So I've been trying to create a simple HTML form that will submit user information to a local MySQL database. When I try to run it I get "Cannot POST /test/addperson.php". I've tried many other solutions posted around but none of them seem to work.

HTML

<!DOCTYPE html>

<html>
    <body>
        <h2>User Database</h2>
        <br>
        <form action="test/addperson.php" method="post">
            <p>First Name: </p>
            <input type="text" name="first_name">
            <p>Last Name: </p>
            <input type="text" name="last_name"><br>
            <input type="submit" name="submit">
        </form>
    </body>
</html>

PHP

<?php
$connect = mysql_connect("localhost:3306","root", "password");

if(!$connect){   // the variable needs its $ sigil; bare "connect" is an undefined constant
    die('Connection Failed: ' . mysql_error());
}

mysql_select_db("Users", $connect);

$user_info = "INSERT INTO employees (first_name, last_name) VALUES ('$_POST[first_name]', '$_POST[last_name]')";

if(!mysql_query($user_info, $connect)){   // sql_query() does not exist; the ext/mysql call is mysql_query()
    die('Error' . mysql_error());
}

echo "Your information was added to the database.";

mysql_close($connect);

?>
Sneh P

  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 12 '17 at 14:22
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 12 '17 at 14:22
  • *Cannot POST /test/addperson.php* – are you sure that is where the file is located? Have you checked your error logs for additional information? – Jay Blanchard Jul 12 '17 at 14:23

2 Answers

Use a prepared statement like this. DO NOT USE mysql_* functions, for security reasons. If it is a simple page, use this code. Just create one PHP page and paste the following code.

<?php

$servername = "yourservername";
$username = "root";
$password = "yourpassword";

try {
    $conn = new PDO("mysql:host=$servername;dbname=yourdatabase", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    // stop here: without a connection the code below would fail on an undefined $conn
    die("Connection failed: " . $e->getMessage());
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    $first_name = $_POST['first_name'];
    $last_name  = $_POST['last_name'];

    // a little protection (HTML-encodes the values before they are stored)
    $first_name = htmlentities($first_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $last_name  = htmlentities($last_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // save to database: the values are bound as parameters, not placed into the SQL text
    $query = 'INSERT INTO employees (first_name, last_name) VALUES (:name, :lastname)';

    $st = $conn->prepare($query);
    $st->bindParam(':name', $first_name);
    $st->bindParam(':lastname', $last_name);
    $st->execute();
    $st->closeCursor();
    $st = null;
}
?>

<!DOCTYPE html>
<html>
    <body>
        <h2>User Database</h2> <br>
        <form action="" method="post">
            <p>First Name: </p>
            <input type="text" name="first_name">
            <p>Last Name: </p>
            <input type="text" name="last_name"><br>
            <input type="submit" name="submit">
        </form>
    </body>
</html>
Michael GEDION
You need to alter your code a bit and add quotes in the insert query:

$user_info = "INSERT INTO employees (first_name, last_name) VALUES ('".$_POST['first_name']."', '".$_POST['last_name']."')";

but like others have stated there is a better way of doing this: prepared statements etc.

Just_Do_It