php not writing data into database

Question

i had write a html file which will request some information from user and send it to another php file. The php file will establish the connection to database and insert the value to database.
My database name = testdb
table name = table1
I had do some testing on both file by calling an alert message, the alert messages was able to display in the html file,it's seen like the request from the html file cant send to the php file,so the code for inserting data to database can't execute

My Html form as show below

<form id="firstPrize" method="POST" action="firstPrize.php">

<label> Number 1</label>
<input type="text" name="num1"><br>
<label> Number 2</label>
<input type="text" name="num2"><br>
<label> Number 3</label>
<input type="text" name="num3"><br>
<label> Number 4</label>
<input type="text" name="num4"><br><br><Br>
<input type="button" value="enter" name="btnSubmit" onclick="show()">

</form>

firstPrize.php sample code

 <?php

   $host = "localhost";
   $user =  "root";
   $password = "";
   mysql_connect($host,$user,$password);
   mysql_select_db("testdb") or die(mysql_error());
   Session_Start();
   echo("yeah");
   if(isset($_POST["btnSubmit"]))
   {
      $num1 = $_POST["num1"];
      $num2 = $_POST["num2"];
      $num3 = $_POST["num3"];
      $num4 = $_POST["num4"];

      mysql_query("insert into table1(num1,num2,num3,num4) values ('num1','num2','num3','num4')");
?>

You're missing a closing curly bracket. I'm not sure if that's related but it could be throwing a syntax error. — Tyler Roper, Aug 04 '16 at 14:56
you're just ASSUMING that the query is succeeding. BAD assumption. Never assume success. always assume failure and treat success as a pleasant surprise: `mysql_query(...) or die(mysql_error())`. And you're vulnerable to [sql injection attacks](http://bobby-tables.com) as well. — Marc B, Aug 04 '16 at 14:56
So where is it falling flat? Are the wrong values being stored in the database? Are you getting an error in your PHP log? Is "yeah" getting echoed? — Chris Forrence, Aug 04 '16 at 14:57
check your error log. You should switch to using mysqli if you can. You are not using the variables from your form. And your missing a closing bracket for you if statement. — Jason K, Aug 04 '16 at 14:59
Plus, `('num1','num2','num3','num4')` you're literally entering those string values rather than the variables for the POST arrays. — Funk Forty Niner, Aug 04 '16 at 15:00
@Fred-ii- at least that way it's not an SQL injection vulnerability! :-) — Bill Karwin, Aug 04 '16 at 15:05
@BillKarwin It would if one of those values has `'123` and not doing `(int)$_POST["num1"]` at the very least ;-) Given if and when they do use `'$var'` rather than their `'var'`. — Funk Forty Niner, Aug 04 '16 at 15:06
@BillKarwin LOL! Sorry, I got it now *hehe!* Cheers (1000 more cc's of coffee required, stat!) — Funk Forty Niner, Aug 04 '16 at 15:09
N.B.: The pending edit http://stackoverflow.com/review/suggested-edits/13227872 by @GaurangJoshii is attempting to add the missing closing brace `}` and answers given have made a mention about it missing. If this edit is accepted, then most or all stand at being downvoted for it, stating that some may say: *"The closing brace is there, so why the mention?"* — Funk Forty Niner, Aug 04 '16 at 15:21
***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Aug 04 '16 at 16:02
Please check your syntax. It's most likely to suffer with SQL Injection. Use prepared statements and mysqli. — Fabiano, Aug 04 '16 at 14:59
@HeartBreakKid: Your problem solved or not. If not, I gave one answer regarding your issue. Which will solve your problem. Have a look t it. — Nana Partykar, Aug 05 '16 at 13:56

Dennisvdh · Answer 1 · 2016-08-05T14:44:36.783

1

.Change your query to;

mysql_query("insert into table1(`num1`,`num2`,`num3`,`num4`) values ('".$num1."','".$num2."','".$num3."','".$num4."')");

followed by the closing bracket ( } ) for your if statement.

