-1

I had a freelancer work on a site for me and he could not finish my project, which should have been easy for him, and I need to get this fully running to be ready by morning.

This is my PHP code, which I had to create in a hurry:

<?php

// Connect to the server; the original was missing the closing parenthesis here.
$con = mysqli_connect('localhost', 'dbuser', 'password');

if (!$con)
{
    die('Not Connected To Server');
}

if (!mysqli_select_db($con, 'DBName'))
{
    die('Database Not Selected');
}

$UserN  = $_POST['UserN'];
$FullN  = $_POST['FullN'];
$Adrs   = $_POST['Adrs'];
$Email  = $_POST['Email'];
$PhoneN = $_POST['PhoneN'];

// The form values are interpolated straight into the SQL string; this is the
// SQL injection problem the question is asking how to fix.
$sql = "INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES ('$UserN', '$FullN', '$Adrs', '$Email', '$PhoneN')";

$result = mysqli_query($con, $sql);

// header() has to be called before anything is echoed, otherwise PHP reports
// "headers already sent" and the refresh redirect never happens.
// The original also left the string unterminated (missing closing quote and parenthesis).
header("refresh:2; url=survey.html");

if (!$result)
{
    echo 'Not Inserted';
}
else
{
    echo 'Inserted';
}

?>

That is the PHP.

This is my form:

 <div class="form-con">
         <form action="insert.php" method="post">
             <label>Username</label><br>
             <input type="text" name="UserN" placeholder="Your Username"><br>
             <label>Full Name</label><br>
             <input type="text" name="FullN" placeholder="Full Name"><br>
             <label>Full Address</label><br>
             <textarea rows="4" cols="50" name="Adrs" placeholder="Address"></textarea><br>
             <label>Email Address</label><br>
             <input type="email" name="Email" placeholder="Email Address"><br>
             <label>Phone Number</label><br>
             <input type="text" name="PhoneN" placeholder="Phone Number"><br>
             <div class="btn">
                 <!-- The submit button must not be wrapped in <a href="survey.html">:
                      the link navigates to survey.html before the form is posted,
                      so insert.php never runs. insert.php redirects to survey.html itself.
                      "actoin" in the original form tag was a typo for "action". -->
                 <button type="submit">Submit</button>
             </div>
         </form>
      </div>

Please help me. I also want to secure the form using this:

Using MySQLi (for MySQL):
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

From here

https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1

Please help.

New PHP:

<?php

// Connection values taken from the first script on this page
$host   = 'localhost';
$dbname = 'DBName';
$user   = 'dbuser';
$pass   = 'password';

// PDO connection; "dbame" in the original DSN was a typo for "dbname".
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

// With a prepared statement the values are bound, not interpolated, so
// mysqli_real_escape_string is not used (it also needs a mysqli connection,
// and $con does not exist in this script).
$UserN  = $_POST['UserN'];
$FullN  = $_POST['FullN'];
$Adrs   = $_POST['Adrs'];
$Email  = $_POST['Email'];
$PhoneN = $_POST['PhoneN'];

// Insert query with ? placeholders where the variables used to be interpolated
$stmt = $dbh->prepare("INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?, ?, ?, ?, ?)");
// execute() takes a single array of values, in placeholder order
$stmt->execute([$UserN, $FullN, $Adrs, $Email, $PhoneN]);

header("refresh:1; url=survey.html");

?>
RebornXD
  • Please review [How much research effort is expected?](https://meta.stackoverflow.com/questions/261592/how-much-research-effort-is-expected-of-stack-overflow-users). Stack Overflow is not a coding service. You are expected to research your issue and make a good attempt to write the code yourself before posting. If you get stuck on something *specific*, come back and include a [Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve) and a summary of what you tried. – FluffyKitten Sep 15 '17 at 01:45
  • But I have included what I have tried, what my problem is, and my attempts at resolving the issue. – RebornXD Sep 15 '17 at 02:15
  • What is the *specific* issue you are having? You say in the title that the redirect is "not working"; that tells us nothing. What *exactly* is going wrong? We aren't mind readers. You are also asking for help to secure your form, but you haven't included any evidence that you have researched this and already tried yourself. This is not a coding service. Do your research, try it yourself, and if you run into a *specific* problem, come back with the details. – FluffyKitten Sep 15 '17 at 02:20

1 Answer

0
You can do two things to secure it from SQL injection:

1) use $UserN = mysqli_real_escape_string($con, $_POST['UserN']); instead of
$UserN = $_POST['UserN'];

2) for connecting to MySQL, use PDO like so:

$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

Then the insert query $sql = "INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES ('$UserN', '$FullN', '$Adrs', '$Email', '$PhoneN')";
becomes:

$stmt = $dbh->prepare("INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?,?,?,?,?)");        //Insert query
$stmt->execute([$UserN, $FullN, $Adrs, $Email, $PhoneN]);   // execute() takes one array of values, in placeholder order
manishk
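A complete insert.php for the form in the question, as an added example that is not the asker's or the answerer's code. It follows the answer's PDO prepared-statement approach and fixes the two things that would still break in practice: the refresh header has to be sent before any output, and PDO's execute() takes a single array of values. The host, database name and credentials are the placeholders from the question and the UserIn table is the one the question uses; the request-method check, the try/catch, the PDO error-mode options, the charset in the DSN and the email validation are assumptions added here. mysqli_real_escape_string is deliberately not used: the values are bound as parameters and never become part of the SQL text, and that function needs a mysqli connection, not a PDO one.

```php
<?php
// Added example (not the original poster's or answerer's code): a full
// insert.php for the question's form, using a PDO prepared statement.
// Connection details are the placeholder values from the question; the
// validation and error handling are assumptions added for this example.
declare(strict_types=1);

$host   = 'localhost';
$dbname = 'DBName';
$user   = 'dbuser';
$pass   = 'password';

// Only accept form posts; a GET to insert.php has nothing to insert.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the form to submit.');
}

// Read each field; a missing field becomes '' instead of an undefined-index notice.
// No escaping happens here: the values are bound below and never enter the SQL text.
$fields = ['UserN', 'FullN', 'Adrs', 'Email', 'PhoneN'];
$data   = [];
foreach ($fields as $name) {
    $data[$name] = trim((string) ($_POST[$name] ?? ''));
}

// A parameterised query stops injection; it does not validate the data itself,
// so the fields the application relies on are still checked.
if ($data['UserN'] === '' || filter_var($data['Email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Username and a valid email address are required.');
}

try {
    $dbh = new PDO(
        "mysql:host=$host;dbname=$dbname;charset=utf8mb4",
        $user,
        $pass,
        [
            // Throw on any error instead of returning false that nobody checks.
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Let the MySQL server bind the parameters rather than PDO splicing them client-side.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    // The ? placeholders mark where bound values go; the SQL text itself is constant.
    $stmt = $dbh->prepare(
        'INSERT INTO UserIn (UserN, FullN, Adrs, Email, PhoneN) VALUES (?, ?, ?, ?, ?)'
    );
    // execute() takes ONE array, with the values in placeholder order.
    $stmt->execute([
        $data['UserN'],
        $data['FullN'],
        $data['Adrs'],
        $data['Email'],
        $data['PhoneN'],
    ]);
} catch (PDOException $e) {
    // Log the detail server-side; do not echo $e->getMessage() to the browser,
    // it can contain the DSN, table names or the failing SQL.
    error_log('insert.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Not Inserted');
}

// header() must go out before any output, so the redirect is set first and
// the confirmation text is echoed after it.
header('refresh:2; url=survey.html');
echo 'Inserted';
```

A quick check that the binding is doing its job: submit the form with a username such as O'Brien or a value containing `'); --`. With the original string-built query the first one fails with a syntax error and the second one is interpreted as SQL; with this script both are stored literally as the text that was typed, and the page still refreshes to survey.html after two seconds.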