
I have an activity table which I want the users to be able to add data to from my website. I have a form and an INSERT INTO query, but when I click the submit button the form clears and the database does not have the inputted record. I think the issue is that one of the fields (activity_cat) is a FOREIGN KEY on the table I'm trying to insert into.

<form>

<form action="" method="post">
Activity Category: <input type="text" name="activity_cat" /><br><br>
Activity Name: <input type="text" name="activity_name" /><br><br>
Activity Address: <textarea name="activity_address"> </textarea><br><br>
Activity Description: <textarea name="activity_description"> </textarea><br><br>

<input type="submit" name="submit"/>
</form> 

The above form is my HTML form and the code below is my PHP code to insert into the database.

<?php


$conn = mysqli_connect($db_host, $db_username, $db_pass, $db_name);
if (!$conn) {
// mysqli_error() needs a connection handle; a failed connect is reported by mysqli_connect_error()
die(mysqli_connect_error());
}


if(isset($_POST["submit"])){


$sql = "INSERT INTO `activity`(`activity_cat`, `activity_name`, `activity_address`, `activity_description`)
VALUES ('".$_POST["activity_cat"]."','".$_POST["activity_name"]."','".$_POST["activity_address"]."','".$_POST["activity_description"]."')";

if ($conn->query($sql) === TRUE) {
echo "<script type= 'text/javascript'>alert('New Record Inserted Successfully');</script>";
} else {
echo "<script type= 'text/javascript'>alert('Error: " . $sql . "<br>" . $conn->error."');</script>";
}


}


?>

The "activity_cat" is a foreign key in the "activity" table. This is so the activities are categorised into different categories. I'm not sure if this is the problem or not. I am entering the exact activity_cat records that are in the categories table but still no luck. Ideally I would like a drop-down menu in the form from which the user can select the category type. Any help with this would be appreciated. I am new to coding, especially PHP and MySQL. If any other information is needed, please ask.

Thank You

ACC
    Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 20 '17 at 18:54
  • Do not take this code live. It'll be hacked in seconds – Rotimi Apr 20 '17 at 19:01
  • it is not going to be live. This is for project and learning purposes only – ACC Apr 20 '17 at 19:03

3 Answers


You need to include a name attribute on your submit button. Add name='submit' on your submit button.

Rotimi

Apart from the fact that your code is prone to SQL Injection attacks, you are checking if submit is set, when you did not provide a name for your button.

Add a name attribute to your input tag like so:

<input type="submit" name="submit" />
Samuel Asor
  • Hi, Thanks for the reply. I have added a name attribute to the input type but still no luck – ACC Apr 20 '17 at 19:11
  • No errors. When submit is clicked the page reloads with an empty form as if it has been submitted. However, when I check the database the record has not been inserted into the table. – ACC Apr 20 '17 at 19:15
  • Can you update your question with the recent change? – Samuel Asor Apr 20 '17 at 19:18

First, you have an unclosed form tag:

<form> <!-- What is this -->

<form action="" method="post">

Second, (and this is what's causing the problem in this case):

You did not specify an action to your form! The action attribute must be set to the path of the php file which holds your script, which inserts stuff into your database.

For example:

something.html:

<form action="inserter.php" method="post">
  Activity Category: <input type="text" name="activity_cat" /><br><br>
  Activity Name: <input type="text" name="activity_name" /><br><br>
  Activity Address: <textarea name="activity_address"> </textarea><br><br>
  Activity Description: <textarea name="activity_description"> </textarea><br><br>

  <input type="submit" name="submit"/>
</form> 

inserter.php:

<?php

    $conn = mysqli_connect($db_host, $db_username, $db_pass, $db_name);
    if (!$conn) {
        // mysqli_error() needs a connection handle; a failed connect is reported by mysqli_connect_error()
        die(mysqli_connect_error());
    }

    if(isset($_POST["submit"])){    
        //You don't need to concatenate, you can just put the variables directly into a string (which are double quoted) like this: ${variable's_identifier}
        $sql = "INSERT INTO `activity`(`activity_cat`, `activity_name`, `activity_address`, `activity_description`)
          VALUES ('${_POST["activity_cat"]}','${_POST["activity_name"]}','${_POST["activity_address"]}','${_POST["activity_description"]}')";

        if ($conn->query($sql) === TRUE) {
            echo "<script type= 'text/javascript'>alert('New Record Inserted Successfully');</script>";
        } else {
            echo "<script type= 'text/javascript'>alert('Error: " . $sql . "<br>" . $conn->error."');</script>";
        }
    }

    //You SHOULD close the connection when you are done!
    mysqli_close($conn);
?>

However, please do use parameterized prepared statements!

$conn = new mysqli($db_host, $db_username, $db_pass, $db_name);

$stmt = $conn->prepare("INSERT INTO `activity`(`activity_cat`, `activity_name`, `activity_address`, `activity_description`) VALUES (?, ?, ?, ?)");
// 'ssss' = four string parameters; the values are sent separately from the SQL text, so user input cannot alter the query
$stmt->bind_param('ssss', $_POST["activity_cat"], $_POST["activity_name"], $_POST["activity_address"], $_POST["activity_description"]);
$stmt->execute();
$stmt->close();

$conn->close();
Cerike
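Putting the pieces of this answer together, here is a complete inserter.php written as an added example (it is not code from the question or from any of the answers). It keeps the prepared statement, makes mysqli throw on failure so a rejected INSERT can no longer pass silently, tells the foreign-key rejection apart from other errors, and renders the category drop-down the asker wanted from the categories table, so the form can only submit keys that exist. It assumes, since the page does not say, a `categories` table with columns `cat_id` and `cat_name` that `activity.activity_cat` references, and that `$db_host`, `$db_username`, `$db_pass` and `$db_name` are defined elsewhere as in the question.

```php
<?php
// Added example, not code from the question or any answer.
// Assumed schema (not stated on the page): table `categories` (`cat_id`, `cat_name`),
// with `activity.activity_cat` a foreign key to `categories.cat_id`.
// $db_host, $db_username, $db_pass, $db_name are defined elsewhere, as in the question.

// Make every mysqli failure throw mysqli_sql_exception instead of returning false,
// so a failed INSERT cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli($db_host, $db_username, $db_pass, $db_name);
$conn->set_charset('utf8mb4');

// Insert one activity. Returns true on success, false when the submitted category
// does not exist in `categories` (the foreign key rejects the row); any other
// database error is rethrown so it is not hidden.
function insert_activity(mysqli $conn, string $cat, string $name, string $address, string $description): bool
{
    $stmt = $conn->prepare(
        'INSERT INTO `activity` (`activity_cat`, `activity_name`, `activity_address`, `activity_description`)
         VALUES (?, ?, ?, ?)'
    );
    // Values travel separately from the SQL text, so user input can never change the query.
    $stmt->bind_param('ssss', $cat, $name, $address, $description);
    try {
        $stmt->execute();
        return true;
    } catch (mysqli_sql_exception $e) {
        // MySQL errno 1452: "Cannot add or update a child row: a foreign key constraint fails".
        if ($e->getCode() === 1452) {
            return false;
        }
        throw $e;
    } finally {
        $stmt->close();
    }
}

// Render one <option> per row of `categories`, so the user can only pick a key
// that actually exists. htmlspecialchars() keeps a category name from injecting
// markup into the page.
function category_options(mysqli $conn): string
{
    $html = '';
    $result = $conn->query('SELECT `cat_id`, `cat_name` FROM `categories` ORDER BY `cat_name`');
    while ($row = $result->fetch_assoc()) {
        $id   = htmlspecialchars((string) $row['cat_id'], ENT_QUOTES, 'UTF-8');
        $name = htmlspecialchars((string) $row['cat_name'], ENT_QUOTES, 'UTF-8');
        $html .= "<option value=\"{$id}\">{$name}</option>\n";
    }
    $result->free();
    return $html;
}

$message = '';
if (isset($_POST['submit'])) {
    $ok = insert_activity(
        $conn,
        $_POST['activity_cat'] ?? '',
        $_POST['activity_name'] ?? '',
        $_POST['activity_address'] ?? '',
        $_POST['activity_description'] ?? ''
    );
    $message = $ok ? 'New record inserted successfully.'
                   : 'That category does not exist; please choose one from the list.';
}
?>
<!-- Feedback is printed into the page, escaped, rather than into a JavaScript alert string -->
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>

<form action="inserter.php" method="post">
  Activity Category:
  <select name="activity_cat"><?= category_options($conn) ?></select><br><br>
  Activity Name: <input type="text" name="activity_name" /><br><br>
  Activity Address: <textarea name="activity_address"></textarea><br><br>
  Activity Description: <textarea name="activity_description"></textarea><br><br>
  <input type="submit" name="submit" value="Submit" />
</form>
<?php $conn->close(); ?>
```

The form posts to the same file, so the script both renders the drop-down and handles the submission. Because the `<select>` is filled from the categories table, a normal user can only submit existing keys; the errno 1452 check still handles a hand-crafted POST with an unknown category, and `mysqli_report()` turns any other failure into a visible exception instead of an empty form reload.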