My user-submitted data will not go into my database. I have a form in which they insert their information, and then it should just insert into the database. I can connect to my database fine and it picks up the information, it just doesn't insert it?

The form:

```html
<div class="form">
    <form id="addsteps" action="add.php" method="post" autocomplete="off">
        <div class="field-wrap">
            <input type="date" required autocomplete="off" name="date" style="color: black; text-align: center;"/>
        </div>
        <div class="field-wrap">
            <input type="number" required autocomplete="off" name="steps" style="color: black;"/>
        </div>
        <button type="submit" class="button button-block" name="submit">Submit</button>
    </form>
</div>
```

The code:

```php
<?php   include '../db_connection.php';

session_start();

$unique_id = $_SESSION['unique_id'];

$_SESSION['date'] = $_POST['date'];
$_SESSION['steps'] = $_POST['steps'];

$_POST['date'];
$_POST['steps'];

$date = $link->escape_string($_POST['date']);
$steps = $link->escape_string($_POST['steps']);

$sql = "INSERT INTO step_count (unique_id, date, steps) "
  . "VALUES ('$unique_id','$date','$steps')";

 ?>
```

It picks up the data fine and when using a var_dump I get

```
string(81) "INSERT INTO step_count (unique_id, date, steps) VALUES ('1','2017-12-16','12345')"
```

So I was just wondering where I am going wrong as it won't go into the database?

This is the db_connection file:

```php
<?php
$link = mysqli_connect("localhost", "root", "", "repsandsteps");

if (!$link) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
} ?>
```
Phoebe
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Dec 14 '17 at 16:31
  • You are not actually executing the query. http://php.net/manual/en/mysqli-stmt.execute.php – Jay Blanchard Dec 14 '17 at 16:32
  • Can you show the db_connection file contents? – samehanwar Dec 14 '17 at 16:38
  • Do you have database access? Run your query above directly in the database, then see what happens. – user3337667 Dec 14 '17 at 16:40
  • I have added the db_connection file for you and yes I do, it connects to the database no problem – Phoebe Dec 14 '17 at 16:40
  • `$sql = "INSERT INTO step_count (unique_id, date, steps) " . "VALUES ('$unique_id','$date','$steps')";` just creates a string variable in memory. You aren't doing anything with that string - after that line your PHP script just ends. You never executed a query. – ADyson Dec 14 '17 at 16:44

1 Answer

You should execute the query like this:

```php
<?php
include '../db_connection.php';
session_start();

$unique_id = $_SESSION['unique_id'];
$_SESSION['date'] = $_POST['date'];
$_SESSION['steps'] = $_POST['steps'];

// Escape the submitted values for use inside quoted SQL string literals
$date = mysqli_real_escape_string($link, $_POST['date']);
$steps = mysqli_real_escape_string($link, $_POST['steps']);

// Build the INSERT statement as a string
$sql = "INSERT INTO step_count (unique_id, date, steps) "
  . "VALUES ('$unique_id','$date','$steps')";

// Send the statement to MySQL; without this call nothing is inserted
mysqli_query($link, $sql);
```
samehanwar
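
The comments under the question point to prepared statements and to the missing execute step. The following is an added example, not part of the original question or answer, showing `add.php` with both applied. It assumes `db_connection.php` defines `$link` as shown on this page and that `$_SESSION['unique_id']` was set at login; the upper bound on steps and the response messages are assumptions.

```php
<?php
// Added example: add.php rewritten with a prepared statement.
// Assumes db_connection.php defines $link (as on this page) and that
// $_SESSION['unique_id'] was set at login.
include '../db_connection.php';
session_start();

// Make mysqli throw exceptions so a failed prepare/execute is never silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_SESSION['unique_id'])) {
    http_response_code(400);
    exit('Bad request');
}

// Validate the date: it must be a real calendar date in Y-m-d form.
$rawDate = $_POST['date'] ?? '';
$parsed  = is_string($rawDate) ? DateTime::createFromFormat('!Y-m-d', $rawDate) : false;
if ($parsed === false || $parsed->format('Y-m-d') !== $rawDate) {
    http_response_code(422);
    exit('Invalid date');
}

// Validate steps: a non-negative integer. The upper bound is an assumed sanity limit.
$steps = filter_var($_POST['steps'] ?? null, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 200000]]);
if ($steps === false) {
    http_response_code(422);
    exit('Invalid step count');
}

try {
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $link->prepare(
        'INSERT INTO step_count (unique_id, date, steps) VALUES (?, ?, ?)'
    );
    $uniqueId = (string) $_SESSION['unique_id'];
    $stmt->bind_param('ssi', $uniqueId, $rawDate, $steps);
    $stmt->execute();   // the step the script in the question never reached
    $stmt->close();
    echo 'Saved';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; return only a generic message to the client.
    error_log('step_count insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save steps');
}
```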