adding new mySQL table row with PHP doesn't work

Question

I got a little form:

<form id="plannerform" action="save.php" method="post">
    <input id="plannername" placeholder=" " type="text" autocomplete="off" name="plannername">
    <input id="plannersubmit" type="submit" value="eintragen">
</form>

As you can see there is the action="save.php" and method="post" on the text-input there is name="plannername".

And thats my php:

$con = mysql_connect("myHost","myUser","myPW");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}

mysql_select_db("myDB", $con);

$sql="INSERT INTO anmeldungen (FR_PM)
VALUES ('$_POST[plannername]')";

if (!mysql_query($sql,$con))
{
  die('Error: ' . mysql_error());
}
echo "1 record added";

The FR_PM is one column of my table. But when I press submit, not even a new row gets created. Nothing happens. But when I call my php with "mywebsite.com/save.php" it adds a new row in my table (with no value at "FR_PM", what's pretty obvious)

What do I do wrong?

***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Feb 22 '17 at 12:53
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Feb 22 '17 at 12:53

Masivuye Cokile · Answer 1 · 2017-02-22T12:27:38.473

one of the things that you need to learn if you are a beginner, you should try by all means to stay away from using mysql_* function this is depreciated and its no longer supported in php. instead use mysqli_* with prepared statements, or use PDO prepared statements.

prepared statments make you code looks clean and its easy to debug.

this is you example with prepared statements.

<form id="plannerform" action="save.php" method="post">
    <input id="plannername" placeholder=" " type="text" autocomplete="off" name="plannername">
    <input id="plannersubmit" type="submit" value="eintragen" name="submit">
 </form>

save.php

<?php
$servername = "localhost";
$username   = "root";
$password   = "";
$dbname     = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

if (isset($_POST['submit'])) {

    if (empty($_POST['plannername'])) {

        die("Enter plannername");
    } else {
        // prepare and bind
        $stmt = $conn->prepare("INSERT INTO anmeldungen (FR_PM) VALUES (?)");
        $stmt->bind_param("s", $_POST['plannername']);

        if ($stmt->execute()) {

            echo "New records created successfully";

        } else {

            echo "Could not insert record";
        }

        $stmt->close();

    }
}
?>

The reason I used prepared statements :

Prepared statements reduces parsing time as the preparation on the query is done only once (although the statement is executed multiple times)
Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query
Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

But when I call my php with "mywebsite.com/save.php" it adds a new row in my table (with no value at "FR_PM", what's pretty obvious)

What do I do wrong?

Well do prevent that from happening you need to check if the form was submitted before you can actual process any thing.

Note: If we want to insert any data from external sources (like user input from a form ), it is very important that the data is sanitized and validated. always treat input from a form as if its from a very dangerous hacker

I am using your code, but still. nothing is happening when I submit. — Tobias Glaus, Feb 22 '17 at 12:30
did you update your form and add the name attribute to your button? this code should work. @TobiasGlaus — Masivuye Cokile, Feb 22 '17 at 12:33
@MasivuyeCokile Ah, half of the problem solved. But now something strange happens. Can you come into this chat? http://chat.stackoverflow.com/rooms/42482/web-developers I post an image there — Tobias Glaus, Feb 22 '17 at 12:37

score 0 · Answer 2 · answered Feb 22 '17 at 12:09

0

change your insert query:

$sql="INSERT INTO anmeldungen (FR_PM) VALUES ('".$_POST["plannername"]."')";

Or

$plannername = $_POST["plannername"];
$sql="INSERT INTO anmeldungen (FR_PM) VALUES ('".$plannername."')";

answered Feb 22 '17 at 12:09

Pathik Vejani

4,263
8
57
98

still. nothing happens when I submit. – Tobias Glaus Feb 22 '17 at 12:16
You can also put braces around the array variable : `"...VALUES ('{$_POST['plannername']}')";` – MadMarc Feb 22 '17 at 12:17
@TobiasGlaus just see whether you are getting the value of `$_POST["plannername"]` or not? – Pathik Vejani Feb 22 '17 at 12:17
@Punit.. I don't get anything in the console. Whereelse could I get errors? – Tobias Glaus Feb 22 '17 at 12:18
@PathikVejani How can I check that? – Tobias Glaus Feb 22 '17 at 12:19
@TobiasGlaus just do echo $_POST["plannername"]; exit; – Pathik Vejani Feb 22 '17 at 12:19
error log, if you using apache, its in a folder logs, error.log – Masivuye Cokile Feb 22 '17 at 12:20
@PathikVejani No this is just giving me a blank page when I call it on "mypage.com/save.php" – Tobias Glaus Feb 22 '17 at 12:23
@TobiasGlaus then value is not going to posted on the submit – Pathik Vejani Feb 22 '17 at 12:23
@MasivuyeCokile I am working on a webserver. There is a .logs folder with a php_error.log but it's blank – Tobias Glaus Feb 22 '17 at 12:24
@PathikVejani How can I get it posted? – Tobias Glaus Feb 22 '17 at 12:24
@TobiasGlaus , let us know your folder structure – Punit Gajjar Feb 22 '17 at 12:25
at the top of **save.php** add this `error_reporting(E_ALL); ini_set('display_errors', 1);` – Masivuye Cokile Feb 22 '17 at 12:26
How can I move this to chat.stackoverflow.com? So I can upload an image of it – Tobias Glaus Feb 22 '17 at 12:26
@MasivuyeCokile `Notice: Undefined index: plannername in /.../.../save.php on line 3` – Tobias Glaus Feb 22 '17 at 12:27
@TobiasGlaus check my answer above, it does deal with that issue. – Masivuye Cokile Feb 22 '17 at 12:28

score 0 · Answer 3 · answered Feb 22 '17 at 12:13

0

Also, use "name"= and not "id"= in the HTML form. This is usually misleading when working with forms and HTTP POST method.

answered Feb 22 '17 at 12:13

NotANumber

144
9

Ook good, because I have been stuck in the same problem, too. – NotANumber Feb 22 '17 at 12:44

score -1 · Answer 4 · answered Feb 22 '17 at 14:31

-1

you may try

$value = $_POST['plannername'];

$sql="INSERT INTO anmeldungen (FR_PM) VALUES ('{$value}')";

answered Feb 22 '17 at 14:31

Jongwoo Choi

1
2

adding new mySQL table row with PHP doesn't work

4 Answers4