I want to insert data into a phpMyAdmin table; similar code worked on another page but it didn't work in this one. Here's the code:

<?php
$hostname = 'localhost';
$username = 'root';
$password = '';
try {
    $conn = new PDO("mysql:host=$hostname;dbname=database", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "Connected successfully";
}
catch (PDOException $e) {
    echo $e->getMessage();
}

if ( isset($_POST['NomPrenom']) && isset($_POST['date']) && isset($_POST['email']) && isset($_POST['description']) ) {
    $NomPrenom      = $_POST['NomPrenom'];
    $date           = $_POST['date'];
    $email          = $_POST['email'];
    $description    = $_POST['description'];

    try {
        // The values are interpolated into the SQL string here AND passed
        // again to execute() below, so the query contains no placeholders
        // for the four bound values.
        $sql = "INSERT INTO demande (NomPrenom,date,email,description) 
                          VALUES ('$NomPrenom','$date','$email','$description')";
        $stmt = $conn->prepare($sql);
        if ($stmt->execute(array(
            $NomPrenom,
            $date,
            $email,
            $description
        ))) {
            echo "Data inserted";
        } else {
            echo "could not insert";
        }
    }
    catch (Exception $ex) {
        // Any PDOException raised above is only written to the server log,
        // so nothing is shown in the browser.
        error_log($ex->getMessage());
    }
}
?>

When I submit, the page refreshes with no errors and nothing is added to the table. This is the table in the database, named demande:

  • `phpMyAdmin` does not have tables, it's an application! However `MySQL` does have tables. – RiggsFolly Apr 25 '17 at 15:40
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Apr 25 '17 at 15:41
  • You're not using prepared statements correctly; your query is null and void. – Funk Forty Niner Apr 25 '17 at 15:42

1 Answer

Your query is wrongly constructed: you need to place positional parameters in the query you are going to prepare and then pass the values for those parameters to execute().

$sql = "INSERT INTO demande (NomPrenom,date,email,description) 
                  VALUES (?,?,?,?)";
$stmt = $conn->prepare($sql);
if ($stmt->execute(array($NomPrenom,$date,$email,$description))) {
    echo "Data inserted";
} else {
    echo "could not insert";
}

Or using named parameters like this

$sql = "INSERT INTO demande (NomPrenom,date,email,description) 
                  VALUES (:nom, :dat, :em, :desc)";
$stmt = $conn->prepare($sql);
$params = array(':nom'=>$NomPrenom,
                ':dat'=>$date,
                ':em'=>$email,
                ':desc'=>$description);

if ( $stmt->execute($params) ) {
    echo "Data inserted";
} else {
    echo "could not insert";
}
  • It worked! Thanks for the fast reply and solution. I'll make sure to study the query statements more. – Darkimo Apr 25 '17 at 15:50
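The two patterns side by side, as an added example that is neither the asker's nor the answerer's code. It assumes an in-memory SQLite database so it runs stand-alone (with MySQL only the DSN changes), reuses the table and column names from the question, and uses constructed sample input.

```php
<?php
// Added example, not the asker's or answerer's code. Uses an in-memory SQLite
// database so it runs stand-alone; with MySQL the DSN would be
// "mysql:host=...;dbname=..." (as in the question) and nothing else changes.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares so placeholders are bound by the driver,
// not spliced into the SQL text client-side (a no-op for SQLite, matters for MySQL).
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->exec('CREATE TABLE demande (NomPrenom TEXT, date TEXT, email TEXT, description TEXT)');

// Constructed sample input. The apostrophe is ordinary user data, yet it is
// enough to break SQL built by string interpolation.
$row = ['NomPrenom' => "O'Neil, Jean", 'date' => '2017-04-25',
        'email' => 'jean@example.invalid', 'description' => 'demande test'];

// 1. The question's pattern: values interpolated into the SQL and *also* handed
//    to execute(). The statement fails with an exception; in the question that
//    exception went to error_log(), which is why nothing appeared on screen.
try {
    $sql = "INSERT INTO demande (NomPrenom,date,email,description)
            VALUES ('{$row['NomPrenom']}','{$row['date']}','{$row['email']}','{$row['description']}')";
    $conn->prepare($sql)->execute(array_values($row));
} catch (PDOException $e) {
    // Log server-side; never echo raw database errors back to the browser.
    error_log('interpolated insert failed: ' . $e->getMessage());
    echo "interpolated insert failed (see error log)\n";
}

// 2. The answer's pattern: placeholders in the SQL, values only in execute().
//    User data never becomes part of the SQL text, so the quote is stored as-is.
function insertDemande(PDO $conn, array $row): bool
{
    $stmt = $conn->prepare(
        'INSERT INTO demande (NomPrenom, date, email, description) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute([$row['NomPrenom'], $row['date'], $row['email'], $row['description']]);
}

if (insertDemande($conn, $row)) {
    $stored = $conn->query('SELECT NomPrenom FROM demande')->fetchColumn();
    echo "stored: $stored\n";
}
```

Run with `php example.php`: the first insert raises and is logged, the second succeeds and reads back the name with its apostrophe intact.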