1

This is a basic (so I thought) working registration form. I went through it and didn't see any gaping hole in my script.

My main issue is that the code is running fully with no errors; however, the final echo statement isn't appearing and the details have not been inserted when I look back at my table in phpMyAdmin.

<? php

    require 'connect.php';

    if (isset($_POST['username', 'password', 'firstname', 'lastname', 'email', 'age']){

        $username = $_POST['username'];
        $password = $_POST['password'];
        $firstname = $_POST['firstname'];
        $lastname = $_POST['lastname'];
        $email = $_POST['email'];
        $age = $_POST['age'];

        $query = "INSERT INTO 'user_details'.'user_login_details' ('id', 'username', 'firstname', 'lastname', 'email', 'password', 'age) VALUES (NULL, '$username', '$firstname', '$lastname', '$email', '$password', '$age')";

        $result = mysqli_query($query);

        if ($result == true){
            echo "User Created Successfully. Welcome to the family !";
        }



    }

?>
Drahgon
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jan 25 '15 at 20:22
  • "My main issue is that the code is running fully with no errors" — The PHP might not have any errors, but if `$result` is a false value then there are SQL errors and you have to call the error function of your database API to find out what they are. – Quentin Jan 25 '15 at 20:23
  • Like so many, you're not looking for errors and complaining that things aren't working. Specifically, your use of `mysqli_query()` is wrong. Check the PHP manual for the correct syntax for this function. It's __not__ the same as `mysql_query()` –  Jan 25 '15 at 20:26
  • For the actual "INSERT INTO" command I pretty much directly copied and pasted from the phpMyAdmin interface, as it gives you the code for inserting a record into your table ... I don't think it is that. Must be something though. – Drahgon Jan 25 '15 at 20:29
  • Hobo Sapiens, do I need to add the link to the database as the first parameter? If I do, then surely it would have come up with a PHP error and required me to do so. – Drahgon Jan 25 '15 at 20:29
  • Most prominently you have a syntax error in `isset($_POST["x", "y", "z"])`. That's not how isset() and array accesses work. Enable `error_reporting` in your php.ini before you do anything else. It's pointless to code blindly when something doesn't work. – mario Jan 25 '15 at 20:32

1 Answer

2

There are several possible reasons that your echo statement was not executed.

Script Failed to Run

Ensure that your server can run PHP scripts and that this script runs. Test by passing a simple echo statement at the top of this script, just after the opening <?php tag (which should not have a space between '

Conditional Failed

Your query will not execute if the conditional on line five fails. I suspect that you want to ensure that each of the variables is present in $_POST, but the code does not do that now. Instead, try to check each key individually:

if (isset($_POST['username']) && isset($_POST['password']) ...)

Add some debugging output to an else clause to determine whether the conditional is failing:

if (...) {
    //
} else {
    echo "Please enter a value in all required fields.";
}

Query Failed

The code executes a query but fails to determine whether it completed successfully. For debugging, you can do something like:

$result = mysqli_query($query) or die('Query failed: ' . mysql_error());

For production code, check the return value

if ($result == true){

and create an else clause to manage failures

} else {
    // Log mysql_error() to an appropriate location
}

mysql_error() will reveal detailed information about errors in your query or connection.

One of the errors that mysql_error will report is that the query is referencing databases, tables and column names incorrectly; database, table and column names need to be surrounded by backticks (`) instead of single quotes ('):

$query = "INSERT INTO `user_details`.`user_login_details` (`id`, `username`, `firstname`, `lastname`, `email`, `password`, `age`) VALUES (NULL, '$username', '$firstname', '$lastname', '$email', '$password', '$age')";

Only the values should be surrounded by single quotes.

Deprecation and Security warning

As others have noted, the code uses deprecated mysql_* functions and is vulnerable to SQL injection attacks. Consider upgrading to PDO and prepared statements as a first line of defense.

George Cummins
  • One of the best god damn answers I have ever received on this site, thanks so much for taking time out of your evening to help me out. It is really appreciated =] – Drahgon Jan 25 '15 at 20:36
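
The PDO and prepared-statement approach the answer recommends, as an added example that is not part of the original question or answer. The helper name `register_user()`, the in-memory SQLite table standing in for the MySQL `user_login_details` table, and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). register_user() is a hypothetical helper.
const REQUIRED_FIELDS = ['username', 'password', 'firstname', 'lastname', 'email', 'age'];

function register_user(PDO $pdo, array $post): string
{
    // Check every key on its own; $_POST['a', 'b'] is a parse error.
    foreach (REQUIRED_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return 'Please enter a value in all required fields.';
        }
    }
    $age = filter_var($post['age'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($age === false || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email address and age.';
    }
    try {
        // Placeholders keep user input out of the SQL text, so a quote in a value stays data.
        $stmt = $pdo->prepare(
            'INSERT INTO user_login_details (username, firstname, lastname, email, password, age)
             VALUES (:username, :firstname, :lastname, :email, :password, :age)'
        );
        $stmt->execute([
            ':username'  => $post['username'],
            ':firstname' => $post['firstname'],
            ':lastname'  => $post['lastname'],
            ':email'     => $post['email'],
            ':password'  => password_hash($post['password'], PASSWORD_DEFAULT), // never store plaintext
            ':age'       => $age,
        ]);
    } catch (PDOException $e) {
        // Log the detail server-side; show the user a generic message.
        error_log('Registration insert failed: ' . $e->getMessage());
        return 'Registration failed. Please try again later.';
    }
    return 'User Created Successfully. Welcome to the family !';
}

// Constructed demo: an in-memory SQLite table stands in for the MySQL one (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE user_login_details (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    firstname TEXT, lastname TEXT, email TEXT, password TEXT, age INTEGER)');

$sample = ['username' => 'pat', 'password' => 'correct horse', 'firstname' => 'Pat',
           'lastname' => "O'Brien", 'email' => 'pat@example.com', 'age' => '30'];
echo register_user($pdo, $sample), PHP_EOL;               // valid submission
echo register_user($pdo, $sample), PHP_EOL;               // same username again hits the UNIQUE constraint
echo register_user($pdo, ['username' => 'pat']), PHP_EOL; // most fields missing
echo $pdo->query('SELECT lastname FROM user_login_details')->fetchColumn(), PHP_EOL; // apostrophe stored as data
```

Against MySQL, only the `new PDO(...)` line changes: use a `mysql:` DSN with credentials, and keep `PDO::ERRMODE_EXCEPTION` so a failed query cannot pass silently.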