-2

This is my code. I've done this before on another computer and it was okay, but now when I try it on my laptop, it can't be done. I don't know what the problem is; it shows blank in phpMyAdmin. I'm using XAMPP v3.2.2. Could that be the problem?

    <html><head><title>Your Data</title></head>
    <body>
    <?php
    $n = $_POST["n"]; 
    $c = $_POST["contact"]; 
    $e = $_POST["email"]; 
    $cm = $_POST["campus"]; 
    $m1 = $_POST["member1"]; 
    $m2 = $_POST["member2"]; 
    $m3 = $_POST["member3"]; 


    $connect = mysqli_connect("localhost","root","") or die("Unable to connect MySQL".mysqli_error());


    $db = mysqli_select_db($connect,"multimedia_db") or die("Unable to select database");


    $query1 = "INSERT INTO teams(advisor_name,advisor_contact,advisor_email,advisor_campus,member1,member2,member3) VALUES ('$n','$c','$e','$cm','$m1','$m2','$m3')";
    $data1 = mysqli_query($connect,$query1) or die("SQL statement failed"); //records are assigned to variable data
    echo "You've succesfully register";

    ?>

    </body>
    </html>
nbha
  • 3
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Nov 28 '17 at 19:31
  • 1
    Get the actual error from the query, like you do with the connection. – Jay Blanchard Nov 28 '17 at 19:32
  • 1
    [mysqli_error](http://php.net/manual/en/mysqli.error.php) should take the connection as argument. You should use [mysqli_connect_error](http://php.net/manual/en/mysqli.connect-error.php) when checking for connection errors. – FirstOne Nov 28 '17 at 19:33
  • Set a password for MySQL: https://www.apachefriends.org/faq_windows.html –  Nov 28 '17 at 19:37
  • Don't log your app in as root, it has too many privileges. Give your app a separate login with just the access it actually needs. This isn't likely to be the source of your issue but just a sensible design point, as are the comments above. – ADyson Nov 28 '17 at 19:52
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Nov 28 '17 at 20:02
  • 1
    @tadman That's your discretion, not a rule. We still use mysqli_query and mysqli_fetch_assoc and they work wonderful. Switching to OOP style is a preference, not a requirement. – somejkuser Nov 29 '17 at 14:46
  • @jkushner There's nothing "wonderful" about using the procedural interface. I've seen hundreds of questions here where the problem boiled down to a missing `i` in one of the function calls. `mysqli` itself is best avoided, PDO offers significant benefits, but if you must use `mysqli` for whatever reason, use the object-oriented interface for the simple reason that it's less code and a lot harder to get wrong. – tadman Nov 29 '17 at 19:11

2 Answers

1

I don't use MySQLi very often, so I'll explain how to use PDO. Just so you know, PDO means PHP Data Objects. The reason I'm explaining PDO is because, if done properly, it makes SQL injection almost impossible.

Connecting to your database is generally done in a separate file. Here is an example:

con.php

    <?php
        // Fill in your own connection details.
        $hostname = '';
        $username = '';
        $password = '';
        $dbname = '';

        try {
            $dbh = new PDO("mysql:host=$hostname;dbname=$dbname", $username, $password, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
            // Throw a PDOException on any database error instead of failing silently.
            $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        } catch (PDOException $e) {
            echo 'Connection failed: ' . $e->getMessage();
        }
    ?>

This is just connecting to the database. So that we don't have to keep connecting on other pages, we just refer to this page with an include, like this:

    <?php include 'con.php'; ?>

We can put this on any page and it'll include the connection to the database. For example, if you want to select from a database:

    <?php
        include 'con.php';

        // No user input here, so the statement has no placeholders.
        $load_data = $dbh->prepare("SELECT * FROM user_table");

        if ($load_data->execute()) {
            // Return each row as an array keyed by column name.
            $load_data->setFetchMode(PDO::FETCH_ASSOC);
        }

        while ($row = $load_data->fetch()) {
            $name = $row['name'];
            echo $name;
        }
    ?>

This would simply SELECT everything from the user_table from the column name and would display all the matching records.

If you're trying to do an INSERT instead:

    <?php
        include 'con.php';

        $post_name = $_POST['post_name'];

        // :user_name is a named placeholder; the value is bound separately from the SQL text.
        $stmt = $dbh->prepare("INSERT INTO user_table (name) VALUES (:user_name)");
        $stmt->bindParam(':user_name', $post_name, PDO::PARAM_STR);

        if ($stmt->execute()) {
            echo "Success";
        } else {
            echo "Failed";
        }
    ?>

So the $post_name would be the name you give your input on a form, in this case name="post_name", and that would be inserted into the user_table.

Hope this helps and FYI here is a very good tutorial on how to do INSERT, UPDATE and DELETE using PDO.

bob
  • I don't see what's deprecated about his code. It looks like a basic insertion query against `mysqli`. If he was using `mysql` I'd say it's deprecated. The code is flawed and not architected correctly, but I see no deprecated code there. – somejkuser Nov 28 '17 at 21:30
  • Actually, I learned this code from the syllabus at my university, using either mysql or mysqli. My lecturer asked me to use them, otherwise she will deduct my marks. And I'm a she, not a he :) Thank you guys for helping – nbha Nov 29 '17 at 02:05
  • @jkushner I misread it, thought it did say `mysql`, so yeah @nbha your code isn't deprecated, but it is still vulnerable to SQL Injection Attacks. That's why I used PDO, because if it's done properly it makes SQL Injection Attacks almost impossible. – bob Nov 29 '17 at 06:09
  • @bob absolutely – somejkuser Nov 29 '17 at 14:41
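
The question's INSERT written with mysqli prepared statements and exception-based error reporting, for the case raised in the comments where the course requires mysqli. This is an added example, not code from any poster on this page. It assumes PHP 7 or later; the `app_user` account, its placeholder password, the 100-character limit and the helper `read_team_fields` are hypothetical.

```php
<?php
// Added example. Table and column names come from the question; the account
// name, password placeholder and length limit are assumptions.

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Collect and validate the seven form fields before touching the database.
function read_team_fields(array $post): array
{
    $names = ['n', 'contact', 'email', 'campus', 'member1', 'member2', 'member3'];
    $values = [];
    foreach ($names as $name) {
        $value = $post[$name] ?? null;
        if (!is_string($value) || ($value = trim($value)) === '' || strlen($value) > 100) {
            throw new InvalidArgumentException("Missing or over-long field: $name");
        }
        $values[] = $value;
    }
    if (filter_var($values[2], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    return $values;
}

try {
    $fields = read_team_fields($_POST);
    // Dedicated low-privilege account (hypothetical), not root with an empty password.
    $connect = mysqli_connect('localhost', 'app_user', 'CHANGE_ME', 'multimedia_db');
    mysqli_set_charset($connect, 'utf8mb4');

    // The SQL text is fixed; user input travels separately as bound parameters.
    $stmt = mysqli_prepare($connect,
        'INSERT INTO teams (advisor_name, advisor_contact, advisor_email,
                            advisor_campus, member1, member2, member3)
         VALUES (?, ?, ?, ?, ?, ?, ?)');
    mysqli_stmt_bind_param($stmt, 'sssssss', ...$fields);
    mysqli_stmt_execute($stmt);
    echo 'Registration saved';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
} catch (mysqli_sql_exception $e) {
    // Keep the real database error in the server log, not in the response.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Registration failed';
}
```
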
1

I've found the solution to my question. It's just that I forgot to put localhost in front of the 'url'. No wonder it showed blank.

Like 'localhost/sem5/saveRegistration.php'.

I'm sorry for the inconvenience. Still a beginner using this, hehe.

nbha