-2

I have a problem sending my form values to a MySQL database. I read all the other topics and did what they wrote, but I didn't get what I want. Please help me :(

    <?php
      $dbhost = "localhost";
      $dbuser = "root";
      $dbpass = "13838383";
      $dbname = "users";
      $connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
    ?>
    <?php
    include("../includes/functions.php");
    ?>
    <!DOCTYPE html>
    <html>
      <head>
        <link rel="stylesheet" href="../public/stylesheets/style.css" type="text/css">
        <title>Our WebPage</title>
      </head>
      <body>
        <center>
        <form action="input.php" method="post">
          <fieldset>
            <legend>Register</legend>
            <span>UserName: </span><br />
            <input type="text" name="username" placeholder="USERNAME"><br /><br />
            <span>PassWord: </span><br />
            <input type="text" name="password" placeholder="PASSWORD"><br /><br />
            <input type="button" name="submit" value="submit"><br /><br />
          </fieldset>
        </form>
        </center>
        <?php
        ?>
        <?php
          if (isset($_POST['submit'])) {
            $username = $_POST['username'];
            $password = $_POST['password'];
            $addUserQuery = "INSERT INTO users (username, password) VALUES ({$username}, {$password});";
            $added = mysqli_query($connection, $addUserQuery);
            if ($added) {
              echo '<br>Input data is successful';
            } else {
              echo '<br>Input data is not valid';
            }
          }
        ?>
      </body>
    </html>

And my problem is I don't know what I should enter in the action attribute of the form tag. Thanks, please help.

1 Answer

0

Simply put, your variables aren't quoted, so your query is being turned into this (if someone submitted 1337user as the username and P@ssw0rd as the password):

    INSERT INTO users (username, password) VALUES (1337user, P@ssw0rd);

When it should be:

    INSERT INTO users (username, password) VALUES ('1337user', 'P@ssw0rd');

Bind your variables instead: How can I prevent SQL injection in PHP?

    if (isset($_POST['submit'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $addUserQuery = mysqli_prepare($connection, "INSERT INTO users (username, password) VALUES (?, ?)");
        mysqli_stmt_bind_param($addUserQuery, "ss", $username, $password);
        $added = mysqli_stmt_execute($addUserQuery);
        if ($added) {
            echo '<br>Input data is successful';
        } else {
            echo '<br>Input data is not valid';
        }
    }

Blue
  • 22,608
  • 7
  • 62
  • 92
  • INSERT INTO users (username, password) VALUES ({$username}, {$password}); when within quotes (") username and password would actually fetch actual values from $username and $password, but I agree that binding parameters should be used. – bestprogrammerintheworld Jul 29 '18 at 20:35
  • 1
    @bestprogrammerintheworld I guess I need to clarify. I understand it fetches the actual values (In my example, I used user and pass, instead of $username and $password to signify they were replaced.) I've updated my answer to use better examples, which show the issue better. – Blue Jul 29 '18 at 20:37
  • You told me something correct and I did it, and thank you, but you didn't tell me that I should set the submit input type to submit, as it was button :) thank you :) – Mehdi Aghighi Jul 30 '18 at 04:50
  • @MehdiAghighi - you were not totally clear what the actual issue was (I guess that's why you got downvoted). Glad to know you figured it out now anyway! :-) – bestprogrammerintheworld Jul 30 '18 at 06:59
  • @bestprogrammerintheworld yes! I didn't know what exactly my problem was, I just knew that the form values are not going to the MySQL database! And this is why I asked this question :( – Mehdi Aghighi Jul 30 '18 at 07:19
  • @MehdiAghighi - I mean that no one knew what happened / or didn't happen. You just stated "and my problem is i don't know know what should i enter in action attribute in form tag thanks please help" – bestprogrammerintheworld Jul 30 '18 at 07:23
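
The difference between the question's interpolated query and the answer's bound parameters, as an added example that is not part of the original question or answer. It swaps mysqli/MySQL for PDO with an in-memory SQLite database so it runs offline, stores the password with `password_hash` (which the answer does not do), and uses hypothetical function names and constructed sample input.

```php
<?php
// Added example, not from the original post. An in-memory SQLite database
// stands in for the MySQL server (assumption, so the script runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Hypothetical helper mirroring the question: the values are pasted into the
// SQL text without quotes, so the database parses them as SQL, not as data.
function addUserInterpolated(PDO $db, string $username, string $password): bool
{
    try {
        $db->exec("INSERT INTO users (username, password) VALUES ({$username}, {$password})");
        return true;
    } catch (PDOException $e) {
        return false; // statement rejected as malformed SQL
    }
}

// Hypothetical helper mirroring the answer: placeholders in the SQL text,
// values sent separately. The password is hashed before it is stored.
function addUserBound(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Constructed sample input, shaped like $_POST after the form is submitted.
// The apostrophe is a legitimate character that breaks hand-built SQL.
$post = ['username' => "O'Brien", 'password' => 'P@ssw0rd'];

echo "interpolated insert accepted: ";
var_dump(addUserInterpolated($db, $post['username'], $post['password']));

echo "bound insert accepted: ";
var_dump(addUserBound($db, $post['username'], $post['password']));

// Read the row back: the username is stored exactly as typed, and the
// stored hash verifies against the original password at login time.
$row = $db->query('SELECT username, password FROM users')->fetch(PDO::FETCH_ASSOC);
echo "username round-trips unchanged: ";
var_dump($row['username'] === $post['username']);
echo "password verifies against stored hash: ";
var_dump(password_verify($post['password'], $row['password']));
```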