
My html code:

```html
<form action="send_post.php" method="post">
    <input type="submit" value="Login" />
</form>
```

PHP code:

```php
<?php
$con = mysqli_connect("","","");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
else
{
    // echo('Connected with Mysql');
}
@mysql_select_db("a", $con); // connect to database db_name
if (isset($_POST['Submit']))
{
    $email=$_POST['email'];
    $pass=$_POST['pass'];
    $sql_query="INSERT INTO formdata (email, pass) VALUES('$email', '$pass')";
}
?>
```

Database name: mysql Table name: formdata

Why is it not working? In the second line I used 'local host' first, but I was receiving an error so I removed it.

Funk Forty Niner
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 19 '14 at 06:49
  • (1) Do not suppress error messages. `@mysql_select_db("a", $con);` (2) Show us all the HTML for the form. (3) Define "not working" – Quentin May 19 '14 at 06:50
  • You cannot mix MySQL APIs. Add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1);` --- Plus, your conditional statement will fail. It's based on looking for your submit button being named `Submit` which it isn't. – Funk Forty Niner May 19 '14 at 06:50
  • I also noticed that you may be storing passwords in plain text. This is not recommended. Use [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. For PHP < 5.5 use the [`password_hash() compatibility pack`](https://github.com/ircmaxell/password_compat). – Funk Forty Niner May 19 '14 at 07:03

1 Answer

  1. You use the `mysqli_` API to connect to your database and then test for errors and try to select a database with the `mysql_` API. Pick one and stick to it. (Don't pick `mysql_`; it is deprecated.)
  2. You only run the form handling code if there is a `Submit` data item in the submitted data. You have no form control with `name="Submit"` so that will never happen.
  3. Your form handling code expects there to be `email` and `pass` data in the submitted data but your form does not have fields with those names.
  4. Constructing an SQL query as a string and storing it in a variable is insufficient to do anything to your database. You have to actually send it to the database server. That would use `mysqli_query` with your current approach, but you should switch to prepared statements.
Quentin
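
The answer's four points and the comment about password hashing, put together in one `send_post.php`, as an added example rather than code from the question or the answer. The connection credentials and `db_name` are placeholders, the `email` and `pass` inputs are added to the form, and the `pass` column is assumed to be wide enough for a hash (`VARCHAR(255)`).

```php
<?php
// Added example, not the asker's or answerer's code. Assumptions: placeholder
// credentials and database name; formdata.pass is VARCHAR(255) to hold a hash.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of hiding errors with @

// Validate the submitted fields; returns [row, null] or [null, error message].
function validate_signup(array $post): array
{
    // filter_var() returns false for missing, malformed or non-scalar input.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $pass  = $post['pass'] ?? '';
    if ($email === false || !is_string($pass) || $pass === '') {
        return [null, 'A valid email and a password are required'];
    }
    // Store a salted hash, never the plain-text password.
    return [['email' => $email, 'hash' => password_hash($pass, PASSWORD_DEFAULT)], null];
}

// Send the INSERT to the server with bound parameters (no string interpolation).
function save_signup(mysqli $db, string $email, string $hash): void
{
    $stmt = $db->prepare('INSERT INTO formdata (email, pass) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
}

if (isset($_POST['Submit'])) {            // matches name="Submit" on the button below
    [$row, $error] = validate_signup($_POST);
    if ($error !== null) {
        http_response_code(400);
        exit($error);
    }
    try {
        $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
        $db->set_charset('utf8mb4');
        save_signup($db, $row['email'], $row['hash']);
        exit('Saved');
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());      // details go to the log, not to the visitor
        http_response_code(500);
        exit('Could not save the form');
    }
}
?>
<form action="send_post.php" method="post">
    <input type="email" name="email" required />
    <input type="password" name="pass" required />
    <input type="submit" name="Submit" value="Login" />
</form>
```

At login time the stored value is checked with `password_verify()`, not by comparing strings.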