Having trouble inserting inputted data into database

Question

I have previously written a question similar to this before hand and I have seemed to fix only minor errors in my code but like most of the time, when I fix one thing, another arises.

Before I clarify my problem, I just want to explain the background. Basically have two registration forms, both are used one after the other with their own input devices and validations. When I input the data in the first registration form, I press next and it takes me to the second form where I must fill out other information before I "register" completely. In my second registration form, I used a list of hidden inputs, like <input type="hidden" name="name" value="<?php echo $_POST['name'];?>"/> so that I can hold the information from first registration file and still possess the same data without loosing it completely when I am taken to the next registration page.

Below is my code:

<?php
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$name = $_POST['name'];
$lname = $_POST['lname'];
$address = $_POST['address'];
$agreement= $_POST['agreement'];
$conditions= $_POST['conditions'];
}

$conn = mysql_connect("localhost", "*****", "******");
 mysql_select_db("*********", $conn)
 or die ('Database not found ' . mysql_error() ); 

$sql= "INSERT INTO `users` (username, password, name, lname, address, agreement, conditions) 
VALUES (". $username .", ". $password .", ". $name .", ". $lname .", ". $address .", ". $agreement .", ". $conditions.")";

 $rs = mysql_query($sql, $conn) 
 or die ('Problem with query' . mysql_error()); 
 mysql_close($conn)
?>

My form opens but I get a list of errors

Notice: Undefined variable: username ... at line 140.

Line 140 meaning the VALUES line with my variables.

All I can say at the moment is that I know I am using the correct database and table, which is why this is extremely confusing for me as to why the data I input is not inserting into the database. I have tried many methods and nothing have helped improve my code so far.

`VALUES ('". $username ."', '". $password ."',` etc. you do the rest. Plus, make sure all your form elements are named with no typos. — Funk Forty Niner, Jun 01 '14 at 02:48
You may even want to put a semi-colon here `mysql_close($conn)` — Funk Forty Niner, Jun 01 '14 at 02:49
Anyone who answers please also explain the gaping SQL injection vulnerability. — Wesley Murch, Jun 01 '14 at 02:50
Even if you do get this going, your present code will still be open to [**SQL injection**](http://stackoverflow.com/q/60174/). Use [**prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo). — Funk Forty Niner, Jun 01 '14 at 02:52
See also: [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Wesley Murch, Jun 01 '14 at 02:54
Ask one of the guys who put in "answers". There are too many things that can be at play here, and I mean many. Wrong DB, table, column names, types etc. etc. — Funk Forty Niner, Jun 01 '14 at 02:54
And please note you are running the query even if your variables are not defined. — Wesley Murch, Jun 01 '14 at 02:54
Add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1);` — Funk Forty Niner, Jun 01 '14 at 02:55

Fluffeh · Answer 1 · 2014-06-01T02:55:08.187

It seems you have a bunch of errors in the code snippet you posted.

Notice: Undefined variable: username ... at line 140

Firstly, the error message you are getting means that the variable $username isn't set. This is likely a problem with your form being submitted incorrectly.

Reading the code you have, unless a form is submitted, you will ALWAYS get the error.

if (isset($_POST['submit']))

This will assign the variables you use later only if a form is submitted - yet the rest of your code will execute whether or not this condition is met.

The simplest way to only run the insert if you get form data is to pop that entire section inside the IF statement:

if (isset($_POST['submit'])) 
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $name = $_POST['name'];
    $lname = $_POST['lname'];
    $address = $_POST['address'];
    $agreement= $_POST['agreement'];
    $conditions= $_POST['conditions'];


    $conn = mysql_connect("localhost", "*****", "******");
     mysql_select_db("*********", $conn)
     or die ('Database not found ' . mysql_error() ); 

    $sql= "INSERT INTO `users` (username, password, name, lname, address, agreement, conditions) 
    VALUES (". $username .", ". $password .", ". $name .", ". $lname .", ". $address .", ". $agreement .", ". $conditions.")";

    $rs = mysql_query($sql, $conn) 
    or die ('Problem with query' . mysql_error()); 
    mysql_close($conn);

}

Secondly, when you get that working as expected, you will still need to pop quotes around all the strings you want to insert into the database.

VALUES ('". $username ."', // etc

Thirdly, by simply putting user entries directly into your query, you are wide open to SQL injection - which is the technical way of saying that anyone can pretty much do anything to your database, and therefore site. You should really use prepared statements, bound params and make it safe - from the start, not from when you get this working later on...

score -1 · Answer 2 · answered Jun 01 '14 at 02:50

You have to put the values between quotes

Try this :

$sql= "INSERT INTO `users` (username, password, name, lname, address, agreement, conditions) 
VALUES ('". $username ."', '". $password ."', '". $name ."', '". $lname ."', '". $address ."', '". $agreement ."', '". $conditions."')";

And be careful when you inject data from $_POST[] into an SQL Query : You can be victim of SQL injection !! Please read that : SQL Injection

[EDIT]

mysql_query() is deprecated, you should use PDO instead

Having trouble inserting inputted data into database

2 Answers2