Insert into SQL database user input from HTML form

Question

I am trying to insert into column "UserId" in my sql database, using php, text that the user inputs in the HTML form. Below is a basic example to help me figure out what I am doing wrong.

HTML

<html>
<form action="index1.php" method ="post" name="trial">

    <input type="text" name="testName" id="testId">
    <br>
    <input type="submit" value="Submit">

</form>
</html>

PHP

$servername = "localhost";
$username = "root";
$password = "xx";
$dbname = "wp";

$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$UserId = $_POST['testName'];

$sql = "INSERT INTO UserProfile (UserId) VALUES ('$testName')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();

Some notes:

I can connect to database and insert in the correct columns checkbox and radio values from the form
I cannot find a way to insert in the database the user text input from the form (UserProfile is the table and UserId the column). Would using a javascript variable, like below one, help?
```
var testVar = document.getElementById("testId").value;
```
I know I am opening myself to hacking using the above code, I would like to improve it later on but I think I need to first figure out the basics (ie: how to get the user text input added to the database)

Than you in advance for any help!

Does the `$conn->error` trigger, and if so, what does it say? — Qirel, Sep 26 '17 at 16:18
no, no errors at all. just the the userId I input in the textbox doesn't get input in the database. — Letizia, Sep 26 '17 at 16:19
Possible duplicate of [PHP: "Notice: Undefined variable", "Notice: Undefined index", and "Notice: Undefined offset"](https://stackoverflow.com/questions/4261133/php-notice-undefined-variable-notice-undefined-index-and-notice-undef) — Qirel, Sep 26 '17 at 16:20
@JigarShah what do you mean? can you explain where do you think I am making a mistake? thank you — Letizia, Sep 26 '17 at 16:21
You are declaring `$UserId` but you're trying to insert `$testName`. Which is whats wrong! — L Ja, Sep 26 '17 at 16:22
should be : `$sql = "INSERT INTO UserProfile (UserId) VALUES ('$UserId')"; ` — Jigar Shah, Sep 26 '17 at 16:22
"I know I am opening myself to hacking using the above code, I would like to improve it later on but I think I need to first figure out the basics" — Doing it the right way (with prepared statements and bound variables) means throwing out a large portion of the code you are writing. It's a false economy, you are just teaching yourself bad habits. — Quentin, Sep 26 '17 at 16:24

score 3 · Answer 1 · answered Sep 26 '17 at 16:39

you are storing the value in $UserId, not in $testName:

Change your SQL Query to

$sql = "INSERT INTO UserProfile (UserId) VALUES ('$UserId')";

I think this will help. BTW: Think about SQL-Injection! Look here: How can I prevent SQL injection in PHP?

Mohamed Abulnasr · Answer 2 · 2017-09-26T16:59:08.650

0

Look here

$sql = "INSERT INTO UserProfile (UserId) VALUES ('$testName')";

Change $testName to $UserId in sql statement because it's the name of your new variable in php:

$UserId = $_POST['testName'];
$sql = "INSERT INTO UserProfile (UserId) VALUES ('$UserId')";

But I advice you to:

1- use PDO for any sql handling in php

2- use mysqli_real_escape_string to protect your code from threats.

make it like:

$UserId = mysqli_real_escape_string($con, $_POST['testName']);

edited Sep 26 '17 at 16:59

answered Sep 26 '17 at 16:34

Mohamed Abulnasr

589
7
18

Please do not give answers with security vulnerabilities – Rotimi Sep 26 '17 at 16:46
what is wrong in security in my code sample? explain to me please i'm confused now!!!! – Mohamed Abulnasr Sep 26 '17 at 16:48
1

Google prepared statements using mysqli – Rotimi Sep 26 '17 at 16:49
Thank you, i am editing it to explain him how to protect the insert – Mohamed Abulnasr Sep 26 '17 at 17:00

Insert into SQL database user input from HTML form

2 Answers2