-3

I am trying to test a very simple PHP form that inserts input into an SQL database. The connection works fine, but the data does not appear in the database when I refresh it. I have only two files, an index.html and a process.php.

index.html:

<html>
<head>Testing</head>
<body>
    <div id="frm">
        <form action="process.php" method=POST>
            <p>
                <label>Username</label>
                <input  type="text" id="stuff" name="stuff">
            </p>
            <p>
                <input type="submit" id="btn" value="Login">
            </p>
        </form>
    </div>
</body>
</html>

Process.php:

<?php
    $userinput = $_POST['stuff'];
    $servername = "localhost";
    $username = "root";
    $password = "";
    $database = "testing";

    $conn = new mysqli($servername, $username, $password, $database);

    if ($conn->connect_error)
    {
        die("connection failed: " . $conn->connect_error);
    }

    else
    {
        echo "Connected successfully "; 
        echo $userinput;
        $sql = "INSERT INTO `entries`(`input`) VALUES ('$userinput')";
    }
?>
Dharman
  • 30,962
  • 25
  • 85
  • 135

4 Answers4

1

The problem is that you're not actually running the query. You just assigned the query string to a variable, so it's not being executed in MySQL.

Your code is vulnerable to SQL injection, so I'm proposing a solution:

<?php
$userinput = $_POST['stuff'];
$servername = "localhost";
$username = "root";
$password = "";
$database = "testing";

$conn = new mysqli($servername, $username, $password, $database);

if ($conn->connect_error)
{
    die("connection failed: " . $conn->connect_error);
}
else
{
    echo "Connected successfully "; 
    echo $userinput;
    $sql = "INSERT INTO `entries` (`input`) VALUES (?)";
    if ($stmt = $conn->prepare($sql)) { // Prepare statement
        $stmt->bind_param("s", $userinput); //Bind the string (s), with the content from $userinput to the statement marker (?)
        $stmt->execute(); // Run (execute) the query
        $stmt->close(); //clean up
}

This code should work and also keep you secure from SQL injections.

Repox
  • 15,015
  • 8
  • 54
  • 79
  • Please read [Should we ever check for mysqli_connect() errors manually?](https://stackoverflow.com/q/58808332/1839439) – Dharman Feb 07 '20 at 13:59
  • @Dharman I'm proposing a solution that fits into OP's current code. If you want to propose a more extensive solution that also teaches OP not to reveal errors, please provide your own answer. – Repox Feb 10 '20 at 08:50
0

Haven't tested it fully but I fixed your query. 

$sql = mysqli_query($conn, "INSERT INTO entries (input) VALUES ('$userinput')");

also change the post part to: <form action="process.php" method="POST">

That should fix the problem for you

Also make sure you use the function: mysqli_real_escape_string to escape malicious user input to prevent SQL injection.

Another thing: you could change localhost to 127.0.0.1. I think this is more reliable although it's the same in most cases.

Niels
  • 1,005
  • 1
  • 8
  • 18
-1

Your code is not submitting the query to the database, it is opening the connection but not submitting the query, see below to the submit query request if you use mysqli in PHP


... else {
  # this submits the query
  $conn -> query ($sql);
}
Community
  • 1
  • 1
AugustoM
  • 405
  • 1
  • 7
  • 15
-2

you need to take function mysqli_query of mysqli that will take parameter as connection object like $conn and 2nd parameter will be sql query to execute. like this 

$sql = mysqli_query($conn, "INSERT INTO entries (input) VALUES ('$userinput')");

to prevent from sql injection you must use PDO because PDO use paramBind to protect injection .

Nitesh Mangla
  • 109
  • 5