
I am trying to post some data from my HTML form into my MySQL database.

Here is my HTML code:

<!doctype html>
<html>
<head>
</head>
<body style="background-color:#BCB7B7">
<form id="form1" name="form1" method="post" style="text-align:center" action="post.php">
  <input type="text" name="name" id="name" placeholder="Name">
  <p></p>
  <input type="text" name="age" id="age" placeholder="Age">
  <p></p>
  <input type="text" name="food" id="food" placeholder="Food">
  <p></p>
  <input type="submit" name="submit" id="submit" value="Submit">
</form>
</body>
</html>

and here is my PHP code:

<?php
$connect = mysql_connect("localhost","myusername","mypassword","mydbname");
mysql_select_db("mydbname",$connect);
mysql_query("INSERT INTO myTable VALUES Name = $_POST[name],  Age = $_POST[age], Food = $_POST[food]");
?>

but the data does not get saved.

Abdullah Shafique
  • [The HTML5 placeholder attribute is not a substitute for the label element](http://www.456bereastreet.com/archive/201204/the_html5_placeholder_attribute_is_not_a_substitute_for_the_label_element/) – Quentin Jun 18 '14 at 14:05
  • Add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1);` and `("localhost","myusername","mypassword")` you chose the DB name below. Plus, your values are way off AND open to SQL injection. It's not `Name = ...` it's just the value itself. Do read proper tutorials. – Funk Forty Niner Jun 18 '14 at 14:05

4 Answers

3

Strings in SQL must be quoted. You are dumping your variables into the SQL without quotes.

Your syntax is also wrong. The format is INSERT INTO table_name (column_name, column_name) VALUES value, value.

You are also failing to escape the data, so you are vulnerable to SQL Injection attacks.

To fix your problems:

  1. Stop using the deprecated mysql_ library and switch to mysqli_ or PDO
  2. Use bound arguments to insert variables into your SQL
  3. Use the correct syntax

This question about preventing SQL injection has examples of how to use those libraries safely.

Quentin
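As an added example (not code from the question or from any of the answers), here is post.php rewritten the way this answer recommends, with mysqli prepared statements. It assumes the table from the question (myTable with columns Name, Age, Food), that Age is an integer column, and the credentials the question uses.

```php
<?php
// Added example: the question's post.php rewritten with mysqli prepared statements.
// Assumes table myTable(Name, Age, Food) with Age as an integer column.
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Turn every mysqli failure into an exception instead of a silent false return,
// so a failed connect or insert can no longer go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli("localhost", "myusername", "mypassword", "mydbname");
$db->set_charset("utf8mb4");

// Only handle a real form submission, and reject requests with fields missing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['name'], $_POST['age'], $_POST['food'])) {
    http_response_code(400);
    exit("Missing form fields");
}

$name = trim($_POST['name']);
$food = trim($_POST['food']);
// Age is numeric: validate it as an integer in a plausible range before it is used.
$age = filter_var($_POST['age'], FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 150]]);

if ($name === '' || $food === '' || $age === false) {
    http_response_code(400);
    exit("Invalid input");
}

// The SQL text contains only placeholders. The user-supplied values travel
// separately through bind_param, so a value like  x', 'y'); DROP TABLE ...
// is stored as a plain string and can never alter the statement's structure.
$stmt = $db->prepare("INSERT INTO myTable (Name, Age, Food) VALUES (?, ?, ?)");
$stmt->bind_param("sis", $name, $age, $food); // s = string, i = integer, s = string
$stmt->execute();

echo "Saved row id " . $stmt->insert_id;
$stmt->close();
$db->close();
```

The mysql_* extension the question uses was removed in PHP 7, so this is also the version that runs on current PHP releases.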
1

There are 2 different versions of the INSERT command - you are using neither.

Either:

INSERT INTO myTable SET Name = "Peter", 
Age = 15, Food = "pizza"

or

INSERT INTO myTable (Name, Age, Food) VALUES 
("Peter", 15, "pizza")
Sam Dufel
  • *"Either: `INSERT INTO myTable SET Name`"* - That is incorrect. That would need to be `UPDATE myTable SET Name = "Peter"...` – Funk Forty Niner Jun 18 '14 at 14:13
  • @Fred-ii- - you are mistaken. It's a less common syntax, but some people like it. If you don't believe me, go read the mysql manual. http://dev.mysql.com/doc/refman/5.6/en/insert.html – Sam Dufel Jun 18 '14 at 14:15
  • My bad, sorry about that Sam. I stand corrected. Will +1 for my mistake ;-) – Funk Forty Niner Jun 18 '14 at 14:17
0

You have to quote the values:

// Quoted values in the column-list form of INSERT; the POST values are still interpolated directly.
mysql_query("INSERT INTO myTable (Name, Age, Food) VALUES ('$_POST[name]', '$_POST[age]', '$_POST[food]')");

Hint: You should use mysqli_ or PDO_ functions, as mysql_ functions are deprecated.

Cornel Raiu
  • **Danger**: This is still vulnerable to SQL injection attacks. – Quentin Jun 18 '14 at 14:08
  • I know that. He should read some tutorials about proper and safe inserting form data into sql db. I only fixed his issue – Cornel Raiu Jun 18 '14 at 14:09
  • *"Hint: You should use mysqli_ or PDO_ functions as mysql_ functions are deprecated"* --- The use of `mysqli_` and/or PDO are **not** safeguards against SQL injection; not on their own that is. Using [**`mysqli_*` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or **PDO** with [**prepared statements**](http://php.net/pdo.prepared-statements) will. – Funk Forty Niner Jun 18 '14 at 14:20
  • I did not say those are safeguards. I only said that mysql_ functions are deprecated. I see you quoted my answer ... where did I say that using those provide safeguard? :) – Cornel Raiu Jun 18 '14 at 14:24
  • I was merely "stating" that the use of those are not safeguards, and wasn't putting words in your mouth. People get the wrong impression and think that by using `mysqli_` and/or PDO, that SQL injection won't happen. I honestly don't know where people get that misconception about those APIs. – Funk Forty Niner Jun 18 '14 at 14:42
  • Neither do I. You provided some links there. They should read them :) – Cornel Raiu Jun 19 '14 at 14:24
0

Try this:

<?php
// The fourth argument of mysql_connect() is the new_link flag, not a database name;
// the database is selected by mysql_select_db() below.
$connect = mysql_connect("localhost","myusername","mypassword") or die("error while connecting to the database");
mysql_select_db("mydbname",$connect) or die("error while selecting the database");
// Array keys must be quoted outside a double-quoted string; each value is escaped
// for the open connection before it is placed inside the quoted SQL literal.
mysql_query("INSERT INTO myTable VALUES ('" . mysql_real_escape_string($_POST['name'], $connect) . "', '" . mysql_real_escape_string($_POST['age'], $connect) . "', '" . mysql_real_escape_string($_POST['food'], $connect) . "')", $connect) or die("error while inserting: " . mysql_error($connect));
?>