
I have this register form, and I'd like all of its data to be sent to my MySQL server using PHP. Here's my code:

$gidnumber = htmlentities($_POST['stud_idnumber']);
$gfirstname = htmlentities($_POST['stud_firstname']);
$glastname = htmlentities($_POST['stud_lastname']);
$gcourse = htmlentities($_POST['stud_course']);
$gyear = htmlentities($_POST['stud_year']);
$gpassword = htmlentities($_POST['stud_password']);

For security reasons, I tried doubling up by using real_escape_string

$stud_idnumber = mysqli_real_escape_string($con,$gidnumber);
$stud_firstname = mysqli_real_escape_string($con,$gfirstname);
$stud_lastname = mysqli_real_escape_string($con,$glastname);
$stud_course = mysqli_real_escape_string($con,$gcourse);
$stud_year = mysqli_real_escape_string($con,$gyear);
$stud_password = mysqli_real_escape_string($con,$gpassword);

Followed by a:

$sql3 = "INSERT INTO users_student 
                (idnumber, firstname, lastname, course, year, password) 
         VALUES "." ('$stud_idnumber','$stud_firstname','$stud_lastname',
                     '$stud_course','$stud_year','$stud_password') ";
$q = mysqli_query($con,$sql3);

echo "<br/><br/><br/><br/><br/><br/><br/>";
echo $stud_idnumber;
echo $stud_firstname;
echo $stud_lastname;
echo $stud_course;
echo $stud_year;
echo $stud_password;

The echo part was for checking whether the PHP really gets all the variables from the textboxes. On my page, it successfully displayed everything the user had input in the textboxes (firstname, lastname, etc.). But when I checked my database, it hadn't saved anything there.

Also, it was not giving me any errors.

  • Your passwords are at risk without encryption. You should look into using password_hash and password_verify. – Option Mar 28 '17 at 07:48
  • why are you escaping passwords? – Rotimi Mar 28 '17 at 07:48
  • @Option Oh! how could I do that?? I'm so sorry for being naive, I thought `htmlentities` was enough though – Dranreb Mar 28 '17 at 07:52
  • @Dranreb, take a look at the php.net site for password hashing: http://php.net/manual/en/faq.passwords.php – Option Mar 28 '17 at 07:54
  • 1
    NEVER use htmlentities when inserting into database – 131 Mar 28 '17 at 07:59
  • @131 Oh! Why not? – Dranreb Mar 28 '17 at 08:04
  • Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you cannot miss or ignore. – RiggsFolly Mar 28 '17 at 08:08
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Mar 28 '17 at 08:08
  • `"." ` in the middle of the query? **Why** – RiggsFolly Mar 28 '17 at 08:09
  • 1
    cause if someone uses html tags in their password, ex. `password13<`, the `htmlentities()` will convert it to `password12<` because it escapes those characters. You only use it before you output data to the browser. – 131 Mar 28 '17 at 08:09
  • @RiggsFolly Thanks! It give out an error like this: ` Uncaught exception 'mysqli_sql_exception' with message 'Unknown column 'password' in 'field list'' in C:\xampp\htdocs\buksunetwork\welcome.php:70 Stack trace: #0 C:\xampp\htdocs\buksunetwork\welcome.php(70): mysqli_query(Object(mysqli), 'INSERT INTO use...') #1 {main} thrown in C:\xampp\htdocs\buksunetwork\welcome.php on line 70` any ideas about this? – Dranreb Mar 28 '17 at 08:10
  • @RiggsFolly Line 70: `mysqli_query($con,$sql3);` – Dranreb Mar 28 '17 at 08:11
  • So the column either does not exist in that table or it has a different name – RiggsFolly Mar 28 '17 at 08:12
  • It does seem a little off that you would store a password in a table with that name??? Password should go in the `user` table – RiggsFolly Mar 28 '17 at 08:14
  • @RiggsFolly Thanks! I found out the `password` field in my table didn't exist. That was really stupid of me to miss that out. Thank you once again! :) – Dranreb Mar 28 '17 at 08:27
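The comments above make four separate points: turn on mysqli error reporting so a failed query cannot go unnoticed, use prepared statements instead of string-building the query, hash passwords with `password_hash()`/`password_verify()`, and never run `htmlentities()` on input (only on output). The following is an added example that pulls those together; it is not the asker's code or anything from the thread. It assumes a `users_student` table whose `password` column exists and is wide enough for a hash (VARCHAR(255)), the mysqlnd driver for `get_result()`, and placeholder connection details that you would replace with your own.

```php
<?php
// Added example, not the asker's code. Assumes a `users_student` table with an
// existing VARCHAR(255) `password` column and placeholder connection details.
declare(strict_types=1);

// 1. Make every mysqli error throw mysqli_sql_exception instead of failing silently.
//    With this on, the asker's "Unknown column 'password'" would have surfaced at once.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical connection details: adjust for your environment.
$con = new mysqli('localhost', 'app_user', 'app_password', 'buksunetwork');
$con->set_charset('utf8mb4');

/**
 * Register a student. Input is taken from $_POST as-is: no htmlentities(),
 * no mysqli_real_escape_string(). The prepared statement keeps data separate
 * from the SQL text, and the password is hashed before it is stored.
 */
function registerStudent(mysqli $con, array $input): bool
{
    $fields = ['stud_idnumber', 'stud_firstname', 'stud_lastname',
               'stud_course', 'stud_year', 'stud_password'];
    foreach ($fields as $f) {
        if (!isset($input[$f]) || $input[$f] === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
    }

    // 2. Never store the plain password. PASSWORD_DEFAULT picks a strong algorithm
    //    and a fresh random salt; the hash is what goes into the table.
    $hash = password_hash($input['stud_password'], PASSWORD_DEFAULT);

    // 3. Placeholders instead of interpolated strings: no escaping needed, no injection.
    $stmt = $con->prepare(
        'INSERT INTO users_student (idnumber, firstname, lastname, course, year, password)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'ssssss',
        $input['stud_idnumber'],
        $input['stud_firstname'],
        $input['stud_lastname'],
        $input['stud_course'],
        $input['stud_year'],
        $hash
    );
    $stmt->execute();            // throws on failure, e.g. a missing column
    $ok = $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

/** Login check for later: compare the submitted password against the stored hash. */
function verifyStudentPassword(mysqli $con, string $idnumber, string $password): bool
{
    $stmt = $con->prepare('SELECT password FROM users_student WHERE idnumber = ?');
    $stmt->bind_param('s', $idnumber);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // password_verify() also handles a missing row without leaking which part failed.
    return $row !== null && password_verify($password, $row['password']);
}

try {
    if (registerStudent($con, $_POST)) {
        // 4. Escape only here, at output time, so the browser cannot treat input as markup.
        echo 'Registered ' . htmlspecialchars($_POST['stud_firstname'], ENT_QUOTES, 'UTF-8');
    }
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());   // full detail to the server log
    http_response_code(500);
    echo 'Registration failed.';   // generic message to the user
}
```

Note why the `htmlentities()` step had to go: a password such as `password13<` would have been stored as `password13&lt;`, so a later `password_verify()` against what the user actually typed would fail. Hashing the raw input and escaping only on output avoids that while still protecting both the database and the browser.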
