-1

This seems to be correct, but I'm missing it somehow.

form in a demo-form.php file

```html
<form action="test.php" method="post">
  <p>Name: <input type="text" name="name" /></p>
  <p>Email: <input type="text" name="email" /></p>
  <input type="submit" value="Submit" />
</form>
```

code in a test.php file

```php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "forms1";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$sql = "INSERT INTO per_Info (name, email)
VALUES ('Test', 'test@example.com')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
```

The problem: it inserts 'Test', 'test@example.com' into the database (under "name" and "email") instead of whatever name I actually type into the form. In other words, if I type "John" and "John@test.com" in the Name field on the form, it will only insert 'Test', 'test@example.com' and not "John", etc.

Funk Forty Niner
  • Because in your SQL you set name and email values as `test` and `test@example.com`. – Rashad Nov 22 '15 at 23:15
  • See this query in your code, `$sql = "INSERT INTO per_Info (name, email) VALUES ('Test', 'test@example.com')";`, so that's why. – Rajdeep Paul Nov 22 '15 at 23:15
  • You need to be drawing values from `$_POST['name'], $_POST['email']` instead of the hard-coded values in your `$sql` variable. Begin reading about [PHP superglobals](http://php.net/manual/en/reserved.variables.post.php) and also, about protecting form inputs from SQL injection attacks with [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). It will be important to use `prepare()/bind_param()/execute()` instead of `query()`. – Michael Berkowski Nov 22 '15 at 23:15
  • That is because you have `Test` and `test@example.com` hard-coded in your query; also, nowhere in your code are you storing the data sent from demo-form.php to test.php. Most programming languages aren't mind readers, so it won't automatically alter a hard-coded query for you. – Memor-X Nov 22 '15 at 23:16

2 Answers

-1

You post data with a form, and that data can be retrieved by using `$_POST['inputname']`.

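```php
<?php

    // $conn is the mysqli connection opened at the top of test.php.
    // The ? placeholders keep the submitted values out of the SQL text.
    $stmt = $conn->prepare("
       INSERT INTO per_Info
        (name, email)
       VALUES
        (?, ?)
    ");

    // "ss": both parameters are bound as strings.
    $stmt->bind_param("ss", $_POST['name'], $_POST['email']);

    if ($stmt->execute()) {
      echo "New record created successfully";
    }

?>
```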
Xorifelse
-1

Isn't that what you want? Inserting "Test" as a name and "test@example.com" in your database whatever the user types in the form? Because that's what this line says:

```php
$sql = "INSERT INTO per_Info (name, email)
VALUES ('Test', 'test@example.com')";
```

Sorry for being sarcastic, it took me 5 minutes to figure out what was wrong and when I did I felt stupid :p. So what you need to do is to sanitize your `$_POST['name']` and `$_POST['email']` (more info on sanitizing post data). Say you already did that and you have two perfectly clean variables called `$name` and `$email`. What you want to do is:

```php
$sql = "INSERT INTO per_Info (name, email)
VALUES ('$name', '$email')";
```
Community
Mouradif
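A complete `test.php` that combines the points raised in the comments and answers, added here as an example and not code from either answer: the `$_POST` values are type-checked and validated, then bound with `prepare()`/`bind_param()`/`execute()` so they are never concatenated into the SQL string, and database errors go to the server log instead of being echoed with the query. The helper name `read_form`, the length limits and the response messages are assumptions; the connection settings and table name are the ones from the question.

```php
<?php
// Added example, not part of the original thread.
// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: returns [name, email] from the posted form,
 * or null when a field is missing, not a string, or fails validation.
 */
function read_form(array $post): ?array
{
    $name  = $post['name']  ?? null;
    $email = $post['email'] ?? null;
    // name[]=x style input arrives as an array; reject anything but strings.
    if (!is_string($name) || !is_string($email)) {
        return null;
    }
    $name  = trim($name);
    $email = trim($email);
    // Byte-length limits are assumptions; match them to the column sizes.
    if ($name === '' || strlen($name) > 100 || strlen($email) > 254) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return [$name, $email];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('Submit the form in demo-form.php.');
}
$fields = read_form($_POST);
if ($fields === null) {
    http_response_code(400);
    exit('Invalid name or email.');
}
[$name, $email] = $fields;

try {
    $conn = new mysqli('localhost', 'root', '', 'forms1');
    $conn->set_charset('utf8mb4');
    // Placeholders: the values travel separately from the SQL text.
    $stmt = $conn->prepare('INSERT INTO per_Info (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email);
    $stmt->execute();
    echo 'New record created successfully';
} catch (mysqli_sql_exception $e) {
    error_log('per_Info insert failed: ' . $e->getMessage()); // details stay server-side
    http_response_code(500);
    echo 'Could not save the record.';
}
```

Because the values are bound as parameters, a name such as `O'Brien` is stored as typed; the validation step is there for data quality and does not do any SQL escaping.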