0

first of all i am pretty new with mysql and php and for now i just want to insert some data in a mysql database form two text box using php.

here the database name is "info" and table name is "students" having three columns like id(primary key, auto increment activated), name and dept. There are two text boxes txtName and txtDept. I want that when i press the enter button the data form the text boxes will be inserted into the mysql database. I have tried the following code but data is not being inserted in the table....

<html>

<form mehtod="post" action="home.php">
    <input type="text" name="txtName" />
    <input type="text" name="txtDept" />
    <input type="submit" value="Enter"/>

</form>
</html> 

<?php

$con = mysqli_connect("localhost","root","","info");
if($_POST){

    $name = $_POST['txtName'];
    $dept = $_POST['txtDept'];
    echo $name;
    mysqli_query($con,"INSERT INTO students(name,dept) VALUES($name,$dept);");


}

?>
Ishrak
  • 71
  • 6
  • 18

2 Answers2

6

There are a few things wrong with your posted code.

mehtod="post" it should be method="post" - typo.

Plus, quote your VALUES

VALUES('$name','$dept')

DO use prepared statements, or PDO with prepared statements.

because your present code is open to SQL injection

and add error reporting

error_reporting(E_ALL);
ini_set('display_errors', 1);

You should also check for DB errors.

$con = mysqli_connect("localhost","root","","info")   
          or die("Error " . mysqli_error($con));

as well as or die(mysqli_error($con)) to mysqli_query()

Sidenote/suggestion:

If your entire code is inside the same file (which appears to be), consider wrapping your PHP/SQL inside a conditional statement using the submit button named attribute, otherwise, you may get an Undefined index... warning.

Naming your submit button <input type="submit" name="submit" value="Enter"/>

and doing

if(isset($_POST['submit'])){ code to execute }

Just doing if($_POST){ may give unexpected results when error reporting is set.

Rewrite: with some added security using mysqli_real_escape_string() and stripslashes()

<html>

<form method="post" action="home.php">
    <input type="text" name="txtName" />
    <input type="text" name="txtDept" />
    <input type="submit" name="submit" value="Enter"/>

</form>
</html> 

<?php

$con = mysqli_connect("localhost","root","","info")  
         or die("Error " . mysqli_error($con));

if(isset($_POST['submit'])){

    $name = stripslashes($_POST['txtName']);
    $name = mysqli_real_escape_string($con,$_POST['txtName']);

    $dept = stripslashes($_POST['txtDept']);
    $dept = mysqli_real_escape_string($con,$_POST['txtDept']);
    echo $name;

    mysqli_query($con,"INSERT INTO `students` (`name`, `dept`) VALUES ('$name','$dept')")   
           or die(mysqli_error($con));

}

?>

As per the manual: http://php.net/manual/en/mysqli.connect-error.php and if you wish to use the following method where a comment has been given to that effect:

<?php
$link = @mysqli_connect('localhost', 'fake_user', 'my_password', 'my_db');

if (!$link) {
    die('Connect Error: ' . mysqli_connect_error());
}
?>
Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
0

God save us all... Use PDO class instead :). By using PDO you can additionally make prepared statement on client side and use named parameters. More over if you ever have to change your database driver PDO support around 12 different drivers (eighteen different databases!) where MySQLi supports only one driver (MySQL). :( In term of performance MySQLi is around 2,5% faster however this is not a big difference at all. My choice is PDO anyway :).

DevWL
  • 17,345
  • 6
  • 90
  • 86