0

Here goes, I've been trying to follow a few tutorials and build a basic form.

<form name="ContactInformation" method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" class="uk-form blcform">

        <fieldset data-uk-margin>
            <legend>For enquires please leave your contact information below</legend>

            <div class="uk-form-row blcinput">
                <input type="text" name="firstname" placeholder="First name">
            </div>

            <div class="uk-form-row blcinput">
                <input type="text" name="secondname" placeholder="Second name">
            </div>

            <div class="uk-form-row blcinput">
                <input type="text" name="urcompany" placeholder="Company">
            </div>

            <div class="uk-form-row blcinput">
                <input type="text" name="email" placeholder="Email address">
            </div>

            <div class="uk-form-row blcinput">
                <input type="text" name="telephone" placeholder="+tel">
            </div>

            <div class="uk-form-row blcinput">
                <textarea name="comment" placeholder="Information about your enquiry" rows="6" ></textarea>
            </div>

            <div class="uk-form-row blcinput"><input type="submit" name="submit" value="Submit"></div>

        </fieldset>

    </form>

Followed by a php segment 

    <?php


$conn = new mysqli($servername, $username, $password, $mydb);

// Check connection

if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

echo "Connected successfully";


 if(isset($_POST["submit"])){

 //insert into database


 $sql = "INSERT INTO ContactInformation (fname, sname, email, comment, telephone, company)
        VALUES ('".$_POST["fname"]."','".$_POST["sname"]."','".$_POST["email"]."','".$_POST["comment"]."','".$_POST["telephone"]."','".$_POST["company"]."')";
     }   

//fetch from database
$sql = "SELECT email, fname, sname FROM ContactInformation";
$result = $conn->query($sql);


//Test pre existing database entries


if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
        echo "id: " . $row["email"]. " - Name: " . $row["fname"]. " " . $row["sname"]. "<br>";
    }
} else {
    echo "0 results";
}

                 $conn->close();

?>

So I'm connecting to the database fine because I'm getting info back from it, my issue is new user input isn't put to the server.

Jay.Smyth
  • 77
  • 1
  • 10
  • Didnt you forget a `$conn->query($sql);` just after the `INSERT INTO` line ? – Proger_Cbsk Sep 26 '16 at 22:24
  • 1
    ^ that isn't the only thing wrong with the code... http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index – Funk Forty Niner Sep 26 '16 at 22:25
  • Put it in but no dice – Jay.Smyth Sep 26 '16 at 22:27
  • if it's about the undefined indexes; you're wrong. You have quite a few. You know why you're not? Because, it never got executed. Only the last query gets executed, not both. – Funk Forty Niner Sep 26 '16 at 22:41
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Sep 26 '16 at 22:55
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Sep 26 '16 at 22:56
  • Try following ONE tutorial until you get a bit of a handle on what you are doing – RiggsFolly Sep 26 '16 at 22:56

2 Answers2

3

See this part of your code?

 if(isset($_POST["submit"])){

 //insert into database


 $sql = "INSERT INTO ContactInformation (fname, sname, email, comment, telephone, company)
        VALUES ('".$_POST["fname"]."','".$_POST["sname"]."','".$_POST["email"]."','".$_POST["comment"]."','".$_POST["telephone"]."','".$_POST["company"]."')";
     }

That only gets executed when you hit the submit button, yet you didn't query() as you did for the SELECT query. Plus, you're using the same $sql variable for both.

  • Use a different variable; it helps to differentiate between both of them.

You're not getting undefined index notices from error reporting because that query never gets executed; that's why.

You have 2 of those inputs that bear the wrong name attributes.

  • name="firstname"
  • name="secondname"

who respectively belong to:

  • $_POST["fname"]
  • $_POST["sname"]

You need to use a prepared statement here, since your code is prone to an SQL injection.

References:

Debugging tools:

and apply that to your code.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • Dont you love the new school year – RiggsFolly Sep 26 '16 at 22:59
  • @RiggsFolly The fresher, the better ;-) It keeps us on our toes. – Funk Forty Niner Sep 26 '16 at 22:59
  • Clearly a novice though not a student just a guy trying to learn, I got it working thanks for the help (redefined variables, initialised others and executes after submit) TIL don't leave out posting form validation from stackexchange to save time :/ – Jay.Smyth Sep 26 '16 at 23:55
0

Well, there is nothing wrong with your code, it works perfectly, but there are 2 things that you missed o forgot:

As Proger_Cbsk wrote, you never call $conn->query($sql)

Also, you are using $_POST["fname"] which is wrong if you have your form with a name like name="firstname".

The issue relays that you are using wrong post names

$sql = "INSERT INTO ContactInformation 
                (fname, sname, email, comment, telephone, company)
        VALUES ('".$_POST["fname"]."','".$_POST["sname"].
                "','".$_POST["email"]."','".$_POST["comment"].
                "','".$_POST["telephone"]."','".$_POST["company"]."')";`

It should be:

$sql = "INSERT INTO ContactInformation 
                (fname, sname, email, comment, telephone, company)
        VALUES ('".$_POST["firstname"]."','".$_POST["secondname"].
              "','".$_POST["email"]."','".$_POST["comment"].
              "','".$_POST["telephone"]."','".$_POST["urcompany"]."')";`
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
Neobugu
  • 333
  • 6
  • 15
  • 2
    *"Well, there is nothing wrong with your code, it works perfectly"* --- *"Also, you are using $_POST["fname"] which is wrong if you have your form with a name like name="firstname"."* - I thought you said it works perfectly? You're contradicting yourself. Plus, you missed one. – Funk Forty Niner Sep 26 '16 at 22:42
  • 2
    *"As Proger_Cbsk wrote, you never call $conn->query($sql)"* - He's both wrong and right. Oh sure, it gets executed alright; only the 2nd one gets to see the show, not the first as it's being overwritten by the 1st one that's inside the conditional statement. So, I'd call that a *"catch 22"* ;-) – Funk Forty Niner Sep 26 '16 at 22:45