I am trying to insert data from a modal after the user clicks the submit button. But it is not working. I have 2 files: index to display the modal and a PHP file to connect to MySQL and insert the data into it. I don't think it recognizes the submit action. I also have a question: how do I insert the primary key id into the database, or does it add automatically?

HTML submit code:

```html
<button type="submit" action="add.php" class="btn">Finish!</button>
```

PHP code:

```php
<?php

include 'db.php';

$cName = $_POST['form-name'];
$ser   = $_POST['form-s-name'];
$link  = $_POST['form-t'];
$info  = $_POST['form-des'];

$sql = "INSERT INTO crewlist(id, name,sname,linkname,description)
        VALUES ('','".$cName."','".$ser."','".$link."','".$info."')";

mysqli_query($conn, $sql);

if (mysqli_affected_rows($conn) > 0) {
    echo "<p>Added</p>";
}
```
Dharman
swipeales

3 Answers

3

The textbook way to do this is to use prepared statements:

```php
// $conn is the mysqli connection from db.php
$stmt = mysqli_prepare($conn,
  "INSERT INTO crewlist(name,sname,linkname,description) VALUES (?,?,?,?)"
);

// 'ssss' = four string parameters, bound in column order
mysqli_stmt_bind_param($stmt, 'ssss',
  $_POST['form-name'],
  $_POST['form-s-name'],
  $_POST['form-t'],
  $_POST['form-des']
);

$result = mysqli_stmt_execute($stmt);
```

If you use prepared statements correctly you're guaranteed that your values are inserted with the proper escaping. Here I've used `s` for string, but there are other types listed in the documentation.

You'll want to enable exceptions for errors in case you make a mistake.

If you're doing a lot of database work I'd strongly encourage you to use an ORM like Doctrine or Propel as they make interfacing with your records a lot more pleasant.

tadman
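As an added example (not code from the question or from tadman's answer), here is a complete `add.php` handler that applies the prepared-statement approach end to end. It assumes `db.php` defines `$conn` as a mysqli connection, that `crewlist.id` is an AUTO_INCREMENT primary key, and that the Finish button sits inside a `<form method="post" action="add.php">`; none of those details are stated on the page.

```php
<?php
declare(strict_types=1);

// Make every MySQL error throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require 'db.php'; // assumed to define $conn (mysqli)

// Validates the posted fields and inserts one row; returns the new primary key.
function insertCrewMember(mysqli $conn, array $post): int
{
    $fields = ['form-name', 'form-s-name', 'form-t', 'form-des'];
    $values = [];
    foreach ($fields as $f) {
        // A missing or non-scalar field is a bad request, not a server error.
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing field: $f");
        }
        $values[] = trim($post[$f]);
    }
    [$name, $sname, $link, $desc] = $values;

    // id is left out of the column list: the AUTO_INCREMENT column fills itself in
    // (assumption: crewlist.id is AUTO_INCREMENT). Values travel as bound parameters,
    // so a quote in the description cannot change the statement.
    $stmt = $conn->prepare(
        'INSERT INTO crewlist (name, sname, linkname, description) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $sname, $link, $desc);
    $stmt->execute();

    return (int) $conn->insert_id; // the id MySQL assigned to this row
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Submit the form to add an entry.');
}

try {
    $id = insertCrewMember($conn, $_POST);
    // Escape anything echoed back into HTML, even a number.
    echo '<p>Added as id ' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . '</p>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    error_log('crewlist insert failed: ' . $e->getMessage()); // detail stays server-side
    echo '<p>Could not save the entry.</p>';
}
```

With `MYSQLI_REPORT_STRICT` on, a wrong column name or a refused connection surfaces as an exception in the server log instead of the silent "nothing happens" the asker describes.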
0

You are not using the variables in the SQL query; you should use it like this:

```php
$sql = "INSERT INTO crewlist(id, name,sname,linkname,description)
        VALUES ('','{$cName}','{$ser}','{$link}','{$info}')";
```
Minesh Patel
Vivek Singh
    Sorry, this is [dangerously bad](http://bobby-tables.com/). The safe way to do this is to use [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php). – tadman May 02 '16 at 08:05
  • @tadman I know, I am just suggesting the right way to use the SQL query – Vivek Singh May 02 '16 at 08:06
  • Thanks, but when I click finish it still doesn't do anything – swipeales May 02 '16 at 08:06
  • I'm sorry to be so difficult here but this is not the right way. Not only does this not escape data properly and will error out if any of those values contains `'`, but this is how you get your server hacked wide open. Using `bind_param` is not hard, and it's the absolute baseline. – tadman May 02 '16 at 08:07
  • Echo the SQL query and try to find the error by running it in phpMyAdmin, and try to use bind_param as @tadman also suggests; it will be more secure – Vivek Singh May 02 '16 at 08:09
  • I will, I just want to do it simply for the first time, to see everything is working. – swipeales May 02 '16 at 08:10
  • @swipeales A prepared statement is the simplest, most reliable way to get data in there. It will properly encode all your values. – tadman May 02 '16 at 08:11
  • Hook me up with an example link. Do you think there is an error in the HTML submit code? – swipeales May 02 '16 at 08:13
  • @swipeales Is there any error when running the query in phpMyAdmin? – Vivek Singh May 02 '16 at 08:14
  • @Vicky Nothing happens, it just closes the modal when I click finish – swipeales May 02 '16 at 08:16
  • @Vicky I am sorry, I don't know :) – swipeales May 02 '16 at 08:21
-3

Your insert query is not matching your columns; use this and it will work:

```php
$sql = "INSERT INTO crewlist(id, name,sname,linkname,description)
        VALUES ('',cName,ser,link,info)";
```

This will insert cName, ser, link, info in the table. If you want the data, use:

```php
'".$cname."'
```
user2110253
    If you're not using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) this is not going to work reliably or safely. – tadman May 02 '16 at 08:10