
I am just trying to figure out the logic behind inserting form data into the database. The code below (load.php) works fine. However, I somehow receive a syntax error in process.php, and besides, I'm not sure if my insert code is correct. I also doubt this code is secure; what is the key security factor that I should consider while working with databases? I know I ask many questions, but I'm just trying to get the whole picture. I would appreciate any advice and thoughts.

thanks!

**//process.php**

    <?php
    require ("load.php");
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];

    // The raw POST values are interpolated straight into the SQL text
    // ($fname/$lname above are assigned but never used). Any apostrophe in
    // the input ends the string literal early, which is the likely source of
    // the reported "syntax error", and a crafted value can change the
    // statement itself (SQL injection).
    $sql = "INSERT INTO registration (firstname, lastname) VALUES ('$_POST[fname]','$_POST[lname]')";
    if (mysqli_query($conn, $sql)) {
          echo "New record created successfully";
    } else {
          // Echoing the failed SQL and the server error to the browser also
          // hands schema and error details to whoever submitted the form.
          echo "Error: " . $sql . "<br>" . mysqli_error($conn);
    }
    mysqli_close($conn);
    ?>



**//load.php**


    <?php
    $servername = "localhost";
    $database = "registration";
    $username = "root";
    $password = "";

    $conn = mysqli_connect($servername, $username, $password, $database);
    if (!$conn) {
          die("Connection failed: " . mysqli_connect_error());
    }

    echo "Connected successfully";

    ?>




**//index.php**

    <?php require ("load.php"); ?>

    <html>
       <head>
          <title>Registration Form</title>
          <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       </head>
       <body>
          <h3>Registration Form</h3>
          <form name="registration" method="post" action="process.php">
          <table border="0" cellspacing="2" cellpadding="2">
             <tr><td>First Name:</td><td><input type="text" name="fname"></td></tr>
             <tr><td>Last Name:</td><td><input type="text" name="lname"></td></tr>
             <tr><td>&nbsp;</td><td><input type="submit" name="submit" value="Register"></td></tr>
          </table>
          </form>
       </body>
    </html>
Marc Delisle
BlockeeR
  • **Not Secure** Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Sep 05 '17 at 13:38
  • _I receive somehow a syntax error in process.php_ Please don't keep the error message a secret – RiggsFolly Sep 05 '17 at 13:38
  • Your code is open to SQL injection. As for the syntax error, actually examining the error message would be a good start. If it's coming from the database then that's *probably* because of the SQL injection vulnerability, since you're not actually controlling the code you're trying to execute. – David Sep 05 '17 at 13:39
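What the comments above describe, reproduced end to end as an added example (this is not code from the question or from the answer): it uses Python's `sqlite3` module as a stand-in for MySQL so that it runs offline, keeps the page's `registration` table, and the names and the crafted last name are constructed inputs. It shows the database syntax error that an ordinary apostrophe causes in the interpolated query, a crafted value that makes the same query insert a second row, and both inputs stored verbatim once placeholders are used, which is what a mysqli prepared statement does.

```python
import sqlite3

# Constructed sample inputs for the demonstration (not from the original post).
NORMAL_NAME = ("Mary", "O'Brien")
INJECTED_NAME = ("Mallory", "x'), ('injected', 'row")


def fresh_db():
    """In-memory database with the page's `registration` table (sqlite3 stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (firstname TEXT, lastname TEXT)")
    return conn


def insert_interpolated(conn, fname, lname):
    """Mirrors the original process.php: the values are spliced into the SQL text."""
    sql = f"INSERT INTO registration (firstname, lastname) VALUES ('{fname}','{lname}')"
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, fname, lname):
    """The fix: placeholders, so the SQL text is fixed and the values travel separately."""
    conn.execute(
        "INSERT INTO registration (firstname, lastname) VALUES (?, ?)", (fname, lname)
    )
    conn.commit()


def rows(conn):
    return conn.execute(
        "SELECT firstname, lastname FROM registration ORDER BY rowid"
    ).fetchall()


def demo():
    results = {}

    # 1. An ordinary apostrophe ends the string literal early. The database,
    #    not PHP, rejects the statement: this is the "syntax error" kind of failure.
    conn = fresh_db()
    try:
        insert_interpolated(conn, *NORMAL_NAME)
        results["apostrophe_interpolated"] = "inserted"
    except sqlite3.OperationalError as e:
        results["apostrophe_interpolated"] = f"error: {e}"

    # 2. A crafted last name closes the VALUES tuple and opens another one,
    #    so one form submission inserts a row the form never asked for.
    conn = fresh_db()
    insert_interpolated(conn, *INJECTED_NAME)
    results["injected_interpolated"] = rows(conn)

    # 3. The same two inputs through placeholders: stored verbatim, one row
    #    each, no error, no extra row.
    conn = fresh_db()
    insert_parameterized(conn, *NORMAL_NAME)
    insert_parameterized(conn, *INJECTED_NAME)
    results["parameterized"] = rows(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

MySQL behaves the same way for these inputs: an unbalanced quote is a syntax error, and a multi-row `VALUES (...), (...)` list is standard syntax, so the crafted last name adds a row there too. `mysqli_query()` does not execute stacked statements (that is `mysqli_multi_query()`), so a `'; DROP TABLE ...` payload fails against this page's code, but that is an accident of the API, not a defence; the parameterized form is the fix.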

1 Answer

-2

Try the following code for process.php. This will work:

    <?php
    require ("load.php");

    // Read the form fields first so the bound variables hold values at execute() time.
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];

    // Prepared statement against the page's `registration` table: the SQL text
    // is fixed and the values are sent separately as parameters.
    $stmt = $conn->prepare("INSERT INTO registration (firstname, lastname) VALUES (?, ?)");
    if ($stmt === false) {
          die("Prepare failed: " . $conn->error);
    }
    // bind_param() binds by reference, so the variable names here must be the
    // ones assigned above ($fname/$lname), or NULLs get inserted.
    $stmt->bind_param("ss", $fname, $lname);

    if ($stmt->execute()) {
          echo "New record created successfully";
    } else {
          echo "Error: " . $stmt->error;
    }

    $stmt->close();
    $conn->close();
    ?>
Dhruvang Gajjar