
I'm trying to create a form connected to a database, but when I fill out the form and refer to the table in phpMyAdmin I see that it has entered a blank record instead of the form data. I'm using PhpStorm.

I think all this code is correct...

That is the form of the .html:

```html
<form id="form1" name="form1" method="post" action="index.php">
   <label for="userSignUp">Email</label>
   <input type="text" name="userSign" id="userSignUp" />
   <label for="passwordSignUp">Password</label>
   <input type="password" name="passwordSign" id="passwordSignUp" />
   <input type="submit" name="Submit" id="Submit" value="Submit" />
</form>
```

I have the following .php:

```php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$db_selected = mysqli_select_db($conn, $dbname);

$userSignUp = ""; // If I substitute "" with characters at this time the table is well updated
$passwordSignUp = ""; // Same as before

if(isset($_POST['userSign'])){
    $userSignUp = $_POST['userSign'];
}
if (isset($_POST['passwordSign'])) {
    $passwordSignUp = $_POST['passwordSign'];
}

$sql = "INSERT INTO test.person (FirstName, Password) VALUES ('$userSignUp', '$passwordSignUp')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
```
  • Do the `isset`s evaluate as true? This is open to SQL injections. – chris85 Jul 12 '16 at 20:14
  • Just a guess, but I don't think you should have quotes around your variables. In the SQL statement. Should be `values ($var1, $var2)`. – blackandorangecat Jul 12 '16 at 20:14
  • 4
    @blackandorangecat That's a very bad guess. They're strings, so they need quotes. – Barmar Jul 12 '16 at 20:15
  • 1
    @blackandorangecat that is incorrect. They are presumably strings; even if integers, quoted would work. Non-quoting will only break it. – chris85 Jul 12 '16 at 20:15
  • 3
    However, it would be better if you used a prepared statement instead of substituting into the SQL, to prevent SQL injection. – Barmar Jul 12 '16 at 20:16
  • What does `var_dump($_POST)` show? – Barmar Jul 12 '16 at 20:16
  • is that php and html in the same file? if so, you don't have ANY protection to detect a POST around your query call, so every time the page loads, you do an insert with blank/undefined variables. And you're vulnerable to [sql injection attacks](http://bobby-tables.com) – Marc B Jul 12 '16 at 20:17
  • @Barmar this: array(0) { } – Víctor Elexpe Jul 12 '16 at 20:17
  • I would suggest checking if the $_POST values are set at the beginning of your php script and not doing anything else if they aren't. Then you can work on figuring out why they aren't being set. – Don't Panic Jul 12 '16 at 20:18
  • Your $_POST is empty when var_dump() shows array(0) { }. This means you are not transmitting any data to this script. Actually your script looks perfect. You need to figure out why you are not getting any data. Is this the actual index.php the form is sent to? – colburton Jul 12 '16 at 20:21
  • @MarcB no, codes are in different files, main.html and index.php – Víctor Elexpe Jul 12 '16 at 20:22
  • Don't use the name `index.php`. Webservers are often configured to look for `index.html` and `index.php` as the default file to show when the URL points to the directory. – Barmar Jul 12 '16 at 20:23
  • @colburton yes, I've just checked the project files and it is the same file – Víctor Elexpe Jul 12 '16 at 20:28
  • If you hardcode in values for $userSignUp and $passwordSignUp, does it insert those records? And echo "New record created successfully"? – blackandorangecat Jul 12 '16 at 20:29
  • @Barmar that's right, I've just renamed the file but this doesn't work. – Víctor Elexpe Jul 12 '16 at 20:30
  • 2
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 12 '16 at 20:30
  • @blackandorangecat There's a comment in the code that says if he puts a default string there it works. So the problem is all about why `$_POST` isn't being filled in properly. – Barmar Jul 12 '16 at 20:31
  • 1
    @blackandorangecat yes!! if I force the insert values it inserts those records and also shows "New record created successfully" – Víctor Elexpe Jul 12 '16 at 20:34
  • 2
    You're using the built-in webserver in PhpStorm? See http://stackoverflow.com/questions/35290133/phpstorm-post-always-empty where someone else reports that it doesn't fill in `$_POST` properly. – Barmar Jul 12 '16 at 20:35
  • @JayBlanchard yes, I know I must encrypt the passwords but I'm trying to fix that problem first. – Víctor Elexpe Jul 12 '16 at 20:36
  • @Barmar I'm using PhpStorm with XAMPP for the Apache service and MySQL. The test connection says that it is ok. – Víctor Elexpe Jul 12 '16 at 20:40
  • 1
    What does `var_dump($_GET)` show? – Barmar Jul 12 '16 at 20:43
  • @VíctorElexpe What URL do you see in the browser address bar when it does not work? – LazyOne Jul 12 '16 at 20:56
  • same as var_dump($_POST) : array(0) { } – Víctor Elexpe Jul 12 '16 at 21:59
  • @LazyOne when I click on submit I see the URL of the .php (http://localhost:63342/untitled/src/registerSignUp.php) // I've changed the name of index.php – Víctor Elexpe Jul 12 '16 at 22:03
  • @VíctorElexpe This URL means that you are NOT using Apache from your XAMPP but PhpStorm's own simple built-in web server that has some issues at the moment with POST requests. Solution: use XAMPP to serve your requests. – LazyOne Jul 12 '16 at 22:27
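
Added example, not part of the original thread: a version of the handler that applies the points raised in the comments (act only on a POST, reject missing fields rather than inserting blanks, use a prepared statement, store a `password_hash()` value instead of the plain password). It assumes PHP 7 or later, the connection settings and `test.person` table from the question, and a `Password` column widened to `VARCHAR(255)` so the hash fits.

```php
<?php
// Added example, not the asker's code. Assumes the test.person table from the
// question, with its Password column widened to VARCHAR(255) for the hash.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

// Only act on a form submission; a plain page load must never insert a row.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Submit the sign-up form to use this page.');
}

// Reject missing, empty or non-string fields (e.g. userSign[]=x arrives as an
// array) instead of silently defaulting them to "".
$user = $_POST['userSign'] ?? null;
$pass = $_POST['passwordSign'] ?? null;
if (!is_string($user) || !is_string($pass) || trim($user) === '' || $pass === '') {
    http_response_code(400);
    exit('Email and password are required.');
}
$user = trim($user);

// Hash the raw password; do not escape or otherwise alter it before hashing.
$hash = password_hash($pass, PASSWORD_DEFAULT);

try {
    // Connection settings as given in the question.
    $conn = new mysqli('localhost', 'root', '', 'test');
    $conn->set_charset('utf8mb4');

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $conn->prepare('INSERT INTO person (FirstName, Password) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $stmt->execute();

    echo 'New record created successfully';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo SQL or driver errors to the browser.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Could not create the record.';
}
```

At login, the stored value is checked with `password_verify($submittedPassword, $storedHash)` rather than by comparing strings.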
