0

//I created an HTML form and created PHP code that should send the contents of the form to my database table, but while the page returns to its original state, which is fine, the data never makes it to the database -- and there is no error.

I originally tried to create a separate PHP form, but after doing some research found this to be more efficient, and cleaner. I just need it to work and to learn if it's possible or not for it to work.

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $firstname = $_POST["firstname"];
    $lastname  = $_POST["lastname"];
    $zipcode   = $_POST["zipcode"];
    $email     = $_POST["email"];
    $subject   = $_POST["subject"];
    $comment   = $_POST["comment"];

    //connect to server
    $dbhost   = "localhost";
    $username = "root";
    $password = "";
    $dbname   = "point12_guestform";

    $mysql = mysqli_connect($dbhost, $username, $password, $dbname);
    $query = "INSERT INTO aboutpage  
        (firstname,lastname,zipcode,email,subject,comment) VALUES 
        $firstname, $lastname, $zipcode, $email, $subject, $comment";
    mysqli_query($mysql, $query);
}
?>  
//HTML Form code
<form method="POST" />
   <br>
   <fieldset>
      <div class="col-50">
         <input type="text" name="firstname" placeholder="First Name" 
            required />
      </div>
      <div class="col-50">
         <input type="text"  name="lastname" placeholder="Last Name"  
            required />    
      </div>
      <div class="col-50">
         <input type="number" name="zipcode" minlength="5" 
            maxlength="5" placeholder="Zip Code (where you live)" 
            required />     
      </div>
      <div class="col-50">
         <input type="email" name="email" placeholder="Email" 
            required />    
      </div>
      <div class="col-50">
         <select name="subject" required>
            <option selected hidden value="">Please select the option 
               that best fits your request.
            </option>
            <option value = "guest">I want to be a guest on the 
               podcast.
            </option>
            <option value = "question">I have a question.</option>
            <option value = "suggestion">I have a suggestion.</option>
         </select>
      </div>
      <div class="col-50">
         <textarea name="comment"     
            placeholder="Questions/Suggestions/Comments"></textarea>
      </div>
      <p>
         <input class="submit" type="submit" value="Submit" />
      </p>
      </div>
   </fieldset>
</form>
//There have been absolutely NO results and NO error messages.
  • Turn on all error reporting so you will see any errors that might be happening. `ini_set('display_errors','1');ini_set('display_startup_errors','1');error_reporting(E_ALL);mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` – Dave Aug 15 '19 at 16:52
  • I went into phpMyAdmin to check and the error settings appear to be active. – Francine Dash Aug 15 '19 at 17:16
  • You're missing your brackets around `VALUES (...)`. As for the error reporting mentioned by @Dave, you need to do that in your PHP script itself. Add it at the very top of the page - https://stackoverflow.com/q/1053424/296555 – waterloomatt Aug 15 '19 at 17:33
  • I should also mention that you're wide open to SQL injection attacks because you're directly putting user-entered variables into your query. Look into _parameterized queries_ instead. – waterloomatt Aug 15 '19 at 17:35

1 Answer

1

Taking all the comments into consideration, the following code would be a good start. I cannot guarantee that this will work out of the box, but it should at least show you some errors/warnings. Once you've corrected those, you can also rest assured that the data going into your DB is not vulnerable to SQL injection. You will still have to escape your output if you choose to display the user entered info.

Please notice:

  • Error reporting is on (How do I get PHP errors to display?)
  • MySQL errors will be turned into PHP exceptions (PDO::ERRMODE_EXCEPTION)
  • Using PDO + parameterized queries (https://phpdelusions.net)
  • Redirecting to self after query is executed so that a browser refresh doesn't post the data again.
  • HTML is cleaned up a bit

<?php

// Turn on error reporting
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    // Define your connection properties
    $host = 'localhost';
    $db = 'point12_guestform';
    $user = 'root';
    $pass = '';
    $charset = 'utf8mb4';

    // Build up your connection string and set options
    // See this for more info: https://phpdelusions.net/pdo#dsn
    $dsn = "mysql:host=$host;dbname=$db;charset=$charset";
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES => false,
    ];

    // Finally, make a connection using PDO.
    // This will throw an exception if something goes awry. 
    $pdo = new PDO($dsn, $user, $pass, $options);

    // Build up your query
    // Notice the query is using placeholders `?` instead of directly
    // injecting user-entered (dangerous) data.
    $sql = 'INSERT INTO aboutpage (firstname,lastname,zipcode,email,subject,comment) VALUES (?,?,?,?,?,?)';
    $stmt = $pdo->prepare($sql);

    // Finally, execute your query by passing in your data. 
    // This is known as a parameterized query and prevents SQL injection attacks
    $stmt->execute([
        $_POST["firstname"],
        $_POST["lastname"],
        $_POST["zipcode"],
        $_POST["email"],
        $_POST["subject"],
        $_POST["comment"]
    ]);

    // Redirect to self, so that a browser refresh doesn't post data again. 
    header('Location: '.$_SERVER['PHP_SELF']);
    exit;
}
?>

<!-- I cleaned up some of your HTML too. -->
<form method="post">
    <div class="col-50">
        <label>
            <input type="text" name="firstname" placeholder="First Name" required>
        </label>
    </div>


    <div class="col-50">
        <label>
            <input type="text" name="lastname" placeholder="Last Name" required>
        </label>
    </div>

    <div class="col-50">
        <label>
            <input type="number"
                   name="zipcode"
                   minlength="5"
                   maxlength="5"
                   placeholder="Zip Code (where you live)"
                   required/>
        </label>
    </div>

    <div class="col-50">
        <label>
            <input type="email" name="email" placeholder="Email" required>
        </label>
    </div>

    <div class="col-50">
        <label>
            <select name="subject" required>
                <option selected hidden value="">Please select the option
                    that best fits your request.
                </option>
                <option value="guest">I want to be a guest on the
                    podcast.
                </option>
                <option value="question">I have a question.</option>
                <option value="suggestion">I have a suggestion.</option>
            </select>
        </label>
    </div>

    <div class="col-50">
        <label>
            <textarea name="comment" placeholder="Questions/Suggestions/Comments"></textarea>
        </label>
    </div>

    <p>
        <input class="submit" type="submit" value="Submit"/>
    </p>
</form>
waterloomatt
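
The parameterized query above stops SQL injection, but it stores whatever the browser sends, and the answer notes that output still has to be escaped. The following is an added example, not part of the original answer: server-side checks for this form's fields plus an output-escaping helper. `validate_guest_form()`, `e()` and the length caps are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; validate_guest_form() and e() are hypothetical helper names.
function validate_guest_form(array $post): array
{
    $clean = [];
    $errors = [];
    // Browser attributes (required, maxlength) are not enforced on the server,
    // and a field sent as firstname[]=x arrives as an array, not a string.
    foreach (['firstname', 'lastname', 'zipcode', 'email', 'subject', 'comment'] as $f) {
        $clean[$f] = is_string($post[$f] ?? null) ? trim($post[$f]) : '';
    }
    foreach (['firstname' => 100, 'lastname' => 100, 'comment' => 2000] as $f => $max) {
        if (strlen($clean[$f]) > $max) {   // caps in bytes; assumed values
            $errors[$f] = 'too long';
        }
    }
    foreach (['firstname', 'lastname'] as $f) {
        if ($clean[$f] === '') {
            $errors[$f] = 'required';
        }
    }
    // Keep the zip code as a string so a leading zero survives.
    if (preg_match('/\A\d{5}\z/', $clean['zipcode']) !== 1) {
        $errors['zipcode'] = 'must be 5 digits';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    }
    // Only the three option values offered by the form's <select>.
    if (!in_array($clean['subject'], ['guest', 'question', 'suggestion'], true)) {
        $errors['subject'] = 'not an offered option';
    }
    return [$clean, $errors];
}

// Escape on output, as the answer notes is still required.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, not real data.
$sample = ['firstname' => '<b>Ann</b>', 'lastname' => "O'Brien", 'zipcode' => '02134',
           'email' => 'ann@example.com', 'subject' => 'other', 'comment' => ['x']];
[$clean, $errors] = validate_guest_form($sample);
print_r($errors);
echo e($clean['firstname']), "\n";
```

Run the INSERT only when `$errors` is empty, passing the `$clean` values to `execute()` in place of the raw `$_POST` entries.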