1

I kinda ran into a problem with my form, which is connected with the DB through the outdated MySQL. I'm trying to convert this to MySQLi following online sources and my own knowledge, but it doesn't seem to do the trick. I have checked Stack Overflow (How to solve Mysql to mysql as I have some problems), which does cover the conversion for some points, but as I have some extra functions I don't quite know how to go. Also, is the stripslashes function still necessary when using MySQLi? Your help and time are much appreciated. The script goes as follows:

    <?php

    if($_POST['formSubmit'] == "Submit")
    {
        $errorMessage = false;

        if(empty($_POST['formName']))
        {
            $errorMessage = true;
        }
        if(empty($_POST['formEmail']))
        {
            $errorMessage = true;
        }
        if(empty($_POST['formAddress']))
        {
            $errorMessage = true;
        }
        if(empty($_POST['formPrice']))
        {
            $errorMessage = true;
        }

        $varName = $_POST['formName'];
        $varEmail = $_POST['formEmail'];
        $varAddress = $_POST['formAddress'];
        $varPrice = $_POST['formPrice'];
        $varComments = $_POST['formComments'];

        if($errorMessage == false)
        {
            $db = mysql_connect("","","");
            if(!$db) die("Error connecting to MySQL database.");
            mysql_select_db("" ,$db);

            $sql = "INSERT INTO formdata (name, email, address, price, comments) VALUES (".
                            PrepSQL($varName) . ", " .
                            PrepSQL($varEmail) . ", " .
                            PrepSQL($varAddress) . ", " .
                            PrepSQL($varPrice) . ", " .
                            PrepSQL($varComments) . ")";
            mysql_query($sql);

            header("Location: thankyou.php");
            exit();
        }
    }

    //sql injection protection..
    function PrepSQL($value)
    {
        if(get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }

        $value = "'" . mysql_real_escape_string($value) . "'";

        return($value);
    }

    ?>

I had the connecting part working, but it didn't write to the DB, so I think the query part went wrong.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
Jeroen
  • 61
  • 1
  • 1
  • 6

1 Answer

-1

Just basic changes:

    $link = mysqli_connect('localhost','root','pass','myDB');
    if (!$link) {
        die('Could not connect: ' . mysqli_connect_error());
    }

    $sql= "INSERT INTO keypairs (name, email, address, price, comments) VALUES ('$varName','$varEmail','$varAddress','$varPrice','$varComments')";
    if (!mysqli_query($link,$sql)) {
        //error ...
    }
RequireBool
  • 48
  • 1
  • 6
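An added example, not part of either post above: the question's form handler moved to mysqli with a prepared statement, so the submitted values travel as bound parameters instead of being quoted or interpolated into the SQL string. That takes over the job of `PrepSQL()`, and since magic quotes were removed in PHP 5.4 there is nothing left for `stripslashes()` to undo. The table and column names come from the question; the connection values and the `saveFormData()` helper name are assumptions.

```php
<?php
// Added example: host, user, password and database name are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: validates the required fields and inserts one row.
function saveFormData(mysqli $link, array $post): bool
{
    // Same required fields as the question's empty() checks.
    foreach (['formName', 'formEmail', 'formAddress', 'formPrice'] as $field) {
        if (empty($post[$field])) {
            return false;
        }
    }

    $name     = $post['formName'];
    $email    = $post['formEmail'];
    $address  = $post['formAddress'];
    $price    = $post['formPrice'];
    $comments = $post['formComments'] ?? '';

    // The ? placeholders keep user input out of the SQL text, so no manual
    // quoting, mysqli_real_escape_string() or stripslashes() is needed.
    $stmt = $link->prepare(
        'INSERT INTO formdata (name, email, address, price, comments)
         VALUES (?, ?, ?, ?, ?)'
    );
    // 's' binds each value as a string; use 'd' or 'i' for numeric columns.
    $stmt->bind_param('sssss', $name, $email, $address, $price, $comments);
    $stmt->execute();
    $stmt->close();

    return true;
}

if (($_POST['formSubmit'] ?? '') === 'Submit') {
    $link = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $link->set_charset('utf8mb4');

    if (saveFormData($link, $_POST)) {
        header('Location: thankyou.php');
        exit();
    }
}
```

With `MYSQLI_REPORT_STRICT` a failed connect or insert raises `mysqli_sql_exception`, so a query that silently writes nothing, as described in the question, surfaces as an error instead.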