<form method="POST" action="welcome.php">
<input name="fname" type="text"/>
<input type="submit" value="Submit">
</form>  

<?php
$connect = mysqli_connect("dbhost", "dbuser", "dbpass", "dbname");
mysqli_query($connect, 'INSERT INTO `Urls` (URLS)

VALUES
("$_POST[`fname`]");')
?>

So after fixing the PHP script several times I finally got it to post to the database, but instead of posting user inputs it's posting 0s in the column. I don't have any more syntax errors, and I've tried the backticks in various ways.

The Table looks like:
URLS
0
0
0
Erin
  • What is your table structure? Also please look into SQL injection (I'd suggest using prepared statements of some kind in PHP) – CollinD Apr 04 '17 at 22:29
  • Why do I bet it's an int –  Apr 04 '17 at 22:32
  • It's just the URLS column. All that the SQL injection gives me is INSERT INTO Urls (URLS) VALUE ([value-1]) – Erin Apr 04 '17 at 22:33
  • Please show DB images or tell us the DB structure. What is the type of the column 'URLS', int or varchar? –  Apr 04 '17 at 22:33
  • Yeah, it's an int. What's wrong with that? – Erin Apr 04 '17 at 22:33
  • Please make it varchar(50) etc. Then it will work –  Apr 04 '17 at 22:34
  • Well, is url, or is fname (can you decide), an integer? Sure it's not text? –  Apr 04 '17 at 22:35
  • I tried varchar and it worked, but now it's posting "$_POST[`fname`]" – Erin Apr 04 '17 at 22:39
  • That's the behavior we expect: when a PHP string is enclosed in single quotes, it's a *literal*. There's no variable interpolation, the dollar sign has no special meaning. http://stackoverflow.com/questions/3446216/what-is-the-difference-/between-single-quoted-and-double-quoted-strings-in-php – spencer7593 Apr 04 '17 at 22:40
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Apr 04 '17 at 23:44
  • I'm using phpmyadmin, and some of these things don't work with that. – Erin Apr 05 '17 at 01:58
  • phpmyadmin is not a database, it's just another PHP script like any other –  Apr 05 '17 at 02:32

1 Answer


Give this a try. PHP doesn't replace variables in strings contained in single quotes. Use concatenation.

<form method="POST" action="welcome.php">
<input name="fname" type="text"/>
<input type="submit" value="Submit">
</form>  

<?php
$connect = mysqli_connect("dbhost", "dbuser", "dbpass", "dbname");
mysqli_query($connect, 'INSERT INTO `Urls` (`URLS`)
VALUES
("'.$_POST['fname'].'");')
?>

As mentioned in the comments, this overall style would be susceptible to SQL injection, and is provided only to show where the OP's code was incorrect.

Sloan Thrasher
  • You don't want ticks around fname, do you? –  Apr 04 '17 at 22:33
  • The backticks should be single quotes... `$_POST['fname']`. Even with that, this pattern appears to be vulnerable to SQL Injection. At a minimum, potentially unsafe values should be properly escaped using the `mysqli_real_escape_string` function. – spencer7593 Apr 04 '17 at 22:34
  • PHP can interpolate using `...{$_POST[...]}` if necessary but as others have pointed out, this is an extremely bad idea in any case. This **must** be escaped. – tadman Apr 04 '17 at 23:45
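
The parameterized-query approach the comments recommend, shown as an added example that is not part of the original thread or written by any of its participants. It reuses the page's placeholder connection values and `Urls`/`URLS` names; the `save_url` helper, the 2048-character limit and the error messages are assumptions, and the column is assumed to have been changed to `VARCHAR` as discussed in the comments.

```php
<?php
// welcome.php handler using a mysqli prepared statement (added example).
// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one value and returns the number of rows written.
function save_url(mysqli $db, string $url): int
{
    // The ? placeholder keeps the value out of the SQL text entirely, so
    // quotes or SQL keywords in the input cannot change the statement.
    $stmt = $db->prepare('INSERT INTO `Urls` (`URLS`) VALUES (?)');
    $stmt->bind_param('s', $url);   // 's' = send the value as a string
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fname = $_POST['fname'] ?? '';

    // Reject arrays (fname[]=...), empty values and oversized input.
    // The 2048 limit is an assumption; match it to the column width.
    if (!is_string($fname) || $fname === '' || strlen($fname) > 2048) {
        http_response_code(400);
        exit('Invalid input');
    }

    try {
        $db = new mysqli('dbhost', 'dbuser', 'dbpass', 'dbname');
        $db->set_charset('utf8mb4');
        $rows = save_url($db, $fname);
        // Encode the value before echoing it back into HTML.
        echo 'Saved ', $rows, ' row: ',
             htmlspecialchars($fname, ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; do not show SQL errors to the client.
        error_log($e->getMessage());
        http_response_code(500);
        exit('Database error');
    }
}
?>
```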