Getting the error Undefined variable and all values getting saved as 0 in sql db when saving an html form using php

Question

Html code:

<html>
<head>
</head>
<body>
<p><h1>Student Information Input Form</h1></p>
<section>
<form method="POST" action="connection.php">
<p><b>Name:</b>&nbsp;<input type="text" id="name" name="name"></input></p>
<p><b>Username:</b>&nbsp;<input type="text" id="username" name="username"></input></p>
<p><b>Password:</b>&nbsp;<input type="password" id="password" name="password"></input></p>
<p><b>Email:</b>&nbsp;<input type="email" id="email" name="email"></input></p>
<p><input type="submit" id="submit" name="submit"></p>
</form>
</section>
</body>
</html>

PHP Code:

<?php
$servername="localhost";
$username="root";
$password="";
$dbname="newdb";

//Create Connection
$conn=new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

//get values from form
if (isset($_POST['name'])) {
$nameForm=$_POST['name'];
}
if (isset($_POST['username'])) {
$usernameForm=$_POST['username'];
}
if (isset($_POST['passsword'])) {
$passwordForm=$_POST['password'];
}
if (isset($_POST['email'])) {
$emailForm=$_POST['email'];
}

//Insert Values
$sql = "INSERT INTO userinfo (name, username, password, email) VALUES ('$nameForm', '$usernameForm', '$passwordForm', '$emailForm')";

//To check whether data is inserted properly or not
if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

Error Message:

Notice: Undefined variable: passwordForm in C:\xampp\htdocs\Project2_php db\connection.php on line 28 New record created successfully

On clicking The submit button I am getting the above error and in the database, all the values are stored as zero.

**Your code is vulnerable to [SQL injection attacks](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)!** You should be (**at least**) escaping your input, if not using [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)! — Bytewave, Jul 06 '17 at 17:48
Surely the name, username, password, and email columns aren't numeric or have a default value of '0', right? Otherwise they would not be zero when the row is inserted. — Sloan Thrasher, Jul 06 '17 at 17:48
On another note, **you should never store passwords in plain text!** Read up on [password hashing](http://php.net/manual/en/faq.passwords.php), and use the [`password_hash` and `password_verify`](http://php.net/manual/en/book.password.php) functions when available! — Bytewave, Jul 06 '17 at 17:49
@Byteawave Can you please suggest a bit in detail how can I avoid sql injection as well as use hashing for a password as I am new to this. — Alapan Das, Jul 07 '17 at 02:18
@SloanThrasherThe db rows were set to int, when I changed to varchar it worked. — Alapan Das, Jul 07 '17 at 02:24

Jigar Shah · Answer 1 · 2017-07-06T17:57:16.920

2

its a typo if (isset($_POST['passsword'])) { // password

NOTE: Also consider switching to PDO statement

edited Jul 06 '17 at 17:57

answered Jul 06 '17 at 17:46

Jigar Shah

6,143
2
28
41

@alapan have got it resolved or not? – Jigar Shah Jul 06 '17 at 18:06
This doesn't explain why all values would be stored as 0, though it does answer one part of the question. The asker should also verify that their database rows are not set as "integer" – sicksixstrings Jul 06 '17 at 18:46
@JigarShah Thanks for the find it did the trick. – Alapan Das Jul 07 '17 at 02:21
@sicksixtings I have kept the database rows as integer and when I changed to Varchar its working fine now. – Alapan Das Jul 07 '17 at 02:21

Getting the error Undefined variable and all values getting saved as 0 in sql db when saving an html form using php

1 Answers1