INSERT instead of INSTERT

mysqli_query($conn,"INSERT INTO `podatci` VALUES ('$ime','$prezime','$email','$adresa','$misljenje')");

2) Escape all of your data using mysqli_real_escape_string

3) Never use the error suppressor @ in your code; instead use isset() to check whether the value is set or not.

$conn = mysqli_connect("localhost","root","");
// condition ? value-if-set : default  (the ? and : must be in this order)
$ime = isset($_POST['ime']) ? mysqli_real_escape_string($conn, $_POST['ime']) : '';
$prezime = isset($_POST['prezime']) ? mysqli_real_escape_string($conn, $_POST['prezime']) : '';
$email = isset($_POST['email']) ? mysqli_real_escape_string($conn, $_POST['email']) : '';
$adresa = isset($_POST['adresa']) ? mysqli_real_escape_string($conn, $_POST['adresa']) : '';
$misljenje = isset($_POST['misljenje']) ? mysqli_real_escape_string($conn, $_POST['misljenje']) : '';

4) Finally, there is no need to create the database and/or table every load, you should only do it once.

Aziz Saleh
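The handler rewritten the way the first and third answers recommend (prepared statements instead of interpolated strings, explicit presence checks instead of @, no schema creation inside the request), as one added example that is not the asker's or any answerer's code. It assumes the form inputs carry name attributes matching the POST keys (ime, prezime, email, adresa, misljenje; the original inputs only had id attributes), that the database and table already exist, and the XAMPP defaults from the question (localhost, root, empty password). The FIELDS constant and the collect() and storeEntry() helpers are names introduced here. Unlike mysqli_real_escape_string(), a bound parameter never becomes part of the SQL text, so it does not depend on quoting context or connection charset.

```php
<?php
declare(strict_types=1);

// Added example obrada.php, not code from the original post. Assumes the inputs are
// named ime, prezime, email, adresa, misljenje and that `podatci` already exists in
// database baza_podataka (created once, not per request).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false

// Column name => width from the question's CREATE TABLE. Checked here so bad input is
// rejected with a clear message instead of being silently truncated by MySQL.
const FIELDS = ['ime' => 10, 'prezime' => 10, 'email' => 20, 'adresa' => 20, 'misljenje' => 100];

/**
 * Read the expected fields from a POST array. Returns [values, errors]; a missing,
 * blank, oversized or non-scalar field (e.g. ime[]=x) is an error, never a fatal notice.
 */
function collect(array $post): array
{
    $values = [];
    $errors = [];
    foreach (FIELDS as $name => $max) {
        $raw = $post[$name] ?? '';
        if (!is_string($raw)) {
            $errors[] = "$name must be a single value";
            continue;
        }
        $value = trim($raw);
        if ($value === '') {
            $errors[] = "$name is required";
        } elseif (mb_strlen($value) > $max) {
            $errors[] = "$name is longer than $max characters";
        } elseif ($name === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "email is not a valid address";
        }
        $values[$name] = $value;
    }
    return [$values, $errors];
}

/** Insert one row with a prepared statement; returns the new AUTO_INCREMENT id. */
function storeEntry(mysqli $conn, array $values): int
{
    // The SQL text is fixed. User data is sent separately as bound parameters, so an
    // input like  x','y','z','w'); DROP TABLE podatci; --  is stored as text, not executed.
    $stmt = $conn->prepare(
        'INSERT INTO `podatci` (ime, prezime, email, adresa, misljenje) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'sssss',
        $values['ime'], $values['prezime'], $values['email'], $values['adresa'], $values['misljenje']
    );
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the form.');
}

[$values, $errors] = collect($_POST);
if ($errors !== []) {
    http_response_code(400);
    // Field names are ours, but escape anyway: never echo request-derived text raw.
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

$conn = new mysqli('localhost', 'root', '', 'baza_podataka');
$conn->set_charset('utf8mb4'); // so Croatian characters round-trip intact

$id = storeEntry($conn, $values);
echo 'Saved entry #', $id;
```

Two practical notes: on PHP 8.1 and later `$stmt->execute([...])` accepts the parameters directly and bind_param() can be dropped; and the `root` account with an empty password is only acceptable on a local XAMPP install, so the real deployment should connect as a dedicated user that has INSERT on `podatci` and nothing else.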