-3

I have a PHP file that I am passing numerous values in to. One of the first lines checks to see if they are set using isset. The isset works because it does use a get value for my select statement. It is my insert statement that has no values.

    $conn = mysqli_connect("hostname", "user name", "password", "db name");

    // check connection
    if ($conn->connect_error)
    {
      echo ('Database connection failed: '  .mysqli_connect_error);
    }
    else
    {
        echo 'db connected </br>';
    }

function cryptPass($input, $round = 9)
{
    $salt = "";
    $saltChars = array_merge(range('A','Z'), range('a','z'), range('0','9'));
    for($i = 0; $i < 22; $i++)
    {
        $salt .=$saltChars[array_rand($saltChars)];
    }
    return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
}


if(isset($_POST['firstName']) && isset($_POST['lastName']) && isset($_POST['email']) && isset($_POST['password']) && isset($_POST['code']) && isset($_POST['diabetes']) && isset($_POST['bloodPressure']) && isset($_POST['fitness']) && isset($_POST['cholesteral']));
{
    //Get post values
    $firstNaame = $_POST['firstName'];
    $lastName = $_POST['lastName'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $encrptPassword = cryptPass($_password);
    $code = $_GET['code'];
    $diabetes = $_POST['diabetes'];
    $bloodpressure = $_POST['bloodPressure'];
    $fitness = $_POST['fitness'];
    $cholesteral = $_POST['cholesteral'];
    $codeId = "";
    $result = "";

    echo $firstName;

    $sql = "SELECT id FROM mentor where mcode = '" . $code . "'";
    $result = mysqli_query($conn, $sql);

    if((mysqli_num_rows($result))===1)
    {
        while($row = mysqli_fetch_assoc($result))
        {
            $codeId = $row['id'];
            echo $codeId;
        }

        $sql = "INSERT INTO users ('firstName','lastName','email','encrypted_password','diabetes','hiLowChorlesteral','hiLowBloodPressure','fitnessTraining') values('".$firstName."','".$lastName."','".$_email."','".$encryptedPassword."',".$codeId.",".$diabetes.",".$cholesteral.",".$bloodpressure.",".$fitness.")";
        echo($sql);
        mysqli_query($conn,$sql);
    }
    else
    {
        echo "</br>no rows found";
    }
}

My echo statement for firstName comes up empty.

My echo statement for the insert shows:

INSERT INTO users ('firstName','lastName','email','encrypted_password','diabetes','hiLowChorlesteral','hiLowBloodPressure','fitnessTraining') values('','','','',1,,,,)

The only value that it seems to pick up is the get.

I am testing from a web browser using http://website.com/test/biteboard/CreateContact.php?firstName=larry&lastName=seymour&email=larry@sbmgroup.ca&password=password&code=56gfd&diabetes=0&bloodpressure=0&fitness=0&cholesteral=1

  • 2
    Your spellings are all over the place. And the quotes in your SQL for columns are wrong. – Jonnix Jun 09 '16 at 15:54
  • 2
    You are using get method to send parameters, try fetching using get instead of post – Pardeep Poria Jun 09 '16 at 15:54
  • 2
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – [Jay Blanchard](http://stackoverflow.com/users/1011527/jay-blanchard) – Jeff Puckett Jun 09 '16 at 15:56
  • 2
    P.s. please use the [PHP Password API](http://php.net/password) for hashing your passwords. – Jonnix Jun 09 '16 at 15:58
  • @JonStirling the column quoting looks to be technically OK because they are numeric values, except for `codeID` – Jeff Puckett Jun 09 '16 at 15:58
  • 1
    `$firstNaame` != `$firstName`, `$email` != `$_email`, etc... – AbraCadaver Jun 09 '16 at 15:59
  • @JeffPuckettII `'firstName'` is not a numeric value ;) – Jonnix Jun 09 '16 at 15:59
  • Since you are passing parameters through query string, try using $_GET or $_REQUEST instead of $_POST. – Ravinder Reddy Jun 09 '16 at 16:00
  • @JonStirling `'firstName'` is quoted... – Jeff Puckett Jun 09 '16 at 16:00
  • @JeffPuckettII Yes? If it was quoted with backticks that would be fine. – Jonnix Jun 09 '16 at 16:02
  • 2
    `isset($_POST['cholesteral']));` <<< you see that semi-colon in there? It's called an **end** of statement character. Remove it. This besides other comments given. – Funk Forty Niner Jun 09 '16 at 16:02
  • @JonStirling Oh, my bad, I was looking at the VALUES quotes. yeah, problems with both – Jeff Puckett Jun 09 '16 at 16:02
  • You're also using a GET method in the URL and using POST arrays. and who knows where/how those POST arrays are coming from. – Funk Forty Niner Jun 09 '16 at 16:03
  • then this `INSERT INTO users ('firstName','lastName','email','encrypted_password','diabetes','hiLowChorlesteral','hiLowBloodPressure','fitnessTraining')` wrong identifier qualifiers here. Then this `values('".$firstName."','".$lastName."','".$_email."','".$encryptedPassword."',".$codeId.",".$diabetes.",".$cholesteral.",".$bloodpressure.",".$fitness.")` not quoting properly. – Funk Forty Niner Jun 09 '16 at 16:05
  • Sorry, but your code is riddled with syntax errors. Check for errors via PHP and MySQL, read the manuals also; that's what they're there for. – Funk Forty Niner Jun 09 '16 at 16:06
  • 1
    Some good [error reporting](http://stackoverflow.com/q/845021/4233593) would probably help. – Jeff Puckett Jun 09 '16 at 16:06
  • 2
    @JeffPuckettII it just gets better, don't it? I am so not submitting an answer for this; riddled with errors. This is an *"OMG question"* lol. – Funk Forty Niner Jun 09 '16 at 16:09
  • you're missing `codeID` from the insert column identifiers, and you pass it without quotes in the values statement, which won't work because it's not numeric. – Jeff Puckett Jun 09 '16 at 16:16
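
The comments above point to prepared statements for MySQLi, the PHP Password API and consistent variable names. The following is an added example, not the asker's or any commenter's code, that combines them in one handler. The `mentor_id` column and the 0/1 range for the four health flags are assumptions; the other table and column names are the ones shown in the question.

```php
<?php
// Added example, not the asker's code. `mentor_id` is a hypothetical column;
// the 0/1 range for the four flags is an assumption taken from the test URL.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
function registerUser(mysqli $conn, array $in): int
{
    $flagKeys = ['diabetes', 'cholesteral', 'bloodPressure', 'fitness'];
    $textKeys = ['firstName', 'lastName', 'email', 'password', 'code'];
    foreach (array_merge($textKeys, $flagKeys) as $key) {
        // Keys are case-sensitive: 'bloodpressure' does not satisfy this.
        if (!isset($in[$key]) || !is_string($in[$key]) || $in[$key] === '') {
            throw new InvalidArgumentException("missing field: $key");
        }
    }
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    $flags = [];
    foreach ($flagKeys as $key) {
        $v = filter_var($in[$key], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 1]]);
        if ($v === false) {
            throw new InvalidArgumentException("bad flag: $key");
        }
        $flags[] = $v;
    }
    [$diabetes, $cholesterol, $bloodPressure, $fitness] = $flags;

    // Mentor lookup: the code travels as a bound parameter, never as SQL text.
    $stmt = $conn->prepare('SELECT id FROM mentor WHERE mcode = ?');
    $stmt->bind_param('s', $in['code']);
    $stmt->execute();
    $stmt->bind_result($mentorId);
    if ($stmt->fetch() !== true) {
        throw new RuntimeException('unknown mentor code');
    }
    $stmt->close();
    // password_hash() generates its own salt; verify later with password_verify().
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);
    $stmt = $conn->prepare(
        'INSERT INTO users (`firstName`, `lastName`, `email`, `encrypted_password`,
           `mentor_id`, `diabetes`, `hiLowChorlesteral`, `hiLowBloodPressure`,
           `fitnessTraining`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssiiiii', $in['firstName'], $in['lastName'], $in['email'],
        $hash, $mentorId, $diabetes, $cholesterol, $bloodPressure, $fitness);
    $stmt->execute();
    return $conn->insert_id;
}
```

Call it as `registerUser($conn, $_POST)` from a form that submits with POST, with `$conn` an open `mysqli` connection. A password sent in the query string, as in the test URL, ends up in server logs and browser history.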

1 Answer

-1
$firstNaame = $_POST['firstName'];

$sql = "INSERT INTO users ('firstName','lastName','email','encrypted_password','diabetes','hiLowChorlesteral','hiLowBloodPressure','fitnessTraining') values('".$firstName."','".$lastName."','".$_email."','".$encryptedPassword."',".$codeId.",".$diabetes.",".$cholesteral.",".$bloodpressure.",".$fitness.")";

You have misspelled the variable name: $firstNaame vs. $firstName. Also, variable names in PHP are case-sensitive.

A. Onder
  • 2
    that's not the only thing wrong. You missed a LOT of stuff. – Funk Forty Niner Jun 09 '16 at 16:03
  • `values('".$firstName."','".$lastName."','".$_email."','".$encryptedPassword."',".$codeId.",".$diabetes.",".$cholesteral.",".$bloodpressure.",".$fitness.")` that may fail. as will `('firstName','lastName','email','encrypted_password','diabetes','hiLowChorlesteral','hiLowBloodPressure','fitnessTraining')`. Wrong identifier qualifiers. – Funk Forty Niner Jun 09 '16 at 16:07
  • Yes noticed the quote errors afterwards. Spelling mistake was the first thing I noticed. Sorry. – A. Onder Jun 09 '16 at 16:11
  • 1
    @user3624640 also in your query column names are 8 but values are 9. make them equal – Passionate Coder Jun 09 '16 at 16:14
  • @mamta good catch, I commented on that in the question. can't blame A. Onder for that one :) – Jeff Puckett Jun 09 '16 at 16:17
  • the big thing was it didn't populate anything inside the isset, as soon as I took that out my query populated. – user3624640 Jun 09 '16 at 21:40