0

We have an assignment for school and I've tried to build the application; however, some text that I want to have inserted into a database doesn't get submitted.

I've tried different things, but the page does not show an error either.

This is the code of my insert page

<head>
</head>
<body>
<form action="index.php" method="post">
    ID: <input type="text" name="id"><br/>
    Server: <input type="text" name="Server"><br/>
    Student: <input type="text" name="Student"><br/>
    Docent: <input type="text" name="Docent"><br/>
    Project: <input type="text" name="Project"><br/>
    Startdatum: <input type="text" name="Startdatum"><br/>
    Einddatum: <input type="text" name="Einddatum"><br/>
    <input type="submit" name="submit">
</form>

<?php
if(isset($_POST['submit'])) {

    $con = mysqli_connect("localhost", "root", "usbw", "serverruimte");
    if(!$con) {
        die(mysqli_connect_error());
    }

    $sql = "INSERT INTO serverruimte (id,Server,Student,Docent,Project,startdatum,einddatum) VALUES ('$_POST[id]','$_POST[Server]','$_POST[Student]','$_POST[Docent]','$_POST[Project]','$_POST[startdatum]','$_POST[einddatum]')";

    $result = mysqli_query($con, $sql);

    if($result) {
        echo "Opslaan voltooid!";
    } else {
        echo mysqli_error($con);
    }

    mysqli_close($con);
}
?>
</body>
</html>

Basically, what happens is: https://i.imgur.com/aUOx5yj.mp4

Does anyone know what the problem is and why the inserted data does not show up on the index page? The data does show on the page when I submit it directly into the MySQL database.

Accountant م
Peorioy
    In addition to the current answer, you can also surround your variables with `{}` like `VALUES ('{$_POST['id']}','{$_POST['Server']}'` – Accountant م Oct 28 '19 at 09:20

2 Answers

1

Warning: You are wide open to SQL Injections and should use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input! Even when your queries are executed only by trusted users, you are still at risk of corrupting your data. Escaping is not enough!

When working with MySQLi you should enable automatic error reporting instead of checking for errors manually. Checking for errors manually is a terrible practice, very error prone and should be avoided at all costs. Let MySQLi throw exceptions and do not catch them. See How to get the error message in MySQLi?

When opening a MySQLi connection you must specify the correct charset. The recommended one is utf8mb4.

if (isset($_POST['submit'])) {
    // Enable automatic error reporting
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Create new instance of MySQLi class
    $con = new mysqli("localhost", "root", "usbw", "serverruimte");
    // Set correct charset. Important!
    $con->set_charset('utf8mb4');

    $stmt = $con->prepare('INSERT INTO serverruimte (id,Server,Student,Docent,Project,startdatum,einddatum) VALUES (?,?,?,?,?,?,?)');
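    // $_POST keys are case sensitive and must match the form's name attributes (Startdatum, Einddatum)
    $stmt->bind_param('sssssss', $_POST['id'], $_POST['Server'], $_POST['Student'], $_POST['Docent'], $_POST['Project'], $_POST['Startdatum'], $_POST['Einddatum']);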
    $stmt->execute();

    echo "Opslaan voltooid!";

    mysqli_close($con);
}
Dharman
0

Change this line:

$sql = "INSERT INTO serverruimte (id,Server,Student,Docent,Project,startdatum,einddatum) VALUES ('$_POST[id]','$_POST[Server]','$_POST[Student]','$_POST[Docent]','$_POST[Project]','$_POST[startdatum]','$_POST[einddatum]')";

to:

$sql = "INSERT INTO serverruimte (id,Server,Student,Docent,Project,startdatum,einddatum) VALUES ('".$_POST['id']."','".$_POST['Server']."','".$_POST['Student']."','".$_POST['Docent']."','".$_POST['Project']."','".$_POST['Startdatum']."','".$_POST['Einddatum']."')";

The reason behind this change is that your query is wrong for the following reasons:

  • You were using strings instead of concatenating your real values coming from $_POST
  • Some of your indexes in $_POST were misspelled. For example:

    $_POST[einddatum] should be $_POST['Einddatum']

Also, consider that this code is vulnerable to SQL Injection.

Lucas Meine
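The two points raised in the answers above, the case-sensitive `$_POST` keys and the parameterized insert, combined in one added example that is not code from either answer. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL database so the script runs offline, and `FIELD_TO_COLUMN`, `collectFields` and `insertRow` are hypothetical names.

```php
<?php
declare(strict_types=1);
// Added example: in-memory SQLite via PDO is an assumed stand-in for MySQL.

// Form field name, exactly as in the HTML name attribute => table column.
const FIELD_TO_COLUMN = [
    'id' => 'id', 'Server' => 'Server', 'Student' => 'Student',
    'Docent' => 'Docent', 'Project' => 'Project',
    'Startdatum' => 'startdatum', 'Einddatum' => 'einddatum',
];

// Hypothetical helper: returns the values in column order, or throws naming every
// absent field. Array keys are case sensitive: 'startdatum' is not 'Startdatum'.
function collectFields(array $post): array
{
    $strings = array_filter($post, 'is_string'); // ignore array-valued input
    $missing = array_keys(array_diff_key(FIELD_TO_COLUMN, $strings));
    if ($missing !== []) {
        throw new InvalidArgumentException('Missing fields: ' . implode(', ', $missing));
    }
    return array_map(fn ($field) => $strings[$field], array_keys(FIELD_TO_COLUMN));
}

// Hypothetical helper: column names come from the constant, never from the
// request; the values are bound to placeholders, separate from the SQL text.
function insertRow(PDO $db, array $post): void
{
    $columns = implode(', ', FIELD_TO_COLUMN);
    $marks = implode(', ', array_fill(0, count(FIELD_TO_COLUMN), '?'));
    $db->prepare("INSERT INTO serverruimte ($columns) VALUES ($marks)")
       ->execute(collectFields($post));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE serverruimte (' . implode(', ', FIELD_TO_COLUMN) . ')');

// Constructed submissions: one matching the form, one keyed in lowercase.
$good = ['id' => '1', 'Server' => 'srv01', 'Student' => "O'Brien", 'Docent' => 'Jansen',
    'Project' => 'Webshop', 'Startdatum' => '2019-10-28', 'Einddatum' => '2019-12-20'];
$bad = array_diff_key($good, ['Startdatum' => 1, 'Einddatum' => 1])
    + ['startdatum' => '2019-10-28', 'einddatum' => '2019-12-20'];
insertRow($db, $good);
echo $db->query('SELECT Student FROM serverruimte')->fetchColumn(), PHP_EOL;
try {
    insertRow($db, $bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The first submission stores the apostrophe in the student name unchanged; the second is rejected with the names of the two fields whose keys do not match the form.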