Form saying its sent but there is no data is showing up in the database

Question

I'm new to PHP and still trying to get my head round it. this form says that the data has been sent to the database but when I look the database is empty, no errors are showing up? is there a problem with my code.

Note: I understand that this form is not protected from SQL Injection.

HTML

<?php
session_start();
?>
<!DOCTYPE HTML>
<html>
    <head>
        <title>Page Form</title>
        <link rel="stylesheet" href="style.css" />
    </head>
    <body>
        <div class="container">
            <div class="main">
                <h2>PHP Page 3 Form</h2><hr/>
                <span id="error">

                </span>
                <form action="page4_insertdata.php" method="post">

                    <label>Company Name :<span>*</span></label><br />
                    <input name="company_name" type="text" placeholder="Joes Cleaner" required>
                    <br />

                    <label>Ref :<span>*</span></label><br />
                    <input name="ref" type="text" placeholder="H123" required>
                    <br />

                    <label>Website :<span>*</span></label><br />
                    <input name="website" type="text" placeholder="www.google.com" required>
                    <br />

                    <label>Email :<span>*</span></label><br />
                    <input name="email" type="email" placeholder="Joescleaners@gmail.com" required>
                    <br />

                    <label>Telephone :<span>*</span></label><br />
                    <input name="tel" type="text" placeholder="07123456789" required>
                    <br />

                    <label>Message :<span>*</span></label><br />
                    <input name="message" id="message" type="text" size="500" required>
                    <br />



                    <input  type="reset" value="Reset" />
                    <input name="submit" type="submit" value="Submit" />

                </form>
            </div>

        </div>
    </body>
</html>

PHP

<?php
session_start();
?>
<!DOCTYPE HTML>
<html>
    <head>
        <title>PHP Multi Page Form</title>
        <link rel="stylesheet" href="style.css" />
    </head>
    <body>
        <div class="container">
            <div class="main">
                <h2>PHP Multi Page Form</h2><hr/>

                <?php

                            $servername = "localhost";
                            $db_database = 'form';
                            $username = "root";
                            $password = "";

                            // Create connection
                            $conn = new mysqli($servername, $username, $password);

                            // Check connection
                            if ($conn->connect_error) {
                                die("Connection failed: " . $conn->connect_error);
                            } 
                            echo "DB Connected successfully. ";


                            $company_name = $_POST['company_name'];
                            $ref = $_POST['ref'];
                            $website = $_POST['website'];
                            $email = $_POST['email'];
                            $tel = $_POST['tel'];
                            $message = $_POST['message'];


                            $sql = "INSERT INTO detail (company_name,ref,website,email,tel,message) 
                            VALUES ('$company_name','$ref','$website','$email','$tel','$message')";

                            if($sql){
                            echo " Database Sent.";
                            }
                            else {
                            echo "ERROR to insert into database";
                            };
                ?>
            </div>

        </div>
    </body>
</html>

**Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, Dec 04 '14 at 16:09
Rule of thumb when posting SQL related questions: State that you know about SQL Injection before someone yells at you. — Tim Lewis, Dec 04 '14 at 16:13

RichardBernards · Accepted Answer · 2014-12-05T13:04:47.527

Change the following code:

if($sql){
echo " Database Sent.";
}
else {
echo "ERROR to insert into database";
};

To:

$result = $conn->query($sql);
if($result){
    echo " Database Sent.";
}
else {
    echo "ERROR to insert into database";
};

This way you are actually performing the query and checking on failure of query...

To make your query a bit safer, try the following:

$sql = "
    INSERT INTO detail (
        company_name,
        ref,
        website,
        email,
        tel,
        message
    ) 
    VALUES (
        '" . mysqli_real_escape_string($company_name) . "',
        '" . mysqli_real_escape_string($ref) . "',
        '" . mysqli_real_escape_string($website) . "',
        '" . mysqli_real_escape_string($email) . "',
        '" . mysqli_real_escape_string($tel) . "',
        '" . mysqli_real_escape_string($message) . "'
    )";

Better yet, use binding of params by replace the $sql instantiation and query execution ($conn->query()) with the following:

$stmt = $conn->prepare("INSERT INTO detail (company_name,ref,website,email,tel,message) VALUES (?, ?, ?, ?, ?, ?)");
$stmt->bind_param('ssssss', $company_name, $ref, $website, $email, $tel, $message);
$stmt->execute();

You can read up on binding parameters with mysqli by visiting PHP: mysqli_stmt::bind_param - Manual

Complete code:

<?php
session_start();
?>
<!DOCTYPE HTML>
<html>
    <head>
        <title>PHP Multi Page Form</title>
        <link rel="stylesheet" href="style.css" />
    </head>
    <body>
        <div class="container">
            <div class="main">
                <h2>PHP Multi Page Form</h2><hr/>

                <?php

                            $servername = "localhost";
                            $db_database = 'form';
                            $username = "root";
                            $password = "";

                            // Create connection
                            $conn = new mysqli($servername, $username, $password, $db_database);

                            // Check connection
                            if ($conn->connect_error) {
                                die("Connection failed: " . $conn->connect_error);
                            } 
                            echo "DB Connected successfully. ";

                            $stmt = $conn->prepare("INSERT INTO detail (company_name,ref,website,email,tel,message) VALUES (?, ?, ?, ?, ?, ?)");
                            $stmt->bind_param('ssssss', 
                                $_REQUEST['company_name'],
                                $_REQUEST['ref'],
                                $_REQUEST['website'],
                                $_REQUEST['email'],
                                $_REQUEST['tel'],
                                $_REQUEST['message']
                            );

                            if($stmt->execute()) {
                                echo " Database Sent.";
                            } else {
                                echo "ERROR to insert into database: " . $stmt->error;
                            };
                ?>
            </div>

        </div>
    </body>
</html>

bart2puck · Answer 2 · 2014-12-04T16:16:22.577

0

You arent actually sending a query, you are setting the variable $sql = "INSERT....." which is always true.

you need to do:

$result =  $mysqli->query($sql);


 if ($result......)

edited Dec 04 '14 at 16:16

answered Dec 04 '14 at 16:10

bart2puck

2,432
3
27
53

Form saying its sent but there is no data is showing up in the database

2 Answers2