
I am attempting to write a program that will take information from an HTML form and upload it to a MySQL database that exists on my localhost (using XAMPP). To do this, I have used HTML to create a form that will take in the data to be inserted into the database, like this:

<!DOCTYPE html>
<html lang="en">
    <head>
        <link rel="stylesheet" href="styles/main.css">
        <meta charset="utf-8">
        <title>Presentation Registration</title>
        <script type="text/javascript">
            function Submit()
            {
                // I put input validation stuff here, but left it out to simplify code for reading
                document.getElementById("myForm").submit();
            }
        </script>
    </head>

<body>
    <form id="myForm" action="actionPage.php" method="post">
    <TABLE>
        <TR>
            <TD><input type="radio" name="TimeSlot" class="TimeSlot" id="Slot1" value="Slot1">12/9/15, 6:00 PM – 7:00 PM</TD>
            <TD>
            <?php 
            $con = mysqli_connect('localhost','username','password', 'myDB');

            $query = "SELECT * FROM reserve";

            $result = mysqli_query($con, $query);

            $row = mysqli_fetch_array($result);
            echo $row["Open Seats"]." ";
            ?>
            Seats Remaining</TD>
        </TR>
        <TR>
            <TD><input type="radio" name="TimeSlot" class="TimeSlot" id="Slot2" value="Slot2">12/9/15, 7:00 PM – 8:00 PM</TD>
            <TD><?php
                $row = mysqli_fetch_array($result);
                echo $row["Open Seats"]." ";
                ?>
                Seats Remaining</TD>
        </TR>
        <TR>
            <TD><input type="radio" name="TimeSlot" class="TimeSlot" id="Slot3" value="Slot3">12/9/15, 8:00 PM – 9:00 PM</TD>
            <TD><?php
                $row = mysqli_fetch_array($result);
                echo $row["Open Seats"]." ";
                ?>
                Seats Remaining</TD>
        </TR>
        <TR>
            <TD><input type="radio" name="TimeSlot" class="TimeSlot" id="Slot4" value="Slot4">12/10/15, 6:00 PM – 7:00 PM</TD>
            <TD><?php
                $row = mysqli_fetch_array($result);
                echo $row["Open Seats"]." ";
                ?>
                Seats Remaining</TD>
        </TR>
        <TR>
            <TD><input type="radio" name="TimeSlot" class="TimeSlot" id="Slot5" value="Slot5">12/10/15, 7:00 PM – 8:00 PM</TD>
            <TD><?php
                $row = mysqli_fetch_array($result);
                echo $row["Open Seats"]." ";
                ?>
                Seats Remaining</TD>
        </TR>
        <TR>
            <TD><input type="radio" name="TimeSlot" class="TimeSlot" id="Slot6" value="Slot6">12/10/15, 8:00 PM – 9:00 PM</TD>
            <TD><?php
                $row = mysqli_fetch_array($result);
                echo $row["Open Seats"]." ";
                ?>
                Seats Remaining</TD>
        </TR>
    </TABLE>
    <button type="button">Student List</button>
    <TABLE>
        <TR>
            <TD>UMID&nbsp;</TD>
            <TD><input type="text" class="inputText" id="UMID" name="UMID"></TD>
        </TR>
        <TR>
            <TD>First Name&nbsp;</TD>
            <TD><input type="text" class="inputText" id="fName" name="fName"></TD>
        </TR>
        <TR>
            <TD>Last Name&nbsp;</TD>
            <TD><input type="text" class="inputText" id="lName" name="lName"></TD>
        </TR>
        <TR>
            <TD>Project Title&nbsp;</TD>
            <TD><input type="text" class="inputText" id="projectTitle" name="projectTitle"></TD>
        </TR>
        <TR>
            <TD>E-Mail&nbsp;</TD>
            <TD><input type="text" class="inputText" id="email" name="email"></TD>
        </TR>
        <TR>
            <TD>Phone Number&nbsp;</TD>
            <TD><input type="text" class="inputText" id="phone" name="phone"></TD>
        </TR>
    </TABLE>
    <button type="button" onclick="Submit()">Submit</button>
    </form>

</body>
</html>

As seen in the code, I use an action tag on the submit function to trigger "actionPage.php" to run. The code inside of that program is shown below:

<?php
    $con = mysqli_connect('localhost','username','password', 'myDB');
    $umid = $_POST['UMID'];
    $fName = $_POST['fName'];
    $lName = $_POST['lName'];
    $projTitle = $_POST['projectTitle'];
    $eMail = $_POST['email'];
    $phone = $_POST['phone'];
    $slotID = "1";


    $query = "INSERT INTO student (UMID, fName, lName, projTitle, e-Mail, phone#, SlotID) VALUES ($umid, $fName, $lName, $projTitle, $eMail, $phone, $slotID)";

    $result = mysqli_query($con, $query);

    echo "Database Insertion Complete";
?>

All of this connects to a database with two tables, student and reserve. When I run the code and input the information, actionPage.php triggers, and runs through all the code, including the echo statement at the end. However, the student table is not updated when I look in XAMPP. Is there something wrong with my code, or should I look for other issues?

Tyrovar
  • change the `echo` to `if($result) echo "Database Insertion Complete";` and tell us what happens – musashii Dec 01 '17 at 21:11
  • `$umid = "$_POST(UMID)";` should be `$umid = $_POST["UMID"];` I believe. And the same for the other similar lines. Then next you should learn about prepared statements and parameterised queries, to protect your database from SQL injection attacks. See http://bobby-tables.com/ for an explanation and examples of how to write your queries safely. – ADyson Dec 01 '17 at 21:11
  • And also `` needs to be ``, and the same for the other fields. Form elements are not submitted to the server if they don't have a "name" attribute. I suggest you maybe find a basic HTML/PHP forms tutorial and pay close attention to it, because these are fairly basic errors. – ADyson Dec 01 '17 at 21:13
  • Lastly, I notice you have some validation code in your JS which you omitted for brevity. That's nice, but any and all validation code must be repeated on the server-side too. Anyone with minimal knowledge of their browser can simply switch off Javascript, submit the form, and bypass all your validation instantly. If you want to be sure that your data is valid, implement your validation in PHP first. Validation in JS is nice for user experience, but should be a secondary concern. – ADyson Dec 01 '17 at 21:15
  • @musashii I did what you suggested, and the echo statement did not trigger. I'm guessing that means the query I have in $result is invalid. – Tyrovar Dec 02 '17 at 20:36
  • @ADyson I think you were right with your comments. However, the query I am using still appears to be invalid after implementing those changes on my end. I will update the code I have posted here momentarily based on your comments and I will be sure to look at the link you posted as well. – Tyrovar Dec 02 '17 at 20:36
  • check whether $result returns `false`. If it does, then look at the output of mysqli_error() and see what's wrong. Also make sure PHP error reporting is switched on and something else isn't causing a crash – ADyson Dec 02 '17 at 21:02
  • @ADyson Here is the error that mysqli_error() prints out for me: "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-Mail, 'phone#', SlotID) VALUES (00000001, John, Smith, Example Project, johnsmith@')' at line 1" (Note that I replaced the exact inputs I used to protect sensitive information, but the point is, it prints out part of my inputs at the end.) It looks like something is wrong with the query I use in actionPage.php at this point, but I'm still not sure what it is. – Tyrovar Dec 03 '17 at 20:45
  • The way you've written the query is incorrect. For one thing, normally you need to put the input values for string (varchar) fields in single quotes. But if you use parameterised queries (as per my second comment) this kind of problem goes away anyway. – ADyson Dec 04 '17 at 09:12
  • did you get it to work? – musashii Dec 06 '17 at 18:34
  • @ADyson I changed the input values to have single quotes around each value for the varchar fields, and now my program works perfectly. I apologize for not getting back to you sooner. If you'd like to write up your suggestions into an answer post, I would gladly accept it. – Tyrovar Dec 17 '17 at 16:15
  • @Tyrovar done, thank you. Glad you solved your issue. – ADyson Dec 17 '17 at 20:32

2 Answers

1

$_POST is an array. So if you want to access "UMID", for example, it should be $_POST['UMID']. You use braces, which are only used with methods/functions.

Tamali
  • My code still isn't working after this change, but this is certainly a step in the right direction. – Tyrovar Dec 02 '17 at 20:41
  • Did you make sure that you get a connection to the database? And did you make sure that your query is not throwing any errors? With mysqli_error for example? – Tamali Dec 02 '17 at 21:02
-1

A few issues:

1) $umid = "$_POST(UMID)"; should be $umid = $_POST["UMID"]; I believe. And the same for the other similar lines.

2) <input type="text" class="inputText" id="UMID"> needs to be <input type="text" class="inputText" id="UMID" name="UMID">, and the same for the other fields. Form elements are not submitted to the server if they don't have a "name" attribute.

3) The way you've written the query is incorrect. For one thing, normally you need to put the input values for string (varchar) fields in single quotes.

A couple of secondary points:

a) I notice you have some validation code in your JS which you omitted for brevity. That's nice, but any and all validation code must be repeated on the server-side too. Anyone with minimal knowledge of their browser can simply switch off Javascript, submit the form, and bypass all your validation instantly. If you want to be sure that your data is valid, implement your validation in PHP first. Validation in JS is nice for user experience, but should never be your only method of checking the data.

b) You should learn about prepared statements and parameterised queries, to protect your database from SQL injection attacks. Currently your database could easily be compromised by an attacker. See http://bobby-tables.com for an explanation and examples of how to write your queries safely. Also if you use parameterised queries, the kind of problem described in item 3 above goes away automatically, because you no longer have to worry about this kind of syntax - the parameterisation process handles it for you.

ADyson
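As an added example (not the asker's code and not ADyson's), here is actionPage.php rewritten along the lines of items 3, a) and b) above: mysqli exceptions so a failed INSERT can never be followed by the success message, server-side validation of every field, and a parameterised INSERT in which the column names `e-Mail` and `phone#` from the question are backtick-quoted because they contain `-` and `#`. The credentials, the field formats and the mapping from the form's TimeSlot radio value to SlotID are assumptions.

```php
<?php
// Added example, not the original actionPage.php. Table and column names come
// from the question; credentials, field limits and the TimeSlot -> SlotID
// mapping are assumptions for illustration.
// Throw on any mysqli error: the original echoed "Insertion Complete" even
// when mysqli_query() had returned false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Re-check every field on the server; the JavaScript validation can be bypassed.
function validateStudent(array $post): array
{
    $errors = [];
    if (!preg_match('/^\d{8}$/', $post['UMID'] ?? '')) {
        $errors[] = 'UMID must be 8 digits';                 // assumed format
    }
    foreach (['fName', 'lName', 'projectTitle'] as $f) {
        $v = trim($post[$f] ?? '');
        if ($v === '' || mb_strlen($v) > 100) {
            $errors[] = "$f is required and at most 100 characters";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (!preg_match('/^[\d\s()+-]{10,20}$/', $post['phone'] ?? '')) {
        $errors[] = 'phone must be 10 to 20 digits or separators';
    }
    if (!preg_match('/^Slot[1-6]$/', $post['TimeSlot'] ?? '')) {
        $errors[] = 'TimeSlot must be one of Slot1 to Slot6';
    }
    return $errors;
}

$errors = validateStudent($_POST);
if ($errors !== []) {
    http_response_code(400);
    exit('Invalid input: ' . htmlspecialchars(implode('; ', $errors)));
}
$con = mysqli_connect('localhost', 'username', 'password', 'myDB');
$con->set_charset('utf8mb4');

// Placeholders keep the values out of the SQL text, so an apostrophe in a
// project title or a crafted input cannot change the statement; quoting of
// varchar values is handled by the driver, which is why item 3 disappears.
$stmt = $con->prepare('INSERT INTO student (UMID, fName, lName, projTitle, `e-Mail`, `phone#`, SlotID)'
                    . ' VALUES (?, ?, ?, ?, ?, ?, ?)');
$slotID = (int) substr($_POST['TimeSlot'], 4);               // "Slot3" -> 3 (assumed mapping)
$stmt->bind_param('ssssssi', $_POST['UMID'], $_POST['fName'], $_POST['lName'],
                  $_POST['projectTitle'], $_POST['email'], $_POST['phone'], $slotID);
$stmt->execute();                                            // throws on failure
echo 'Database Insertion Complete (' . $stmt->affected_rows . ' row)';
```

With MYSQLI_REPORT_STRICT enabled, the syntax error quoted in the comments would have surfaced as an uncaught mysqli_sql_exception on the first run instead of a silent false return.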