
I am making a signup form. Below is my code. My database name is "users" and has the following fields: id, name, email & password. When I submit the form it echoes "You've been signed up!" but nothing gets inserted into the database. I am new to PHP and SQL. Could anyone help me with why my form is not submitting data to the database?

```php
<?php

if (isset($_POST['submit'])) {

    $error = "";

    if (!$_POST['userName'])
        $error .= "<br/>Please enter your name";

    if (!$_POST['userEmail'])
        $error .= "<br/>Please enter your email";
    else if (!filter_var($_POST['userEmail'], FILTER_VALIDATE_EMAIL))
        $error .= "<br/>Please enter a valid email address";

    if (!$_POST['userPassword'])
        $error .= "<br/>Please enter your password";
    else {
        if (strlen($_POST['userPassword']) < 8)
            $error .= "<br/>Please enter a password with minimum 8 characters";
        if (!preg_match('`[A-Z]`', $_POST['userPassword']))
            $error .= "<br/>Please include a capital letter in your password";
    }

    if ($error)
        echo "There were error(s) in your signup details: " . $error;
    else {
        $link = mysqli_connect("localhost", "username", "password", "database");

        if (!$link) {
            echo "Failed.";
        } else {
            $query = "SELECT * FROM `users` WHERE email='$_POST[userEmail])'";
            $result = mysqli_query($link, $query);
            $results = mysqli_num_rows($result);

            if ($results)
                echo "That email address already exists. Do you want to log in? ";
            else {
                $query = "INSERT INTO users (name, email, passsword) VALUES(
                    '$_POST[userName]', '$_POST[userEmail]', '$_POST[userPassword]')";
                mysqli_query($link, $query);
                echo "You've been signed up!";
            }
        }
    }
}
?>
    <!DOCTYPE html>
    <html lang="en">
      <head>
        <meta charset="utf-8">
        <title>Sign Up</title>
    </head>
    <body>
    <h1>Sign Up</h1>
    <form method="post">
        <label for="userName">Name</label>
        <input type="text" id="userName" name="userName" placeholder="Name"/>
        <label for="userEmail">Email address</label>
        <input type="email" id="userEmail" name="userEmail" placeholder="Email"/>
        <label for="userPassword">Password</label>
        <input type="password" id="userPassword"
            name="userPassword" placeholder="Password"/>
        <input type="submit" id="submit" name="submit" placeholder="Sign Up"/>
    </form>
    </body>
    </html>
```
Anax
chaitanya
  • 4
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Dec 17 '15 at 16:22
  • 1
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Dec 17 '15 at 16:22
  • 2
    you're not checking for errors. – Funk Forty Niner Dec 17 '15 at 16:22
  • 1
    [Why are you limiting passwords?](https://xkcd.com/936/) [Don't limit passwords](http://jayblanchard.net/security_fail_passwords.html). – Jay Blanchard Dec 17 '15 at 16:23
  • 1
    $_POST[userName] should be $_POST["userName"].. Other values also need to be adjusted. SQL Injection vulnerabilities are there too – Rehmat Dec 17 '15 at 16:24
  • 1
    @rehmat When substituting an array element inside a double-quoted string, you don't put quotes around the index, unless you put the whole thing inside curly braces. – Barmar Dec 17 '15 at 16:57
  • Add error reporting by adding this line to the top of your file `error_reporting(E_ALL); ini_set('display_errors', 1);`. Then look at this http://www.hackingwithphp.com/5/10/0/arrays-in-strings . But you shouldn't be using the POST variables directly in your SQL – Dan Dec 17 '15 at 16:58
  • Since you're using mysqli, you should take advantage of prepared statements instead of substituting variables into the SQL string. – Barmar Dec 17 '15 at 16:58
  • Use `mysqli_query($link, $query) or die(mysqli_error($link));` to see an error from the `INSERT` statement. – Barmar Dec 17 '15 at 16:59
  • `$query = "SELECT * FROM \`users\` WHERE email='$_POST[userEmail])'";` You've a stray parentheses. – Dan Dec 17 '15 at 17:00

3 Answers

0

Replace your else with

```php
else {
     $uname = $_POST["userName"];
     $email = $_POST["userEmail"];
     $password = $_POST["userPassword"];
     // Column name spelled `password`, matching the table's field list.
     $query = "INSERT INTO users (name, email, password) VALUES('$uname', '$email', '$password')";
     // Stop and print the MySQL error if the INSERT fails.
     mysqli_query($link, $query) or die(mysqli_error($link));
     echo "You've been signed up!";
}
```
Alfred
0

Your INSERT query should look like this:

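```php
// $userName, $userEmail and $userPassword must first be set from the matching $_POST fields.
$query = "INSERT INTO users (name, email, password) VALUES('$userName', '$userEmail', '$userPassword')";
```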
Tony
0

I checked your code.

Errors:

1. In the SELECT query: an extra ')' right parenthesis was placed.
2. In the INSERT query: password was spelled passsword.

Updated: just change the queries as below.

```php
// Table name is `users`, as in the question's code.
$query = "SELECT * FROM `users` WHERE email='$_POST[userEmail]'";

$query = "INSERT INTO users (name, email, password) VALUES(
                    '$_POST[userName]', '$_POST[userEmail]', '$_POST[userPassword]')";
```
Monty
  • Thanks. It was because of the spelling mistake. I will update the other part of the code too as suggested by you and the others. – chaitanya Dec 18 '15 at 12:32
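
The comments on the question recommend prepared statements, `password_hash()` and error checking. As an added example (not code from any poster in this thread), the sign-up logic could be written as follows, assuming PHP 7 or later; the `signUp()` function name is hypothetical, and the table, columns and connection placeholders are the question's.

```php
<?php
// Added example. Table `users` and its columns (name, email, password) are
// from the question; the connection credentials are the question's placeholders.

// Make mysqli throw on every failure, so a misspelled column raises an
// exception instead of failing silently before the success message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the message to show the visitor.
function signUp(mysqli $link, string $name, string $email, string $password): string
{
    // Bound parameters keep user input out of the SQL text entirely.
    $check = $link->prepare('SELECT id FROM `users` WHERE email = ?');
    $check->bind_param('s', $email);
    $check->execute();
    $check->store_result();
    if ($check->num_rows > 0) {
        return 'That email address already exists. Do you want to log in?';
    }

    // Store a salted hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $insert = $link->prepare(
        'INSERT INTO `users` (name, email, password) VALUES (?, ?, ?)'
    );
    $insert->bind_param('sss', $name, $email, $hash);
    $insert->execute();

    return "You've been signed up!";
}

// The question's field validation would run before this point.
if (isset($_POST['submit'])) {
    try {
        $link = new mysqli('localhost', 'username', 'password', 'database');
        $link->set_charset('utf8mb4');
        $message = signUp(
            $link,
            $_POST['userName'] ?? '',
            $_POST['userEmail'] ?? '',
            $_POST['userPassword'] ?? ''
        );
        echo htmlspecialchars($message);
    } catch (mysqli_sql_exception $e) {
        // Log the real error server-side; show the visitor a generic message.
        error_log($e->getMessage());
        echo 'Sign-up failed, please try again later.';
    }
}
```

With `mysqli_report()` set this way, the misspelled `passsword` column from the question raises a `mysqli_sql_exception` instead of letting the script print the success message. The `password` column needs room for the hash; `VARCHAR(255)` is a common choice.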