0

I'm trying to set up a very simple form to submit data to a MySQL database (I've never actually set up a MySQL database or the connections required to interact with it via a web form myself before).

I have a simple HTML form in my web page, to allow the user to enter a name, email address, and a question that they want to ask:

<!DOCTYPE html>
<html>
    <head>
        <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
        <meta content="utf-8" http-equiv="encoding">
    Page title
    </head>
    <body>
        <h1>Customer Information</h1>

        <form id="customerInfoForm" accept-charset = "utf-8" action = "insert.php" method = "post" >
            <table id = "customerInfoTable">
                <tr><td>Name: </td><td><input type = "text" name = "customerName" ></input></td></tr>
                <tr><td>Email: </td><td><input type = "text" name = "customerEmail"></input></td></tr>
                <tr><td>Enquiry: </td><td><input type = "text" name = "enquiryText"></input></td></tr>
            </table>
            <br>
            <input type = "submit" value = "Sumit"></input>
        </form>
    </body>
</html>

<?php
$con = mysql_connect('localhost','[retracted]','[retracted]');

if(!$con) {
    echo 'Not connected to server!';
}

$Name = $_POST['customerName'];
$Email = $_POST['customerEmail'];
$Query = $_POST['enquiryText'];

$sql = "INSERT INTO Enquiries(Name, Email, Query) VALUES ('$Name', '$Email', '$Query')";
if(!mysql_query($con, $sql)) {
    echo 'Data not inserted';
} else {
    echo 'Data inserted';
}

?>

In the insert.php file that's called when clicking the 'Submit' button on the form, I have the following:

<?php
    //Check if data has been entered
    if( isset( $_POST['data'] ) && !empty( $_POST['data'] ) )
    {
        $data = $_POST['data'];
    } else {
        header( 'location: form.html' );
        exit();
    }

    //set up mysql
    $sql_server = 'localhost';
    $sql_user = 'user';
    $sql_pwd = 'password';
    $sql_db = 'database';

    //Connect to sql database
    $mysqli = new mysqli( $sql_server, $sql_user, $sql_pwd, $sql_db) or die( $mysqli->error );

    //Insert details into table
    $insert = $mysqli->query( "INSERT INTO Enquiries ('data') VALUE ( '$data' )" );

    //Close mysqli connection
    $mysqli->close;
?>

However, currently, when I click the 'Submit' button on my form, I get an error displayed in my browser:

error ); //Insert details into table $insert = $mysqli->query( "INSERT INTO Enquiries ('data') VALUE ( '$data' )" ); //Close mysqli connection $mysqli->close; ?>

i.e. the above error is displayed as the content of the webpage, so it seems I'm doing something wrong with the database connection, but I'm not sure what... Can anyone point me in the right direction?

Noble-Surfer
  • 3,052
  • 11
  • 73
  • 118
  • If instantiating a new `mysqli` class fails the `$mysqli` will not be an object. See [the manual](http://php.net/manual/en/function.mysqli-connect.php) for the correct way to check if a connection worked and to report the erorrs if it didn't – RiggsFolly Dec 03 '18 at 15:36
  • **Error checking** Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any mysqli_ errors to generate an Exception that you can see on the browser as well as normal PHP errors. – RiggsFolly Dec 03 '18 at 15:37
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Dec 03 '18 at 15:40
  • 2
    **WARNING**: Do not use the obsolete [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface which was removed in PHP 7. A replacement like [PDO is not hard to learn](https://phpdelusions.net/pdo) and a guide like [PHP The Right Way](http://www.phptherightway.com/) helps explain best practices. Here parameters are **NOT** [properly escaped](http://bobby-tables.com/php) and this has severe [SQL injection bugs](http://bobby-tables.com/) in this code. Escape **any** and all user data, especially from `$_POST` or `$_GET`. – tadman Dec 03 '18 at 15:40
  • 1
    Consult all (4) duplicates. – Funk Forty Niner Dec 03 '18 at 15:44
  • @FunkFortyNiner (5) – RiggsFolly Dec 03 '18 at 15:45
  • @Riggs I stand corrected. – Funk Forty Niner Dec 03 '18 at 15:46
  • @FunkFortyNiner Not corrected, added too – RiggsFolly Dec 03 '18 at 15:48
  • @FunkFortyNiner Embellished if you like – RiggsFolly Dec 03 '18 at 15:48
  • lastly, if you followed a tutorial to set this up, then either a) find a better one, or b) pay closer attention to the fine details. – ADyson Dec 03 '18 at 15:58

0 Answers0