I've just set up a local MAMP environment and I'm trying to insert just a name into a database table as a test. I'm not getting any errors in the console or PHP log, but for the life of me I can't get it to insert the data into the database.

HTML:

```html
<form action="" method="GET" name="nameSubmit">
   <input type="input" name="userName"  class="user-name">
   <input type="submit" value="Submit" class="name-submit">
</form>
```

JS:

```js
var userSubmitButton = $('.name-submit'),
    userNameInput = $('.user-name'),
    userName;

userSubmitButton.click(function(e){
    e.preventDefault();

    userName = userNameInput.val();
    console.log(userName);
    $.ajax({
        url: "nameSubmit.php",
        type : "GET",
        dataType : "json",
        data : {type : "nameSubmit", name : userName},
        success : function(response){
            alert(JSON.stringify(response));
        },
        error : function(err){
            alert(JSON.stringify(err));
        }
    });
});
```

PHP:

```php
<?php
$mysqli = mysqli_connect("localhost", "root", "root", "test_name");

if (isset($_GET['type'])) {
    if ($_GET['type'] == "nameSubmit") {
        $name = $_GET['name'];
        $stmt = $mysqli->prepare("INSERT INTO names (name) VALUES ('$name')");
        echo "$name";
    }
}
?>
```

The response says it's completed all tasks and returns $name.

Funk Forty Niner
Mark
  • You just prepared.. forgot to [**execute**](http://php.net/manual/en/mysqli-stmt.execute.php)? Also, you are kinda mixing procedural and OOP mysqli. – FirstOne Mar 02 '16 at 17:50
  • And your code is open to sql injection. Take a look at [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/q/60174/4577762) – FirstOne Mar 02 '16 at 17:52
  • Execute! So simple thanks that's worked. – Mark Mar 02 '16 at 17:57
  • On a sidenote: You're not "preparing" anything, so you don't even need to "execute" by just doing `$mysqli->query()`. *Problem solved*. – Funk Forty Niner Mar 02 '16 at 17:59
  • @Fred-ii-, at least THAT problem is solved: [Little Bobby Tables](http://bobby-tables.com/). I'd like to add that you are **not checking** if `$_GET['name']` is set. – FirstOne Mar 02 '16 at 18:02
  • Thanks for your answers, it's been a while since I've used MySQL, let alone mysqli, so looks like I've got a bit of reading to do! – Mark Mar 02 '16 at 18:02
  • You're welcome Mark, *cheers* – Funk Forty Niner Mar 02 '16 at 18:06

1 Answer

you never ever execute:

```php
$stmt = $mysqli->prepare("INSERT INTO names (name) VALUES ('$name')");

$stmt->execute();
```
low_rents
  • easier fix `$mysqli->query()`. No execute required. – Funk Forty Niner Mar 02 '16 at 18:00
  • @Fred-ii- excuse me, what? why isn't he preparing anything like you said in your comment to the question? – low_rents Mar 02 '16 at 18:02
  • *"why isn't he preparing anything"* - That, I couldn't answer. Ask him ;-) and there are no placeholders to bind/prepare. – Funk Forty Niner Mar 02 '16 at 18:03
  • It's been a while since I've had to do backend so I got some reading and catching up to do. Thanks to everyone for your help. – Mark Mar 02 '16 at 18:05
  • @Fred-ii- prepare actually does check the syntax **before** executing the query: _At the prepare stage a statement template is sent to the database server. The server performs a syntax check and initializes server internal resources for later use._ (from http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – low_rents Mar 02 '16 at 18:07
  • @low_rents I'm not questioning that. All I said was, that since there is nothing "to" prepare, there's no need to use `prepare()`, where he could have just used `query()`. – Funk Forty Niner Mar 02 '16 at 18:08
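
A hardened `nameSubmit.php` that combines the points raised in the comments above: execute the statement, pass the value through a `?` placeholder instead of interpolating it, and check that `name` is actually set. This is an added example, not code posted by anyone in the thread; it assumes the MAMP credentials, `test_name` database and `names` table from the question, and the 100-byte limit and JSON response shape are assumptions.

```php
<?php
// nameSubmit.php, hardened (added example, not from the thread).
// Assumes the question's MAMP credentials, test_name database and names table.
declare(strict_types=1);
// Throw exceptions on connection/query errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Validate the submitted name and insert it through a bound parameter. */
function insertName(mysqli $db, $rawName): array
{
    // Missing input is null; ?name[]=x arrives as an array. Reject both.
    if (!is_string($rawName)) {
        return ['ok' => false, 'error' => 'name is required'];
    }
    $name = trim($rawName);
    if ($name === '' || strlen($name) > 100) { // 100 bytes: assumed column limit
        return ['ok' => false, 'error' => 'name must be 1-100 bytes'];
    }

    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO names (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute(); // the step missing in the question
    $stmt->close();

    return ['ok' => true, 'name' => $name];
}

header('Content-Type: application/json; charset=utf-8');

try {
    if (($_GET['type'] ?? null) !== 'nameSubmit') {
        http_response_code(400);
        $result = ['ok' => false, 'error' => 'unknown request type'];
    } else {
        $db = new mysqli('localhost', 'root', 'root', 'test_name');
        $db->set_charset('utf8mb4');
        $result = insertName($db, $_GET['name'] ?? null);
        if (!$result['ok']) {
            http_response_code(422);
        }
    }
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the PHP log, not the client
    http_response_code(500);
    $result = ['ok' => false, 'error' => 'database error'];
}

echo json_encode($result);
```

The JSON body matches the `dataType : "json"` that the question's `$.ajax` call expects, so the `success` handler receives a parsed object.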