
For some reason I can't connect to the database. Here's my code:

<?php

//only process form if $_POST isnt empty
if ( ! empty( $_POST ) ) {

    // Connect to MySQL
    $mysqli = new mysqli( 'localhost', 'username', 'password', 'database' );

    //Check connection
    if ( $mysqli->connect_error ) {
        die( 'Connect Error: ' . $mysqli->connect_errno . ': ' . $mysqli->connect_error );
    }

    //Insert form data
    $sql = "INSERT INTO user ( Name, Username, Password, Email ) VALUES
    ( '{mysqli->real_escape_string($_POST['Name'])}',
    ('{mysqli->real_escape_string($_POST['Lastname'])}',
    ('{mysqli->real_escape_string($_POST['Username'])}',
    ('{mysqli->real_escape_string($_POST['Password'])}' )
    ('{mysqli->real_escape_string($_POST['Email'])}' )";

    //Print response from MySQL
    if ( $insert ) {
        echo "Success! Row ID: {$mysqli->insert_ID}";
    }else{
        die("Error: {$mysqli->errno} : {$mysqli->error}");
    }

    //Close our connection
    $mysqli->close();
}

?>
Your Common Sense
Owen Delisle
    why don't you use prepared statement in mysqli ? – Eko Junaidi Salam Mar 22 '16 at 00:21
  • When you say "PHP code just prints on screen instead of running" do you mean the browser displays your entire PHP file? If that's the case then you don't have PHP installed correctly on your server. – Darwin von Corax Mar 22 '16 at 00:23
  • If that is your actual password in the code snippet you may want to [edit] it out. Also please clarify what you mean by `PHP code just prints on screen instead of running`; which PHP code are you referring to - the whole file or just a specific line? – Tim Penner Mar 22 '16 at 00:32
  • **WARNING**: When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/) if you make a simple mistake and forget to escape something. – tadman Mar 22 '16 at 00:36
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.2/authentication) built-in. You're not properly encrypting passwords here which exposes your users to severe risks. – tadman Mar 22 '16 at 00:37
  • Relax @tadman - I am pretty sure that the OP will use proper code once he is able to understand it. This is just a sample, isn't it? :) – jacmoe Mar 22 '16 at 00:43
  • Learning to do it properly the first time is extremely important. Mistakes like this have a way of worming their way into production, and once deployed, you might very well have your server hacked or end up in the [hall of shame](http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/). This is too serious a problem to hand-wave away. If there's one thing I'm "pretty sure of" it's that this needs to be said frequently because if it's never mentioned, many people have no idea it's strictly necessary for public-facing code. Safety first, just like learning to ride a bike. – tadman Mar 22 '16 at 00:44

4 Answers


Warning: your code is susceptible to SQL Injection!

Never use $_POST[] or any user submitted data directly in a SQL Insert.

Use Prepared Statements instead!


Regarding the code just prints on the screen:

If the PHP code is printing onto the screen instead of being interpreted by the server, first make sure that the PHP file is using a valid PHP extension such as .php and not just .html.

Also make sure that the PHP module is installed for your web server (the instructions for this differ between IIS and Apache).


Also your code is missing the actual query itself which is done using the following code:

$insert = $mysqli->query($sql); // do the insert

Then the rest of your code will start to function:

if ( $insert ) {
    echo "Success! Row ID: {$mysqli->insert_ID}";   
}else{  
    die("Error: {$mysqli->errno} : {$mysqli->error}");
}
$mysqli->close();

Without the $mysqli->query($sql) you're hitting the else and die().

See `mysqli::query` for more info.

Tim Penner
  • `echo "Success! Row ID: {$mysqli->insert_ID}";` is exactly the same thing as `echo "Success! Row ID: ".$mysqli->insert_ID;` so it is just a matter of preference. The first one is also fine without the braces because it is not interpolated - it is needed when using array subscript notation, though. – jacmoe Mar 22 '16 at 02:04
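As an added example (not part of the question or of this answer), here is the same insert written the way the answer and the comments recommend: a mysqli prepared statement with `bind_param`, the `execute()` step that the question's code left out, and `password_hash()`/`password_verify()` instead of storing the plaintext password. It assumes a `user` table with columns Name, Lastname, Username, Password and Email (the question's INSERT lists four columns but five values, so the Lastname column is an assumption), a form that posts those five fields, and placeholder connection details.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answers.
// Assumptions: table `user` has columns Name, Lastname, Username, Password, Email
// (Lastname is assumed; the question lists four columns but five values);
// the form posts those five fields; the connection details are placeholders.

// Make mysqli throw mysqli_sql_exception instead of returning false, so a
// failed prepare() or execute() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const REQUIRED_FIELDS = ['Name', 'Lastname', 'Username', 'Password', 'Email'];

/**
 * Insert one user row and return its auto-increment id.
 * User input never becomes part of the SQL text: the statement is sent with
 * '?' placeholders and the values are bound separately.
 */
function insertUser(mysqli $db, array $post): int
{
    foreach (REQUIRED_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }

    // Store a one-way hash, never the plaintext. PASSWORD_DEFAULT is bcrypt at
    // the time of writing; password_verify() recognises whichever algorithm
    // produced the stored hash.
    $hash = password_hash($post['Password'], PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO user (Name, Lastname, Username, Password, Email)
         VALUES (?, ?, ?, ?, ?)'
    );
    // 'sssss' = five string parameters. A value such as  ' OR 1=1 --  is just
    // data here; it cannot change the statement.
    $stmt->bind_param('sssss', $post['Name'], $post['Lastname'],
        $post['Username'], $hash, $post['Email']);
    $stmt->execute();              // the step missing from the question's code
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/**
 * Check a login attempt against the stored hash. Returns true on a match.
 */
function checkLogin(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT Password FROM user WHERE Username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch() === true;
    $stmt->close();

    return $found && password_verify($password, $storedHash);
}

if (!empty($_POST)) {
    try {
        $mysqli = new mysqli('localhost', 'username', 'password', 'database');
        $mysqli->set_charset('utf8mb4');

        $id = insertUser($mysqli, $_POST);
        echo 'Success! Row ID: ' . $id;

        $mysqli->close();
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; echoing $e->getMessage() to the browser
        // would leak table names and the connection error text.
        error_log('DB error: ' . $e->getMessage());
        http_response_code(500);
        echo 'Database error';
    }
}
```

Two points worth noting about the design: with `MYSQLI_REPORT_STRICT` there is no `$insert` variable to forget, because a statement that fails to prepare or execute throws instead of returning `false`; and the `die("Error: ...")` from the question is replaced by `error_log()` plus a generic message, since the raw MySQL error text is useful to an attacker probing the schema.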

The sql should be executed to return a result $insert

Example: $insert = $mysqli->query($sql);

(And, as mentioned it's much safer to use prepared statements.)

Philip

well, you wrote

if ( $insert ) {
echo "Success! Row ID: {$mysqli->insert_ID}";   

That echoes exactly what is between the subsequent quotation marks (as a string)...

Johannes

The script will keep hitting the die statement because $insert hasn't been set. So you are right: it just prints to the screen.

When you copied and pasted the code from "The Internet" you forgot one line - as Philip pointed out:

$insert = $mysqli->query($sql);

Without it, the only thing that your script would do is create a connection and close it again - or, most likely: not even managing to close it because it would die before it reached that line. :)

The line you forgot is supposed to be inserted just after the $sql string but before the conditional using $insert.

jacmoe