-2

It is connecting to the database but is not inserting values. Please help me with inserting the form values into the table `registered`.

```php
if (isset($_POST["submit"])) {

    $dbconnect = new mysqli('localhost','root','','tas');

    if ($dbconnect) {
        echo "connected to database";
    }
    else{
        echo "did not connect";
    }

    $fname = $_POST["fname"];
    $lname = $_POST["lname"];
    $cert = $_POST["certificate"];
    $sex =  $_POST["sex"];
    $mobile = $_POST["mobile"];
    $email  = $_POST["email"];
    $institution =  $_POST["institution"];
    $session    =   $_POST["session"];
    $media  =   $_POST["media"];

    $insert ="INSERT INTO registered(firstmame,lastname,certificatename,sex,mobile,email,institution,session,media)
     VALUES ($fname,$lname,$cert,$sex,$mobile,$email,$institution,$session,$media)" ;

     if (!$insert) {
        echo "</br>error id not insert";
     }

     else{
        echo"<br/> success";
     }
}

?>
```

  • 1
    Can you post the exact error message you are getting? – Namphibian May 04 '15 at 21:54
  • 4
    [Your script is at risk for SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) You *never* execute the query. – Jay Blanchard May 04 '15 at 21:55
  • Where is the part where you are executing the `INSERT` statement ? – Maximus2012 May 04 '15 at 21:55
  • 2
    Bet you it's the missing quotes on the values –  May 04 '15 at 21:55
  • 2
    @JakeBall OP is using MySQLi: `$dbconnect = new mysqli('localhost','root','','tas');` Rude. – Twisty May 04 '15 at 21:56
  • 4
    I would assume most of those values you're trying to insert are strings and so need quoted. Also, rather than interpolating the variables directly into the query, I suggest you look up prepared statements / parameterised queries to secure your queries. Also, you don't run the insert. – Jonnix May 04 '15 at 21:56
  • 1
    **WARNING**: When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). **NEVER** put `$_POST` data directly into a query. – tadman May 04 '15 at 22:29
  • Please, how do I execute the query? – Eseme Ukeme May 04 '15 at 22:55
  • And how do I secure it from injection? – Eseme Ukeme May 04 '15 at 22:55

2 Answers

4

Your code is assigning a string value to a variable.

```php
$query = "whatever";
```

That's not inserting anything to the database, because that string is never executed as SQL (sent to the database) by your code.

To execute that on the database, you need to use a mysqli_ function, such as mysqli_query().


Please consider using prepared statements with bind placeholders.

Including potentially unsafe values into SQL text leads to SQL Injection vulnerabilities.

NOTE: Character literals in SQL text need to be enclosed in single quotes.

e.g. VALUES ('abc','def') not VALUES (abc,def).


FOLLOWUP

Here's an example of running an INSERT using a prepared statement with bind placeholders.

```php
$sql = "INSERT INTO registered
( firstmame
, lastname
, certificatename
, sex
, mobile
, email
, institution
, session
, media
) VALUES 
( ? , ? , ? , ? , ? , ? , ? , ? , ?)";

if ($stmt = mysqli_prepare($dbconnect, $sql)) {
    mysqli_stmt_bind_param($stmt, 'sssssssss'
        , $fname
        , $lname
        , $cert
        , $sex
        , $mobile
        , $email
        , $institution
        , $session
        , $media 
        );
    mysqli_stmt_execute($stmt);
    echo "affected rows = " . mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
} else {
   echo "error in prepare " . mysqli_error($dbconnect);
}
```

Reference: http://php.net/manual/en/mysqli.prepare.php

spencer7593
  • Please, how do I execute the query? I am a novice here – Eseme Ukeme May 04 '15 at 23:00
  • Read, review the examples. All the information is there if you look for it. Don't be lazy @EsemeUkeme http://php.net/manual/en/mysqli.query.php – Twisty May 04 '15 at 23:57
  • @EsemeUkeme: I've added a followup in my answer to provide an example of using a **prepared statement** with **bind placeholders** to perform a simple insert. This replaces the line in your code... `$insert = "INSERT...` (It's possible I misspelled something, or missed a semicolon, but this should give you the gist of what it looks like.) See the PHP documentation for more information about the mysqli interface functions. (Pay careful attention to the *arguments* that the functions accept, and what the functions *return*.) – spencer7593 May 05 '15 at 00:05
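
A complete form handler built around the prepared statement from the answer above, as an added example that is not code from this thread. It goes beyond the answer by making mysqli throw on a connection or query failure (the question's `if ($dbconnect)` and `if (!$insert)` checks test an object and a non-empty string, so they can never report one) and by rejecting missing or non-string fields. `FIELDS`, `collect_fields()` and `register()` are hypothetical names; the table, columns and connection values are copied from the question.

```php
<?php
// Added example, not code from this thread. Makes mysqli throw on failure.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Form field => column, both as written in the question's INSERT.
const FIELDS = [
    'fname' => 'firstmame', 'lname' => 'lastname', 'certificate' => 'certificatename',
    'sex' => 'sex', 'mobile' => 'mobile', 'email' => 'email',
    'institution' => 'institution', 'session' => 'session', 'media' => 'media',
];

// Hypothetical helper: require every field to be a non-empty string.
function collect_fields(array $post): array {
    $values = [];
    foreach (array_keys(FIELDS) as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
        $values[] = trim($post[$field]);
    }
    return $values;
}

// Hypothetical helper: the SQL text holds only fixed column names and "?" marks.
function register(mysqli $db, array $values): int {
    $columns = implode(', ', FIELDS);
    $marks = implode(', ', array_fill(0, count(FIELDS), '?'));
    $stmt = $db->prepare("INSERT INTO registered ($columns) VALUES ($marks)");
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();                 // this call is what sends the INSERT
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if (isset($_POST['submit'])) {
    try {
        $db = new mysqli('localhost', 'root', '', 'tas'); // connection values from the question
        $db->set_charset('utf8mb4');
        echo 'inserted rows = ' . register($db, collect_fields($_POST));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'invalid form data';
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());  // details go to the server log, not the browser
        http_response_code(500);
        echo 'registration failed';
    }
}
```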
0

You never execute your mysqli_query(). Please execute the query and provide more details.

Twisty