
I'm new to PHP and MySQLi. I have created a form whose contents I want to put into a database, but it seems not to be working. I tried simpler things, like not using arrays, but people told me that it is prone to SQL injection, which is why I used arrays. Before this I used to put the variables straight into the query.

$fname = null;
$lname = null;
$address = null;
$city = null;
$zip = null;
$phone = null;
$email = null;
$total = null;

if (isset($_POST['submit'])) {
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $address = $_POST['address'];
    $city = $_POST['city'];
    $zip = $_POST['zip'];
    $phone = $_POST['phone'];
    $email = $_POST['email'];

    $query_params = array(
        ':fname' => $_POST['fname'],
        ':lname' => $_POST['lname'],
        ':address' => $_POST['address'],
        ':city' => $_POST['city'],
        ':zip' => $_POST['zip'],
        ':phone' => $_POST['phone'],
        ':email' => $_POST['email'],
        ':total' => $_POST['total']
    );

    $query = mysqli_query($connect, $sql);

    echo "Your message has been sent! <br>";
}


$sql = "INSERT INTO delivery(id,fname,lname,address,city,zip,phone,email)
VALUES('',':fname',':lname',':address',':city',':zip',':phone',':email')";

And this is the form that I have created:

<section class="ftco-section">
      <div class="container">
        <div class="row justify-content-center">
          <div class="col-xl-7 ftco-animate">
                        <form action="#" class="billing-form">
                            <h3 class="mb-4 billing-heading">Delivery</h3>
                <div class="row align-items-end">
                    <div class="col-md-6">
                    <div class="form-group">
                        <label for="firstname">First Name</label>
                    <input type="hidden" name="fname">
                      <input type="text" class="form-control" name="fname" >
                    </div>
                  </div>
                  <div class="col-md-6">
                    <div class="form-group">
                        <label for="lastname">Last Name</label>
                      <input type="text" class="form-control" name="lname">
                    </div>
                </div>
                <div class="w-100"></div>
                    <div class="col-md-6">
                        <div class="form-group">
                        <label for="streetaddress">Street Address</label>
                      <input type="text" class="form-control" name="address">
                    </div>
                    </div>

                    <div class="w-100"></div>
                    <div class="col-md-6">
                        <div class="form-group">
                        <label for="towncity">Town / City</label>
                      <input type="text" class="form-control" name="city">
                    </div>
                    </div>
                    <div class="col-md-6">
                        <div class="form-group">
                            <label for="postcodezip">Postcode / ZIP *</label>
                      <input type="text" class="form-control" name="zip">
                    </div>
                    </div>
                    <div class="w-100"></div>
                    <div class="col-md-6">
                    <div class="form-group">
                        <label for="phone">Phone</label>
                      <input type="text" class="form-control" name="phone">
                    </div>
                  </div>
                  <div class="col-md-6">
                    <div class="form-group">
                        <label for="emailaddress">Email Address</label>
                      <input type="text" class="form-control" name="email">
                    </div>
                </div>
                <div class="w-100"></div>
                <div class="col-md-12">
                    <div class="form-group mt-4">
                                    </div>
                </div>
                </div>
              <p><input type="submit" class="btn btn-primary py-3 px-4" name="send" value="Submit Order"></p>
              </form>
                    </div>

                </div>
              </div>
          </div>
        </div>
      </div>
    </section>
Ahmad Karimi
Brucieee

1 Answer

I don't see you actually executing the query anywhere. You need to start a connection with your database.

I also recommend you use PDO rather than MySQLi, as it's more efficient.

First create a connection:

<?php
$host = "localhost";
$user = "username";
$pass = "password";
$datb = "myDBPDO";

$dsn = "mysql:host=$host;dbname=$datb;charset=utf8mb4";
$options = [
    \PDO::ATTR_ERRMODE            => \PDO::ERRMODE_EXCEPTION,
    \PDO::ATTR_DEFAULT_FETCH_MODE => \PDO::FETCH_ASSOC,
    \PDO::ATTR_EMULATE_PREPARES   => false,
];

// With ATTR_ERRMODE set to ERRMODE_EXCEPTION the constructor throws a
// PDOException on failure instead of returning false, so `if (!$conn)`
// can never fire; the failure path has to be a catch block.
try {
    $conn = new \PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
    // Log the real cause server-side; do not echo $e->getMessage() to the
    // browser, since it can reveal the host, user name and DSN.
    error_log($e->getMessage());
    exit('<b>NOTICE:</b> Error connecting to database.');
}

Then prepare your query:

$stmt = $conn->prepare("INSERT INTO delivery(fname,lname,address,city,zip,phone,email) VALUES(:fname, :lname, :address, :city, :zip, :phone, :email)");

Then bind your params:

// Keys match the :name placeholders in the prepared statement;
// the values are sent to the server separately from the SQL text.
$params = [
    ':fname' => $_POST['fname'],
    ':lname' => $_POST['lname'],
    ':address' => $_POST['address'],
    ':city' => $_POST['city'],
    ':zip' => $_POST['zip'],
    ':phone' => $_POST['phone'],
    ':email' => $_POST['email']
];

Then execute it:

$stmt->execute($params);

Full example:

<?php
$host = "localhost";
$user = "username";
$pass = "password";
$datb = "myDBPDO";

$dsn = "mysql:host=$host;dbname=$datb;charset=utf8mb4";
$options = [
    \PDO::ATTR_ERRMODE            => \PDO::ERRMODE_EXCEPTION,
    \PDO::ATTR_DEFAULT_FETCH_MODE => \PDO::FETCH_ASSOC,
    \PDO::ATTR_EMULATE_PREPARES   => false,
];

// ERRMODE_EXCEPTION means a failed connection throws rather than
// returning false, so catch the exception instead of testing $conn.
try {
    $conn = new \PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
    error_log($e->getMessage()); // keep the details out of the response
    exit('<b>Notice:</b> Error connecting to database.');
}

// Prepare SQL and bind parameters
$stmt = $conn->prepare("INSERT INTO delivery(fname,lname,address,city,zip,phone,email) VALUES(:fname, :lname, :address, :city, :zip, :phone, :email)");
$params = [
    'fname' => $_POST['fname'],
    'lname' => $_POST['lname'],
    'address' => $_POST['address'],
    'city' => $_POST['city'],
    'zip' => $_POST['zip'],
    'phone' => $_POST['phone'],
    'email' => $_POST['email']
];
$stmt->execute($params);

echo "New records created successfully";
Thrallix
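As an added example, not code from the question or the answer: the same INSERT done with MySQLi prepared statements, for anyone who wants to stay with mysqli rather than switch to PDO. Two things the question's version gets wrong carry over here. First, mysqli has no named placeholders at all, only positional `?` marks. Second, a placeholder must never be quoted: in the question's `$sql`, `':fname'` sits inside single quotes, so even under PDO it is the literal seven-character string `:fname`, not a parameter. The connection details, the form field names and the `delivery` table layout (an AUTO_INCREMENT `id` plus the seven text columns) are assumptions taken from the question.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: host/user/password/db name; a table `delivery` with an
// AUTO_INCREMENT `id` and the seven text columns used in the question.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception on every error instead of
// returning false, so a failed prepare/execute cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connect = new mysqli('localhost', 'username', 'password', 'myDB');
$connect->set_charset('utf8mb4');

// The submit button in the question's form is named "send" (the question
// tests $_POST['submit'], which the form never sends). The form also needs
// method="post" for any of these fields to arrive in $_POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['send'])) {
    $fields = ['fname', 'lname', 'address', 'city', 'zip', 'phone', 'email'];

    $values = [];
    foreach ($fields as $name) {
        // A missing field becomes '' rather than an undefined-index warning.
        $values[] = trim((string) ($_POST[$name] ?? ''));
    }

    // Positional "?" placeholders, unquoted. The values travel to the server
    // separately from the SQL text, so input such as
    //   x'); DROP TABLE delivery; --
    // is stored as an ordinary string and never parsed as SQL.
    $stmt = $connect->prepare(
        'INSERT INTO delivery (fname, lname, address, city, zip, phone, email)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    // One "s" type code per value; argument unpacking passes the array
    // elements by reference, which bind_param requires.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $stmt->close();

    echo 'Your message has been sent! <br>';
}
```

On PHP 8.1 and later the `bind_param` line can be dropped and the values passed directly as `$stmt->execute($values);`. Note that the `id` column is left out of the column list so the database assigns it; inserting `''` into an integer column, as the question does, relies on MySQL's lenient coercion and fails outright in strict SQL mode.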