
My code is:

```php
<?php

$servername = "localhost";
$name = "root";
$pass = "";
$database = "register";

$con = mysqli_connect($servername, $name, $pass, $database);

$username = mysqli_real_escape_string($con, $_POST['username']);
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);

$sql = "INSERT INTO users(username,email,password) VALUES('$username', '$email', '$password')";

?>
```

And my form is:

```html
<html>
<body>
<div class="form">
<h1>Registration</h1>
<form name="registration" action="insert.php" method="post">
<input type="text" name="username" id="username" placeholder="Username" required />
<input type="email" name="email" id="email" placeholder="Email" required />
<input type="password" name="password" id="password" placeholder="Password" required />
<input type="submit" name="submit" value="Register" />
</form>
</div>
</body>
</html>
```

After inserting data, the page becomes blank and the data is not inserted into the database. The code worked for mysql before.

BhandariS
  • Where is your query executing function? – Hardik Solanki Apr 10 '17 at 09:35
  • In the above code, the actual query execution is missing. If you add that, make sure to check for errors as well. – Sirko Apr 10 '17 at 09:35
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Apr 10 '17 at 09:36
  • The manual should be your first port of call, **not SO**: http://php.net/manual/en/book.mysqli.php – RiggsFolly Apr 10 '17 at 09:38

1 Answer

Missing this?

```php
if (mysqli_query($con, $sql)) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($con);
}

mysqli_close($con);
```

Hmmm
  • As Riggs mentioned ... PDO is the way to go, try PDO too. – Hmmm Apr 10 '17 at 09:38
  • Mysqli is fine, but use parametrized queries with placeholders. PDO has its advantages, but there's nothing wrong with mysqli. But I always recommend everyone to try both, see which one they like best. – Qirel Apr 10 '17 at 09:40
  • @MasivuyeCokile ... Not at all man, just wanted him to try PDO - that's all. I myself use Prepared Mysql. – Hmmm Apr 10 '17 at 09:43
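
The parameterized mysqli insert recommended in the comments, written out as an added example that is not part of the original thread. It assumes the question's `register` database and `users` table, uses a hypothetical `register_user()` helper, and hashes the password with `password_hash()`, which the thread does not discuss and which needs a password column wide enough for the hash.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: MySQL on localhost with the question's "register" database and a
// users(username, email, password) table whose password column can hold a hash.

// Make mysqli throw exceptions, so a failed connect or query is never a silent blank page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one user with a prepared statement.
function register_user(mysqli $con, string $username, string $email, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so no escaping is needed.
    $stmt = $con->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");
    // Store a salted hash rather than the submitted password.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param("sss", $username, $email, $hash);
    $stmt->execute();               // the step missing from the question's script
    $inserted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $inserted;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $email    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = $_POST['password'] ?? '';

    // The form's "required" attributes are client-side only; re-check on the server.
    if ($username === '' || $email === false || $password === '') {
        http_response_code(400);
        exit("Invalid input");
    }

    try {
        $con = new mysqli("localhost", "root", "", "register");
        $con->set_charset("utf8mb4");
        register_user($con, $username, $email, $password);
        $con->close();
        echo "New record created successfully";
    } catch (mysqli_sql_exception $e) {
        // Log details server-side; do not echo the SQL or driver error to the browser.
        error_log($e->getMessage());
        http_response_code(500);
        echo "Registration failed";
    }
}
```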