-1

I learned PHP from an institute, but they taught me old syntax and techniques for inserting data into a database with PHP. When I searched online I found it is deprecated and will no longer be available in future versions of PHP. I want to learn the new techniques for inserting data into a database. I will give you an example of what I am doing now; it is working fine for me, but I want to insert data using prepared statements and all possible techniques.

HTML:

    <form method="post" action="do_submit.php">
    Name:<input type="text" name="name" id="name"/>
    Class:<input type="text" name="class" id="class"/>
    Section:<input type="text" name="section" id="section"/>
    Roll Number:<input type="text" name="roll" id="roll"/>
    Registration Number:<input type="text" name="reg" id="reg"/>
    <input type="submit"/>
    </form>

do_submit.php:

    <?php

    // Old ext/mysql style (deprecated, removed in PHP 7): the submitted values
    // are interpolated straight into the SQL string.
    include 'dbconnect.php';

    $name    = $_POST['name'];
    $class   = $_POST['class'];
    $section = $_POST['section'];
    $roll    = $_POST['roll'];
    $reg     = $_POST['reg'];

    $sql = mysql_query("INSERT INTO `school`.`students` (`Name`, `Class`, `Section`, `Roll_No`, `Reg_No`)
        VALUES ('$name', '$class', '$section', '$roll', '$reg');") or die("INSERT Error: " . mysql_error());

    if ($sql) {
        $myURL = 'success.php?sType=insert';
        header('Location: ' . $myURL);
        exit;
    } else {
        echo "Try again!";
    }

    ?>

Can anyone please guide me with example code so that I learn new techniques that are more secure against being hacked?

John Conde
Raj
  • Give a look at [PDO](http://php.net/manual/en/book.pdo.php) and try to use prepared statements; that would already be more secure – Marc-André Trahan Apr 15 '15 at 16:40
  • possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – andrewsi Apr 16 '15 at 00:56
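The comment above points to PDO. As an added example (not code from the question or from either answer), here is the same do_submit.php written with PDO prepared statements: the SQL text is sent to the server once, the five values are bound separately, and the driver is told to throw exceptions instead of failing silently. The connection values, the `students` table from the question, and treating `Roll_No` as an integer are assumptions.

```php
<?php
// Added example: inserting the form data with PDO prepared statements.
// Connection settings below are assumed placeholders; replace them with your own.
$dsn  = 'mysql:host=localhost;dbname=school;charset=utf8mb4';
$user = 'db_user';
$pass = 'db_password';

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Read the five form fields. filter_input() returns null when a field is absent,
// so a missing field is rejected before any SQL runs.
$fields = ['name', 'class', 'section', 'roll', 'reg'];
$input  = [];
foreach ($fields as $field) {
    $value = filter_input(INPUT_POST, $field, FILTER_DEFAULT);
    if ($value === null || $value === false || trim($value) === '') {
        http_response_code(400);
        exit("Missing field: $field");
    }
    $input[$field] = trim($value);
}

// Assumption: Roll_No is numeric. Validate it as an integer before it reaches the database.
$roll = filter_var($input['roll'], FILTER_VALIDATE_INT);
if ($roll === false) {
    http_response_code(400);
    exit('Roll number must be a whole number');
}

// Named placeholders: the values never become part of the SQL text.
$sql = 'INSERT INTO `students` (`Name`, `Class`, `Section`, `Roll_No`, `Reg_No`)
        VALUES (:name, :class, :section, :roll, :reg)';

try {
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':name',    $input['name'],    PDO::PARAM_STR);
    $stmt->bindValue(':class',   $input['class'],   PDO::PARAM_STR);
    $stmt->bindValue(':section', $input['section'], PDO::PARAM_STR);
    $stmt->bindValue(':roll',    $roll,             PDO::PARAM_INT);
    $stmt->bindValue(':reg',     $input['reg'],     PDO::PARAM_STR);
    $stmt->execute();

    header('Location: success.php?sType=insert');
    exit;
} catch (PDOException $e) {
    // Keep the real error server-side; the user only sees a generic message.
    error_log('Insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Try again!';
}
```

Two design choices worth noting: `ATTR_EMULATE_PREPARES => false` makes MySQL itself parse the statement once and receive the values separately, and logging the exception message instead of echoing it keeps table and column names out of the browser.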

2 Answers

0
    <?php

    // create connection ($servername etc. come from your config, e.g. dbconnect.php)
    $conn = new mysqli($servername, $username, $password, $dbname);
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $name    = $_POST['name'];
    $class   = $_POST['class'];
    $section = $_POST['section'];
    $roll    = $_POST['roll'];
    $reg     = $_POST['reg'];

    // the values are sent separately from the SQL text, so they cannot change the query's structure
    $stmt = $conn->prepare("INSERT INTO `school`.`students` (`Name`, `Class`, `Section`, `Roll_No`, `Reg_No`)
        VALUES (?, ?, ?, ?, ?)");
    if (!$stmt) {
        die("Prepare failed: " . $conn->error);
    }
    $stmt->bind_param("sssss", $name, $class, $section, $roll, $reg);

    if ($stmt->execute() === true) {
        $myURL = 'success.php?sType=insert';
        header('Location: ' . $myURL);
        exit;
    } else {
        echo "Try again!";
    }

    ?>
Chris Tate
  • @crystal thanks for helping me. Can you please tell me new techniques for storing values in variables? I think I saw a new method somewhere on Google – Raj Apr 15 '15 at 16:53
0

Here is a basic outline:

    // 1. Connect ($servername etc. come from your config, e.g. dbconnect.php)
    $conn = new mysqli($servername, $username, $password, $dbname);

    if ($conn->connect_errno) {
        die("Connect failed: (" . $conn->connect_errno . ") " . $conn->connect_error);
    }

    $name    = $_POST['name'];
    $class   = $_POST['class'];
    $section = $_POST['section'];
    $roll    = $_POST['roll'];
    $reg     = $_POST['reg'];

    // 2. Prepare (one ? per value you will bind in step 3)
    $sql = "INSERT INTO students (Name, Class, Section, Roll_No, Reg_No) VALUES (?, ?, ?, ?, ?)";

    $stmt = $conn->prepare($sql);

    if (!$stmt) {
        die("Prepare failed: (" . $conn->errno . ") " . $conn->error);
    } else {
        echo ("<p>Prepare succeeded</p>");
    }

    // 3. Bind params (one type character per placeholder)
    // s = string
    // i = integer
    // d = double (float)
    // b = blob (binary data)

    $bind_result = $stmt->bind_param("sssss", $name, $class, $section, $roll, $reg);

    if (!$bind_result) {
        die("Binding failed: (" . $stmt->errno . ") " . $stmt->error);
    } else {
        echo ("<p>Binding succeeded</p>");
    }

    // 4. Execute
    $execute_result = $stmt->execute();

    if (!$execute_result) {
        echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
    } else {
        echo ("<p>Execute succeeded</p>");
    }

    // 7. Free results (only matters for statements that returned a result set; harmless here)
    $stmt->free_result();

    // 8. Close statement
    $stmt->close();

    // 9. Close MySQL connection
    $conn->close();
geeves
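The outline above checks each step by hand. As an added example (not code from either answer), the same prepare/bind/execute sequence can be written with mysqli's exception mode, so a failure at any step throws `mysqli_sql_exception` and one `try`/`catch` replaces the per-step `if`/`else` blocks. It also binds the roll number with the `i` type after validating it as an integer. The connection values, the `students` table from the question, and a numeric `Roll_No` column are assumptions.

```php
<?php
// Added example: mysqli prepared insert with exception reporting.
// Connection settings are assumed placeholders; replace them with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one student row and return the new auto-increment id (0 if the table has none).
 * Assumes a `students` table with the five columns used in the question.
 */
function insertStudent(mysqli $conn, string $name, string $class, string $section, int $roll, string $reg): int
{
    $sql = 'INSERT INTO `students` (`Name`, `Class`, `Section`, `Roll_No`, `Reg_No`)
            VALUES (?, ?, ?, ?, ?)';
    $stmt = $conn->prepare($sql);                 // throws on a SQL syntax error
    $stmt->bind_param('sssis', $name, $class, $section, $roll, $reg); // 4th value bound as integer
    $stmt->execute();                             // throws on constraint violations etc.
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

// Read and trim the form fields; missing fields become empty strings.
$name    = trim($_POST['name'] ?? '');
$class   = trim($_POST['class'] ?? '');
$section = trim($_POST['section'] ?? '');
$reg     = trim($_POST['reg'] ?? '');
$roll    = filter_var($_POST['roll'] ?? '', FILTER_VALIDATE_INT);

if ($name === '' || $class === '' || $section === '' || $reg === '' || $roll === false) {
    http_response_code(400);
    exit('All fields are required and the roll number must be a whole number');
}

try {
    $conn = new mysqli('localhost', 'db_user', 'db_password', 'school');
    $conn->set_charset('utf8mb4');                // client charset must match the server's expectation

    $newId = insertStudent($conn, $name, $class, $section, $roll, $reg);
    $conn->close();

    header('Location: success.php?sType=insert&id=' . $newId);
    exit;
} catch (mysqli_sql_exception $e) {
    // Details go to the server log; the browser gets a generic message only.
    error_log('Insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Try again!';
}
```

With `MYSQLI_REPORT_STRICT` the `!$stmt` and `!$bind_result` checks from the outline are no longer needed, because `prepare()` and `execute()` throw instead of returning `false`; the `catch` block is the single place where failures are handled and logged.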