
I have two pieces of code that seem to elude me on what is wrong. Searching this site, I see a lot of others having the same problem. Using some of the given answers, I fashioned my code with what was given, but to no avail. Testing my form, all variables were passed (using “echo” in a php file). My form looks like this:

    <div style="position: absolute; left: 10px; top: 290px; z-index: 6;">
      <form name="offerings" action="Offer_done.php"  method="POST">
      <table>
      <tr>
       <td align="right">First Name:</td>
       <td align="left"><input type="text" name="fname" required vspace="4" 
         /></td>
       </tr>
       <tr>
       <td align="right">Last Name:</td>
       <td align="left"><input type="text" name="lname" required vspace="4" 
         /></td>
       </tr>
       <tr>
       <td align="right">Email:</td>
       <td align="left"><input type="text" name="email"  required vspace="4" 
         /></td>
       </tr>
       <tr>
       <td align="right">Choose Your Card:</td>
       <td><input list="card_type" name="card_type" required /></td>
           <datalist id="card_type">
              <option value="American Express">
              <option value="Cirrus">
              <option value="Diners Club">
              <option value="Discover">
              <option value="MasterCard">
              <option value="Visa">
           </datalist>
       </tr>
       <tr>
       <td align="right">Credit Card Num:</td>
       <td align="left"><input type="text" name="c_number" required 
            SIZE="16" MAXLENGTH="16" vspace="4" /></td>
       </tr>
       <tr>
       <td align="right">CV Code:</td>
       <td align="left"><input type="text" name="cv_code" required SIZE="4" 
           MAXLENGTH="4" vspace="4" /></td>
       </tr>
       <tr>
       <td align="right">Offering Amt($):</td>
       <td align="left">$<input type="number" name="amount" value="1" 
           min="0" step="1.00" data-number-to-fixed="2"
           data-number-stepfactor="100" class="currency" id="c1" name="money" required 
           SIZE="7" MAXLENGTH="7" vspace="4" />
       </tr>
       <tr>
       <td align="right"><INPUT TYPE="submit" VALUE="Submit Your Offering">
       </td>

       <td><input action="action" onclick="window.history.go(-1); return 
           false;" type="button" value="Cancel - Back To Index Page" /></td>
       </tr>

      </table>
      </form>

    </div>
    <!-- ---------------- End Form ---------------- -->

My php file to process and send to looks like this:

    <?php

    $conn = mysqli_connect("localhost", "root", "xuncle", "offerings");
    if(!$conn) {
        die("connection failed: " .mysqli_connect_error());
    }

        $fname = $_POST['fname'];
        $lname = $_POST['lname'];
        $email = $_POST['email'];
        $card_type = $_POST['card_type'];
        $c_number = $_POST['c_number'];
        $cv_code = $_POST['cv_code'];
        $amount = $_POST['amount'];
    $mysqli_query = "INSERT INTO givers (fname, lname, email, card_type, 
    c_number, cv_code, amount) 
    VALUES ($fname, $lname, $email, $card_type, $c_number, $cv_code, 
    $amount)";

    $result = mysqli_query($conn,$sql);

    header("Location: index.html"); 


    ?>

Can someone please put me back on the right track?

    Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) – Qirel Sep 29 '17 at 09:08
  • Also this: https://stackoverflow.com/questions/4261133/php-notice-undefined-variable-notice-undefined-index-and-notice-undef – Qirel Sep 29 '17 at 09:08
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Sep 29 '17 at 09:14

2 Answers


You had a typo here in this line `$result = mysqli_query($conn,$sql);`, which you need to change to `$result = mysqli_query($conn,$mysqli_query);`, as @Akintunde noted too.

I would suggest you use prepared statements. These are SQL statements that are sent to and parsed by the database server separately from any parameters. Check "How can I prevent SQL injection in PHP?"

    <?php
    // $_POST is a superglobal and is always set, so isset($_POST) is never false;
    // check the request method instead to run this only on a real submission.
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {

      $conn = mysqli_connect("localhost", "root", "xuncle", "offerings");
      if (!$conn) {
        die("connection failed: " . mysqli_connect_error());
      }

      // The ? placeholders keep the submitted values out of the SQL text entirely
      $result = mysqli_prepare($conn, "INSERT INTO `givers` (`fname`, `lname`, `email`, `card_type`, `c_number`, `cv_code`, `amount`) VALUES (?, ?, ?, ?, ?, ?, ?)");
      if (!$result) {
        die("prepare failed: " . mysqli_error($conn));
      }
      // six strings and one double, bound by position
      mysqli_stmt_bind_param($result, "ssssssd", $_POST['fname'], $_POST['lname'], $_POST['email'], $_POST['card_type'], $_POST['c_number'], $_POST['cv_code'], $_POST['amount']);
      mysqli_stmt_execute($result);
      mysqli_stmt_close($result);

      header("Location: index.html");
    }
    ?>
Nana Partykar

In the above code, you are accessing the wrong variable when executing the query. Also, your code is very risky; therefore you need to start using prepared statements, as the API you use supports them. This would help prevent SQL injections.

Your final code would be:

    $conn = new mysqli("localhost", "root", "xuncle", "offerings");
    if ($conn->connect_error) { // new mysqli() always returns an object, so check connect_error
        die("connection failed: " . $conn->connect_error);
    }

    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $email = $_POST['email'];
    $card_type = $_POST['card_type'];
    $c_number = $_POST['c_number'];
    $cv_code = $_POST['cv_code'];
    $amount = $_POST['amount'];

    $stmt = $conn->prepare("INSERT INTO givers (fname, lname, email, card_type, c_number, cv_code, amount) VALUES (?, ?, ?, ?, ?, ?, ?)"); // prepare the statement
    if ($stmt === false) {
        die("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("sssssss", $fname, $lname, $email, $card_type, $c_number, $cv_code, $amount); // bind placeholders to variables
    if ($stmt->execute() === true) { // everything went fine
        header("Location: index.html");
        //echo 'Data saved successfully';
    } else {
        echo 'Error. Data not saved. ' . $stmt->error; // get error
    }
Rotimi
    "*A potential workaround would be to wrap your variables in the query with single quotes*" No, that only makes it "work" - until some variable has a quote in it. And instead of telling them, why don't you show how to use a prepared statement? :-) – Qirel Sep 29 '17 at 09:16
  • @Qirel I have updated the code with prepared statements. I didn't do that earlier as I was typing via mobile ;) – Rotimi Sep 29 '17 at 11:10
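A hardened version of the handler that both answers sketch, as an added example that is not code from the question or either answer: it validates the form's fields before touching the database, turns mysqli failures into exceptions instead of silent `false` returns, and inserts through a prepared statement so user data never becomes part of the SQL text. The table, column names and card types come from the thread; the credentials are placeholders, and `validateOffering` and `insertOffering` are names chosen for this example.

```php
<?php
declare(strict_types=1);
// Allowed card types, copied from the form's <datalist> in the question.
const CARD_TYPES = ['American Express', 'Cirrus', 'Diners Club', 'Discover', 'MasterCard', 'Visa'];

// Validate a $_POST-shaped array; returns [clean values, list of error messages].
function validateOffering(array $in): array
{
    $errors = [];
    $out = [];
    foreach (['fname', 'lname'] as $k) {
        $out[$k] = trim((string)($in[$k] ?? ''));
        if ($out[$k] === '' || strlen($out[$k]) > 100) {
            $errors[] = "$k is required (max 100 characters)";
        }
    }
    $out['email'] = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($out['email'] === false) { $errors[] = 'email is not valid'; }
    $out['card_type'] = (string)($in['card_type'] ?? '');
    if (!in_array($out['card_type'], CARD_TYPES, true)) { $errors[] = 'unknown card type'; }
    // The form caps these at 16 and 4 characters; enforce digits-only on the server as well.
    $out['c_number'] = (string)($in['c_number'] ?? '');
    if (!ctype_digit($out['c_number']) || strlen($out['c_number']) > 16) { $errors[] = 'card number must be 1-16 digits'; }
    $out['cv_code'] = (string)($in['cv_code'] ?? '');
    if (!ctype_digit($out['cv_code']) || strlen($out['cv_code']) > 4) { $errors[] = 'CV code must be 1-4 digits'; }
    $out['amount'] = filter_var($in['amount'] ?? '', FILTER_VALIDATE_FLOAT, ['options' => ['min_range' => 0]]);
    if ($out['amount'] === false) { $errors[] = 'amount must be a number >= 0'; }
    return [$out, $errors];
}

// Insert validated values; the SQL string holds only ? placeholders, never user data.
function insertOffering(mysqli $conn, array $v): void
{
    $stmt = $conn->prepare('INSERT INTO givers (fname, lname, email, card_type, c_number, cv_code, amount) VALUES (?, ?, ?, ?, ?, ?, ?)');
    // six strings and one double, bound by position; "ssssssd" matches the column list above
    $stmt->bind_param('ssssssd', $v['fname'], $v['lname'], $v['email'], $v['card_type'],
                      $v['c_number'], $v['cv_code'], $v['amount']);
    $stmt->execute();
    $stmt->close();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$clean, $errors] = validateOffering($_POST);
    if ($errors !== []) { http_response_code(400); exit(implode("\n", $errors)); }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // connect/prepare/execute failures now throw mysqli_sql_exception
    $conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'offerings'); // placeholder credentials, not the thread's
    insertOffering($conn, $clean);
    header('Location: index.html');
}
```

With exception reporting on, a failed prepare or execute surfaces as an error in the server log rather than a silent redirect to index.html with nothing saved.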