can't insert data into my SQL

Question

I'm writing my project for my university and I can insert data manually from my_sql_query but can't insert in from some field.

Here is my code:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>

<script type="text/javascript">
function checkForm(){
    if(document.regForm.name.value=='')
    alert('لطفا نام خود را وارد کنید')
    else if(document.regForm.username.value=='')
    alert('لطفا نام کاربری خود را وارد کنید')
    else if(document.regForm.password.value=='')
    alert('لطفا رمز عبور خود را وارد کنید')
    else if(document.regForm.rePassword.value=='')
    alert('لطفا عبور خود را دوباره وارد کنید')
    else if(document.regForm.rePassword.value!=document.regForm.password.value)
    alert('رمز عبور وارد شده یکسان نیست')

    else if(document.regForm.email.value=='')
    alert('لطفا ایمیل خود را وارد کنید')
    else
    document.regForm.submit();
}
</script>
<link rel="stylesheet" href="css/bootstrap.css">
</head>

<body>

<form action="" method="post" dir="rtl" name="regForm" >
<div class="form-group">
<br> <br> <br> <br>
<label >name</label>
<input class="form-control"  type="text" name="name" placeholder="حسین محمودی">
</div>
<div class="form-group">
<label >username</label>
<input class="form-control" type="text" name="username" placeholder="iHMahmoodi">
</div>
<div class="form-group">
<label >password</label>
<input class="form-control" type="password" name="password" placeholder="رمز">
</div>
<div class="form-group">
<label >repass</label>
<input class="form-control" type="password" name="rePassword" placeholder="تکرار رمز عبور">
</div>
<div class="form-group">
<label >email</label>
<input class="form-control" type="email" name="email" placeholder="ایمیل">
</div>
<input type="submit" class="btn btn-success"  onClick="checkForm()" name="reg" value="register">

</div>


</form>
<?php
connect();
$r=mysql_query("insert into login() values('','$name','$username','$password','$email','u')");
connect();
$name=$_POST['name'];
$username=$_POST['username'];
$password=$_POST['password'];
$rePassword=$_POST['rePassword'];
$email=$_POST['email'];
if($name && $username && $password && $email)
{
connect();
$r=mysql_query("insert into login() values('','$name','$username','$password','$email','u')");

if($r)
echo '<script>alert("اطلاعات شما ثبت شد "); </script>';
}
?>
</body>
</html>

I used bootstrap for styling.
And my connect() code is:

<?php
function connect()
{
   $db='ihmahmoodi';
    $connect=mysql_connect('localhost','root','');
    mysql_select_db($db,$connect);
    mysql_query('SET NAMES utf8');

}
?>

When I click on the register button, noting happens and the page just refreshes!
Where is the problem?

Use or die mysql error function, you have an error in your query? http://php.net/manual/en/function.mysql-error.php — Rens Tillmann, Nov 11 '15 at 04:10
Check for errors. Also you are open to SQL injections with this code and any `'` in user input will cause a failure. — chris85, Nov 11 '15 at 04:21

score 1 · Accepted Answer · edited May 23 '17 at 12:03

You should define your variables before using them like so:

connect();
$name=$_POST['name'];
$username=$_POST['username'];
$password=$_POST['password'];
$rePassword=$_POST['rePassword'];
$email=$_POST['email'];
$r=mysql_query("insert into login values('','$name','$username','$password','$email','u')");

Few things to note:

Always check if the $_POST variables you are trying to access have been set. Otherwise, you will run into errors.

if(isset($_POST['name']) && isset($_POST['username']) && isset($_POST['password']) && isset($_POST['rePassword']) && isset($_POST['email'])) { // do stuff here } else { // show error here }
Executing your code like this causes a SQL injection vulnerability. Always assume that any input given by the user to be untrustworthy and do the appropriate validation.

The absolute basic would be to simply escape the user input like so:

connect(); $name=$_POST['name']; $username=mysql_escape_string($_POST['username']); $password=mysql_escape_string($_POST['password']); $rePassword=mysql_escape_string($_POST['rePassword']); $email=mysql_escape_string($_POST['email']);
Never use the root user to connect to the database as it will grant attackers unrestricted access to your databases. Always setup a dedicated user for each application that will access your database.
While your code is good from a learning point of view, it is better to stop using the mysql_ set of functions as they have been deprecated. Using the mysqli class is better as it supports parameterized queries that prevent sql injection.

I'd add a fourth point about using deprecated `mysql_` functions; and also about using parameterized queries over escaping. — chris85, Nov 11 '15 at 04:59
thanks, i used your answer so my code going to alert("اطلاعات شما ثبت شد "); '; } else { echo ''; } — Hossein, Nov 11 '15 at 05:15
@Hossein you should move the variable assignment code into the if statement as you will only want to access them if they have been set. Otherwise the code will still cause the same issues. — fabian enos, Nov 12 '15 at 07:08

can't insert data into my SQL

1 Answers1