Here is my PHP code

<?php
    $link = mysqli_connect('localhost','root','abc','contact');
        if (mysqli_connect_errno())
        {
            echo "Failed to connect to MySQL: " . mysqli_connect_error();
        }

    if(isset($_POST['submit']))
    {
        $fname = $_POST['fname'];
        $lname = $_POST['lname'];
        $email = $_POST['email'];
        $phone = $_POST['phone'];
        $subject = $_POST['subject'];
        $message = $_POST['message'];
        $to = "agarwalmanya1@gmail.com";
        // build the mail body, one field per line (string concatenation uses ".", not ",")
        $txt = "Name: " . $fname . " " . $lname . "\n";
        $txt .= "Email: " . $email . "\n";
        $txt .= "Mobile No: " . $phone . "\n";
        $txt .= "Message: " . $message . "\n";
        mail($to,$subject,$txt);
        // the submitted values are interpolated straight into the SQL string
        $query = "INSERT INTO hello(`fname`, `lname`, `email`, `mobile`, `subject`, `message`) VALUES('$fname','$lname','$email','$phone','$subject','$message')";
        mysqli_query($link,$query);

    }
?>

It was working well previously and then it just stopped working. Any help would be appreciated :)

  • What error are you getting? – Jigar Shah Jul 05 '17 at 17:32
  • It will work if none of your post variables includes a single quote (which will break your query). – Dave Chen Jul 05 '17 at 17:32
  • You are wide open for SQL injection. Since you're using mysqli, take advantage of [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php). This will also fix your pesky quoting issues. – aynber Jul 05 '17 at 17:33
  • I'd also recommend checking for [errors](http://php.net/manual/en/mysqli.error.php) – aynber Jul 05 '17 at 17:34
  • @aynber Thanks, will look into it :) – Manya Agarwal Jul 05 '17 at 17:38
  • @DaveChen, after removing the quotes too, it isn't working. – Manya Agarwal Jul 05 '17 at 17:42
  • You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysqli_error()`](http://php.net/manual/en/mysqli.error.php) to get a detailed error message from the database. – John Conde Jul 05 '17 at 18:05
  • No, the point isn't to remove the single quotes. You need to prepare and execute your statements. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Dave Chen Jul 05 '17 at 18:13
  • Per the manual http://php.net/manual/en/mysqli.connect-errno.php you are using procedural, which should check like `if (!$link) { die('Connect Error: ' . mysqli_connect_errno());}` – nerdlyist Jul 05 '17 at 18:45
  • Use try/catch to catch the error, and prefer to use PDO. – Omi Jul 05 '17 at 19:04

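The comments above point at three separate problems: the query breaks on any value containing a quote, the same property lets an attacker rewrite the query, and nothing in the handler reports a failed query. The following is an added example, not code from the question or any of the commenters, showing the same contact-form handler rewritten with a mysqli prepared statement, `bind_param`, and exception-based error reporting. It assumes the same `hello` table with the same six columns; the database user `contact_app`, its password, and the recipient address are placeholders, and the dedicated INSERT-only database user is an assumption (the original connects as `root`).

```php
<?php
// Added example (not the asker's code): hardened contact-form handler.
// Assumed: table `hello` with columns fname, lname, email, mobile, subject, message,
// and a database user `contact_app` that only holds INSERT on that table.

// Make mysqli throw exceptions instead of silently returning false, so a failed
// connect or query produces a message instead of the form "just stopping working".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Collect and validate the six form fields. Returns a clean associative array
// or throws InvalidArgumentException describing the first bad field.
function read_contact_fields(array $post): array
{
    $fields = ['fname', 'lname', 'email', 'phone', 'subject', 'message'];
    $data = [];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing field: $f");
        }
        $data[$f] = trim($post[$f]);
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    // A CR/LF in the subject would let a submitter append extra mail headers;
    // the subject is a single line, so strip line breaks before handing it to mail().
    $data['subject'] = str_replace(["\r", "\n"], ' ', $data['subject']);
    return $data;
}

// Insert one submission with a prepared statement. The six values are sent
// separately from the SQL text, so a quote (or a "' OR 1=1 --" payload) in any
// field is stored as data and can neither break nor alter the statement.
function save_contact(mysqli $link, array $data): int
{
    $stmt = $link->prepare(
        'INSERT INTO hello (fname, lname, email, mobile, subject, message)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'ssssss',
        $data['fname'], $data['lname'], $data['email'],
        $data['phone'], $data['subject'], $data['message']
    );
    $stmt->execute();               // throws mysqli_sql_exception on failure
    $inserted = $stmt->affected_rows;
    $stmt->close();
    return $inserted;
}

// Build the notification body; one field per line (the original used "," where
// it needed ".", which is a parse error).
function build_mail_body(array $data): string
{
    return "Name: {$data['fname']} {$data['lname']}\n"
         . "Email: {$data['email']}\n"
         . "Mobile No: {$data['phone']}\n"
         . "Message: {$data['message']}\n";
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['submit'])) {
    try {
        $data = read_contact_fields($_POST);

        // Placeholder credentials; use a low-privilege account, not root.
        $link = new mysqli('localhost', 'contact_app', 'change-me', 'contact');
        $link->set_charset('utf8mb4');

        save_contact($link, $data);
        $link->close();

        mail('site-owner@example.com', $data['subject'], build_mail_body($data));
        echo 'Thanks, your message has been received.';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; do not echo table or SQL details to the visitor.
        error_log('contact form DB error: ' . $e->getMessage());
        http_response_code(500);
        echo 'Sorry, your message could not be saved right now.';
    }
}
```

A quick check that reproduces Dave Chen's point: submit the form with `O'Brien` as the last name. Against the original handler the interpolated query becomes `...VALUES('...','O'Brien',...)`, MySQL rejects it, and `mysqli_query` returns `false` without the page saying anything; with the prepared statement above the row is inserted and the apostrophe is stored verbatim. If the query does fail, `mysqli_report(MYSQLI_REPORT_STRICT)` turns that silent `false` into a `mysqli_sql_exception` whose message is the same text `mysqli_error()` would have returned.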