-2

This is my PHP code.

```php
<html><head>
<title>login.php</title>
<link rel = "stylesheet" href="login-style.css">

</head>
<body>
<div class = "container">
<div class = "message">
<?php
define('DB_NAME','mydb');
define('DB_USER','root');
define('DB_PASSWORD','');
define('DB_HOST','127.0.0.1');

$link = mysql_connect(DB_HOST,DB_USER,DB_PASSWORD);
if($link){
    die('could not connect:'. mysql_error());
}
$db_selected = mysql_select_db(DB_NAME,$link);
if(!$db_selected){
    die('can\'t use'.DB_NAME . ': ' . mysql_error());
}
$value1 = $_POST['name'];
$value2 = $_POST['password'];
$sql = "INSERT INTO Account (username,password) VALUES ('$value1','$value2')";

if(!mysql_query($sql))
{die('ERROR'.mysql_error());
}
mysql_close();
?>

<h1>Thank you for logging in </h1>
<form action = "form.html">
<p class ="submit">
<button type ="submit" >
GO TO FORM
</button>
</p>
</div>
</div>
</body>
</html>
```

I want to store the data in MySQL, but when I run the HTML code (which I have connected to this PHP code using action="name of this file"), no entry is made in the database I created. Can you tell me what is done wrong and help me to correct it?

```html
<DOCTYPE! html>
<html lang = "en-US">
<head>
<meta charset = "UTF-8">
<title>Sign-In</title>
<link rel = "stylesheet" href ="style-sign.css">
<script type = "text/javascript">
function validateForm(){
var x = document.forms["forma"]["login"].value;
if(x == null || x == "")
{ alert("fill the field ");
  return false;
}
var y = document.forms["forma"]["password"].value;
if( y == null || y == "")
{
alert("fill the field");
return false;
}
}
</script>
</head>
<body >
<div class="container">
<div class="login">
<h1>Login</h1>
<form  name = "forma" method="post" onsubmit="return validateForm()" action = "login.php">
<p>
<input type="text" name="name" value="" placeholder="Username or Email">
</p>
<p>
<input type="password" name="password" value="" placeholder="Password">
</p>
<p class="submit">
<input type="submit" name="commit" value="Login" >
</p>
</form>
</div>
</div>
</body>
</html>
```

This is my HTML code, which I have connected to this PHP file. I am using XAMPP and phpMyAdmin. I am not getting any error, and Apache and MySQL are both running.

Help me with this problem.

Jay Blanchard
Mr.idiot
  • Are you getting any error from sql? – Saurabh Jul 19 '16 at 12:17
  • 1
    1. Mysql is deprecated. 2. Stackoverflow already has hundreds of similar (mostly same) questions. 3. Form action to html file? – Manikiran Jul 19 '16 at 12:17
  • You are using POST for name and password, yet your form does not contain these textboxes – Saurabh Jul 19 '16 at 12:18
  • No, I am not getting any error; it seems like I am unable to connect to MySQL – Mr.idiot Jul 19 '16 at 12:18
  • @saurabh No, I have made an HTML file which has the textbox; I am taking the value entered in the text box by the user using POST – Mr.idiot Jul 19 '16 at 12:20
  • There is no error at all? – Saurabh Jul 19 '16 at 12:23
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jul 19 '16 at 12:57
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 19 '16 at 12:58
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 19 '16 at 12:58
  • Add your form code to the question. – Jay Blanchard Jul 19 '16 at 12:59
  • Have you checked your error logs? You're making an assumption the query is working. Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jul 19 '16 at 13:03
  • Are you running this on a web server? – Jay Blanchard Jul 19 '16 at 13:09
  • @jay yes i am running this on web server – Mr.idiot Jul 19 '16 at 13:55
  • Then there must be errors. If they are not being displayed you will have to look in your web server's error logs. – Jay Blanchard Jul 19 '16 at 14:14
  • Since you're using HTML5 you do not need JS to validate the form fields. Just add `required` to the form elements. – Jay Blanchard Jul 19 '16 at 14:17
  • @jay thanks for telling me I didn't know that – Mr.idiot Jul 19 '16 at 14:21

2 Answers

-1

Change the following:

```php
$sql = "INSERT INTO Account (username,password) VALUES ('$value1','$value2')";
```

To:

```php
$sql = "INSERT INTO Account (username,password) VALUES ($value1,$value2)";
```

EDIT: You do not have input fields set up for the username and password. So POST will not work.

  • 1
    Values have to be quoted going into the database if they are strings. Your syntax changes are incorrect. Instead of this you should be recommending [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Jul 19 '16 at 13:00
-1

First, your form needs an action and a method. Best would be to rename the file to form.php

```html
<form action = "form.php" method="POST">
```

in the result file ...

Connect to the database

```php
$mysqli= @new mysqli('localhost', 'fake_user', 'my_password', 'my_db');

if ($mysqli->connect_errno) {
  die('Connect Error: ' . $mysqli->connect_errno);
}
```

escape your value strings

```php
$query= "INSERT INTO Account (username,password) VALUES ('".$mysqli->real_escape_string($value1)."','".$mysqli->real_escape_string($value2)."')";
```

Execute query

```php
$result=$mysqli->query($query);
```

Verify results if any or check if an error occurred

```php
if(!$result) {
    $ErrMessage  =  $mysqli->error . "\n";
    $mysqli->close();
    die( $ErrMessage) ;
}
```
Martin S.
  • In the html code you will need the 2 input fields "name" and "password" – Martin S. Jul 19 '16 at 12:42
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jul 19 '16 at 13:00
  • @Jay Blanchard nice to see that you a negative vote, but presenting an own answer. Except this, I wanted to show only a simple answer. In his code was nothing at all about security and the answer of user1423798 contained definitely an error. – Martin S. Jul 19 '16 at 13:17
  • Not my negative vote - I just posted comments. It doesn't matter though, security should *always* be the first thing you think of, use and recommend. The OP hasn't posted enough code for me to speculate what the answer might be. – Jay Blanchard Jul 19 '16 at 13:19
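
The prepared-statement and `password_hash()` approach recommended in the comments, as an added example that is not code from the thread or any of its participants. It assumes the question's `mydb` database, `Account (username, password)` table and form field names, with a password column wide enough to hold a hash; `register_account` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumes the thread's `mydb`
// database and `Account (username, password)` table, with the password
// column wide enough for a hash (e.g. VARCHAR(255)).
declare(strict_types=1);

// Make mysqli throw on connection and query errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: stores one account using a parameterized INSERT.
function register_account(mysqli $db, string $username, string $password): void
{
    // Hash the raw password; do not escape or trim it first.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO Account (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Field names match the form in the question: "name" and "password".
    $username = $_POST['name'] ?? '';
    $password = $_POST['password'] ?? '';
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        http_response_code(400);
        exit('Both fields are required.');
    }
    try {
        // Credentials are the question's local XAMPP defaults; use a dedicated
        // least-privilege database account outside local development.
        $db = new mysqli('127.0.0.1', 'root', '', 'mydb');
        $db->set_charset('utf8mb4');
        register_account($db, $username, $password);
        $db->close();
        echo 'Account stored.';
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; do not echo database errors to the client.
        error_log('login.php: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not store the account.');
    }
}
```

At sign-in, the stored hash is checked with `password_verify()` against the submitted password rather than by comparing strings in SQL.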