-5

I want to ask about inputting data into a database.

  <?php
  include "koneksi.php";
  if(isset($_POST['daftar'])){
    $daftar = mysqli_query($conn, "INSERT INTO tb_daftar VALUES
    ('".$_POST['id']."',
      '".$_POST['nama']."',
      '".$_POST['asal_sekolah']."',
      '".$_POST['jenis_kelamin']."',
      '".$_POST['nama_ayah']."',
      '".$_POST['nama_ibu']."',
      '".$_POST['alamat']."',
      '".$_POST['no_hp']."',
      '')");
      if($daftar){
        $pesan1 = "Berhasil daftar";
        echo "<script type='text/javascript'>alert('$pesan1');</script>";
      }else{
        $pesan2 = "Gagal daftar";
        echo "<script type='text/javascript'>alert('$pesan2');</script>";
      }
  }
 ?>

The result always shows "Gagal daftar". How do I fix it? Thanks!

4 Answers

0

You have an extra comma after the last value. You should also use a prepared statement to prevent SQL injection.

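// The ? placeholders keep the submitted values out of the SQL text.
if ($dafter = mysqli_prepare($conn, "INSERT INTO tb_daftar VALUES (?, ?, ?, ?, ?, ?, ?, ?)")) {
    mysqli_stmt_bind_param($dafter, "ssssssss", $_POST['id'], $_POST['nama'], $_POST['asal_sekolah'], $_POST['jenis_kelamin'], $_POST['nama_ayah'], $_POST['nama_ibu'], $_POST['alamat'], $_POST['no_hp']);
    // Report success only when the statement actually executed.
    if (mysqli_stmt_execute($dafter)) {
        $pesan1 = "Berhasil daftar";
        echo "<script type='text/javascript'>alert('$pesan1');</script>";
    } else {
        // json_encode emits a quoted JavaScript string, so an apostrophe in the error cannot break alert().
        $pesan2 = json_encode(mysqli_stmt_error($dafter));
        echo "<script type='text/javascript'>alert($pesan2);</script>";
    }
} else {
    $pesan2 = json_encode(mysqli_error($conn));
    echo "<script type='text/javascript'>alert($pesan2);</script>";
}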
Simone Nigro
Barmar
-1

Your code is not in good condition. You need to think about many aspects, like:

  1. An integer value like id will not be in quotes.
  2. Sequence matters if you have not provided column names with the table name. Highly risky without column names.
  3. Your query is easy to inject: SQL injection.
  4. You have not checked the $_POST variable values with isset. Check my other answer about this.

To cover your risk, use mysqli or PDO.

But I suggest using mysqli or PDO for the insert. Here are some links to learn about mysqli:

mysqli_prepare

mysqli_stmt_bind_param

Prepared Statements in MySQLi

freelancer
  • Consider moving to codereview.stackexchange.com, where this kind of answer is welcome. On Stack Overflow, however, a general musing on the code posted is off topic. – Your Common Sense Dec 23 '17 at 11:23
-2

View errors from mysql query using mysqli_error

else{
    // json_encode turns the error text into a quoted JavaScript string literal
    $pesan2 = json_encode(mysqli_error($conn));
    echo "<script type='text/javascript'>alert('Error: ' + $pesan2);</script>";
  }
JoshKisb
-3
 $daftar = mysqli_query($conn, "INSERT INTO tb_daftar((database columns)) 
  VALUES
('".$_POST['id']."',
  '".$_POST['nama']."',
  '".$_POST['asal_sekolah']."',
  '".$_POST['jenis_kelamin']."',
  '".$_POST['nama_ayah']."',
  '".$_POST['nama_ibu']."',
  '".$_POST['alamat']."',
  '".$_POST['no_hp']."',
  '')");
kadir
  • Missing column information when saving to the database. (database columns) should be entered in the order of the data columns. – kadir Dec 23 '17 at 15:14
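
The points raised across the answers above (explicit column list, prepared statement, visible errors, checked `$_POST` values) combined into one handler, as an added example that is not code from the question or from any answer. Assumptions: `koneksi.php` sets `$conn` as in the question, the columns of `tb_daftar` are named like the form fields, and the ninth column (sent as `''` in the question) has a default; `FIELDS`, `alertJs` and `daftar` are hypothetical names.

```php
<?php
// Added example. Assumptions: koneksi.php sets $conn (mysqli) as in the question;
// tb_daftar's columns are named like the form fields; the ninth column
// (sent as '' in the question) has a default and can be omitted.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

const FIELDS = ['id', 'nama', 'asal_sekolah', 'jenis_kelamin',
                'nama_ayah', 'nama_ibu', 'alamat', 'no_hp'];

// Encode the message as a JS string literal so quotes or "</script>" in it cannot break out.
function alertJs(string $msg): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return "<script type='text/javascript'>alert(" . json_encode($msg, $flags) . ");</script>";
}

// Returns the message to show; throws mysqli_sql_exception on database errors.
function daftar(mysqli $conn, array $post): string
{
    $values = [];
    foreach (FIELDS as $f) {
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            return "Gagal daftar: $f"; // missing, empty or array-valued field
        }
        $values[] = trim($post[$f]);
    }
    // Explicit column list: the insert no longer depends on column order or count.
    $sql = 'INSERT INTO tb_daftar (' . implode(', ', FIELDS) . ') VALUES ('
         . implode(', ', array_fill(0, count(FIELDS), '?')) . ')';
    $stmt = $conn->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return 'Berhasil daftar';
}

if (isset($_POST['daftar'])) {
    try {
        include 'koneksi.php';
        echo alertJs(daftar($conn, $_POST));
    } catch (mysqli_sql_exception $e) {
        error_log('tb_daftar insert failed: ' . $e->getMessage()); // detail stays server-side
        echo alertJs('Gagal daftar');
    }
}
```

The database error text goes to the server log rather than the browser, since messages such as duplicate-key errors echo submitted values back.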