
I am at a point where my form is connecting to the DB and inserting, but it isn't taking my form data and is inserting blank fields.

<form method="post" action="add.php">

    <input type="text" name="firstname" placeholder="Firstname" id="firstname"><br><br>

    <input type="text" name="lastname" placeholder="Lastname" id="lastname"><br><br>

    <input type="submit" name="submit" value="Sent">

</form>

Here is the add.php script:

<?php
mysql_connect("localhost","******","******");//database connection
mysql_select_db("testrentals");

//inserting data order
// note: $firstname and $lastname are never assigned in this script, so both
// values in the query are empty strings
$order = "INSERT INTO customers (firstname, lastname) VALUES ('$firstname', '$lastname')";

//declare in the order variable
$result = mysql_query($order);  //order executes
if($result){
    echo("<br>Input data is working and adding!");
} else{
    echo("<br>Input data is failing =(");
}
?>

My database table has an id, firstname, lastname and joined date.

But as mentioned above, when submitted it states it is working and a record appears but nothing in the firstname or lastname field (I have yet to do the joined date part.)

user3725879

  • [Prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). Add some error checking to your query / connections, for instance `or die(mysql_error())` – Jay Blanchard Apr 24 '15 at 14:48
  • Your code is vulnerable to SQL Injection, like @JayBlanchard said. – Akar Apr 24 '15 at 14:49
  • This is purely for a personal project; it is not an outward-facing app. – user3725879 Apr 24 '15 at 14:50
  • *It doesn't matter.* – Jay Blanchard Apr 24 '15 at 14:50
  • @user3725879 Before you ask your next question, please consider reading this: http://meta.stackoverflow.com/q/261592/3933332 – Rizier123 Apr 24 '15 at 15:00
  • I am fully aware of the security flaws; however, this is never going to be used outside of a local environment. – user3725879 Apr 24 '15 at 15:03
  • *It still doesn't matter.* Everything, and I mean everything, can be hacked. – Jay Blanchard Apr 24 '15 at 15:06

4 Answers


You need to get the values from `$_POST`, i.e. `$_POST['firstname']`. If you're going to be grabbing data straight from `$_POST`, you had better filter and validate what's coming through from the form before persisting anything to the database.

Jay Blanchard, dannym87

Let's switch all of this over to PDO and get it right. Here is what add.php could look like:

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);   // development only: never show raw errors to end users

define('USER', '*****');
define('PASS', '*****');


function dataQuery($query, $params) {
    // what kind of query is this? (first keyword, e.g. SELECT or INSERT)
    $queryType = explode(' ', trim($query));

    // establish database connection
    try {
        $dbh = new PDO('mysql:host=localhost;dbname=testrentals;charset=utf8mb4', USER, PASS);
        $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    catch(PDOException $e) {
        echo $e->getMessage();
        return null; // no connection, so there is nothing to prepare against
    }

    // run query
    try {
        $queryResults = $dbh->prepare($query);
        $queryResults->execute($params);
        if('SELECT' == strtoupper($queryType[0])) {
            $results = $queryResults->fetchAll(PDO::FETCH_ASSOC);
        } else {
            $results = $queryResults->rowCount(); // rows affected by INSERT/UPDATE/DELETE
        }
        $queryResults = null; // first of the two steps to properly close
        $dbh = null; // second step to close the connection
        return $results;
    }
    catch(PDOException $e) {
        echo $e->getMessage();
        return null;
    }
}


// read the submitted fields; a missing field becomes '' instead of an undefined-index notice
$firstname = isset($_POST['firstname']) ? $_POST['firstname'] : '';
$lastname  = isset($_POST['lastname'])  ? $_POST['lastname']  : '';

$order = "INSERT INTO `customers` (`firstname`, `lastname`) VALUES (?,?)";
$params = array($firstname, $lastname);
$results = dataQuery($order, $params);

?>

The technique for this is explained in detail here.

Jay Blanchard

You need to feed your data from the `$_POST` array. This is where the form data goes after submitting it: http://php.net/manual/en/reserved.variables.post.php

$firstname = $_POST['firstname'];
$lastname= $_POST['lastname'];

// note: the values are concatenated into the SQL unescaped here
$order = "INSERT INTO customers (firstname, lastname) VALUES ('".$firstname."', '".$lastname."')";
Jay Blanchard, Yasen Zhelev

You should be using your post variables like this:

$_POST['firstname'];
$_POST['lastname'];
John williams