edited Aug 05 '16 at 14:44

answered Aug 04 '16 at 14:57

Dennisvdh

120
5

What if one of those values happens to contain an injection such as `'123`? – Funk Forty Niner Aug 04 '16 at 15:03
You are right @Fred-ii-, but that wasn't the question. – Dennisvdh Aug 04 '16 at 15:06
Sure I'll agree. However, if the OP doesn't know about that, then they might not be a happy camper, if and when it ever happens to them ;-) – Funk Forty Niner Aug 04 '16 at 15:08
Indeed, but one thing at the time! ;) I don't want to scare the OP! – Dennisvdh Aug 04 '16 at 15:12
Rather scare them now instead for them to be scared "to death" later ;-) *"Where's my database???!!"* lol – Funk Forty Niner Aug 04 '16 at 15:22
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Aug 04 '16 at 16:02
i tested your solution but it's seen like not working – Heart Break KID Aug 05 '16 at 14:42
i missed a dot, try again with the . after $num3 like above. – Dennisvdh Aug 05 '16 at 14:45

score 1 · Answer 2 · edited Jun 20 '20 at 09:12

1

First, your if statement is missing a closing }.

Second, your SQL query is not inserting the variables you've set above. You've got variables like $num1, but then you are inserting the value just 'num' in your SQL insert. You have to change 'num1', 'num2'... to '$num1', '$num2'...

Third, please do some research on PHP Data Objects (PDO) or MYSQLi (reference links at bottom of post). mysql_ is deprecated and completely vulnerable to malicious injection.

Edit: In addition, please see fred -ii-'s comments below for some sound advice on better INSERT queries. It's safe practice to verify that the values are of the type you're expecting prior to running them against your database.

fred -ii- says:

What if one of those values happens to contain an injection such as '123?

[Use]... (int)$_POST["num1"] and check to see firsthand if the input entered is an integer. There are a few functions that will do that.

Use error reporting and error checking against your query during testing and assuming that you are able to use the MySQL_ API.

References:

Otherwise, you will need to resort to either using the MySQLi_ or PDO API.

References:

edited Jun 20 '20 at 09:12

Community

1
1

answered Aug 04 '16 at 15:01

Tyler Roper

21,445
6
33
56

What if one of those values happens to contain an injection such as `'123`? – Funk Forty Niner Aug 04 '16 at 15:03
@Fred-ii- Quite honestly, it didn't seem like injection was a concern. And if it were, I've included links to both PDO and MYSQLi. – Tyler Roper Aug 04 '16 at 15:04
It's best to inform them of that (potential error/injection), since they may not know about it ;-) – Funk Forty Niner Aug 04 '16 at 15:04
@Fred-ii- Would you suggest splitting the string like so: `"... VALUES ('".$num1."', '".$num2."' ...`? I haven't done PHP in quite a few years. – Tyler Roper Aug 04 '16 at 15:06
More like `(int)$_POST["num1"]` and checking to see firsthand if the input entered is an integer. There are a few functions that will do that. – Funk Forty Niner Aug 04 '16 at 15:07
@Fred-ii- Thanks, I'll rectify my answer. – Tyler Roper Aug 04 '16 at 15:08
I suggest you pull my entire comment and added to your answer, should my comment ever disappear. – Funk Forty Niner Aug 04 '16 at 15:10

ac.caron · Answer 3 · 2016-08-04T15:06:40.053

1

First, your query can produce SQL Injection. Use Mysqli Prepared Statement :

    $servername = "localhost";
    $username = "root";
    $password = "";
    $dbname = "testdb";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);

 if(isset($_POST["btnSubmit"]))
 {
    $num1 = $_POST["num1"];
    $num2 = $_POST["num2"];
    $num3 = $_POST["num3"];
    $num4 = $_POST["num4"];

    // prepare and bind
    $query = $conn->prepare("INSERT INTO table1 (num1, num2, num3, num4) VALUES (?, ?, ?, ?)");
    $stmt->bind_param("ssss", $num1, $num2, $num3, $num4);
}

This function binds the parameters to the SQL query and tells the database what the parameters are. The "ssss" argument lists the types of data that the parameters are. The s character tells mysql that the parameter is a string.

