-2

HTML code:

<form action="create.php" method="post">
Username: <input type="text" name="username"><br>
Password: <input type="text" name="password"><br>
<input type="submit" value="CREATE ACCOUNT">
</form>

PHP code (create.php):

<?php


require_once 'studentdb.php';
$db_server = mysql_connect($host,$username,$password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($dbname)
or die("Unable to select database: " . mysql_error());
$query = "INSERT INTO credentials (Username,Password) VALUES(".$_POST['username'].",".$_POST['password'].")"
$make = mysql_query($db_server,$query);
?>

In the PHP here, studentdb.php has all the necessary information to log into the database.

I don't get any errors, but the table just isn't updating at all.

AJB_1070179
  • 111
  • 4
  • In addition to the answers below, you're passing `$db_server` into `mysql_query` as the first parameter. 1) You don't need to pass it generally at all and 2) if you do, it needs to be the second arg. Please see the [documentation](http://php.net/mysql_query). – Jonnix May 20 '16 at 09:35
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 20 '16 at 13:18
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 20 '16 at 13:18
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 20 '16 at 13:19

3 Answers3

1

$_POST['username'] and $_POST['username'] should be string so you need to add quotes ' in insert query.

<?php


require_once 'studentdb.php';
$db_server = mysql_connect($host,$username,$password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($dbname)
or die("Unable to select database: " . mysql_error());
$query = "INSERT INTO credentials (Username,Password) VALUES('".$_POST['username']."','".$_POST['password']."')"
$make = mysql_query($db_server,$query);
?>
RJParikh
  • 4,096
  • 1
  • 19
  • 36
0
$query = "INSERT INTO credentials (`Username`,`Password`) VALUES('".$_POST['username']."', '".$_POST['password']."' )";

Please use quotes for string.

Shailesh Katarmal
  • 2,757
  • 1
  • 12
  • 15
0
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$sql = "INSERT INTO MyGuests (firstname, lastname, email)
VALUES ('John', 'Doe', 'john@example.com')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
Jay
  • 199
  • 1
  • 14