Inserting data into SQL table from HTML form

Question

A HTML form has been created that should (when filled) send the data it's holding to a database inserting a new row so it can be used later on. However, I can't seem to get it to work, I'm getting the following error:

Notice: Use of undefined constant con - assumed 'con' in C:\xampp\htdocs\form\insert.php on line 4

Warning: mysql_query() expects parameter 1 to be string, object given in C:\xampp\htdocs\form\insert.php on line 17
Data not inserted

HTML Code

<!DOCTYPE html>
<html>
    <head>    
        <title>Form linked to database</title>
    </head>
    <body>
        <form action="insert.php" method="post">
            Name: <input type="text" name="username">
            <br>
            Email: <input type="text" name="email">
            <br>
            <input type="submit" value="insert">
        </form>
    </body>
</html>

PHP Code

<?php
$con = mysqli_connect('localhost','[retracted]','[retracted]');

if(!con) {
    echo 'Not connected to server!';
}

if(!mysqli_select_db($con,'tutorial')) {
    echo 'Database not selected!';
}

$Name = $_POST['username'];
$Email = $_POST['email'];

$sql = "INSERT INTO person (Name,Email) VALUES ('$Name','$Email')";
if(!mysql_query($con,$sql)) {
    echo 'Data not inserted';
} else {
    echo 'Data inserted';
}
//header("refresh:2; url=form.html");
?>

I'm new to PHP and followed the following YouTube tutorial.

I'm also using XAMPP for this, on a localhost. Any help is appreciated. Thank you.

you are using mysql and mysqli together. Change all the mysql to mysqli — Rafael Shkembi, Jan 05 '17 at 11:44
Possible duplicate of [Can I mix MySQL APIs in PHP?](http://stackoverflow.com/questions/17498216/can-i-mix-mysql-apis-in-php) — u_mulder, Jan 05 '17 at 11:45
The next thing is the totally insecure sql statement. Your SQL query is potentially vulnerable for sql injections. — Marcel, Jan 05 '17 at 11:47
@RafaelShkembi Thank you for the prompt response. I've just done that but I'm still getting the first error on line 4. Any suggestions? — Asad Hussain, Jan 05 '17 at 11:50
@Marcel Thanks for the insight. I'm new to SQL too and just wanted to know how to get the form to work, but, I will definitely look SQL security and recommendations. — Asad Hussain, Jan 05 '17 at 11:51
Id personally suggest budging over to PDO. If you'd like an example please let me know and I will gladly give a fully written example in the answers section below. — Option, Jan 05 '17 at 12:06

score 3 · Accepted Answer · edited May 23 '17 at 11:47

You should change:

if(!con){
    echo 'Not connected to server!';
}

to:

if(!$con){
    echo 'Not connected to server!';
}

as you're missing a dollar sign there.

Additionally, you're using a mysql_ function here, on the mysqli_ object $con:

if(!mysql_query($con,$sql))

Change this to

if(!mysqli_query($con,$sql))

SQL injection

As your query is vulnerable to SQL injection, then I'd like to recommend you take a look at using prepared statements, or using mysqli_real_escape_string()-- though, this comes with a few gotcha's: https://stackoverflow.com/a/12118602/7374549

score 1 · Answer 2 · answered Jan 05 '17 at 12:12

You have done two small mistakes ie

1) forgot to add $ before the variable name ie changes is

if(!$con){
        echo 'Not connected to server!';
    }

2) you are connected with mysqli_connect but you are trying to use mysql_query functions in it. so please change and use mysqli_query

if(!mysqli_query($con,$sql)){ }

This is issue in your case. My suggestion is to use mysqli or PDO that is good practice.

score 0 · Answer 3 · answered Jan 05 '17 at 11:53

0

You are not using the correct mySQL query function, you have used:

mysql_query($con

You should use:

mysqli_query

instead. Let me know if you still have issues.

answered Jan 05 '17 at 11:53

Laith Mohammad El Aamry

27
4

score -1 · Answer 4 · answered Jan 05 '17 at 12:00

Altough you have a lot of answers right now, I think none of those is the right one. I've written your code new, procedural as you did, but with prepared statements, so you're going to be save to SQL injections.

<?php
    $con = mysqli_connect('localhost','[retracted]','[retracted]');

    if(!$con){
        echo 'Not connected to server!';
    }

    if(!mysqli_select_db($con,'tutorial')){
        echo 'Database not selected!';
    }

    $Name = $_POST['username'];
    $Email = $_POST['email'];

   if ($stmt = mysqli_prepare($con, "INSERT INTO person (Name, Email) VALUES (?, ?"))) {
    mysqli_stmt_bind_param($stmt, "ss", $Name, $Email);
    mysqli_stmt_execute($stmt);
    echo "Data inserted";
   }
   else {
    echo "Error";
   }

mysqli_close($con);

    //header("refresh:2; url=form.html");
?>

I think it should work, if not let me know.

score -2 · Answer 5 · answered Jan 05 '17 at 11:53

-2

Try this :

<?php

// Create connection
$conn = new mysqli("localhost", "username", "password", "databasename");
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$sql = "INSERT INTO MyGuests (firstname, lastname, email)
VALUES ('test fname', 'test lname', 'test@example.com')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

answered Jan 05 '17 at 11:53

Sujal Patel

592
2
5
14

2

Nice copy paste from W3. At least you editet de standard names. But it won't help the OP, since he's trying to insert data from a HTML form. If you copy paste, then please copy paste an example with prepared statements for a good example. – Twinfriends Jan 05 '17 at 12:03
This is just insert query example. i think he's not find in w3. – Sujal Patel Jan 05 '17 at 12:09

Inserting data into SQL table from HTML form

HTML Code

PHP Code

5 Answers5