The argument may be one of four types:

i - integer
d - double
s - string

Second, your if statement misses a closing bracket }

Third, your variable $num1 is never used. You use num1, num2, but you miss the '$'

edited Aug 04 '16 at 15:06

answered Aug 04 '16 at 15:02

ac.caron

97
1
9

Noble, yet you didn't outline what was wrong with their code to start with. – Funk Forty Niner Aug 04 '16 at 15:03
1

You also have only 3x `?` with 4 binds. – Funk Forty Niner Aug 04 '16 at 15:04
1

You mention PDO but you show code using mysqli. Okay, now you've edited to correct it. – Bill Karwin Aug 04 '16 at 15:06
i tested your code also not working, it's a bit similar with @Nana Partykar solution – Heart Break KID Aug 05 '16 at 14:42

score 0 · Answer 4 · edited May 23 '17 at 12:14

<?php
   session_start();
   // always start your session before any other code

   $host = "localhost";
   $user =  "root";
   $password = "";
   mysql_connect($host,$user,$password);
   mysql_select_db("testdb") or die(mysql_error());


   if(isset($_POST["btnSubmit"]))
   {
      $num1 = mysql_real_escape_string($_POST["num1"]);
      $num2 = mysql_real_escape_string($_POST["num2"]);
      $num3 = mysql_real_escape_string($_POST["num3"]);
      $num4 = mysql_real_escape_string($_POST["num4"]);

      // mysql isn't the safest way to put your code out, however if you do, escape it. You may be better off by using prepared statements, but thats up to you, i am just fixing this code 

      mysql_query("insert into table1(num1,num2,num3,num4) 
                   values ('$num1','$num2','$num3','$num4')");

    }
?>

I made a few tweaks in your code and this should do it. Note my additional comments in the code, including the propper escaping your variables, because of the injection danger. Its not my place to judge you on your code, but you would be better off by using prepared statements.

This is a very good topic on this here on stack, I suggest you read it: How can I prevent SQL injection in PHP?

[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) — Jay Blanchard, Aug 04 '16 at 16:03
As I said in my comments and in my text, he is better off with simply using prepared statements, but since Q is not asking for that, he asks why his code aint working. — Dorvalla, Aug 08 '16 at 07:52

score 0 · Answer 5 · edited May 23 '17 at 12:33

As you clearly mentioned in your question,

" I had do some testing on both file by calling an alert message, the alert messages was able to display in the html file, it's seen like the request from the html file cant send to the php file ,so the code for inserting data to database can't execute ~@Heart Break KID "

For That,

1) Change

<input type="button" value="enter" name="btnSubmit" onclick="show()">

To

<input type="submit" value="enter" name="btnSubmit" onclick="show()">

here, type='submit' is required to submit form data..

2) Closing curly brackets are not available. Close if condition.

if(isset($_POST["btnSubmit"]))
{
    // Your query.
}

Now, data will go to next page. But, read this question How can I prevent SQL-injection in PHP?

The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead

UPDATED CODE (using mysqli)

Html form

<form id="firstPrize" method="POST" action="firstPrize.php">
  <label> Number 1</label>
  <input type="text" name="num1"><br>
  <label> Number 2</label>
  <input type="text" name="num2"><br>
  <label> Number 3</label>
  <input type="text" name="num3"><br>
  <label> Number 4</label>
  <input type="text" name="num4"><br><br><Br>
  <input type="submit" value="enter" name="btnSubmit" onclick="show()">
</form>

firstPrize.php

<?php
$host = "localhost";
$user =  "root";
$password = "";
$connect = mysqli_connect($host, $user, $password, "testdb");
session_start();

if(isset($_POST["btnSubmit"]))
{
  $num1 = $_POST["num1"];
  $num2 = $_POST["num2"];
  $num3 = $_POST["num3"];
  $num4 = $_POST["num4"];

  $stmt = mysqli_prepare($connect, "INSERT INTO table1(num1,num2,num3,num4) VALUES (?, ?, ?, ?)");
  mysqli_stmt_bind_param($stmt, 'ssss', $num1, $num2, $num3, $num4);

  $query123 = mysqli_stmt_execute($stmt);
}
?>

hi,i tested your solution but the alert message in my php code still not able to display — Heart Break KID, Aug 05 '16 at 14:40
Data is saving or not @HeartBreakKID? Because, previously It was not saving. — Nana Partykar, Aug 05 '16 at 15:24
yes,data still not saving, I try to move to window environment and test it out, because the current testing environment is Ubuntu, not sure is it the installation problem of LAMP — Heart Break KID, Aug 06 '16 at 05:02

php not writing data into database

5 Answers5